Understanding and Applying the Shared Responsibility Model at Your Organization

To avoid significant security gaps and risks to sensitive data, organizations need to understand the shared responsibility model used by many SaaS providers.
Tristan Grush
2 min read
Last updated October 21, 2024

As companies increasingly incorporate SaaS, IaaS, and other applications into their environments and processes, some orgs are unaware of their role in securing sensitive data. 

This can leave a significant gap in an organization’s security stack when it relies solely on the SaaS provider to protect its information.

The division of security duties between an organization and its SaaS provider, in which some aspects are the organization’s responsibility and others fall under the SaaS application’s domain, is known as the shared responsibility model.

Security teams must understand this model to mitigate risks from today’s top cyber threats and protect their sensitive information.  

What is a shared responsibility model? 

The shared responsibility model holds SaaS providers accountable for securing the infrastructure and providing a highly available solution. The consumer is responsible for protecting and securing their own data within the platform, a responsibility that many orgs are unaware of.

The misunderstanding of who is responsible for data security usually stems from internal teams purchasing SaaS products without involving their IT department or security teams. 

A traditional breakdown of the shared responsibility model is outlined below; several cloud providers, including Salesforce, AWS, and Microsoft, adhere to a model along these lines.

[Diagram: A traditional shared responsibility model.]

Shared responsibility in action 

Salesforce is a notable example of the shared responsibility model in action.  

Salesforce employs security-by-design for its infrastructure, but it’s up to the end user to implement the correct security controls and best practices to keep their critical data safe from threats and breaches. 

Varonis helps organizations uphold their end of the shared responsibility model by providing real-time visibility into their Salesforce data security posture, ensuring only the right people have access to crown-jewel data, automatically remediating misconfigurations, and detecting suspicious activity.  

When organizations purchase Salesforce, sales teams tend to manage the CRM tool and are focused on ensuring information is easily accessible to users.

However, it’s quite common for security teams to have limited visibility or awareness of the risks associated with a SaaS platform like Salesforce, despite the sensitive nature of the data it contains.  

The need for quick access combined with zero security oversight often leads to data security and data governance falling by the wayside. This is especially true when SaaS applications are purchased and rolled out with little to no IT oversight, significantly increasing the probability of a data breach. 

That’s why implementing a shared responsibility model is paramount to data protection.  

How to implement the shared responsibility model at your org 

To keep sensitive data out of the wrong hands, the components of a shared responsibility model must be acknowledged and understood by your security team and the application owners.  

A collaborative relationship between your internal teams and application owners helps ensure your cloud data is properly protected and treated with as much care as data that sits on a file server. 

Give your security team and application owners access and proper controls to ensure both groups can answer these three questions: 

  1. Where is my sensitive data being stored in this application? 
  2. Who can access this data?
  3. Who is accessing my data?

Team members must understand which security components your company is responsible for protecting, which aspects the SaaS provider owns, and which controls they specifically need to address. All SaaS platforms your org uses should be evaluated with the shared responsibility model in mind.

Varonis helps organizations understand where their sensitive data lives, maps access to your data, and delivers auditing and threat detection capabilities.  

We provide a clear, contextual understanding of SaaS data, protecting your org with automated outcomes without impacting business continuity. Our coverage includes a variety of SaaS, IaaS, on-premises data, and more.  

Don’t wait for a breach to occur.  

If organizations do not adequately define their shared responsibility with SaaS apps, the lack of ownership and preparedness could lead to an inability to appropriately respond to a data breach or insider threat. 

Curious to know if your sensitive data is protected?  

Get started with our free Data Risk Assessment. In less than 24 hours, you’ll have a clear, risk-based view of the data that matters most and a clear path to automated remediation. 
