COVID-19 has changed the dynamic of operating business globally by transforming the traditional workplace. Working from home with a virtual office setup is the new normal, and holding meetings via video conferencing tools to communicate. It makes cloud commuting more engaged, so the organizations need to focus on hardening their security. In the case of the public cloud, there will be a shared cloud security responsibility between the Cloud Service Provider (CSP) and the user/ client (organization/ individual). Security is an absolute necessity for owners’ network controls, data classifications, and physical security. This division of responsibility for providing security to the cloud is known as the Shared Responsibility Model for cloud security. 

Definition of Shared Responsibility Model 

The Shared Responsibility Model is considered a fundamental concept of cloud computing. Whether you are using SaaS, IaaS, or PaaS, it is an essential part of the mix as it states where the roles and responsibilities of cloud providers end and clients begin. Organizations can only fully utilize the benefits of cloud migration when they understand and execute this model properly for securing the data.  

Regarding roles and responsibilities, the cloud provider and client (organization) have designated roles to fulfill. As for cloud providers, they are responsible for securing the infrastructure they provide. It includes securing the data center, virtual platform, and network. The cloud provider also needs to monitor the system assigned to them for any security events while the client (organization) is responsible for securing their data application. It includes data encryption, control access, designing, and secure application integration. The client also needs to monitor the system assigned to them for any security events.  

As per the cloud service the client is using, like IaaS (Infrastructure as a Service), SaaS (Software as a Service), or PaaS (Platform as a Service), the Shared Responsibility Model may differ. It is said that approximately one-third of the organization’s critical applications use SaaS, IaaS, or PaaS instead of on-premises infrastructure. According to Gartner’s report, the market for IaaS has grown approx. 40% in 2020. 

Figure 1 - cloud shared responsibility for cloud computing

Source: Microsoft 

PaaS (Platform as a Service) 

PaaS provides cloud platform service. It can also be said that it gives developers a platform or framework and tools to design apps or software. In addition, it offers its clients more access to servers, networks, and storage. 

IaaS (Infrastructure as a Service) 

IaaS is a cloud infrastructure service that allows organizations to directly purchase the resources rather than investing in them and maintaining their infrastructure. 

SaaS (Software as a Service) 

SaaS is a cloud application service, one of the most popular services in the cloud industry. It allows people to access software or application through the internet via subscription. They are designed so that people can use them from anywhere and anytime, eliminating the additional downloading and installation.  

SaaS primarily assigns most of the responsibilities to the cloud service provider rather than its client. In contrast to PaaS and IaaS, the client has to take more responsibility, and the burden of the cloud provider is lessened relatively. 

Mitigation of Cyber-Attacks & Best Practices 

 It is essential that an organization for proper cyber hygiene as it is the first step towards cybersecurity. In addition, various cloud security services will help the organization improve its defense against multiple cloud threats and risks.  

Varutra offers cloud security services like Cloud Vulnerability Assessment, Penetration Testing Services for application and information systems in the cloud, and Cloud Security Audit, which determines the security and effectiveness of the controls.  

Here are some best practices that an organization should follow while practicing the Shared Responsibility Model. This way, they can keep their data and resources secure in the cloud. 

  • Defining the roles and responsibilities: The roles and responsibilities should be appropriately assigned to every party if they use the Shared Responsibility Model. It will help in the proper securing of data and resources. 
  • Reviewing, implementing, and testing security controls: Check whether all the security controls in each level which includes administrative, logical, and physical, are all enacted, working, and secure. This way, you can protect your resources and data from unauthorized access. It is recommended that you monitor your controls regularly and test them whenever there is any change in the organization’s management. 

Figure 2 - Security controls (shared responsibility model for cloud computing)

Source: PurpleSec 

  • Creating awareness among employees and educating them: Creating awareness among the employees regarding cloud security, educating them about the Shared Responsibility Model, and guiding them about their roles and responsibilities in securing data and resources. It will help them understand the importance of cloud security. 
  • Monitoring cloud activities : Closely monitor the cloud activities for any suspicious activity as it will help detect potential security threats and risks. In the beginning, identifying the dangers will help take appropriate measures and mitigate them in the early stage without causing any heavy damage to the organization. 


The cloud provider and the client are responsible for protecting the respective part of the cloud system. They need to ensure it is appropriately configured, appropriate security controls are in place, and monitor their designated areas in the system for security events. It is suggested that an organization should reduce the complexity wherever possible, work on their security policies and workflow automation, and create situation and visibility awareness as it strengthens the cloud security program. 




Center for Internet Security, Inc. (CIS®) 



Sanjana Yadav, 

Marketing Department, 

Varutra Consulting Pvt. Ltd.