Understanding Microsoft’s Shared Responsibility Model

When it comes to the security of your data, SaaS providers like Microsoft subscribe to the shared responsibility model. While the model is a widely accepted security framework, many organizations that store data in the cloud are still unaware they’re responsible for the data loss or corruption they create. 

This creates a false sense of security. And this widespread phenomenon isn’t going away anytime soon: SaaS continues to dominate the enterprise landscape as the preferred method of application delivery, meaning customer relationship management vendors like Microsoft Dynamics 365 and Azure are growing rapidly.

Here’s what you need to know about Microsoft’s shared responsibility model—and how to protect your data.

Before we explain who is responsible for protecting Dynamics 365 and Power Platform data, what are we protecting it from exactly?

 Through 2025, Gartner predicts 99% of data failures will be the customer’s fault. Careless employees, lax permissioning, social hacking, insider threats, poor physical security controls, and other vulnerabilities are far more likely to result in data loss than attacks on the SaaS provider. 

Further, while Microsoft’s cloud platform is built to enable your business to continue operating in the face of disruption, Microsoft does acknowledge certain potential disruptive events pose threats to data availability and security. These threats can include:

• Users accidentally deleted or updated a row in a table
• Malicious attackers succeeded in deleting data or dropping a database
• Earthquake caused a power outage and temporarily disabled datacenter

The shared responsibility model states that CSPs are responsible for security of the cloud, and customers are responsible for security in the cloud:

• CSPs: Responsible for configuring, managing and securing applications, network controls and the host infrastructure
• Customers: Responsible for all data stored in the cloud, endpoints (devices), and account and access management

Microsoft even calls out the shared responsibility model in its user documentation. This diagram illustrates the areas of responsibility between you and Microsoft, according to your stack’s  type of deployment:

A good way of thinking about shared responsibility in the cloud is the relationship between a landlord and apartment renter. The landlord is responsible for making sure your roof doesn’t leak, for example, and you’re responsible for items located inside of the apartment. 

Governments and regulators also place the onus of protecting data on the data owner. The customer must conform to data policies, standards, or laws relevant to its business processes. Legislation like the European Union’s GDPR and industry-focused governance such as California’s CCPA in data privacy, HIPAA in healthcare, FINRA in financial services, and FERPA in education place liability for data safety and integrity on the company that collects the data, not the SaaS provider that stores it on their servers. 

It’s the organization’s responsibility to safeguard data from any threat—internal or external—and ensure that their cloud providers deliver bulletproof security and compliance guardrails.

While it’s clear organizations are responsible for safeguarding data stored in the cloud, that isn’t stopping data loss from occurring. Our annual State of SaaS Data Protection Report found that 75% of respondent organizations had suffered data loss or corruption in the past year. 

While that might seem discouraging, there are steps you can take to protect your data. Several of the respondents in the report already use third-party backup and recovery solutions, to ensure that, when data loss strikes, they are able to swiftly and wholly recover the affected data with minimal disruption to the business. When we asked these organizations if they’re seeing value from their backup and recovery solutions, an overwhelming majority said that yes, they are.

At OwnBackup, we help you keep your data safe and uphold your part of the shared responsibility model. Our market-leading backup and recovery solution, OwnBackup Recover, is currently available for both Microsoft Power Platform (on the Dataverse) and Dynamics 365 customers.

Contact us to learn more about protecting your SaaS data or schedule a customized 1:1 demo today. Because after all, it’s your responsibility to back up your SaaS data.