The shared responsibility model (SRM) plays a central role in defining how security and operational duties are split between cloud providers and their customers. However, when this model intersects with service level agreements (SLAs), it introduces layers of complexity.
SLAs typically cover metrics like uptime, support response times and service performance, but often overlook critical elements such as data protection, breach response and regulatory compliance. This creates a responsibility gap, where assumptions about who is accountable can lead to serious blind spots. For instance, a customer might assume that the cloud provider's SLA guarantees data protection, only to realise that their own misconfigurations or weak identity management practices have led to a data breach.
Organisations may mistakenly believe their provider handles more than it does, increasing the risk of non-compliance, security incidents and operational disruptions. Understanding the nuances between SLA commitments and shared security responsibilities is vital to safely leveraging cloud services without undermining resilience or regulatory obligations.
The reality of the SRM and SLAs
The SRM fundamentally shapes the scope and impact of SLAs in cloud environments. Let’s quickly understand the reality of cloud providers’ SRM.
- Cloud providers secure the infrastructure they manage; you ensure what you deploy.
- Customers are responsible for data, configurations, identities and applications.
- Cloud providers often cite the model to deflect blame during breaches.
- Customers must secure the stack themselves, as cloud doesn’t equal safe-by-default -visibility, policy and controls are still on you.
While an SLA guarantees the cloud provider's commitment to “the security of the cloud”, ensuring the underlying infrastructure's uptime, resilience and core security, it explicitly does not cover the customer's responsibilities for "security in the cloud." This means that even if a provider's SLA promises 99.99% uptime for their infrastructure, a customer's misconfigurations, weak identity management or unpatched applications (all part of their responsibility) can still lead to data breaches or service outages, effectively nullifying the perceived security and uptime benefits of the provider's SLA. Therefore, the SRM directly impacts the adequate security and availability experienced by the enterprise, making diligent customer-side security practices crucial for realising the full value of any cloud SLA.
Read more about cloud risk
- Geopolitics, data sovereignty and rising costs are driving a change in cloud thinking, but it’s slow progress.
- Familiar cloud concerns are being overshadowed by geopolitical volatility, pushing IT strategy into the boardroom. Organisations must now assess the full spectrum of cross-border dependencies to build true resilience.
- Opportunity exists for the channel to help customers struggling to manage their cloud and hosted environments.
Several controls should be a part of a comprehensive approach to gaining access to innovative cloud technology while safeguarding your enterprise:
- Due diligence, gap analysis and risk quantification: Conduct an exhaustive review of the cloud provider's security posture beyond just the SLA. Request and scrutinise security whitepapers, independent audit reports (eg FedRAMP, SOC 2 Type 2, ISO 27001) and penetration test summaries. Perform a detailed risk assessment that quantifies the potential impact of any SLA shortfalls on your business operations, data privacy and regulatory obligations. Understand precisely where the provider's "security of the cloud" ends and your "security in the cloud" responsibilities begin, especially concerning data encryption, access controls and incident response.
- Strategic contract negotiation and custom clauses: Engage in direct negotiation with the cloud provider to tailor the SLA to your infrastructure requirements. For significant contracts, cloud providers should be willing to include custom clauses addressing critical security commitments, data handling procedures, incident notification timelines and audit rights that exceed their standard offerings. Ensure the contract includes indemnification clauses for data breaches or service disruptions directly attributable to the provider's security failures, and clearly define data portability and destruction protocols for an effective exit strategy.
- Implement robust layered security (defence-in-depth): Recognise that the shared responsibility model necessitates your active participation. In addition to the provider's native offerings, implement additional security controls covering, among others, identity and access management (IAM), cloud security posture management (CSPM), cloud workload protection (CWP), data loss prevention (DLP) and zero trust network access (ZTNA).
- Enhanced security monitoring and integration: Integrate the cloud service's logs and security telemetry into your enterprise's security information and event management (SIEM) and security orchestration, automation and response (SOAR) platforms. This centralised visibility and correlation capability allows your security operations centre (SOC) to detect, analyse and respond to threats across both your on-premises and cloud environments, bridging any potential gaps left by the provider's default monitoring.
- Proactive governance, risk and compliance (GRC): Update your internal security policies and procedures to explicitly account for the new cloud service and its specific risk profile. Map the provider's security controls and your compensating controls directly to relevant regulatory requirements (eg GDPR, HIPAA, PCI DSS). Maintain meticulous documentation of your risk assessments, mitigation strategies and any formal risk acceptance decisions.
By adopting these strategies, IT and IT security leaders can confidently embrace innovative cloud technologies, minimising inherent risks and ensuring a strong compliance posture, even when faced with SLAs that don't initially meet every desired criterion.
The Computer Weekly Security Think Tank on cloud risk
John Bruce, Quorum Cyber: Bridging the SLA gap: A guide to managing cloud provider risk.
The bottom line
Make sure to follow the principle “own your security posture” by implementing customised security policies and not relying solely on your cloud provider. Treat security as a core component of your infrastructure and not an add-on. Adopt and deploy unified controls to align security strategies across all environments to strengthen defences against the expanding threat landscape, thereby reducing risk and boosting resilience. Shared responsibility doesn’t mean shared blame, it means shared diligence.
Aditya K Sood is vice president of security engineering and AI strategy at Aryaka.