Shared responsibility

Working in the cloud and running your own infrastructure are as different as night and day. It’s the difference between having a trusted partner to lean on and going it alone.

Delivering security in the cloud means drawing clear boundaries of responsibility between client and provider.

Physical security, service security, and infrastructure accessibility can only be handled by the cloud team. But the client controls access to virtual machines and other resources. Whether the data is stored locally or in the cloud, the client marks and structures it to ensure regulatory compliance.

Who handles what for security?

There are a few factors that go into determining security roles: the services used by the cloud system, the usage model (IaaS, PaaS, SaaS), and the cloud provider’s security mechanisms and policies.

Usage models for cloud services


IaaS: The provider is responsible for physical security, platform fault-tolerance, network security, and collecting and analyzing hypervisor and infrastructure component events. The client handles security for guest machines, the virtual network, and user accounts while also controlling access to resources and backing up virtual machines.


PaaS: The client handles data classification, controls data and user access, sets up processes to protect data, and interacts with third-party services. The provider takes responsibility for component security within the managed services.


SaaS: The client is responsible for managing user access to data. The provider handles just about everything else: data accessibility and integrity, monitoring, logging, physical security, and security for the network, the service components, and the application itself.

Still have questions?

If there’s more you want to ask about security and our cloud platform, get in touch. The Yandex Cloud experts have the answers you’re looking for and will help you find the perfect solution for your project.