The cloud security shared responsibility model is a way of describing how the security tasks and obligations are divided between the cloud service provider (CSP) and the customer, depending on the type of cloud service model used. The cloud service models are:
Software as a Service (SaaS): The CSP provides and manages the entire software stack, including the applications, data, runtime, middleware, operating system, virtualization, servers, storage, and networking. The customer only needs to access the software through a web browser or an application. The customer is responsible for managing their own data and identities, as well as configuring the security settings of the software. The CSP is responsible for everything else, including patching the operating system and the applications12
Platform as a Service (PaaS): The CSP provides and manages the platform layer, including the runtime, middleware, operating system, virtualization, servers, storage, and networking. The customer can deploy and run their own applications and data on the platform, using the tools and languages supported by the CSP. The customer is responsible for managing their own applications and data, as well as configuring the security settings of the platform. The CSP is responsible for patching the operating system and the middleware12
Infrastructure as a Service (IaaS): The CSP provides and manages the infrastructure layer, including the virtualization, servers, storage, and networking. The customer can provision and use virtual machines, containers, or bare metal servers, and install their own operating system, middleware, applications, and data. The customer is responsible for managing and patching their own operating system, middleware, applications, and data, as well as configuring the security settings of the infrastructure. The CSP is responsible for the physical security and availability of the infrastructure12
References := 1: Shared responsibility in the cloud - Microsoft Azure 2: Cloud security shared responsibility model - NCSC
