The Shared Responsibility Model on model 7-identify-security-incidents needs to be reviewed.

rick halsell 0 Reputation points
2024-06-16T20:51:13.32+00:00

The Shared Responsibility Model on model 7-identify-security-incidents needs to be reviewed. It looks like the SaaS model puts all of the responsibility on the vendor because everything is in regular font. Data should be italicized for the SaaS model because it's the customer's responsibility.

This question is related to the following Learning Module

Azure Training

1 answer

  1. RDash 1,265 Reputation points Microsoft Vendor
    2024-06-24T10:59:09.33+00:00

    Hi rick halsell ,

    There’s quite a lot online that details this. Funnily enough, I was just watching this video, which you might find useful to depict what you’re after: https://youtu.be/nWmcWB_3jE0?si=kme2PMeBF9F6PlUY In a nutshell, though:

    IaaS - You’re going to be responsible for the virtual machine and its supporting components. A real example of this model that you would own as part of the shared responsibility is that you are expected to update and patch Windows with the latest updates and security patches; Microsoft would not do this for you. It’s on you.

    PaaS - Azure App Service Example - You won’t need to worry about patching the OS it runs on like in IaaS or any of the underlying infrastructure. However, you will be responsible for the code you deploy and run in the app and the settings on the app (misconfigurations etc.). E.g., if you expose the app to the internet when you don’t need to, or you’ve enabled FTP access to the app. That’s on you.

    SaaS - mostly the data that lives within this. Think, a password in plain text in a Word document that lives in your M365 tenant. Or maybe OneDrive organization settings allow external sharing to anyone. This is on you as a configuration of the apps who enabled or turned these features to less-than-ideal configurations.

    Hope these helped. If so, please mark as the accepted answer!

    If you find this information beneficial, please indicate your acknowledgment by clicking the "Upvote" and "Accept Answer" buttons on the post.
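The PaaS point in the answer above (FTP access and unneeded internet exposure on an App Service app are the customer's responsibility) can be checked mechanically. The following is an added example, not part of the original answer or of any Microsoft tooling: it audits constructed site records using the `ftpsState` and `publicNetworkAccess` property names from the Microsoft.Web/sites schema, and the flat record layout and function names are assumptions made for illustration.

```python
import json

# Constructed sample input (not real resources). Property names follow the
# Microsoft.Web/sites ARM schema; the flat layout here is an assumption.
SAMPLE_SITES = json.loads("""[
  {"name": "example-app-weak", "publicNetworkAccess": "Enabled", "ftpsState": "AllAllowed"},
  {"name": "example-app-ftps", "publicNetworkAccess": null, "ftpsState": "FtpsOnly"},
  {"name": "example-app-hardened", "publicNetworkAccess": "Disabled", "ftpsState": "Disabled"}
]""")


def customer_findings(site):
    """List customer-owned PaaS settings on one site that need attention."""
    findings = []
    ftps = site.get("ftpsState")
    if ftps == "AllAllowed":
        findings.append("plain FTP deployment is allowed (ftpsState=AllAllowed)")
    elif ftps == "FtpsOnly":
        findings.append("FTPS deployment is enabled; disable it if unused")
    elif ftps != "Disabled":
        findings.append(f"ftpsState is unset or unknown ({ftps!r}); verify it")
    # Anything other than an explicit "Disabled" is treated as internet-facing
    # (assumption made for this example).
    if site.get("publicNetworkAccess") != "Disabled":
        findings.append("app is reachable from the internet; confirm that is required")
    return findings


def audit(sites):
    """Map each site name to its findings, omitting sites with none."""
    report = {}
    for site in sites:
        found = customer_findings(site)
        if found:
            report[site["name"]] = found
    return report


if __name__ == "__main__":
    for name, found in audit(SAMPLE_SITES).items():
        for item in found:
            print(f"{name}: {item}")
```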
