Lesson 2 · Cloud security fundamentals

The shared responsibility model in plain language

7-minute read · beginner

HorizonShield lesson workspace with guided course material and analyst notes
Lesson content is rendered from the Academy CMS and keeps its previous/next course flow.
HS AcademyCloud security fundamentalsLesson 2beginner

Every cloud provider publishes a "shared responsibility model" diagram. It is the most important thing they publish and the most often misread.

What the provider owns

  • The physical data center, power, and cooling
  • The network fabric inside the data center
  • The hypervisor and the underlying hardware
  • The control-plane services they offer (the *availability* of those services, not the *correct configuration* of them)

What you own

  • Your data, full stop
  • Identity and access — who can do what
  • Configuration of every service you use
  • The operating system and applications inside any compute resource you run
  • Logs, monitoring, and incident response for your tenant

The fuzzy middle

Some controls are shared. Patches to the provider's managed service come from them, but you still control which version you opt into and when you upgrade. Encryption keys can be provider-managed or customer-managed; the security profile is very different in each case.

How to use the model

Whenever a security question comes up, the first move is to place it on the model. If it falls on the provider's side, your job is to verify they are doing it. If it falls on your side, your job is to do it.

Most cloud breaches we see in incident response are not provider failures. They are customers who assumed the provider's side covered something the customer was actually responsible for.

HS Academy

All HS Academy lessons are free to read. Create a free HorizonShield account to explore the platform itself.

Sign up free →
← All lessons in Cloud security fundamentals