IaaS
You manage more. With virtual machines, the cloud provider handles physical infrastructure, but you still manage the operating system, patches, apps, identity choices, and data.
Cloud security basics
Shared responsibility decides who secures what.
In cloud computing, security is not entirely Microsoft’s job and not entirely the customer’s job. The shared responsibility model explains where the line is.
Simple version
Microsoft secures the cloud. You secure what you put in the cloud.
That sentence is not perfect for every service, but it is the mental model beginners need. Microsoft is responsible for the physical datacenters, core infrastructure, and platform services it operates. Customers are responsible for their data, accounts, access choices, and many configuration decisions.
PaaS
Responsibility shifts toward the provider. You focus more on your application, data, users, and configuration while the provider manages the runtime and operating system.
SaaS
The provider manages most of the application stack. You still manage users, data, access, device hygiene, and how the service is configured for your organization.
Common exam trap
The customer is almost always responsible for data and identity.
Even when using SaaS, the customer still needs to manage who has access, protect sensitive data, use strong authentication, and make good configuration choices. Cloud does not remove responsibility — it changes where the responsibility sits.
- Do not assume Microsoft protects you from every bad configuration.
- Do not assume moving to cloud means patching, access control, and data protection disappear.
- Do remember that responsibility usually decreases from IaaS to PaaS to SaaS, but never reaches zero.
Practice-style examples
Check your understanding.
A company stores customer records in a cloud database. Who is responsible for deciding who can read that data?
The customer. The provider secures the underlying platform, but the customer controls access decisions, identities, roles, and data handling.
A team runs a virtual machine in Azure. Who is responsible for patching the guest operating system?
Usually the customer. A virtual machine is IaaS, so the customer has more responsibility than with PaaS or SaaS.
A company uses a SaaS email platform. Is the customer responsible for anything?
Yes. The provider runs the service, but the customer still manages users, data, access policies, device practices, and security settings.