Describe cloud computing
📘 Microsoft Certified: Azure Fundamentals (AZ-900)
1. What Is the Shared Responsibility Model?
The Shared Responsibility Model defines how security and compliance responsibilities are divided between:
- Microsoft (the cloud provider)
- You (the customer/organization using Azure services)
In cloud computing, Microsoft does not take full responsibility for everything, and customers do not handle everything either.
Instead, the responsibilities change depending on the cloud service model:
- IaaS – Infrastructure as a Service
- PaaS – Platform as a Service
- SaaS – Software as a Service
Understanding which tasks belong to Microsoft and which belong to the customer is critical for the AZ-900 exam.
2. Why Does the Shared Responsibility Model Exist?
In traditional on-premises environments, your organization is responsible for everything:
- Servers
- Networking
- Security
- Operating systems
- Applications
- Data
But in cloud computing, Microsoft provides parts of the stack.
The shared responsibility model ensures:
- Security responsibilities are clearly defined
- Roles are not confused
- Both sides understand what they must protect
3. High-Level Overview: Who Handles What?
Microsoft is responsible for:
“Security of the cloud”
Meaning Microsoft secures everything that supports cloud services, including:
- Physical datacenters
- Physical servers and storage
- Networking hardware
- Virtualization layer
- Physical security and access control
Examples in IT context:
- Protecting Azure datacenters from unauthorized physical access
- Maintaining and patching the host machines
- Ensuring power supply and cooling for hardware
- Securing the global Azure network that connects regions
Customer is responsible for:
“Security in the cloud”
Meaning the customer secures the resources they deploy or configure, such as:
- Data stored in Azure
- Identities and access (Azure AD accounts, MFA)
- Applications
- Operating systems (in IaaS)
- Network configuration (firewalls, NSGs)
- Encryption settings
Examples in IT context:
- Setting strong access controls for Azure users
- Configuring firewalls and network security groups (NSGs)
- Protecting virtual machines by installing updates
- Managing keys in Azure Key Vault
- Setting up backup and recovery policies
4. Shared Responsibility Across Service Models (IaaS, PaaS, SaaS)
A. IaaS – Infrastructure as a Service
You manage the most; Microsoft manages the least.
Microsoft manages:
- Physical servers, storage, networking
- Virtualization
- Datacenter security
Customer manages:
- Virtual machines (OS updates, OS security)
- Network controls (NSGs, firewalls)
- Applications deployed on VMs
- Data and access permissions
- Identity security (MFA, conditional access)
IT example:
If you deploy a Windows Server virtual machine, you must:
- Install OS patches
- Configure antivirus
- Secure RDP access
B. PaaS – Platform as a Service
Microsoft manages more of the environment.
Microsoft manages:
- Full platform (runtime, OS, middleware)
- Infrastructure components
- Datacenter and physical security
Customer manages:
- Data
- Application code
- Access and identity control
- Configuration settings
IT example:
If you deploy an Azure Web App:
- Microsoft patches the underlying OS and runtime
- You handle application updates and user access policies
C. SaaS – Software as a Service
Microsoft manages almost everything.
Microsoft manages:
- Application software
- Platform
- Infrastructure
- Datacenter
Customer manages:
- Data inside the application
- User access and identity management
- Some configuration settings
IT example:
Using Microsoft 365:
- Microsoft maintains the software (Outlook, SharePoint, Teams)
- You configure user permissions and protect your data in the service
5. Shared Responsibilities (Both Cloud Provider + Customer)
There are areas where both sides have responsibilities.
For AZ-900, these commonly include:
✔️ Security controls
Microsoft provides basic security features; customers must configure them.
✔️ Network protection
Microsoft secures the physical network; customers configure:
- Virtual networks
- NSGs
- Firewalls
✔️ Identity and Directory infrastructure
Microsoft provides Azure AD; customers enforce:
- MFA
- Password policies
- Role-based access control (RBAC)
✔️ Patching (depends on model)
- Microsoft patches host OS and infrastructure
- Customers patch guest OS in IaaS
6. Visual Summary Table (Exam-Friendly)
| Area | Microsoft | Customer |
|---|---|---|
| Datacenter, Physical Security | ✔️ Full responsibility | ❌ |
| Hardware, Servers, Network Devices | ✔️ | ❌ |
| Virtualization Layer | ✔️ | ❌ |
| Operating System (IaaS VM) | ❌ | ✔️ |
| Operating System (PaaS/SaaS) | ✔️ | ❌ |
| Applications | ❌ (IaaS/PaaS) / ✔️ (SaaS) | ✔️ (IaaS/PaaS) / ❌ (SaaS) |
| Data | ❌ | ✔️ Always |
| Identities & Access | ❌ | ✔️ Always |
| Encryption settings | ❌ | ✔️ |
| Network traffic rules | ❌ | ✔️ |
Key exam point:
Customers always own and protect their data and identities—no matter the service model.
7. Important Exam Tips for the Shared Responsibility Model
🔹 “Security of the cloud” = Microsoft
Focuses on the infrastructure running Azure services.
🔹 “Security in the cloud” = Customer
Focuses on what the customer deploys and configures.
🔹 Data and identities always belong to the customer
This is a commonly tested AZ-900 concept.
🔹 Customer responsibility decreases from IaaS → PaaS → SaaS
The more managed the service, the less the customer must secure.
🔹 Misconfigurations are still the customer’s responsibility
If a customer sets weak access rules, Microsoft is not responsible.
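The customer-side duties named above (securing RDP access on an IaaS VM, and owning any weak access rules) can be checked mechanically. The following Python code is an added example, not part of the original study guide: it evaluates NSG rules, in the flattened JSON shape that `az network nsg rule list` prints, in priority order and reports management ports left open to the whole internet. The sample rules, their names and the helper function names are constructed for illustration.

```python
import json

# Constructed sample in the flattened shape printed by `az network nsg rule list`.
# Rule names and address ranges are made up for illustration.
SAMPLE_RULES = json.loads("""[
  {"name": "allow-rdp-any", "priority": 300, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
  {"name": "deny-ssh", "priority": 100, "direction": "Inbound", "access": "Deny",
   "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
  {"name": "allow-mgmt-range", "priority": 200, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRanges": ["20-25", "443"]},
  {"name": "allow-rdp-office", "priority": 400, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"}
]""")

ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}   # prefixes that cover the whole internet
MGMT_PORTS = {3389: "RDP", 22: "SSH"}         # management ports the customer must protect

def port_matches(rule, port):
    # A rule carries either a single range string or a list of ranges.
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    for r in ranges:
        lo, _, hi = r.partition("-")
        if r == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def from_internet(rule):
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    return any(s.lower() in ANY_SOURCE for s in sources)

def exposed_mgmt_ports(rules):
    # NSG rules are processed lowest priority number first; the first
    # internet-wide rule that matches the port decides allow or deny.
    inbound = sorted((r for r in rules if r["direction"].lower() == "inbound"),
                     key=lambda r: r["priority"])
    findings = []
    for port, label in MGMT_PORTS.items():
        for rule in inbound:
            if (rule["protocol"].lower() in ("tcp", "*") and from_internet(rule)
                    and port_matches(rule, port)):
                if rule["access"].lower() == "allow":
                    findings.append((label, port, rule["name"]))
                break
    return findings
```

On the sample, RDP is reported through `allow-rdp-any`, while SSH is not, because the higher-priority `deny-ssh` rule is evaluated before the broad `allow-mgmt-range` rule.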
8. Why This Model Matters for Real IT Environments
Organizations use the shared responsibility model to:
- Understand security gaps
- Ensure proper configuration of workloads
- Avoid assuming Microsoft handles everything
- Assign internal teams to manage cloud assets
- Ensure compliance with regulations
In IT operations, this model helps clearly divide tasks between Microsoft and internal teams.
Final Summary
The Shared Responsibility Model in Azure defines which security and management duties are handled by Microsoft and which are handled by the customer. Microsoft protects the cloud infrastructure, while customers protect their data, identities, and configurations. Responsibilities depend on the service model (IaaS, PaaS, SaaS), with customer responsibility decreasing as the level of managed service increases.
Mastering this concept is essential for the AZ-900 exam.
