Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

1.4.2. Shared Responsibility: Customer's Role

šŸ’” First Principle: The customer is always responsible for securing their own data, identities, and the configurations of the cloud services they consume, regardless of the service model (IaaS, PaaS, SaaS).

Scenario: You are designing a solution where a Virtual Machine hosts a legacy application that processes sensitive customer data. You need to explain to the customer that while Microsoft secures the underlying VM infrastructure, they are responsible for patching the VM's operating system and securing the application code.

The customer's responsibility in the Azure Shared Responsibility Model is for "security in the cloud." This means customers are responsible for the security of their data, applications, and configurations within the Azure environment.

Key Customer Responsibilities ("Security in the Cloud"):
  • Application Code: Securing your own application code, including input validation, secure coding practices, and protection against common vulnerabilities (e.g., OWASP Top 10).
  • Data Security: Data encryption (at rest and in transit), data integrity, and data classification for data stored in Azure Storage, Azure SQL Database, etc.
  • Identity and Access Management: Configuring Azure Active Directory (Azure AD) users, groups, and Role-Based Access Control (RBAC) policies for your applications and resources.
  • Network Configuration: Configuring Network Security Groups (NSGs), Azure Firewall, and Virtual Network (VNet) settings for your application's components.
  • Guest Operating System (for IaaS): Applying patches, security updates, and firewall configurations for the operating system running on Azure Virtual Machines.
  • Security Monitoring: Configuring Azure Monitor alerts and reviewing Azure Activity Logs and Resource Logs for your application.

āš ļø Common Pitfall: Neglecting to configure network security controls (like NSGs) for PaaS services that are integrated into a VNet. Even for managed services, you are responsible for the network configuration you apply.

Key Trade-Offs:
  • Flexibility vs. Responsibility: IaaS (like VMs) offers the most flexibility but also gives the customer the most security responsibility (e.g., OS patching). PaaS (like App Service) reduces responsibility but also offers less control over the underlying environment.

Reflection Question: How does a Solutions Architect's understanding of the customer's responsibility for "security in the cloud" (e.g., securing application code, encrypting data, configuring access controls) fundamentally influence the design of a secure and compliant Azure solution, even though Microsoft secures the underlying platform?