CCSP and the Shared Responsibility Model in Cloud Security
May 4, 2026
If there is one concept that sits at the centre of the CCSP exam and of real cloud security, it is the shared responsibility model. The cloud provider secures some of the stack; you secure the rest; and the line between the two moves depending on the service model. Misjudge that line and you end up with unsecured assets you assumed someone else was covering.
The principle
In traditional on-premises IT, you owned everything from the physical building to the application. In cloud, the provider takes over the lower layers — and how much depends on the service model:
- IaaS (Infrastructure as a Service) — the provider secures the physical facilities, hardware, and virtualisation layer. You secure the operating system, runtime, middleware, applications and data. This is where the customer retains the most control and the most responsibility.
- PaaS (Platform as a Service) — the provider also operates the OS, runtime and middleware. You secure your applications and your data, and you manage identities and access.
- SaaS (Software as a Service) — the provider runs almost the entire stack. You are still responsible for your data, your user access, and your configuration choices.
What never leaves you
Notice the constant across all three models: your data and your identities are always your responsibility. No service model outsources accountability for the data you put into the cloud or for who you grant access to it. This mirrors a principle that runs through every risk certification — you can transfer operational responsibility to a provider, but you cannot transfer your accountability to regulators or customers for that data.
The configuration trap
The majority of real cloud breaches are not provider failures; they are customer misconfigurations — a storage bucket left public, an over-permissive identity policy, a database exposed to the internet. These sit squarely on the customer side of the line in every model. The shared responsibility model is not just an exam diagram; it is a checklist of what you must actively secure even when "the cloud provider handles security."
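As an added example (not part of the original post), here is a small Python checker for the three customer-side misconfigurations just named, run over constructed AWS-style documents: a bucket policy, an identity policy and a security group. The field names follow the AWS document shapes; the sample values are made up for illustration.

```python
import ipaddress

# Constructed AWS-style samples (assumption: illustrative shapes, not from any real account).
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SECURITY_GROUP = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 27017: "MongoDB"}

def _as_list(value):  # policy fields may be a single string or a list of strings
    return value if isinstance(value, list) else [value]

def bucket_is_public(policy):
    """True if an Allow statement names the anonymous principal ('*' or {"AWS": "*"})."""
    for s in policy.get("Statement", []):
        principal = s.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict)
                                         and "*" in _as_list(principal.get("AWS", [])))
        if s.get("Effect") == "Allow" and anonymous:
            return True
    return False

def policy_is_over_permissive(policy):
    """True if an Allow statement pairs a wildcard action with a wildcard resource."""
    return any(s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action", []))
               and "*" in _as_list(s.get("Resource", []))
               for s in policy.get("Statement", []))

def exposed_db_ports(group):
    """Database ports that some rule opens to every address (a 0-length prefix, v4 or v6)."""
    exposed = set()
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # absent = all ports
            exposed.update(p for p in DB_PORTS if lo <= p <= hi)
    return sorted(exposed)

def customer_side_findings(bucket_policy, identity_policy, security_group):
    """The three misconfigurations named in the text; each is the customer's to fix."""
    findings = []
    if bucket_is_public(bucket_policy):
        findings.append("storage bucket readable by anonymous principals")
    if policy_is_over_permissive(identity_policy):
        findings.append("identity policy allows every action on every resource")
    for port in exposed_db_ports(security_group):
        findings.append(f"{DB_PORTS[port]} port {port} reachable from the whole internet")
    return findings
```

Every finding the checker reports lands on the customer side of the line regardless of service model, which is the point of the paragraph above: nothing here is the provider's to fix.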
Applying it
For each cloud service you adopt, draw the line explicitly: list what the provider attests to (read their compliance documentation and shared-responsibility matrix) and list everything above that line. Everything above the line needs your controls, your monitoring, and your inclusion in the risk register. On the CCSP exam, when a question describes a breach or a control gap, your first move is to locate the failure relative to the responsibility line — that almost always reveals who should have prevented it.