Every cloud provider publishes a "shared responsibility model" diagram. It is the most important thing they publish and the most often misread.
What the provider owns
- The physical data center, power, and cooling
- The network fabric inside the data center
- The hypervisor and the underlying hardware
- The control-plane services they offer (the *availability* of those services, not the *correct configuration* of them)
What you own
- Your data, full stop
- Identity and access — who can do what
- Configuration of every service you use
- The operating system and applications inside any compute resource you run
- Logs, monitoring, and incident response for your tenant
The fuzzy middle
Some controls are shared. Patches to the provider's managed service come from them, but you still control which version you opt into and when you upgrade. Encryption keys can be provider-managed or customer-managed; the security profile is very different in each case.
How to use the model
Whenever a security question comes up, the first move is to place it on the model. If it falls on the provider's side, your job is to verify they are doing it. If it falls on your side, your job is to do it.
Most cloud breaches we see in incident response are not provider failures. They are customers who assumed the provider's side covered something the customer was actually responsible for.
All HS Academy lessons are free to read. Create a free HorizonShield account to explore the platform itself.
Sign up free →