The shared responsibility model is a framework that delineates the division of security obligations between a cloud service provider and its customer. The provider is typically responsible for securing the underlying infrastructure—physical data centres, networking and hypervisor layers—whilst the customer is responsible for securing their data, identities, applications and configurations within the cloud environment. The exact boundary varies by service model (IaaS, PaaS, SaaS).
Misunderstanding the shared responsibility model is one of the most common causes of cloud security incidents. Organisations must clearly map which controls fall under their responsibility and implement appropriate measures accordingly. This includes identity management, encryption, access controls and monitoring—areas that remain the customer's obligation regardless of the cloud deployment model.