Shared Responsibility Model Policy

Document Version: 1.0
Effective Date: 23 February 2026
Owner: Cloud Security & Compliance Department

1. Purpose

This Shared Responsibility Model Policy defines the security, compliance, operational, and governance responsibilities between the Cloud Provider ("Provider") and the Cloud Customer ("Customer") for all cloud services delivered by the Provider.

This document ensures transparency regarding control ownership, accountability, and risk allocation within Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) environments.

2. Scope

This policy applies to:

  • All production, staging, and development cloud environments.
  • All customers consuming Provider-hosted services.
  • All Provider personnel and subcontractors involved in service delivery.

3. Shared Responsibility Overview

The shared responsibility model divides accountability between:

  • Security of the Cloud – Managed and controlled by the Provider.
  • Security in the Cloud – Managed and controlled by the Customer.

Responsibility allocation may vary depending on service model (IaaS, PaaS, SaaS). Customers remain accountable for regulatory compliance and lawful use of the services.

4. Responsibilities of the Cloud Provider

4.1 Physical Security

  • Data center physical access controls and surveillance.
  • Environmental safeguards (power, cooling, fire suppression).
  • Hardware lifecycle management and secure disposal.

4.2 Infrastructure Security

  • Hypervisor security and patch management.
  • Host operating system hardening (where applicable).
  • Network backbone protection and segmentation.
  • DDoS mitigation at the infrastructure perimeter.

4.3 Platform Security (for PaaS/SaaS)

  • Managed runtime patching and vulnerability remediation.
  • Secure configuration of managed services.
  • Service availability and resilience architecture.

4.4 Compliance & Certifications

  • Maintaining relevant industry certifications.
  • Undergoing regular third-party audits.
  • Providing compliance documentation upon request.

4.5 Monitoring & Incident Response

  • Infrastructure-level logging and monitoring.
  • Incident detection and response for Provider-managed systems.
  • Notification of security incidents affecting Customer environments.

4.6 Service Availability

  • Maintaining defined Service Level Agreements (SLAs).
  • Disaster recovery of core infrastructure components.

5. Responsibilities of the Cloud Customer

5.1 Identity & Access Management

  • Managing user identities and credentials.
  • Enforcing least-privilege access controls.
  • Implementing multi-factor authentication where appropriate.

5.2 Operating System & Application Security (IaaS)

  • Guest OS patching and hardening.
  • Application configuration and security updates.
  • Endpoint protection within virtual machines.

5.3 Data Protection

  • Data classification and handling policies.
  • Encryption of data at rest and in transit where required.
  • Backup configuration and data retention management.

5.4 Network Configuration

  • Security group and firewall rule configuration.
  • Virtual network segmentation.
  • Secure exposure of services to the internet.

5.5 Regulatory Compliance

  • Ensuring workloads comply with applicable laws and regulations.
  • Maintaining required audit evidence for Customer-controlled components.

5.6 Incident Response

  • Monitoring and responding to incidents within Customer workloads.
  • Reporting suspected security issues to the Provider promptly.

6. Responsibility Matrix by Service Model

  Layer                     IaaS        PaaS        SaaS
  ------------------------  ----------  ----------  ----------
  Physical Infrastructure   Provider    Provider    Provider
  Network Infrastructure    Provider    Provider    Provider
  Host Operating System     Provider    Provider    Provider
  Guest Operating System    Customer    Provider    Provider
  Application Runtime       Customer    Provider    Provider
  Applications              Customer    Customer    Provider
  Data                      Customer    Customer    Customer*

*While the Provider secures the SaaS application environment, Customers retain ownership and accountability for their data and access control.

7. Limitations

  • The Provider is not responsible for Customer misconfigurations.
  • The Provider is not liable for vulnerabilities introduced by Customer applications or third-party integrations.
  • Security is a joint effort requiring active participation from both parties.

8. Policy Review

This policy shall be reviewed annually or upon significant changes to the service architecture, regulatory requirements, or the threat landscape.

9. Contact Information

For questions regarding this policy, please contact:
Chief Information Security Officer
Email: ciso@cix.ie