1.3. The Shared Responsibility Model
Who patches your Azure VMs? Who configures your firewall rules? Who encrypts your data? The answer depends on which cloud service model you're using—and getting it wrong leads to breaches.
💡 First Principle: Microsoft secures the cloud infrastructure; you secure what you put in it. The division shifts based on service model: with VMs (IaaS), you manage almost everything; with SaaS like Microsoft 365, Microsoft handles most security controls.
Consider renting an apartment versus staying in a hotel. In an apartment (IaaS), you're responsible for everything inside—furniture, locks, cleaning. The landlord handles the building's structure and common areas. In a hotel (SaaS), the hotel handles almost everything; you're just responsible for not leaving your valuables in plain sight. Azure services fall somewhere on this spectrum.
What breaks without understanding shared responsibility? Customers assume Microsoft handles security they're actually responsible for. VMs sit unpatched because "Microsoft manages Azure." Storage accounts are left public because "surely Microsoft wouldn't allow that by default." These misunderstandings cause breaches.