Curriculum Overview: The Shared Responsibility Model in Cloud Computing
Describe the shared responsibility model
This curriculum provides a comprehensive breakdown of the Shared Responsibility Model, a foundational concept for the Microsoft Azure Fundamentals (AZ-900) exam. It details how security and operational duties shift between the cloud provider (Microsoft) and the consumer based on the service model chosen.
Prerequisites
Before starting this module, learners should have a basic understanding of the following:
- Basic IT Infrastructure: Familiarity with servers, networking, and databases.
- Traditional Computing: Understanding of "on-premises" environments where an organization owns and manages all hardware.
- Cloud Fundamentals: A high-level definition of cloud computing (providing services over the internet).
Module Breakdown
The curriculum is structured to move from theoretical concepts to practical application of the responsibility matrix.
| Module | Title | Difficulty | Description |
|---|---|---|---|
| 1 | Defining Responsibility | Beginner | Understanding the "Why" behind the model and the move away from on-premises overhead. |
| 2 | The Service Model Spectrum | Intermediate | Deep dive into IaaS, PaaS, and SaaS and how they redistribute tasks. |
| 3 | The "Always" Clauses | Intermediate | Identifying responsibilities that never shift, regardless of the cloud model. |
| 4 | Practical Mapping | Advanced | Scenario-based mapping of specific tasks (OS patching, physical security, etc.) to owners. |
Learning Objectives per Module
Module 1: Defining Responsibility
- Explain the transition from on-premises total ownership to cloud-based shared ownership.
- Describe how the shared responsibility model reduces the "headache" of server management and infrastructure costs.
Module 2: The Service Model Spectrum
- Differentiate between Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
- Illustrate the shift of responsibility for the Operating System and Network controls across these models.
Module 3: The "Always" Clauses
- Identify the components that are always the customer's responsibility (e.g., Information and Data).
- Identify the components that are always the provider's responsibility (e.g., Physical Datacenter).
Module 4: Practical Mapping
- Use a responsibility matrix to assign ownership for specific tasks like identity management, endpoint protection, and application configuration.
Visual Anchors
The Responsibility Shift
This diagram illustrates how much of the "stack" is managed by the provider versus the customer.
The Security Matrix
The following TikZ diagram visualizes the "layered" nature of responsibility.
```latex
\begin{tikzpicture}[node distance=0.8cm]
  % Stack layers, bottom (customer-owned) to top (provider-owned)
  \draw[thick, fill=blue!10] (0,0) rectangle (6,1) node[midway] {\textbf{Information and Data (Customer)}};
  \draw[thick, fill=blue!20] (0,1) rectangle (6,2) node[midway] {\textbf{Devices / Endpoints (Customer)}};
  \draw[thick, fill=green!10] (0,2) rectangle (6,3) node[midway] {\textbf{App / OS (Shared)}};
  \draw[thick, fill=red!10] (0,3) rectangle (6,4) node[midway] {\textbf{Physical Infrastructure (Provider)}};

  % Direction-of-responsibility arrows on either side of the stack
  \draw[->, thick] (-1,0) -- (-1,4) node[midway, sloped, above] {Cloud Provider Responsibility Increases};
  \draw[->, thick] (7,4) -- (7,0) node[midway, sloped, above] {Customer Responsibility Increases};
\end{tikzpicture}
```
Success Metrics
To demonstrate mastery of the Shared Responsibility Model, the learner must:
- Correctly Categorize: Place 10 specific IT tasks (e.g., "Fixing a broken router," "Updating an app password") into the correct ownership bucket for a given cloud model.
- Explain the "Data" Rule: Articulate why the customer is responsible for data security even in a SaaS environment (like Microsoft 365).
- Perform Cost-Benefit Analysis: Explain how shifting responsibility to a provider (e.g., moving from IaaS to PaaS) results in lower operational overhead (OpEx).
Real-World Application
> [!IMPORTANT]
> Understanding this model is not just for passing exams; it is critical for business operations and legal compliance.
- Security Compliance: If a data breach occurs because a database was left unencrypted in an IaaS VM, the customer is liable because, in IaaS, the customer manages the OS and database configuration.
- Disaster Recovery: Organizations use this model to determine who is responsible for backups. In IaaS, you must configure your own backup schedule; in some PaaS offerings, the provider handles it automatically.
- Cost Management: By shifting the responsibility for physical hardware to Azure, companies avoid Capital Expenditure (CapEx) and only pay for what they use through a consumption-based model.