The most consequential misconception in cloud security is that “Microsoft secures Azure” means “my Azure environment is secure.” It does not. Microsoft secures the infrastructure that Azure runs on. You are responsible for securing what you build, configure, and store on that infrastructure.
This division of responsibility — called the shared responsibility model — is the foundational concept that determines what Microsoft protects and what your organization must protect. Organizations that understand the boundary correctly configure the controls on their side of it. Those that misunderstand it leave security gaps that are technically on their side of the line but that they believe Microsoft is covering.
Overview
The shared responsibility model divides security responsibilities between the cloud provider (Microsoft) and the cloud customer (your organization) based on the cloud service model. In IaaS (Infrastructure as a Service), customers bear more security responsibility because they manage more of the stack. In SaaS (Software as a Service), Microsoft manages most of the security responsibility. In between, PaaS shares responsibility across both parties. Understanding where your workloads fall in this spectrum determines what you must configure and monitor.
- Microsoft always manages physical security, network infrastructure, and hypervisor security
- Customer responsibility increases as the service model moves from SaaS toward IaaS
- For IaaS: customers manage the OS, network controls (NSGs, firewall rules), middleware, applications, identity, and data
- For SaaS like Microsoft 365: customers manage identity, access controls, and data governance
- The customer’s security responsibility never reaches zero in any cloud service model
The 5 Why’s
- Why is the shared responsibility model specifically important to understand for Microsoft 365 users who do not think of themselves as “cloud infrastructure” operators? Microsoft 365 is a SaaS application — Microsoft manages the infrastructure and the application. But customers are still responsible for identity management (who can sign in and with what permissions), access controls (what users can access), and data governance (how sensitive data is handled, labeled, and protected). A Microsoft 365 environment with no MFA, no conditional access, and no data loss prevention is running on Microsoft’s secure infrastructure with significant customer-managed security gaps.
- Why does the responsibility model shift specifically based on the service type (IaaS, PaaS, SaaS)? Different service types represent different divisions of what the provider manages versus what the customer manages. In IaaS (Azure Virtual Machines), the customer manages the OS, applications, and all configuration on the VM. In PaaS (Azure App Service), Microsoft manages the OS and runtime; the customer manages the application and data. In SaaS (Microsoft 365), Microsoft manages infrastructure, OS, and application code; the customer manages identities, data, and configuration. The responsibility line moves with how much the provider manages.
- Why does misunderstanding the shared responsibility model specifically produce security gaps rather than just theoretical confusion? If an organization believes Microsoft is responsible for access control in their Microsoft 365 environment, they will not configure MFA, conditional access, or privileged identity management. Those unconfigured controls leave real, exploitable gaps: password-only sign-ins can be phished or password-sprayed, and standing administrator rights widen the blast radius of any compromised account. The misunderstanding translates directly into missing security controls that attackers exploit. Microsoft cannot fill that gap because it is on the customer side of the responsibility line.
- Why is data governance specifically always the customer’s responsibility regardless of the cloud service model? The customer owns the data and is legally accountable for how it is protected, retained, and processed — particularly under regulations like HIPAA, GDPR, and CCPA. The cloud provider’s compliance certifications cover how the provider handles data at the infrastructure level; the customer remains responsible for configuring the application-level controls that govern how their data is classified, accessed, retained, and disposed of.
- Why does Microsoft Secure Score specifically help organizations understand and fulfill their security responsibilities? Secure Score provides a quantified measure of how well an organization's environment is configured against security best practices, and provides specific, actionable recommendations for each area where configuration falls short. Microsoft Secure Score in the Microsoft Defender portal covers Microsoft 365 identity, device, and app configuration; Microsoft Defender for Cloud maintains its own secure score for Azure subscriptions. Both are a practical implementation of the shared responsibility model: here are the controls on your side of the line, here is how well they are configured, here is what to do to improve them.
The Shared Responsibility Model in Practice
Physical Security — Microsoft’s Responsibility (All Service Models)
Microsoft data centers employ multiple layers of physical access control, environmental controls, hardware maintenance, and physical destruction of decommissioned media. Customers have no access to this layer and no responsibility for it.
Network Infrastructure — Microsoft’s Responsibility (All Service Models)
The network fabric that connects Azure infrastructure — the global network, the hypervisor networking layer, and the underlying switches and routers — is managed and secured by Microsoft. Customers configure virtual network resources on top of this infrastructure but are not responsible for the underlying network security.
Host Infrastructure — Microsoft’s Responsibility (All Service Models)
The physical servers, virtualization platform, and hypervisor software that run all cloud services are Microsoft's responsibility. Customers cannot access this layer in any service model.
Operating System — Shared or Customer Responsibility
IaaS (Azure VMs): customer’s responsibility — patch management, OS hardening, OS-level security controls.
PaaS (App Service, SQL Managed Instance): Microsoft's responsibility for the OS itself; the customer does not have OS-level access. The customer still owns platform settings that sit above the OS, such as the runtime version, network access rules, and the minimum TLS version.
SaaS (Microsoft 365): Microsoft’s responsibility — customer has no OS-level interaction.
Applications — Customer’s Responsibility (IaaS/PaaS)
Applications deployed on Azure infrastructure are the customer’s responsibility — code security, dependency management, authentication configuration, API security.
SaaS: Microsoft’s responsibility for the application code; customer’s responsibility for configuration within the application.
Identity and Access — Customer’s Responsibility (All Service Models)
Regardless of service model, the customer is responsible for:
- Configuring MFA and conditional access policies
- Assigning appropriate roles and permissions
- Managing user lifecycle (provisioning and deprovisioning)
- Configuring guest and external access controls
- Limiting standing privileged roles and protecting break-glass accounts (Privileged Identity Management where licensed)
Data — Customer’s Responsibility (All Service Models)
The customer is always responsible for:
- Data classification and labeling
- Configuring appropriate data protection controls
- Meeting applicable regulatory requirements for data handling
- Backup and recovery configuration
What to Configure on Your Side of the Responsibility Line
For Microsoft 365 and Azure environments:
- Enable MFA for all users — this is the highest-impact identity security control; enforce it through conditional access, or at minimum through security defaults
- Configure conditional access policies — control when and under what conditions access is granted; a policy left in report-only mode logs but enforces nothing
- Enable Microsoft Defender for Cloud on your subscriptions — the free posture assessment is on by default; turn on the Defender plans for workload protection
- Review your Microsoft Secure Score — prioritize and address the highest-impact recommendations
- Configure sensitivity labels and DLP policies — protect sensitive data from inappropriate sharing
- Confirm audit logging is on — unified audit logging in Microsoft 365, and diagnostic settings in Azure that export activity and resource logs to a Log Analytics workspace, storage account, or SIEM
- Review access permissions — ensure users have the minimum access required for their roles, and use access reviews to re-certify them periodically
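The first two checklist items are where "we thought Microsoft handled that" most often shows up in practice, so here is an added example (not code from the original article or from Microsoft) that checks an exported set of Conditional Access policies for the gaps described above: no enforced policy requiring MFA for all users on all apps, an MFA policy that can be satisfied by a different grant control, a legacy-authentication block left in report-only mode, and oversized exclusion lists. The input shape follows the Microsoft Graph conditionalAccessPolicy resource as returned by `GET /identity/conditionalAccess/policies` or `Get-MgIdentityConditionalAccessPolicy`; the three policies embedded below are constructed sample data, and the policy names, exclusion list and the `max_excluded` threshold are assumptions for the example.

```python
import json

# Constructed sample export. The shape mirrors the Microsoft Graph
# conditionalAccessPolicy resource; names and exclusions are made up.
SAMPLE_EXPORT = json.dumps({"value": [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["break-glass-1", "break-glass-2"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",   # report-only
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Old pilot policy",
        "state": "disabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]})


def load_policies(export_json):
    """Parse a Graph-style export: {"value": [policy, ...]}."""
    return json.loads(export_json)["value"]


def is_enforced(policy):
    # Only "enabled" enforces; report-only records what would have happened.
    return policy.get("state") == "enabled"


def covers_all_users_and_apps(policy):
    cond = policy.get("conditions", {})
    return ("All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))


def requires_mfa(policy):
    """True only if MFA cannot be satisfied by some other grant control.

    With operator "OR" and extra controls (e.g. compliantDevice), a sign-in
    passes without MFA, so the policy does not actually require it.
    """
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        return False
    return grant.get("operator") == "AND" or controls == ["mfa"]


def blocks_legacy_auth(policy):
    cond = policy.get("conditions", {})
    apps = set(cond.get("clientAppTypes", []))
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return "block" in controls and {"exchangeActiveSync", "other"} <= apps


def assess(export_json, max_excluded=2):
    """Return posture flags plus human-readable findings for the export."""
    result = {"mfa_for_all_users": False, "legacy_auth_blocked": False,
              "findings": []}
    for p in load_policies(export_json):
        name = p.get("displayName", "<unnamed>")
        if p.get("state") == "enabledForReportingButNotEnforced":
            result["findings"].append(
                f"'{name}' is report-only: it logs but enforces nothing")
        if not is_enforced(p):
            continue
        if requires_mfa(p) and covers_all_users_and_apps(p):
            result["mfa_for_all_users"] = True
            excluded = p["conditions"]["users"].get("excludeUsers", [])
            if len(excluded) > max_excluded:   # threshold is an assumption
                result["findings"].append(
                    f"'{name}' excludes {len(excluded)} users; keep "
                    f"exclusions to break-glass accounts only")
        if blocks_legacy_auth(p) and covers_all_users_and_apps(p):
            result["legacy_auth_blocked"] = True
    if not result["mfa_for_all_users"]:
        result["findings"].append(
            "no enforced policy requires MFA for all users on all apps")
    if not result["legacy_auth_blocked"]:
        result["findings"].append(
            "legacy authentication is not blocked by an enforced policy")
    return result


if __name__ == "__main__":
    for line in assess(SAMPLE_EXPORT)["findings"]:
        print("FINDING:", line)
```

On the sample data the MFA policy passes (two break-glass exclusions, MFA is the only grant control), but the legacy-authentication block is flagged twice: once because it is report-only, and once because, as a result, nothing enforced blocks legacy protocols. Swap `SAMPLE_EXPORT` for the JSON your tenant actually returns and the same checks run against your own policies; the `requires_mfa` test is the one most tenants fail, because an "MFA or compliant device" policy reads like an MFA requirement but is not one.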
Final Takeaway
Cloud security works when both sides of the shared responsibility model fulfill their obligations. Microsoft fulfills its side consistently and at scale. Whether your organization fulfills its side depends on understanding what that side includes — and configuring the identity, access, data, and monitoring controls that sit on the customer side of the responsibility boundary. That configuration is where cloud security is won or lost in practice.
Fulfill Your Security Responsibilities With Mindcore Technologies
Mindcore Technologies helps organizations understand and fulfill their portion of the cloud shared responsibility model — identity configuration, access controls, data protection, security monitoring, and Secure Score improvement that makes Azure and Microsoft 365 environments genuinely secure.
Talk to Mindcore Technologies About Cloud Security Configuration →
Contact our team for a shared responsibility gap assessment and a prioritized remediation plan for your environment.