Cloud, MSP, SLA, Service Models, and Shared Responsibility

Key Takeaways

  • Cloud security depends on service model, provider controls, customer configuration, identity, monitoring, and contracts.
  • SaaS, PaaS, and IaaS shift responsibility differently between provider and customer.
  • A service level agreement defines expected service commitments such as uptime, support, and remedies.
  • Managed service providers can operate controls, but the organization still needs governance and oversight.
  • Hybrid environments require consistent identity, logging, segmentation, and incident response across on-premises and cloud systems.

Last updated: April 2026

Cloud infrastructure changes who operates the equipment, but it does not remove security responsibility. A cloud provider may run the physical data centers, power, cooling, hardware, and core platform. The customer still makes decisions about identity, data, configuration, access, monitoring, and acceptable risk. The exact split depends on the service model.

SaaS, PaaS, and IaaS

Software as a service provides a complete application managed mostly by the provider. Examples include hosted email, collaboration platforms, customer relationship tools, and ticketing systems. The customer usually manages users, roles, data, settings, integrations, and monitoring. A SaaS provider may patch the application, but the customer can still create risk by giving every user administrative privileges or allowing weak authentication.

Platform as a service provides a managed platform for customer applications. The provider manages more of the operating system, runtime, database platform, or application hosting environment. The customer manages application code, data, identity, secrets, and configuration. A PaaS database may be patched by the provider, but the customer still decides whether it is exposed publicly and who can query it.

Infrastructure as a service provides virtual machines, networks, storage, and related building blocks. The provider manages the physical facilities and underlying hardware. The customer usually manages operating systems, patches, host firewalls, applications, identities, network security groups, and data. IaaS gives more control and more operational responsibility.

Shared Responsibility

Shared responsibility means provider and customer both have duties. It is not a slogan that says "the cloud provider handles security." In general, the provider secures the cloud infrastructure, while the customer secures what they put in the cloud and how they configure it. Misconfigured storage, overly broad identity permissions, exposed management ports, and missing logging are common customer-side risks.

Hybrid environments combine on-premises and cloud resources. A hybrid design may connect a data center to a cloud network with VPN or private connectivity. Security teams must think about routing, segmentation, identity federation, logging, key management, incident response, and data movement across both sides. An attacker who compromises a cloud identity may be able to reach on-premises systems if trust relationships are too broad.

SLA and MSP

A service level agreement defines expected service commitments. It may describe uptime, support response times, maintenance windows, notification requirements, performance targets, and remedies if commitments are not met. An SLA is not the same as perfect availability. Read what is covered, what is excluded, and what remedy exists.

A managed service provider operates services for a customer. An MSP may manage firewalls, endpoint tools, cloud environments, networks, or monitoring. Outsourcing operations does not outsource accountability. The customer still needs governance, contract review, access control, reporting, incident notification requirements, and periodic assessment of provider performance.

Practical Scenario

A company stores sensitive files in a SaaS collaboration platform. The provider patches the platform and maintains the data center, but a department shares a folder with anyone who has the link. That is a customer configuration and access governance problem. The right response is to review sharing settings, apply least privilege, enable MFA, monitor external sharing, and train data owners.

Another scenario: an IaaS virtual server is exposed to the internet with SSH open to all addresses and no patching process. The cloud provider may be operating the physical servers correctly, but the customer owns the virtual server configuration and operating system maintenance. A stronger design restricts management access to a VPN or jump host, uses MFA-backed identity, patches promptly, logs access, and segments workloads.
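An added example, not part of the original guide: a customer-side check for the second scenario that flags management ports reachable from every address. The rule format, rule names, and the choice of SSH and RDP as management ports are assumptions made for illustration, not any provider's API.

```python
import ipaddress
from collections import defaultdict

MGMT_PORTS = {22: "SSH", 3389: "RDP"}  # assumption: ports treated as management access

# Constructed inbound rules in a provider-neutral shape (not a real cloud API format).
SAMPLE_RULES = [
    {"id": "web-https", "proto": "tcp", "ports": (443, 443),   "cidr": "0.0.0.0/0"},
    {"id": "ssh-any",   "proto": "tcp", "ports": (22, 22),     "cidr": "0.0.0.0/0"},
    {"id": "ssh-vpn",   "proto": "tcp", "ports": (22, 22),     "cidr": "10.8.0.0/24"},
    {"id": "rdp-low",   "proto": "tcp", "ports": (3000, 4000), "cidr": "0.0.0.0/1"},
    {"id": "rdp-high",  "proto": "tcp", "ports": (3389, 3389), "cidr": "128.0.0.0/1"},
    {"id": "udp-any",   "proto": "udp", "ports": (22, 22),     "cidr": "::/0"},
]

def covers(rule, port):
    """True if the rule admits TCP traffic to `port` ('all' means every protocol and port)."""
    if rule["proto"] == "all":
        return True
    lo, hi = rule["ports"]
    return rule["proto"] == "tcp" and lo <= port <= hi

def world_open_findings(rules):
    """Return (service, port, ip_version, rule_ids) for management ports open to all addresses."""
    findings = []
    for port, service in sorted(MGMT_PORTS.items()):
        by_version = defaultdict(list)
        for rule in rules:
            if covers(rule, port):
                net = ipaddress.ip_network(rule["cidr"], strict=False)
                by_version[net.version].append((rule["id"], net))
        for version, group in sorted(by_version.items()):
            # Collapsing merges adjacent ranges, so two /1 rules are caught as one /0.
            merged = ipaddress.collapse_addresses(net for _, net in group)
            if any(net.prefixlen == 0 for net in merged):
                # Report only the widest rules; narrower ones are shadowed by them.
                ids = sorted(rid for rid, net in group
                             if not any(net != other and net.subnet_of(other)
                                        for _, other in group))
                findings.append((service, port, version, ids))
    return findings

if __name__ == "__main__":
    for finding in world_open_findings(SAMPLE_RULES):
        print(finding)
```

The VPN-only rule and the public HTTPS rule are not reported; the two half-range rules are reported together because their union covers every IPv4 address.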

For CC questions, identify the model first. SaaS gives the customer less infrastructure control but still requires identity and data governance. IaaS gives the customer more control and more direct security tasks. In every model, contracts, monitoring, and shared responsibility matter.

High-Yield Checkpoints

  • Cloud security depends on service model, provider controls, customer configuration, identity, monitoring, and contracts.
  • SaaS, PaaS, and IaaS shift responsibility differently between provider and customer.
  • A service level agreement defines expected service commitments such as uptime, support, and remedies.
  • Managed service providers can operate controls, but the organization still needs governance and oversight.
  • Hybrid environments require consistent identity, logging, segmentation, and incident response across on-premises and cloud systems.

Test Your Knowledge

In an IaaS model, which task is commonly the customer responsibility?

Test Your Knowledge

What does a service level agreement usually define?

Test Your Knowledge

A SaaS provider patches the application, but users share sensitive files publicly by mistake. Who usually owns correcting the sharing configuration?
