concept#Cloud#Security#Architecture#Governance

Shared Responsibility Model

Framework that defines clear allocation of security, compliance and operational responsibilities between cloud providers and customers.

Defines allocation of responsibilities between cloud provider and customer for security, compliance and operations.

Maturity

Established

Cognitive loadMedium

Classification

ComplexityMedium
Impact areaOrganizational
Decision typeOrganizational
Organizational maturityIntermediate

Technical context

Integrations

Identity and access management (IAM) systemsMonitoring and SIEM platformsContract management and compliance tools

Principles & goals

Principles

Written, explicit assignment of responsibilities per service.Continuous review and adjustment upon architecture changes.Contractual coverage for critical tasks and SLAs.

Value stream stage

Run

Organizational level

Enterprise, Domain, Team

Use cases & scenarios

Use cases

Scenarios

Compromises

Risks

Misunderstandings lead to blind spots in security.
Unclear responsibility delays incident response.
Relying on provider controls without evidence is risky.

Best practices

Use a standard template for responsibility matrices.
Perform regular audits and evidence collection.
Integrate provider documentation into operational processes.

I/O & resources

Inputs

Service inventory including provider details
Legal and regulatory requirements
Organizational structure and responsibility roles

Outputs

Responsibility matrix per service
Change requests for runbooks
Contractual or SLA addenda

Resources

Description

Defines allocation of responsibilities between cloud provider and customer for security, compliance and operations. It clarifies which controls the provider manages (infrastructure, physical security, global services) and which remain with the customer (data, identity, configurations). Widely used for public cloud, SaaS and managed services to reduce gaps and define governance.

✔Benefits

Reduces uncertainty about responsibilities.
Improves compliance and auditability.
Enables targeted security investments.

✖Limitations

Boundaries are only effective as documentation and enforcement.
Different provider models complicate standardization.
Incorrect assumptions can create security gaps.

Trade-offs

Metrics

Number of clearly documented responsibilities
Counts services with a written responsibility model.
Time to incident ownership assignment
Time between incident detection and assignment of clear ownership.
Number of auditable evidences per control
Measures available evidences for provider and customer controls.

Examples & implementations

AWS Shared Responsibility Model (example)

AWS defines the separation between infrastructure and customer responsibilities for cloud services.

SaaS deployment in marketing

Marketing uses a SaaS tool; backup and access management remain customer-managed.

Hybrid data platform

A cloud data lake combines provider and customer responsibilities for encryption and access control.

Implementation steps

Inventory all used cloud and SaaS services and map providers.

Develop a responsibility matrix per service with provider and customer duties.

Adjust runbooks, operational and security processes according to the matrix.

Clarify open contractual points and schedule regular reviews.

⚠️ Technical debt & bottlenecks

Technical debt

Outdated runbooks that do not reflect provider/customer boundaries.
Manual evidences instead of automated compliance reports.
Lack of a central inventory of used services.

Known bottlenecks

Unclear responsibilities in hybrid environmentsMissing evidence of provider controlsInconsistent service documentation

Misuse examples

Assuming provider handles all backups without contractual confirmation.
Customers configure critical services even though the provider is responsible.
Missing documentation for hybrid access paths.

Typical traps

Confusing infrastructure and application responsibilities.
Adopting a model without checking provider-specific details.
Insufficient communication between security and operations teams.

Required skills

Basic understanding of cloud architectureSecurity and compliance knowledgeKnowledge of contract and SLA formulation

Architectural drivers

Compliance requirements (e.g., data protection, industry regulations)Security and access requirementsOperational and availability objectives

Constraints

• Contractual limits of provider responsibility
• Technical interfaces that do not allow full control
• Regulatory mandates that impose customer duties