Some questions regarding the Shared Responsibility Matrix of Azure

Najam ul Saqib 280 Reputation points
2024-09-11T08:25:06.91+00:00

Hi,

I am studying the shared responsibility matrix (SRM) on Azure and I have some confusions, I don't find the official documentation on this topic to be very helpful as many things are not explained properly in it.

User's image

  1. What exactly comes under the "Information and data" responsibility?
  2. If encryption comes under "Information and data", Microsoft claims that they uses encryption at rest in some of the resources, then why is it always responsibility of customer? Why isn't it a shared responsibility if Azure is encrypting data at rest.
  3. In services like Front Door, where SSL certificates are managed by Azure, isn't in this case "encryption at transit" comes under the responsibility of Azure?
  4. If Azure Storage, Azure VNet, Azure Load Balancer are examples of IaaS, how are customers responsible for managing the operating systems of these resources?
  5. Other than VM, and the ones I have mentioned above, can you give me more examples of IaaS on Azure?
  6. If Azure Storage comes under IaaS, then how Azure SQL is a PaaS? Aren't both used for storage of data (I know the type of data is different, but underlying cause is storage of data)?
  7. In the cases where, the responsibility is shared lets say in the case of "Identity and directory infrastructure" in SaaS and PaaS, how can one determine which responsibility is held by CSP and which by customer? Can you give some real world example?
  8. Is there any resource that can help with defining clear boundaries when the responsibility is shared?
  9. Can you explain the responsibility of "Devices"? What does it mean? Is it the devices that you use to access cloud? What is a customer's responsibility for devices when it comes to cloud? Do I need to protect them from getting stolen or what? I mean it's obvious that if its my mobile phone I need to protect it, Microsoft won't do so. Or is there something that I am missing?
  10. Is there any rule of thumb or some online directory that can help me determine which cloud service lies under which category? SaaS, IaaS, Paas? If I don't know as a customer if the app service I am using is a PaaS or an IaaS, I won't be able to protect it properly.

I have consulted some of the previously asked questions on this website, but they didn't answer my questions, but they included some useful information that helped me refine my questions so here they're:

  1. https://video2.skills-academy.com/en-us/answers/questions/1522007/seeking-guidance-on-cloud-service-responsibilities
  2. https://video2.skills-academy.com/en-us/answers/questions/1885460/where-can-i-find-detailed-information-about-the-sh
Azure Training
Azure Training
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.Training: Instruction to develop new skills.
1,523 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marcin Policht 22,130 Reputation points MVP
    2024-09-15T15:03:13.5666667+00:00
    1. What comes under "Information and data" responsibility?

    "Information and data" refers to the protection and management of customer-owned data. As a customer, you are responsible for:

    • Data classification: Deciding how to label and categorize data based on sensitivity.
    • Data access control: Ensuring that only authorized users have access to the data.
    • Data encryption: Even though Azure encrypts data at rest (which is a part of the shared responsibility), customers must ensure additional encryption mechanisms, manage encryption keys (depending on the service), and protect data in transit and in use.
    1. Why is encryption always the customer's responsibility?

    While Azure encrypts data at rest by default, the customer's responsibility involves managing keys (in certain cases), ensuring encryption in transit (for data moving between customer systems), and using additional encryption layers where necessary. This gives the customer control over how data is protected, regardless of Azure's infrastructure-level encryption.

    • Example: Azure Storage encrypts data at rest, but customers may choose to use their own keys (via Azure Key Vault) or implement further encryption at the application layer.
    1. In services like Front Door, where Azure manages SSL certificates, is encryption in transit Azure's responsibility?

    Yes, encryption in transit is Azure's responsibility when using services like Azure Front Door that manage SSL certificates for you. However, the customer is responsible for configuring and enforcing proper TLS policies or setting up custom certificates if desired.

    1. If Azure Storage, VNet, Load Balancer are IaaS, how are customers responsible for managing the operating systems?
    • Services like Azure Storage, Azure VNet, and Azure Load Balancer are IaaS, but they don’t require you to manage an OS. These services provide infrastructure capabilities without the need to manage underlying operating systems.
    • However, for VMs, customers are responsible for maintaining the OS (patching, updates, security) since it’s a full virtual machine that you control.
    1. More examples of IaaS on Azure?
    • Azure Virtual Machines (VMs)
    • Azure Virtual Network (VNet)
    1. Why is Azure Storage IaaS while Azure SQL is PaaS?

    The difference lies in the level of management:

    • Azure Storage provides raw storage infrastructure, making it an IaaS service. You manage the data, storage accounts, and permissions, but not the underlying storage hardware.
    • Azure SQL Database is a fully managed PaaS offering. Azure handles backups, patching, high availability, and performance tuning, leaving customers to focus solely on the data and application layer.
    1. In shared responsibilities (like Identity and directory infrastructure in SaaS and PaaS), how do we determine responsibilities?
    • Customer responsibility: Configuring user access, managing authentication policies (e.g., MFA), and enforcing least privilege principles.
    • Cloud Service Provider (CSP) responsibility: Running and maintaining the identity infrastructure (e.g., Azure Active Directory), ensuring the uptime and security of authentication services.
    • Example: In Azure AD, Microsoft is responsible for the availability and security of the Azure AD service itself, but customers are responsible for ensuring secure configurations, such as password policies and MFA enforcement.
    1. Resources for clear boundaries in shared responsibility?
    • Microsoft Documentation on the Shared Responsibility Model clearly defines responsibilities for IaaS, PaaS, and SaaS.
    • CIS Benchmarks: Helps customers implement best practices and provides security guidelines for cloud environments.
    1. What does "Devices" mean in SRM?
    • "Devices" refers to the physical or endpoint devices (like laptops, desktops, or mobile devices) that customers use to access cloud services.
    • The customer is responsible for securing these devices: ensuring that they are free of malware, using endpoint protection, and ensuring secure configurations (e.g., applying patches, encrypting storage).
    • Microsoft may offer tools (e.g., Microsoft Defender for Endpoint) to help secure your devices, but the ultimate responsibility for securing access devices falls on the customer.
    1. How to determine which service is IaaS, PaaS, or SaaS?
    • Rule of Thumb:
      • IaaS: You manage the infrastructure (e.g., VMs, storage), and the cloud provider manages the physical hardware.
      • PaaS: The cloud provider manages the infrastructure and platform (runtime, OS, middleware), while you manage the application and data.
      • SaaS: The provider manages everything (application, platform, infrastructure), and you only manage the data and how you interact with the service.
    • Azure Services Documentation: For specific services, Microsoft's documentation and Azure services comparison table can help you identify the service type.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.