Cloud Service Models

... a comparison between the big cloud providers.

A cloud service model defines how computing resources are delivered to users and how responsibilities are divided between the customer and the cloud provider. Each model shifts a different portion of operational and security duties to the provider, allowing organizations to choose the level of control, flexibility, and management effort that best fits their needs.

In this post, we’ll explore the primary cloud service models — from traditional on-premises environments to SaaS — and see how the balance of responsibilities shifts. We will then dive into how the three major cloud providers (AWS, Azure, and Google Cloud) interpret and implement the Shared Responsibility Model.

Cloud Service Models

  • Traditional On-Premises - Everything is managed in-house: hardware, networking, operating systems, applications, and data. This offers maximum control but requires significant effort, time, and expertise. Deployments can take weeks or even months.
  • Infrastructure as a Service (IaaS) - The cloud provider manages the physical hardware, storage, networking, and virtualization layers. Customers manage operating systems, applications, data, and configurations. Deployments are dramatically faster, typically hours or minutes instead of weeks.
  • Platform as a Service (PaaS) - The provider manages everything up to the application platform — infrastructure, OS, runtime, and middleware. Customers focus only on applications and data. Deployments are reduced to minutes or even seconds.
  • Software as a Service (SaaS) - The provider handles nearly everything, including infrastructure, platforms, and applications. Customers are responsible only for their data, settings, and user access. Deployment is nearly instantaneous — often seconds or milliseconds.
[Figure: Cloud Service Models]

Shared Responsibility Model

Cloud service models form the foundation of every provider’s Shared Responsibility Model. This model clarifies which security, compliance, and operational tasks are handled by the provider and which remain the customer’s responsibility.
  • Provider responsibility: Security of the cloud, such as physical infrastructure, global networks, and data center security.
  • Customer responsibility: Security in the cloud, such as identity management, application security, and data protection.

The exact division of tasks depends heavily on the chosen service model: the more managed the service (moving toward SaaS), the less the customer must do.
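The division described above can be turned into a small coverage check. This is an added example, not code from the original post: the linear layer stack, the `access` layer, the rule that everything above the cut-off belongs to the customer, and the sample inventory are assumptions made for illustration.

```python
# Layers ordered bottom to top; names follow the post's service-model list.
# Treating the stack as strictly linear is a simplifying assumption.
STACK = ["hardware", "storage", "networking", "virtualization",
         "os", "runtime", "middleware", "application", "data", "access"]

# Lowest layer the customer still owns under each model (per the post).
FIRST_CUSTOMER_LAYER = {"on_prem": "hardware", "iaas": "os",
                        "paas": "application", "saas": "data"}


def customer_layers(model):
    """Return the layers the customer must secure under a service model."""
    if model not in FIRST_CUSTOMER_LAYER:
        raise ValueError(f"unknown service model: {model!r}")
    return STACK[STACK.index(FIRST_CUSTOMER_LAYER[model]):]


def review(workload):
    """Compare a team's documented controls with what the model requires."""
    owned = customer_layers(workload["model"])
    documented = set(workload["controls"])
    known = documented & set(STACK)
    return {
        "name": workload["name"],
        # Customer-owned layers with no documented control: real gaps.
        "gaps": [layer for layer in owned if layer not in documented],
        # Controls on provider-run layers: the workload may be misclassified.
        "provider_side": sorted(known - set(owned), key=STACK.index),
        # Labels that match no layer at all, usually typos in the inventory.
        "unknown": sorted(documented - known),
    }


# Constructed sample inventory (hypothetical workload names).
INVENTORY = [
    {"name": "billing-vm", "model": "iaas",
     "controls": ["os", "application", "data", "access"]},
    {"name": "orders-api", "model": "paas",
     "controls": ["os", "application", "data"]},
    {"name": "crm", "model": "saas", "controls": ["data"]},
]


def report(inventory):
    """Review every workload in the inventory."""
    return [review(workload) for workload in inventory]


if __name__ == "__main__":
    for row in report(INVENTORY):
        print(row)
```

A non-empty `provider_side` entry is worth a second look: either the team is spending effort on a layer the provider already runs, or the workload is really closer to IaaS than its label says.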

AWS Shared Responsibility Model

AWS expands the generic model by introducing detailed layers such as encryption, network protection, and firewall configuration. These layers are intentionally arranged differently depending on the service model. For example, responsibility for network traffic protection shifts:
  • In IaaS, customers must manage server-side encryption, operating systems, and network-level protections. A typical IaaS example on AWS is Amazon EC2 (Elastic Compute Cloud).
  • In SaaS, customer responsibilities are limited to managing data, client-side encryption, and access. Examples include Amazon S3 (object storage) and Amazon DynamoDB (managed NoSQL database).

[Figure: (Simplified!) AWS Shared Responsibility]

Azure Shared Responsibility Model

Azure’s model defines layers slightly differently, but the core principle remains the same: customer responsibility decreases from IaaS to PaaS to SaaS. Microsoft always manages the physical layers: datacenters, hosts, and core networking. Customers are always responsible for securing their data, identities, and devices. In the middle layers, the degree of responsibility varies. A good example is the Identity and Directory Infrastructure:
  • Microsoft operates the platform service (Azure AD / Entra ID), ensuring uptime and security.
  • Customers configure their tenant, manage users and groups, and define conditional access and security policies.

[Figure: (Simplified!) Azure Shared Responsibility]

GCP Shared Responsibility Model

Google Cloud’s model follows the same SaaS–PaaS–IaaS structure but breaks layers down more granularly than AWS or Azure. For instance, in the hardware layer, GCP explicitly includes elements like audit logging and a hardened kernel. This doesn’t imply other providers lack these features; it simply reflects differences in presentation. As with other cloud providers:
  • GCP is responsible for the underlying infrastructure, global network, and platform security.
  • Customers remain responsible for their data, access controls, and configurations.

And like AWS and Azure, the closer a workload is to SaaS, the fewer responsibilities fall to the customer.

[Figure: (Simplified!) GCP Shared Responsibility]

The shared responsibility models shown here are, of course, simplified. If you’re planning to use any of these cloud services, it’s definitely worth taking a closer look at the official models from each provider. You can find the links to them below.

AWS Shared Responsibility Model

GCP Shared Responsibility Model

Azure Shared Responsibility Model