Skip to main content
Hosting & Infrastructure

Shared Responsibility Model

The split of security duties between a cloud provider and its customer; the cloud secures the infrastructure, the customer secures what runs on it.

The shared responsibility model is the split of security duties between a cloud provider and its customer. The provider secures the physical data centers, hardware, and core services. The customer secures everything built on top: operating systems, encryption settings, access rules, and logging.

Under HIPAA, this split means a signed BAA with AWS, Azure, or Google Cloud is necessary but not sufficient. The safeguards at 45 CFR § 164.312 that fall on the customer side must still be configured, which is where most audit failures happen. See HIPAA compliant cloud hosting for how the split works in practice.