Who Secures What? The Shared Responsibility Model Explained
One of the most common myths about the cloud is: "I moved to the cloud, so now Microsoft handles all my security."
This is WRONG.
Just because you park your car in a paid garage doesn't mean you can leave the windows down and the keys in the ignition. This partnership is called the Shared Responsibility Model.
Security "OF" vs. Security "IN"
To understand this for the AZ-900 exam, memorize this distinction:
- Microsoft is responsible for the Security OF the Cloud (physical datacenters, cabling, power, networking hardware).
- You are responsible for Security IN the Cloud (your passwords, your data, who you allow to access your files).
The 3 Rules You Must Know
1. You Always Own Your Data
It doesn't matter if you use IaaS, PaaS, or SaaS. If you upload a file containing credit card numbers and you share it with the public, that is your fault. Microsoft does not check your data.
2. Identities are Your Job
Microsoft cannot stop you from setting your password to "123456". Protecting your accounts (Identity Management) is always the customer's responsibility.
3. OS Updates Depend on the Model
- IaaS: You must install Windows Updates manually.
- PaaS/SaaS: Microsoft installs the updates for you automatically.
Who is Responsible? (Cheat Sheet)
| Area | IaaS (Virtual Machine) | PaaS (SQL DB) | SaaS (Outlook) |
|---|---|---|---|
| Physical Datacenter | Microsoft | Microsoft | Microsoft |
| Operating System | YOU | Microsoft | Microsoft |
| Network Controls | YOU | Shared | Microsoft |
| Data & Accounts | YOU | YOU | YOU |
[Figure: Division of Responsibility, a graphical representation]
Understanding this model protects you from hackers and helps you pass the exam. Remember: You can outsource the work, but you cannot outsource the responsibility.