Cloud Computing and Shared Responsibility Model
Before the 20th century, a factory requiring electricity had to build and maintain its own power plant. This meant hiring engineers, purchasing coal, and attempting to predict exact power needs years in advance. Today, a factory simply connects to the municipal grid, flipping a switch to consume power instantly and paying only for what it uses. Information technology has recently undergone the exact same paradigm shift. For decades, organizations built their own physical datacenters to host applications and store data—a model requiring immense upfront capital and vast maintenance overhead. We have now transitioned to a utility model for computing, fundamentally altering not just how software is built, but how businesses finance, secure, and manage their entire technological footprint.

At its core, cloud computing is the delivery of computing services over the internet. Instead of purchasing hardware, powering it, and maintaining it in a back room, you are essentially renting access to a nearly infinite pool of resources hosted elsewhere.

When we talk about computing services delivered via cloud computing, we are not just talking about raw server space. The ecosystem includes servers, storage, databases, networking, software, analytics, and intelligence. You can rent a blank-slate virtual machine, a fully managed database that tunes itself using artificial intelligence, or a complete software suite ready for your marketing team to use immediately.
For business stakeholders—whether in finance, sales, or project management—the most profound impact of this shift is not technological. It is financial.
The Financial Physics: CapEx vs. OpEx
In the traditional datacenter model, if you wanted to launch a new application, you had to buy servers. This required a massive, upfront investment known as a Capital Expenditure (CapEx). You had to guess how successful your application would be. If you bought too few servers, your application would crash under high demand. If you bought too many, you wasted millions of dollars on hardware that sat idle.
Cloud computing providers typically use a pay-as-you-go pricing model. You only pay for what you consume, down to the minute or even the fraction of a second. This converts upfront capital expenditures (CapEx) into operational expenditures (OpEx). You no longer buy the servers; you pay a monthly operating cost for the computing power you actually used.
Why this matters to your daily reality: If a marketing campaign goes viral, cloud computing allows consumers to rapidly scale computing resources based on business demands. You can instantly spin up a hundred new servers to handle the traffic, and when the campaign ends the next day, you spin them back down and stop paying for them immediately.

When an organization moves from its own basement into the cloud, a critical question emerges: If a hacker breaches an application, whose fault is it? If a hard drive fails, who replaces it?
The answer lies in the shared responsibility model. This model dictates how security and management tasks are divided between the cloud provider (like Microsoft Azure) and the cloud consumer (your organization). It is the legal and operational framework that defines who is expected to do what.
To understand how this line is drawn, we must first look at the baseline. In an on-premises datacenter, the consumer owns the entire responsibility stack. You pour the concrete for the floor, you plug in the network cables, you install the operating system, you write the application code, and you reset the passwords. It is 100% your problem.
When you move to the cloud, you transfer some of those responsibilities to the cloud provider. However, the division of responsibility in a cloud environment depends heavily on the chosen cloud service type.
The Immovable Boundaries
Before we explore how the line of responsibility shifts, you must memorize the absolutes. No matter how you use the cloud, there are certain things the cloud provider will always do, and certain things the cloud consumer will always do.
The Cloud Provider ALWAYS retains responsibility for:
- The physical datacenter: The building, the security guards, the power, and the cooling.
- The physical network: The routers and fiber-optic cables connecting the physical racks.
- The physical computing hosts: The actual silicon CPU and RAM inside the physical servers.

(Notice a pattern? The provider always handles the physical reality of the hardware across all cloud service models.)
The Cloud Consumer ALWAYS retains responsibility for:
- Information and data: Microsoft will not classify your financial data or decide who is allowed to read it. If you accidentally delete your own database table, that is your responsibility.
- Mobile and personal computing devices: The laptops, phones, and tablets your employees use to access the cloud are yours to secure.
- Accounts and identities: You control who works for your company. If you give a disgruntled employee global administrator access, the cloud provider cannot prevent them from wreaking havoc.

(Notice the pattern here? The consumer always handles the data and the people across all cloud service models.)
Between the physical hardware (always the provider) and the data/people (always the consumer) lies the "middle ground"—the operating systems, the network configurations, and the applications. This is where responsibilities shift based on the service model you choose.
Think of this like housing. You can buy an empty plot of land and build a house yourself (IaaS), rent a furnished apartment where maintenance is handled for you (PaaS), or book a hotel room where even your bed is made daily (SaaS).

Infrastructure as a Service (IaaS)
In an IaaS model, you are renting the bare digital hardware (like a Virtual Machine). The provider ensures the physical server is running, but they hand you a blank slate.
- The Host Operating System: The cloud consumer manages the host operating system in an Infrastructure as a Service model. You must install the Windows or Linux updates and patch security vulnerabilities.
- Network Controls: The cloud consumer configures and manages network controls (like virtual firewalls and routing rules).
- Applications: The cloud consumer manages deployed applications. You install the software you want to run.
- Identity Infrastructure: The cloud consumer manages the identity and directory infrastructure (for example, setting up your own Active Directory domain controllers on those virtual machines).
Platform as a Service (PaaS)
In a PaaS model, you want to write code and deploy an application, but you don't want to worry about the underlying servers. You are renting an environment ready for your code.
- The Host Operating System: The cloud provider manages the host operating system in a Platform as a Service model. Microsoft patches the server behind the scenes; you never even see it.
- Applications: The cloud consumer still manages deployed applications. It is your custom code running on the platform.
- Network Controls: Responsibility for network controls is shared between the provider and consumer. Microsoft secures the underlying platform network, but you configure the access rules for your specific application.
- Identity Infrastructure: Responsibility for identity and directory infrastructure is shared between the provider and consumer. Microsoft provides the underlying identity service (like Microsoft Entra ID), but you configure the user permissions.
Software as a Service (SaaS)
In a SaaS model, you are renting a completed, fully functional application (like Microsoft 365, Salesforce, or an email provider). You don't manage code, servers, or operating systems. You just log in and use the software.
- The Host Operating System: The cloud provider manages the host operating system in a Software as a Service model.
- Applications: The cloud provider manages the underlying applications in a Software as a Service model. They fix the bugs and release new features.
- Network Controls: The cloud provider manages network controls.
- Identity Infrastructure: Responsibility for identity and directory infrastructure is shared between the provider and consumer. Just like PaaS, the provider runs the directory machinery, but you must still create user accounts and enforce rules like Multi-Factor Authentication (MFA).
The Shared Responsibility Matrix
To synthesize these concepts for the exam, visualize the shifting boundaries of management. Below is the definitive breakdown of who holds the keys at each layer:
| Component | On-Premises | IaaS | PaaS | SaaS |
|---|---|---|---|---|
| Information and Data | Consumer | Consumer | Consumer | Consumer |
| Devices (Mobile & PC) | Consumer | Consumer | Consumer | Consumer |
| Accounts & Identities | Consumer | Consumer | Consumer | Consumer |
| Identity & Directory Infrastructure | Consumer | Consumer | Shared | Shared |
| Deployed Applications | Consumer | Consumer | Consumer | Provider |
| Network Controls | Consumer | Consumer | Shared | Provider |
| Host Operating System | Consumer | Consumer | Provider | Provider |
| Physical Hosts | Consumer | Provider | Provider | Provider |
| Physical Network | Consumer | Provider | Provider | Provider |
| Physical Datacenter | Consumer | Provider | Provider | Provider |
When you review this topic, do not simply memorize the table. Understand the logic behind it. Microsoft cannot manage what it cannot see (your data), and you cannot manage what you cannot touch (their physical servers). Everything in between is simply a negotiation of how much engineering burden your organization wishes to carry versus how much you are willing to outsource to the cloud.
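
The matrix can also drive triage of security findings. The following is an added example, not part of the original page: it encodes the table's rows as data, routes constructed findings to whoever must act, and lists which layers change hands when a workload moves between service models. Asset names, issue text and function names are invented for illustration.

```python
MODELS = ("On-Premises", "IaaS", "PaaS", "SaaS")
C, S, P = "Consumer", "Shared", "Provider"

# Rows copied from the matrix on this page, in the column order of MODELS.
MATRIX = {
    "Information and Data":                (C, C, C, C),
    "Devices (Mobile & PC)":               (C, C, C, C),
    "Accounts & Identities":               (C, C, C, C),
    "Identity & Directory Infrastructure": (C, C, S, S),
    "Deployed Applications":               (C, C, C, P),
    "Network Controls":                    (C, C, S, P),
    "Host Operating System":               (C, C, P, P),
    "Physical Hosts":                      (C, P, P, P),
    "Physical Network":                    (C, P, P, P),
    "Physical Datacenter":                 (C, P, P, P),
}

def owner(layer, model):
    return MATRIX[layer][MODELS.index(model)]

def triage(findings):
    """Split findings into the consumer's work queue and provider escalations.
    Shared layers stay in the consumer queue: the consumer-side configuration
    (access rules, user permissions, MFA) is still the consumer's job."""
    queue, escalate = [], []
    for f in findings:
        who = owner(f["layer"], f["model"])
        (escalate if who == P else queue).append((f["asset"], f["issue"], who))
    return queue, escalate

def handoffs(src, dst):
    """Layers whose owner changes when a workload moves from src to dst."""
    return {l: (owner(l, src), owner(l, dst)) for l in MATRIX if owner(l, src) != owner(l, dst)}

# Constructed findings: asset names and issues are invented for this example.
FINDINGS = [
    {"asset": "vm-web-01", "model": "IaaS", "layer": "Host Operating System", "issue": "missing OS patches"},
    {"asset": "app-orders", "model": "PaaS", "layer": "Host Operating System", "issue": "missing OS patches"},
    {"asset": "app-orders", "model": "PaaS", "layer": "Network Controls", "issue": "access rule allows any source"},
    {"asset": "mail-tenant", "model": "SaaS", "layer": "Identity & Directory Infrastructure", "issue": "MFA not enforced"},
    {"asset": "mail-tenant", "model": "SaaS", "layer": "Information and Data", "issue": "unclassified financial data"},
]

if __name__ == "__main__":
    queue, escalate = triage(FINDINGS)
    print("Consumer must act:", queue)
    print("Raise with provider:", escalate)
    print("IaaS -> PaaS handoffs:", handoffs("IaaS", "PaaS"))
```

The same "missing OS patches" finding lands in the consumer queue on the IaaS virtual machine and in the provider escalation list on the PaaS application, which is the row of the matrix that most often surprises teams after a migration.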