When organisations move systems to the cloud, many assume that security becomes the cloud provider’s job. In reality, security in cloud computing is divided between the cloud provider and the customer. This division is known as the shared responsibility model. In IB Computer Science, students are expected to understand how responsibilities are shared, why confusion causes security failures, and what each party is responsible for.
IB examiners reward answers that explain who is responsible for what and why this matters.
What Is the Shared Responsibility Model?
The shared responsibility model states that:
- Cloud security is shared
- Responsibilities are divided between:
  - The cloud provider
  - The cloud customer
Neither party is fully responsible for security on their own.
In IB terms, the model explains why moving to the cloud does not remove security responsibility.
Why the Shared Responsibility Model Exists
Cloud providers control:
- Physical infrastructure
- Data centres
- Core networking
Customers control:
- How services are used
- What data is stored
- How access is managed
Because control is split, security responsibility must also be split.
Cloud Provider Responsibilities
The cloud provider is responsible for security of the cloud.
This includes:
- Physical security of data centres
- Hardware and infrastructure
- Core networking
- Power, cooling, and facilities
Providers ensure that:
- Servers are protected
- Infrastructure is maintained
- Systems are reliable
IB students should emphasise that providers protect the foundation, not the data itself.
Customer Responsibilities
The customer is responsible for security in the cloud.
This includes:
- User access control
- Authentication and passwords
- Data protection
- Application security
- Configuration of services
Customers decide:
- Who can access systems
- What data is stored
- How services are configured
Most cloud security failures occur due to customer misconfiguration, not provider failure.
Why Confusion Causes Security Breaches
If customers assume that “the provider handles everything”, then:
- Permissions may be misconfigured
- Data may be exposed
- Accounts may be compromised
Understanding the shared model prevents:
- Data breaches
- Unauthorised access
- Misplaced blame
IB examiners often expect students to link breaches to misunderstanding responsibility.
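The following Python example is an addition to this guide, not part of the original text. It audits a constructed inventory of customer-controlled settings and labels each weakness with the customer responsibility it falls under; the field names, the 90-day idle threshold, and the multi-factor authentication check are assumptions for illustration and do not come from any real provider's API.

```python
# Constructed sample: settings a customer controls in a cloud account.
# All field names and values are hypothetical, not from a real provider API.
INVENTORY = {
    "storage": [
        {"name": "student-records", "public_read": True,
         "intended_public": False, "encrypted": False},
        {"name": "site-assets", "public_read": True,
         "intended_public": True, "encrypted": True},
    ],
    "users": [
        {"name": "admin", "role": "admin", "mfa": False, "idle_days": 2},
        {"name": "teacher1", "role": "editor", "mfa": True, "idle_days": 5},
        {"name": "old-contractor", "role": "admin", "mfa": True, "idle_days": 200},
    ],
}

MAX_IDLE_DAYS = 90  # assumed policy threshold for unused privileged accounts


def audit(inventory):
    """Return (customer responsibility, resource, issue) for each weak setting."""
    findings = []
    for bucket in inventory.get("storage", []):
        # Public access is acceptable only where the owner declared it intended.
        if bucket.get("public_read") and not bucket.get("intended_public"):
            findings.append(("Configuration of services", bucket["name"],
                             "publicly readable but not marked as intended"))
        # A missing 'encrypted' field is treated as unencrypted (fail closed).
        if not bucket.get("encrypted", False):
            findings.append(("Data protection", bucket["name"],
                             "stored without encryption"))
    for user in inventory.get("users", []):
        if not user.get("mfa", False):
            findings.append(("Authentication and passwords", user["name"],
                             "no multi-factor authentication"))
        if user.get("role") == "admin" and user.get("idle_days", 0) > MAX_IDLE_DAYS:
            findings.append(("User access control", user["name"],
                             "unused account still holds admin rights"))
    return findings


if __name__ == "__main__":
    for area, resource, issue in audit(INVENTORY):
        print(f"[customer] {area}: {resource}: {issue}")
```

Every finding sits on the customer side of the model: none of these settings can be corrected by the provider securing its data centres or hardware.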
How Responsibility Changes by Service Type
The level of customer responsibility depends on the type of cloud service used.
For example:
- More provider responsibility in fully managed services
- More customer responsibility in self-managed environments
However:
- Customers always control access and data
This principle remains constant.
Shared Responsibility and Risk Assessment
Risk assessment in cloud systems must consider:
- Provider controls
- Customer controls
Ignoring either side increases risk.
IB students should explain that shared responsibility supports clear risk management.
Real-World Examples
Examples of customer responsibilities include:
- Setting strong access policies
- Encrypting sensitive data
- Managing user accounts
Examples of provider responsibilities include:
- Protecting data centre access
- Maintaining hardware security
Both are required for secure systems.
Common Student Mistakes
Students often:
- Say cloud providers handle all security
- Ignore customer configuration
- Focus only on hacking
- Forget shared accountability
Clear division of roles earns marks.
How This Appears in IB Exams
IB questions may ask students to:
- Explain the shared responsibility model
- Identify provider vs customer responsibilities
- Apply the model to a scenario
- Explain why breaches occur
Role clarity is essential.
Final Thoughts
The shared responsibility model explains how cloud security is divided between providers and customers. Providers secure the infrastructure, while customers secure their data, users, and configurations.
Understanding this model allows IB Computer Science students to explain cloud security clearly and realistically — exactly what examiners expect.
