Reading time:
3 min

What is the Shared Responsibility Security Model?

In the days of on-premises software, IT was responsible for securing every application layer. That all changed with the cloud and SaaS, leading to the creation of the Shared Responsibility Security Model. Here are some security duties performed by IT in the on-premises days are handled by the Cloud/SaaS provider, while other security functions are the RESPONSIBILITY of IT.

“For SaaS solutions, a vendor provides the application and abstracts customers from the underlying components. Nonetheless, the customer continues to be accountable; they must ensure that data is classified correctly, and they share a responsibility to manage their users and end-point devices,” Microsoft argued.

Let’s let Microsoft explain the concept further. “As organizations consider and evaluate public cloud services, it is essential to explore how different cloud service models will affect cost, ease of use, privacy, security and compliance. It is equally important that customers consider how security and compliance are managed by the cloud solution provider (CSP) who will enable a safe computing solution. In addition, many organizations that consider public cloud computing mistakenly assume that after moving to the cloud their role in securing their data shifts most security and compliance responsibilities to the CSP,” the software giant explained in its Shared Responsibilities for Cloud Computing  white paper. “Cloud providers by design should provide security for certain elements, such as the physical infrastructure and network elements, but customers must be aware of their own responsibilities. CSPs may provide services to help protect data, but customers must also understand their role in protecting the security and privacy of their data. The best illustration of this issue involves the poor implementation of a password policy; a CSP’s best security measures will be defeated if users fail to use complex or difficult-to-guess passwords.”

Identity and Access Management Still in IT’s Hands

While IaaS requires IT do nearly enough to protect the cloud environment as on-premises, since IaaS is really raw computing infrastructure, high level cloud platforms like SaaS require a bit less heavy lifting. “In PaaS and SaaS solutions, Identity & access management is a shared responsibility that requires an effective implementation plan that includes configuration of an identity provider, configuration of administrative services, establishing and configuration of user identities, and implementation of service access controls. Additional considerations that should be considered are the use of two-factor authentication, role-based access control, just-in-time administrative controls, and monitoring and logging of both users and control points,” Microsoft pointed out.

The chart below shows what areas of security IT must handle at each level of the cloud services stack.

Shared Responsibility Security Model chart

How CoreView Fills in the Shared Responsibility Blanks

As you can see below, for proper M365 security IT has plenty to keep them busy. Fortunately, this is precisely where CoreView shines. CoreView helps:

  • Establish and enforce security policies
  • Provide true Least Privilege Access
  • Conduct deep forensics and auditing around security issues
  • Automates M365 admin tasks
  • Reports on critical aspects of M365 security
Microsoft Shared Security Model​ - CoreView Extends


CoreView offers deep Microsoft 365-specific security protection, governance and compliance. Learn how we help with a personalized CoreView demo.


See how CoreView can help you with this

Learn more about securing and optimizing your M365 and other SaaS applications.

Related resources