Many Nigerian firms move to the cloud and assume their job is done. They pay a fee, store their files, and walk away thinking safety is now someone else’s task in full.
This belief causes more breaches than almost any other single mistake. The truth is far more split. Cloud safety is a shared job, not a job you can hand off whole to your cloud firm.
This guide explains the shared responsibility model in plain, clear terms. You will learn what your cloud firm guards, what your own firm must guard, and how this split shifts across different kinds of cloud service.
Lagos Data School made this guide as part of our cyber and cloud course. Indeed, this model sits at the very base of how we teach cloud safety. So let’s break it down with care.
What Is the Shared Responsibility Model?
The shared responsibility model is a simple idea with a big impact. It states that cloud safety is split between two parties: the cloud provider and the firm that uses the cloud service.

The cloud provider, such as AWS, Microsoft Azure, or Google Cloud, guards the base layer. This includes the physical buildings, the raw hardware, and the core systems that keep the whole cloud running.
Your own firm, on the other hand, must guard what sits on top of that base layer. This often includes your data, your user accounts, your app settings, and how your staff uses the cloud each day.
Think of it like renting an apartment in a large, guarded building. The landlord locks the main gate and watches the shared halls. But you still must lock your own door, and you alone decide who gets a copy of your key.
Why This Model Exists
Cloud firms build huge, complex systems that serve millions of clients at once. It would be both costly and risky for each client to try to guard every single layer on their own, especially the deep, technical base layers most firms never touch directly.
So cloud firms take on the heavy lifting for the parts that are the same for every client. This includes guarding power systems, network cables, and the raw servers that sit deep within huge data centers.
However, each client’s own data, settings, and user habits differ widely from one firm to the next. No cloud firm could ever guess the right settings for every single client. So this part of the job falls, quite reasonably, on each client’s own shoulders.
How the Split Changes Across Service Types
The exact split of duty shifts depending on which kind of cloud service your firm uses. There are three common types, and each one shifts more or less weight onto your own team.
Infrastructure as a Service (IaaS)
With IaaS, the cloud firm gives you raw computing power, storage, and networking, much like renting an empty plot of land with basic utilities already connected. You then build and guard nearly everything else yourself.
This means your firm holds a large share of the safety duty here. You must guard your own operating system, your own apps, and your own data, all sitting on top of the cloud firm’s base hardware.
Platform as a Service (PaaS)
With PaaS, the cloud firm also manages the operating system and some of the basic software tools for you. This shifts more duty onto the cloud firm, while your own firm still must guard your app code and your data.
Think of this like renting a furnished apartment rather than an empty plot of land. More of the heavy work is already done for you, but you still must lock your own door and watch your own belongings.
Software as a Service (SaaS)
With SaaS, such as a ready-made email or accounting tool, the cloud firm manages nearly everything beneath the surface. Your own firm mainly handles user accounts, data you put into the tool, and how your staff uses it.
This is like staying in a fully serviced hotel room. Nearly everything is handled for you, yet you still must lock your own door, watch your own bags, and avoid giving your room key to a stranger.
| Layer | IaaS | PaaS | SaaS |
| --- | --- | --- | --- |
| Physical hardware | Provider | Provider | Provider |
| Operating system | Your firm | Provider | Provider |
| App code | Your firm | Your firm | Provider |
| Your data | Your firm | Your firm | Your firm |
| User access rules | Your firm | Your firm | Your firm |
What the Cloud Provider Typically Guards
Across nearly all cloud service types, the cloud provider tends to handle a core set of duties. Knowing this list helps you avoid wasted effort trying to guard things that are not truly yours to guard.
- Physical safety of data centers, including guards, locks, and access logs
- Base hardware, such as servers, storage drives, and network cables
- Core network safety between data centers around the world
- Patching and updates for the base systems that run the cloud itself
- Disaster recovery for the cloud platform’s own core systems
This is real, valuable work, and it forms a strong base for the safety of your own data. However, it does not cover what you build and store on top of that base.
What Your Firm Must Guard
Here is what falls on your own shoulders, no matter which cloud service type you use. This list grows or shrinks slightly depending on the service type, but it never disappears completely.
- Your own data, including how it is stored, shared, and backed up
- User accounts, passwords, and access rules for your staff
- App settings and how you configure each cloud tool you use
- Network rules within your own part of the cloud, such as firewalls
- Staff training on safe habits when using cloud tools
- Compliance with rules like the NDPR for any Nigerian client data you hold
Real Examples of Shared Responsibility Failures
Many real breaches trace back to firms not understanding this split clearly. Walking through a few common patterns helps make the idea less abstract and more real.
Example 1: The Open Storage Bucket
A firm sets up cloud storage for client files. The cloud firm’s part — guarding the base storage system — works exactly as planned. However, the firm itself leaves the storage setting open to the public web by simple mistake.
In this case, the cloud firm did its job fully. The breach traces back entirely to a setting that sat on the client firm’s own side of the responsibility line.
Example 2: The Shared Admin Login
A small firm shares one admin login across five staff members to save time. A staff member’s laptop later gets infected, and the shared password leaks. A hacker then uses this single login to reach a wide range of cloud data.
Again, this falls squarely on the client firm’s side. User account habits sit on your list of duties, not the cloud provider’s.
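One way to spot a shared login from your own side of the line, as an added example that is not part of the original guide: flag any account that signs in successfully from more distinct devices than one person would plausibly use within a working day. The log layout, device IDs, usernames, and thresholds are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log lines; the field layout is an assumption.
SAMPLE_LOG = """\
2024-05-06T08:01:12Z user=admin device=LT-0141 result=success
2024-05-06T08:17:40Z user=admin device=LT-0207 result=success
2024-05-06T09:02:05Z user=t.bello device=LT-0312 result=success
2024-05-06T09:30:51Z user=admin device=LT-0355 result=success
2024-05-06T10:11:09Z user=admin device=LT-0141 result=failure
2024-05-06T11:45:33Z user=t.bello device=LT-0312 result=success
"""

def parse_line(line):
    """Split one log line into a timestamp plus its key=value fields."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def shared_accounts(log_text, max_devices=2, window=timedelta(hours=8)):
    """Return {user: devices} for accounts that signed in successfully from
    more than max_devices distinct devices inside one time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("result") == "success":
            events[rec["user"]].append((rec["time"], rec["device"]))
    flagged = {}
    for user, seen in events.items():
        seen.sort()
        # Slide the window start across each event for this account.
        for i, (start, _) in enumerate(seen):
            devices = {dev for when, dev in seen[i:] if when - start <= window}
            if len(devices) > max_devices:
                flagged[user] = sorted(devices)
                break
    return flagged

if __name__ == "__main__":
    print(shared_accounts(SAMPLE_LOG))
```

The default of two devices allows for one person's laptop and phone; an account that exceeds it is a candidate for splitting into named, individual logins.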
Example 3: The Outdated App Code
A firm builds a custom app on a PaaS platform and never updates the app’s own code for two years, even as new safety flaws are found and published. A hacker later finds and uses one of these known flaws to break in.
The cloud firm kept the base platform updated throughout, exactly as their part of the deal required. But app code safety sat on the client firm’s side, and it was left unattended for far too long.
How to Apply the Shared Responsibility Model in Your Firm
Understanding the model in theory is a good start. Applying it well in daily practice is what truly keeps your firm safe. Here is the clear plan that Lagos Data School teaches.
Step 1: Read Your Cloud Provider’s Responsibility Documents
Each major cloud firm publishes a clear document explaining exactly what they guard and what falls to you. Read this document fully for each cloud service your firm uses, rather than guessing at the split.
Step 2: List Out Your Own Duties Clearly
Once you know your part, write it down in plain terms that any staff member can follow. A vague sense of duty often leads to gaps, while a clear written list rarely does.
Step 3: Assign Clear Owners to Each Duty
For each item on your list, name a real person responsible for it. A duty with no named owner often gets missed entirely, especially during busy periods or staff changes.
Step 4: Review Your Settings on a Regular Schedule
Cloud settings can drift over time as staff change roles or new tools get added. Set a fixed schedule, such as once a month, to review your settings against your written list of duties.
Step 5: Train Every New Staff Member on This Model
Make sure every staff member who touches your cloud tools understands this split clearly, right from their very first week. This single habit prevents a large share of common, careless mistakes.
Shared Responsibility and Nigerian Compliance Rules
The Nigeria Data Protection Regulation, known as the NDPR, places real duties on Nigerian firms. This is true no matter where personal data sits. It holds even when the data lives within a cloud provider’s own servers.
This means you cannot point to your cloud provider as the reason for a compliance failure. Regulators expect your own firm to show real, clear steps taken on your side of the shared responsibility line.
So building strong habits around this model is not just smart cyber practice. It is also a direct path toward meeting Nigerian rules around data protection in a clear, defensible way.
Common Misunderstandings About Shared Responsibility
A few myths about this model show up again and again among Nigerian firms new to the cloud. Clearing these up early saves real pain later.
Myth: Paying More Means More Safety, Automatically
A pricier cloud plan does not automatically shift more duty onto the provider. The core split based on service type, IaaS, PaaS, or SaaS, stays largely the same no matter your spending level, unless you also add specific extra safety services.
Myth: The Cloud Firm Will Warn You About Every Risk
Cloud firms offer some warnings and tools, but they rarely watch your specific settings closely enough to catch every single risk on your behalf. Active, regular review on your own side remains a real and ongoing need.
Myth: Small Firms Face Less Risk Under This Model
Firm size does not change the basic split of duty. A small firm with weak settings faces the same kind of risk as a large one, even if the scale of harm from a breach may differ.
Building a Shared Responsibility Culture
Beyond formal steps, real safety under this model depends on a shared mindset across your whole team. Make it normal to ask, before adopting any new cloud tool, exactly what falls on your side of the line.
Also, avoid the trap of assuming safety once a tool is set up. Treat shared responsibility as an ongoing task, not a single box to check during initial setup and then forget.
Lagos Data School works to build this exact mindset into every student, since tools and platforms will keep changing, but a clear grasp of this core idea holds steady no matter what specific tool a firm uses next.
Recommended External Resource
For an official breakdown of the shared responsibility model, visit Amazon Web Services’ own documentation page: https://aws.amazon.com/compliance/shared-responsibility-model/
Shared Responsibility Across Different Industries
The exact weight of duty under this model can shift slightly depending on which industry your firm operates within. Understanding these small differences helps Nigerian firms plan more precisely.
Banking and Finance
Nigerian banks face close watch from the Central Bank of Nigeria. They also face global rules tied to money data. This means their own side of the line often carries extra weight. Regulators expect proof of strong, hands-on control over client data, no matter where it sits.
Healthcare
Health firms in Nigeria increasingly store patient records in the cloud, which brings its own added duty around privacy and consent. A breach here can cause real harm beyond just financial loss, so health firms often need to apply even stricter controls on their own side of the model.
E-Commerce and Retail
Online shops handle large volumes of customer payment data, which makes their own side of the shared responsibility split especially focused on payment security standards, such as PCI DSS, alongside general data protection duties.
Education
Schools and training centers, including firms like Lagos Data School itself, handle student records and personal data. This places a duty on these firms to apply careful access rules and clear data handling habits, even while relying on a cloud provider for the base infrastructure.
How Cloud Providers Communicate Their Side of the Deal
Major cloud providers do not leave this split a mystery. Each one publishes clear, detailed documents explaining exactly what falls on their side of the responsibility line.
AWS calls this their shared responsibility model, with a dedicated page explaining the split in plain terms. Microsoft Azure offers a similar breakdown, often tailored to each specific service type a firm might use. Google Cloud follows the same general pattern, with its own clear documentation covering each layer of duty.
Nigerian firms should bookmark and revisit these documents regularly, since cloud providers occasionally update their own side of the responsibility split as they roll out new services or features.
Furthermore, many providers also offer free training modules explaining this exact model, which Lagos Data School often recommends as a useful supplement alongside our own structured course content.
Shared Responsibility in Multi-Cloud and Hybrid Setups
Many larger Nigerian firms now run a mix of cloud platforms together, or combine cloud services with their own in-house servers in what is often called a hybrid setup. This adds real complexity to the shared responsibility picture.
In a multi-cloud setup, your firm must track a separate split for each platform you use. AWS, Azure, and Google Cloud each draw their own line a bit differently, depending on the service involved.
In a hybrid setup, your firm holds full responsibility for anything running on your own in-house servers, while the shared model still applies fully to whatever sits within your cloud accounts. Keeping these two pictures clear and separate in your team’s mind matters greatly for avoiding dangerous gaps.
Lagos Data School trains students to map out responsibility clearly across each environment a firm uses, rather than assuming one single, simple rule applies evenly across every platform and setup type.
Training Your Team to Speak the Same Language
One often overlooked part of this model is simple language. Different staff members may use different words to describe the same idea, which can cause real confusion during a busy, stressful moment.
So agree on clear, shared terms within your own firm. Decide together what you call each layer, each duty, and each owner role. This small step saves real time and confusion later, especially when a real issue strikes and fast, clear talk matters most.
Lagos Data School teaches a consistent set of terms throughout our course, so graduates can step into any Nigerian firm and speak the same shared language that most IT teams already use across the industry.
This may seem like a small detail, but during a real, live incident, every minute spent clarifying basic terms is a minute not spent fixing the actual problem at hand.
A Quick Shared Responsibility Self-Check
Before you close this guide, run through this short self-check to see how clearly your firm grasps this model today.
- Can your team clearly state what your cloud provider guards versus what you guard?
- Have you read the responsibility document for each cloud tool your firm uses?
- Does each safety duty on your side have a clearly named owner?
- Do you review your cloud settings on a fixed, repeat schedule?
- Would your team know what to check first if a breach happened tomorrow?
If you answered no to two or more of these, treat this topic as a near-term training priority. Lagos Data School built this self-check from real gaps we see often among Nigerian firms moving deeper into cloud use each year.
About Lagos Data School
Lagos Data School is Nigeria’s top school for cybersecurity, data science, cloud, and analytics. Every idea in this guide is part of our hands-on course.
Our teachers are real security pros, not just classroom staff. So you learn from people who guard live networks every day.
We run classes on weekdays, weekends, and online. So no matter your time, we have a slot for you. Beyond skills, we also give you a real certificate and links to job partners.

