The Shared Responsibility Model is a fundamental concept in cloud computing that delineates the security and compliance responsibilities between the cloud service provider and the customer. This model is crucial for understanding how to maintain a secure and compliant cloud environment. In this article, we will explore the shared responsibility models of two major cloud platforms: Microsoft Azure and Salesforce.

Microsoft Azure’s Perspective

According to Microsoft Azure, the shared responsibility model varies depending on the type of cloud service—Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS). In an on-premises data center, you own the entire stack, but as you move to the cloud, some responsibilities transfer to Microsoft. Regardless of the deployment type, you always retain responsibilities for:

  • Data
  • Endpoints
  • Account
  • Access management

Azure emphasizes that the cloud offers significant advantages for solving long-standing information security challenges. By shifting day-to-day security responsibilities to the cloud provider, organizations can reallocate resources and budget to other business priorities.

Salesforce’s Perspective

Salesforce also takes security seriously and provides multiple security controls to mitigate risks. Their shared responsibility model clearly defines roles and responsibilities between the B2C Commerce platform and the customer. Responsibilities include:

  • Secure design and implementation of infrastructure, platform, and applications
  • Firewall rules management
  • Two-factor authentication (2FA)
  • Data isolation per tenant
  • Proactive code scans and pen tests
  • Third-party security assessments and audits

Customers are responsible for secure communication protocols, application-level access controls, 2FA on customer-managed interfaces, and continuous monitoring, among other things.

Where is Data Backup?

The surprise to many people is that data backup is not usually the job of the platform provider and that makes sense. In the days of on-premise servers, data backup was clearly outside the responsibility of the (OS) company. We all had backup systems in place so we could recover. Not much has changed with the cloud.

If you think about it, it’s not the job of Salesforce to look over the shoulder of the client and validate what they are doing. If you edit a record, they need to assume is that you wanted to record changed. While they could technically do it, being able to roll back changes is a massive overhead (cost) for them. That is a very good reason for the shared responsibility model.

Why Share Responsibilities?

Risk Mitigation

Sharing responsibilities allows for a more robust security posture. Cloud providers have the expertise and resources to handle security at the infrastructure level, allowing customers to focus on application-level security.

Resource Optimization

It enables organizations to optimize resources by offloading certain responsibilities to the cloud provider. This is especially beneficial for smaller organizations with limited in-house IT capabilities.


Both parties have a vested interest in ensuring compliance with industry standards and regulations. Shared responsibility ensures that both the cloud provider and the customer are accountable for maintaining a compliant environment.


The shared responsibility model is a collaborative approach to cloud security. While the specifics may vary between Microsoft Azure and Salesforce, the underlying principle remains the same: both the cloud provider and the customer have roles to play in ensuring a secure and compliant cloud environment.

Thought-Provoking Questions

  1. How does the shared responsibility model affect your organization’s cloud strategy?
  2. Are there any challenges in implementing the shared responsibility model in a multi-cloud environment?
  3. How can organizations ensure they are fulfilling their part of the shared responsibility model?

By understanding and implementing the shared responsibility model, organizations can better navigate the complexities of cloud security, ensuring a more secure and compliant cloud environment.

Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.

Paul Bergman
Follow me