The Foundation That Hasn't Changed

The shared responsibility model is not a relic of the early cloud era. It remains a bedrock principle across providers like Microsoft, AWS, Google, Salesforce, and Atlassian. The idea is simple:

- Cloud providers secure the infrastructure and application availability.
- Customers secure their data, identities, and configurations.
- Customers retain ownership of, and ultimate responsibility for, their business data.

This division is as relevant today as ever — yet many organizations continue to misinterpret it. When data is lost to accidental deletion, unwanted modification, insider threats, or ransomware, SaaS vendors will not restore it for you. In fact, they probably aren't able to restore it for you. Those things are the customer's responsibility.

The Numbers Prove the Point

You don't have to just take my word for it. Two recent surveys underscore why this discussion remains urgent and why shared responsibility is still highly relevant today:

- 37% of organizations still rely solely on native SaaS data protection (Foundry, 2025). That means more than one in three businesses is trusting limited, provider-built capabilities to safeguard their business-critical data. Why is that risky? Native services often have short retention periods and incomplete coverage, and by design they lack independence from the production environment.

- 58% of executives believe Microsoft backs up their SaaS data (Gatepoint survey). This shows a troubling perception gap. Executives are confident the vendor is covering them, but in reality, Microsoft and other SaaS providers explicitly state that SaaS data protection is the customer's responsibility.

Together, these findings reveal a double risk: A considerable proportion of organizations remain inadequately protected in practice (more than one in three), and leadership is often not aware of the risk, which makes it less likely the issue will be addressed before a crisis.

Shared Fate: Another Way of Thinking

The shared responsibility model remains the foundation for understanding who protects what in the cloud. Some providers have introduced the idea of "shared fate" to help customers better grasp this relationship. The term underscores a simple but important point: Deploying cloud SaaS solutions and storing production data in the cloud doesn't automatically solve your data protection challenges.

In fact, one could argue that the cloud has obscured some long-established data protection best practices, such as the 3-2-1 backup rule. A key to the 3-2-1 principle is physically isolated ("air-gapped") backup, where backup copies are stored in a separate cloud and physical location from the production data.

Shared fate emphasizes that while SaaS providers deliver a secure and resilient platform, customers still carry responsibility for all the data and identities they create in it. This phrasing doesn't change the model; it reinforces it.

What Organizations Should Do Now

Closing the gap between perception and reality starts with understanding shared responsibility:

- Recognize your ownership role. Native tools are not sufficient; your SaaS provider is not responsible for your backup.
- Adopt immutable, segregated backup. Independent systems are essential for resilience against ransomware and to meet regulatory requirements like DORA or NIS2.
- Test recoveries. Backup is only useful if recovery is fast, reliable, compliant, and complete.
- Involve leadership. Use data and real-world examples to get buy-in and address the perception gap among executives.

TL;DR

- 37% of organizations rely solely on inadequate native SaaS protection tools
- 58% of executives wrongly believe Microsoft backs up their data automatically
- Shared responsibility means customers own data protection, not cloud providers
- Independent, immutable backup is essential for true resilience


Source: Keepit Blog: Why the shared responsibility model is still critical today