"The key to a successful security implementation in a cloud environment is understanding where your provider's responsibility ends, and where yours begins," a CloudPassage article stated.
The provider's responsibility depends in part on the cloud service model the customer chooses. While similar security protections may be offered under the infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS) models, each model places a different level of responsibility on the provider.
In the IaaS model, the provider is typically responsible for securing the physical elements of the cloud, such as the data centers and network infrastructure, as well as data storage and processing. In the PaaS model, the provider typically handles security for virtual machines and operating systems. SaaS providers carry the most security responsibility, managing everything except customer data and online customer touchpoints, such as websites and mobile apps. Facility security is also the provider's responsibility: it covers not only the data centers but also the buildings in which the provider's employees work, the employees themselves and third-party contractors.
Popular public cloud providers like Amazon Web Services (AWS) and Azure have their own security standards. AWS handles "protecting the hardware, software, networking, and facilities that run AWS Cloud services," while Azure secures "physical hosts, networks, and data centers," according to the CloudPassage article.