Cloud Security / Shared Responsibility Model
Domain 5 — Protection of Information Assets
Definition
The shared responsibility model defines which security controls are managed by the cloud provider and which are managed by the customer. Generally, the provider secures the infrastructure (physical security, network, hypervisor) while the customer secures their data, user access, and configurations (IAM, encryption, network policies). IS auditors evaluate cloud deployments by reviewing contract terms, provider certifications (SOC 2, ISO 27001), data residency clauses, and customer-side controls.
Real-World Audit Scenario
I audited a startup that migrated their customer database to AWS without changing any default security settings. Their S3 bucket containing 500,000 customer records with PII was set to "public" — and they did not know. I discovered it during a routine review of their cloud security architecture. The bucket had been publicly accessible for 47 days. The root cause was a misunderstanding of the shared responsibility model: they assumed AWS would secure the data, but AWS only secures the infrastructure — data-level security is the customer's responsibility.
Common Exam Trap
When the exam asks about cloud audit, remember: the customer is always responsible for data classification, encryption of data at rest and in transit, and user access management. The provider secures the physical and virtual infrastructure. A control gap in data encryption is the customer's issue, not the provider's.
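The scenario and the exam trap above both come down to one question an auditor must answer for each storage resource: are the customer-side controls (public access settings, ACLs, bucket policy, default encryption) actually configured, or were the defaults left alone? The script below is an added example, not code from the study note or from AWS: it evaluates a bucket configuration supplied as plain dicts in the shape the S3 API returns (GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy, GetBucketEncryption) and reports the gaps that are the customer's responsibility. The two sample buckets, the account id, role name and bucket name are constructed, so it runs offline without credentials.

```python
"""Added example, not from the study note: a customer-side audit check for the
kind of S3 misconfiguration described in the scenario. Inputs are plain dicts
in the shape the S3 API returns; the sample buckets are constructed so the
script runs offline with no AWS credentials."""

# Grantee URIs that make an ACL grant public (these are real S3 group URIs).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal):
    """True for the wildcard principals that make a policy statement public."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket(bucket):
    """Return {'public': bool, 'findings': [...]} for one bucket configuration.

    Exposure is judged on the effective combination of controls: a public ACL
    grant is neutralised by IgnorePublicAcls, a public policy statement by
    RestrictPublicBuckets. Missing settings are still reported as findings
    because they are the customer-side controls an auditor expects to see."""
    findings = []
    public = False
    pab = bucket.get("public_access_block") or {}

    # Public Access Block: every setting should be on unless justified.
    for setting in PAB_SETTINGS:
        if not pab.get(setting, False):
            findings.append(f"PublicAccessBlock.{setting} is not enabled")

    # ACL grants to the AllUsers / AuthenticatedUsers groups.
    for grant in (bucket.get("acl") or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
            if not pab.get("IgnorePublicAcls", False):
                public = True

    # Bucket policy statements that allow any principal without a condition.
    for stmt in (bucket.get("policy") or {}).get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and principal_is_public(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(
                f"bucket policy allows {stmt.get('Action')} to any principal")
            if not pab.get("RestrictPublicBuckets", False):
                public = True

    # Encryption at rest is the customer's control, per the exam trap above.
    if not (bucket.get("encryption") or {}).get("Rules", []):
        findings.append("no default server-side encryption configured")

    return {"public": public, "findings": findings}


# Constructed sample: defaults never changed, ACL set to public-read.
LEAKY_BUCKET = {
    "public_access_block": None,
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
    "policy": None,
    "encryption": None,
}

# Constructed sample: block enabled, private ACL, least-privilege policy, SSE-KMS.
HARDENED_BUCKET = {
    "public_access_block": {s: True for s in PAB_SETTINGS},
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"},
    ]},
    "policy": {"Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }]},
    "encryption": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}},
    ]},
}

if __name__ == "__main__":
    for name, cfg in (("leaky", LEAKY_BUCKET), ("hardened", HARDENED_BUCKET)):
        result = audit_bucket(cfg)
        print(name, "PUBLIC" if result["public"] else "private")
        for finding in result["findings"]:
            print("  -", finding)
```

Running it prints six findings for the leaky bucket (four missing Public Access Block settings, the AllUsers READ grant, and no default encryption) and marks it public, while the hardened bucket produces no findings. In a real engagement the dicts would come from the S3 API responses of the same names; the evaluation logic is unchanged.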