EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securitydeployment-modelsshared-responsibilityhybrid-cloud

Deployment Models & the Shared Responsibility Model

Public, private, community, hybrid — and who is actually responsible for what. The shared responsibility model is the contract that defines cloud security obligations for every workload.

Ashish Revar3 July 202611 min read1 views
Quick Bite

⚡ Quick Bite · 20s

API Security: The Cloud's Heartbeat

APIs are your biggest cloud security risk — rate-limiting and strong authentication as essential gatekeeping mechanisms for every endpoint.

Watch this 20-second summary before diving into the full article. Sign in to earn 5 leaderboard points.

Cloud Deployment Models

Where your cloud infrastructure lives determines your control, your compliance posture, and your attack surface.

Public Cloud

Infrastructure is owned and operated by a third-party provider and shared among multiple tenants. AWS, Azure, and GCP are public clouds. Capital expenditure drops to zero; operational expenditure scales with usage. The trade-off: you have no physical access and must trust provider security certifications (SOC 2, ISO 27001, FedRAMP).

Private Cloud

Dedicated infrastructure for a single organisation, either on-premises or hosted. OpenStack and VMware vSphere are common platforms. You control the hardware but absorb the full cost of capacity planning, maintenance, and security. Proxmox VE is used as the private-cloud platform in this course.

Community Cloud

Shared infrastructure among organisations with common concerns — a government cloud, a healthcare cloud. NIC MeghRaj (India) is a community cloud for government departments. Compliance requirements align; cost is shared.

Hybrid Cloud

A composition of two or more cloud models connected by technology that enables data and application portability. A hospital might keep patient records in a private cloud and use public cloud for burst compute. Security policies must span the boundary consistently.

Migration Approaches and Their Security Characteristics

StrategyDescriptionKey Security Risk
Rehost (Lift-and-shift)Move workloads to cloud VMs as-isLegacy vulnerabilities migrate unchanged
ReplatformMinimal changes to leverage managed servicesMisconfigured managed service settings
RefactorRedesign for cloud-native architectureLarger change surface during transition
RetireDecommission systemsIncomplete data deletion
RetainKeep on-premisesHybrid connectivity expands attack surface

The Shared Responsibility Model

The shared responsibility model defines what the cloud provider secures and what you must secure. It shifts depending on the service model.

LayerIaaSPaaSSaaS
Physical infrastructureProviderProviderProvider
Hypervisor / runtimeProviderProviderProvider
Operating systemCustomerProviderProvider
Application codeCustomerCustomerProvider
DataCustomerCustomerCustomer
Identity & accessCustomerCustomerCustomer
Network controlsSharedProviderProvider

The most common cloud breach pattern: A customer misunderstands the shared responsibility boundary and leaves a layer they own (usually data or identity) without adequate controls.

A Real Example: S3 Misconfiguration

An S3 bucket's access control is entirely the customer's responsibility. AWS secures the underlying storage hardware and provides the tools (bucket policies, ACLs, Block Public Access). When Capital One was breached in 2019, the attacker exploited an overly permissive IAM role — a customer responsibility, not AWS's. The provider was not liable.

Key Takeaway

Before deploying any workload to the cloud, map every component of your stack against the shared responsibility model. Document what you own. Treat provider-managed layers as trusted but not your problem to patch — and treat customer-managed layers as entirely your problem regardless of how the provider markets the service.

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Tech Talk EP 07 — The Hypervisor Is Your True Security Perimeter

Audio deep-dive covering NIST SP 800-145, the SPI stack, shared responsibility, deployment models, Type-1/2 hypervisors, and Spectre/Meltdown side-channel attacks. ~30 min.

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

AWS Shared Responsibility Model

Official AWS documentation defining the security responsibility boundary between AWS and the customer.

blog
AWS Shared Responsibility Model

Official AWS documentation defining the security responsibility boundary between AWS and the customer.

blog
Azure Shared Responsibility in the Cloud

Microsoft documentation on shared responsibility across IaaS, PaaS, and SaaS.

blog
Azure Shared Responsibility in the Cloud

Microsoft documentation on shared responsibility across IaaS, PaaS, and SaaS.

blog
NIST SP 800-144: Guidelines for Security in Public Cloud

NIST guidance on risk assessment, data portability, and incident response in public cloud.

paper
NIST SP 800-144: Guidelines for Security in Public Cloud

NIST guidance on risk assessment, data portability, and incident response in public cloud.

paper
AWS Migration Acceleration Program Security Guidance

Security considerations for each migration strategy: rehost, replatform, refactor, retire, and retain.

blog
AWS Migration Acceleration Program Security Guidance

Security considerations for each migration strategy: rehost, replatform, refactor, retire, and retain.

blog
More articlesTest your knowledge