Shared Responsibility Model

The Shared Responsibility Model defines which security responsibilities belong to the cloud service provider and which belong to you, the customer. The exact division depends on the service type: in IaaS, you're responsible for most of the security stack above the physical infrastructure; in PaaS, the provider handles more of that stack; in SaaS, the provider handles almost everything except your data and user access management.

The key principle is that moving to the cloud doesn't transfer your security obligations to the provider. You're always responsible for your data, your user accounts, your access policies, and your compliance. The provider secures their infrastructure, but your security configuration decisions determine whether your data is actually protected.

Why It Matters

Misunderstanding the shared responsibility model is one of the most common causes of cloud security breaches. For CMMC compliance, you must clearly understand which controls are yours and which are the cloud provider's, and implement yours fully.