
What You Don't Know About the Cloud Shared Responsibility Model

You’ve heard me mention this cringeworthy comment before but bear with me for a moment. A consultant was explaining technology to a group of accounting professionals. His advice was to move from on-premises applications to the cloud. The reason – “When you’re in the cloud, they take care of it.”

Who “they” are and what “it” is were anyone's guess. Simply imagine the cloud as the happy place where accountants and their clients could do business without a care in the world. 

In the simplest terms, the cloud is nothing more than someone else’s server somewhere else. Instead of connecting to a server (another computer) that you can see and touch in your office (on-premises), the server is physically located somewhere else.

There's a natural but flawed assumption that because it's someone else's server, they take care of it. Not so.

Cloud Services Come in 3 Popular Flavors


1) SaaS (software as a service) where the vendor delivers hosted applications on a cloud server, often on a subscription basis. Think Dropbox, Box, O365, Google Workspace, Shopify, and QuickBooks Online.

2) PaaS (platform as a service) provides the technology platform for developing, testing, and deploying applications. The vendor provides both the hardware and software necessary to support the customer’s application development. 

3) IaaS (infrastructure as a service) includes a broad range of computing resources such as virtual servers, storage, and network equipment over the internet. Think Azure and AWS.

There is a common belief that because it’s someone else’s server, they take care of it. This is a flawed assumption that has significant consequences for you, your company, and your customers. 

The Shared Responsibility Model You Didn’t Know About

How many of you have ever read the Terms of Service or Terms of Use for one of your cloud services? It’s safe to say you haven’t. No shame. Few of us read service agreements.

Each of the three cloud categories carries with it a shared set of responsibilities between the customer (you) and the cloud service provider. The diagram below is a summary of who does what. 




What is immediately apparent is that you are responsible for protecting your data, the information you freely share with the cloud application, and managing secure user access. 

These are hefty responsibilities. 

The Truth About Cloud Backups

To make the burden even weightier, cloud providers do not back up your individual data.

You’re probably thinking, “But they say they have regular, redundant backups.” When you hear cloud providers say they perform sophisticated backups, be aware that these backups are for the sole purpose of restoring their entire infrastructure. It’s not about you.

Cloud providers cannot support granular customer data backups.

  • Your valuable data is dumped into an unorganized pile of all customer data.
  • They have no way of recovering or restoring your deleted, stolen, or lost data.
  • Their terms of service agreements state this clearly.

For example, read Shopify’s clear data policy:

“You are responsible for all activity and content such as photos, images, videos, graphics, written content, audio files, code, information, or data uploaded, collected, generated, stored, displayed, distributed, transmitted or exhibited on or in connection with your Account.”

Think about that for a minute.

  • If an employee inadvertently deletes your entire CRM data, it’s gone. Forever.

  • Stolen and then deleted financial data. Gone. Unrecoverable.

  • The implications are substantial.


Which Cloud Providers Use the Shared Responsibility Model?

The short answer: Most of them.

Here are 16 of the popular companies you rely on every day for your basic business services.

Box
O365
Slack
Zoom
WebEx
GitHub
Atlassian
Shopify
Dropbox
Salesforce
MailChimp
Microsoft Azure
QuickBooks Online
Adobe Creative Cloud
Google Cloud Platform
Amazon Web Services (AWS)

3 Things You Can Do

  1. Take ownership of your own data security, including setting up strong access control policies, using encryption, and regularly testing your applications for vulnerabilities.

  2. Understanding the level of responsibility for SaaS, PaaS, and IaaS and how these apply to your company is the first step. Then implement the proper security measures required to protect your data and information.

  3. Remember these 7 short takeaways:

    • Cloud providers maintain their underlying hardware, software, and networking infrastructure. 

    • Cloud providers patch vulnerabilities and apply updates only to their underlying software.

    • Cloud providers do not patch vulnerabilities or apply updates to any third-party applications you are running on their servers.

    • Cloud providers do not support the business applications you have deployed to the cloud.

    • Cloud providers do not manage your users’ access to your cloud applications.

    • Cloud providers do not protect your data from loss or damage.

    • Cloud providers do not provide data recovery and restore support.



About the Author

Linda Rolf is a lifelong curious learner who believes a knowledge-first approach builds valuable, lasting client relationships.

She loves discovering the unexpected connections among technology, data, information, people and process. For more than four decades, Linda and Quest Technology Group have been their clients' trusted advisor and strategic partner.