Get to know our comprehensive Cybersecurity Portfolio: Learn More

close icon

Conozca nuestro completo portafolio de ciberseguridad: Aprenda más

What Is the Microsoft Shared Responsibility Model?


As businesses continue to thrive and expand, there’s a greater need for a robust and reliable data management system. The traditional on-premises data center is no longer enough to keep up with the ever-increasing demand for flexibility, scalability, uptime, and lower costs. This is where cloud computing comes in, offering a plethora of advantages for data management. Microsoft is leading the pack as one of the most secure and dependable cloud service providers.

Talk to our experts in Microsoft 365 Managed Services

However, there’s a twist. While Microsoft does a commendable job of managing data stored in the cloud, users still have a role to play in ensuring the safety of their data. This leads us to the shared responsibility model, which outlines the roles of cloud users and providers in a cloud computing environment.

Understanding the Shared Responsibility Model

The shared responsibility model is a framework that expresses the responsibilities of cloud service providers (CSPs) and cloud users to properly maintain all aspects of the cloud environment, including infrastructure, operating system (OS), data, endpoints, network controls, and access rights.

Microsoft Shared Responsibility Model

In general, it’s the duty of the CSPs to maintain the overall security of the cloud infrastructure is there is a Managed Cybersecurity service in place. Meanwhile, customers are responsible for protecting their data within the cloud. However, when considering the specifics, the allocation of responsibility can differ depending on the cloud service type where the workload is hosted. This is either infrastructure as a service (IaaS), platform as a service (PaaS) or software as a service (SaaS). 

Infrastructure as a Service (IaaS)

IaaS is a delivery model where a vendor provides a suite of computing resources like virtualized servers, network equipment and storage over the internet. Under this model, businesses are responsible for the security of any elements they own or install on the cloud infrastructure, including operating systems, middleware, applications, containers, workloads, data and code. Notable examples of IaaS include Amazon Web Services (AWS) and Microsoft Azure.

Platform as a Service (PaaS)

PaaS is a cloud service model that allows users to create, run and manage applications without maintaining the required software. PaaS providers carry the burden of managing the runtime, middleware and operating systems. At the same time, the customers manage the data and applications. Popular examples of PaaS models include AWS Elastic Beanstalk and Adobe Commerce.

Software as a Service (SaaS)

SaaS is a cloud delivery model in which a CSP hosts a software application centrally, and subscribers can use the software over the internet. End-users typically access the software through a web browser or a client program without being aware of the underlying infrastructure or platform it’s built upon. SaaS providers handle all the necessary hardware and coding, which leaves the customer with no responsibilities except managing their data and account identities. Prominent examples include Gmail, Slack and Microsoft Office 365.

With an understanding of the shared responsibility model, you can now adopt the best practices to protect your data in the cloud. Nonetheless, let’s delve into the Microsoft 365 shared responsibility model.

Microsoft 365 Shared Responsibility Model

In an on-premises data center, the owner/user bares the entire operational burden. However, with the transition to cloud computing, specific responsibilities are transferred to Microsoft. The extent of the transfer is delineated in Microsoft’s shared responsibility model for cloud computing.

Microsoft’s Responsibilities

Irrespective of the delivery model of the cloud service, Microsoft invariably assumes responsibility for the following tasks:

  • Cloud infrastructure security – This involves three main areas: access control, application security and firewalls. Access management or control consists in preventing unauthorized users or devices from gaining access to the network. Application security is concerned with implementing configuration settings on hardware and software to safeguard against potential vulnerabilities. Firewalls serve as a gatekeeper for devices, controlling the entry and exit of specific traffic into and out of the network.
  • Management of hardware and network – This encompasses a range of activities, from procuring, installing, configuring, and maintaining the physical servers, storage devices and networking equipment that comprise the cloud platform to monitoring network performance, optimizing network traffic and implementing security controls to safeguard against cyber threats. In addition, Microsoft is responsible for protecting against connection outages between the cloud platform and the customer.
  • Data center security – This involves protecting data centers from cyber-attacks. It is done by monitoring the data center activity 24/7 to deliver point-in-time reactions to any suspicious activity. In addition, Microsoft conducts regular security assessments to ensure that the cloud security controls are adequate and meet compliance requirements.

Customer’s Responsibility

Regardless of the cloud service delivery model you choose, you are responsible for the following:

  • Data security and privacy – This involves keeping safe, backing up and private your login credentials and sensitive data. It includes establishing access control limits on who can view, modify or delete your data. Additionally, you must check that the cloud provider’s terms of service and privacy policies align with your organization’s policies and legal requirements.
  • Endpoints – As a cloud user, managing the devices (endpoints) that connect you to the cloud resource is your responsibility. You can accomplish this by installing firewalls and antivirus software to protect them from damage or cyber attack. It’s also your duty to check that your devices are compatible with the cloud-based service you are attempting to access.
  • Accounts and identities – This includes setting up your account with the correct contact information and authentication credentials, such as usernames and passwords, and taking the necessary access-based security measures offered by Microsoft, such as two-factor authentication. It also involves managing the information associated with your account, such as your name, email address and phone number, and ensuring that this information is up-to-date and accurate so that Microsoft can easily contact you if any issues arise.

Platform-Specific Responsibility

Depending on the cloud service type you choose, you and Microsoft may share different levels of responsibility for the following activities:

  • Operating system – The operating system (OS) is for identifying, configuring and enabling access to underlying computer hardware devices. Typically, Microsoft is responsible for managing the OS and ensuring that it’s secure, reliable and up-to-date. However, in an IaaS model, this responsibility is handled entirely by you.
  • Applications – A cloud application refers to software that performs processing and data storage operations between the client side and server side. In an IaaS model, the responsibility of managing apps lies entirely with the user, while in a SaaS model, it is the provider’s responsibility. In a PaaS model, however, this responsibility is shared between the provider and the user.

Talk to our experts in Microsoft 365 Managed Services

Do you need a proper Backup and Recovery strategy for Microsoft 365 Data? ne Digital Can Help!

Hopefully, you now have a solid understanding of the Microsoft shared responsibility model. If you’re considering opting for their SaaS services, the question in your mind is probably, “Which particular offering is best suited for me and my business and how do you keep proper backups?” 

Microsoft 365 may be the right fit for you and your business, being a highly versatile service with many functionalities, including spreadsheet, DBMS, and presentation packages, with 1TB of storage. 

Paying for the whole stack can be expensive and cost-inefficient. However, with a managed services provider, your service offering can be streamlined so that you only pay for what you need and ensure you fully utilize the power of each one of the Microsoft 365 services and applications.

At ne Digital, you are sure to get the mission-critical IT services your company needs. From IT Due Diligence and Cybersecurity to the most modern work-focused MSP services, including Microsoft 365 Managed Services and Azure Managed Services to help you overcome operational challenges and maintain efficiency while maximizing your ROI. So, why wait? Contact us today!

Topics: Microsoft 365

Related Articles

Based on this article, the following topics could spark your interest!

Active Directory vs. Azure AD, Do we nee...

We may never see this level of rivalry between two products ...

Read More
Why Migrate Your File Server to Azure

Cloud computing is a technology that enables businesses to h...

Read More
Top 10 Benefits of Azure Sentinel for Yo...

The downsides of managing your IT infrastructure without a s...

Read More