Cloud Fundamentals & Shared Responsibility
What moves to cloud and what still stays on you
Real-world analogy
Cloud is like renting apartments in different cities instead of owning the whole building. The landlord fixes the roof and plumbing; you still lock your own door, manage your own keys, and decide which guests you let in.
What is it?
Cloud fundamentals is the vocabulary and mental model for modern infrastructure. You don’t need to be a cloud architect. You need to read architecture diagrams, understand responsibility lines, and administer day-to-day services safely.
Real-world relevance
A company lifts an on-prem app to Azure. Ops team assumes ‘Azure handles backups.’ Six months later, someone deletes a storage container. Azure has no recovery because soft-delete wasn’t enabled and no customer-managed backup existed. Shared responsibility doesn’t forgive assumptions.
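The gap in this scenario can be checked from exported settings before anything is deleted. The sketch below is an added example, not part of the original page. It assumes the field names match what `az storage account blob-service-properties show` prints, and the account names, the `independent_backup` flag and the 7-day minimum are constructed for illustration.

```python
import json

# Constructed sample. "blob_service" mirrors the fields printed by
# `az storage account blob-service-properties show` (assumed shape);
# "independent_backup" is a hypothetical flag from your own backup inventory.
SAMPLE = json.loads("""
[
 {"account": "applogs01", "independent_backup": false,
  "blob_service": {"containerDeleteRetentionPolicy": null,
                   "deleteRetentionPolicy": {"enabled": false, "days": null}}},
 {"account": "finance02", "independent_backup": true,
  "blob_service": {"containerDeleteRetentionPolicy": {"enabled": true, "days": 3},
                   "deleteRetentionPolicy": {"enabled": true, "days": 14}}},
 {"account": "hrdocs03", "independent_backup": true,
  "blob_service": {"containerDeleteRetentionPolicy": {"enabled": true, "days": 30},
                   "deleteRetentionPolicy": {"enabled": true, "days": 30}}}
]
""")

MIN_DAYS = 7  # assumed organisational minimum retention window


def policy_gap(props, key, label):
    """Return a finding string if the soft-delete policy is off or too short."""
    policy = props.get(key) or {}  # treat a missing or null policy as disabled
    if not policy.get("enabled"):
        return f"{label} soft-delete disabled"
    days = policy.get("days") or 0
    if days < MIN_DAYS:
        return f"{label} soft-delete retention {days}d < {MIN_DAYS}d"
    return None


def audit(accounts):
    """Map account name -> list of customer-side recovery gaps."""
    findings = {}
    for acct in accounts:
        props = acct.get("blob_service") or {}
        gaps = [policy_gap(props, "containerDeleteRetentionPolicy", "container"),
                policy_gap(props, "deleteRetentionPolicy", "blob")]
        gaps = [g for g in gaps if g]
        if not acct.get("independent_backup"):
            gaps.append("no customer-managed backup")
        if gaps:
            findings[acct["account"]] = gaps
    return findings


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE).items():
        print(f"{name}: " + "; ".join(gaps))
```

An account that appears in the findings with both a disabled container policy and no backup is in the same position as the one in the story: a container deletion there is unrecoverable.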
Key points
- IaaS, PaaS, SaaS — IaaS: you rent VMs and networks (you manage OS, app, data). PaaS: you rent platforms/runtimes (you manage app and data). SaaS: you rent the whole app (you manage identity, config, data). Your share of the stack shrinks as you move from IaaS to PaaS to SaaS, but it never reaches zero.
- Shared responsibility, in one sentence — The cloud provider secures the cloud; you secure what you put in it. That includes identity, access, data classification, config, backups of what you own, and compliance for your workloads.
- Core building blocks — Compute (VMs, containers, functions), Storage (object, block, file), Networking (VPC/VNet, subnets, load balancers, DNS), Identity (IAM), Observability (logs, metrics, traces), Security (IDPs, WAFs, encryption, secrets).
- Regions and availability zones — A region is a geographic area; AZs are isolated datacenters within a region. Critical systems run across multiple AZs. Critical data often has cross-region backups for disaster recovery.
- Hybrid and multi-cloud reality — Most enterprises are hybrid (on-prem + cloud) and sometimes multi-cloud (Azure + AWS + GCP). Operational consistency suffers; identity federation (Entra ↔ AWS IAM, GCP Workload Identity) is a lifesaver.
- Cost awareness — ‘The cloud’ isn’t automatically cheap. Forgotten VMs, oversized instances, missing lifecycle policies on storage, and egress bandwidth run up real bills. Junior ops should recognize cost reports as part of operational health.
- SaaS security traps — In SaaS (M365, Salesforce, Workday) you still own: identity (MFA, conditional access), access reviews, data classification, data loss prevention, audit log export. ‘The vendor does it all’ is a myth that sinks organizations.
- The portable mental model — Across Azure/AWS/GCP: identity, network, compute, storage, security, observability, cost. Learn one cloud deeply, and you can read the other two quickly. Don’t memorize SKUs — learn the categories.
Code example
// Shared responsibility — simple matrix
                          IaaS    PaaS    SaaS
----------------------------------------------
Physical datacenter       Cloud   Cloud   Cloud
Network / host hardware   Cloud   Cloud   Cloud
Hypervisor                Cloud   Cloud   Cloud
OS patching               You     Cloud   Cloud
Runtime / middleware      You     Cloud   Cloud
Application code          You     You     Cloud
Data                      You     You     You
Identity & access         You     You     You
Configuration             You     You     You
Compliance for workload   You     You     You
Line-by-line walkthrough
- 1. Shared responsibility matrix
- 2. Header columns IaaS/PaaS/SaaS
- 3. Divider line
- 4. Physical datacenter row
- 5. Host hardware row
- 6. Hypervisor row
- 7. OS patching row
- 8. Runtime row
- 9. Application code row
- 10. Data row
- 11. Identity & access row
- 12. Configuration row
- 13. Compliance row
Spot the bug
Team migrates SharePoint to M365. Plan: 'No more backups, Microsoft handles it.'
Need a hint?
What does M365 handle — and what doesn’t it handle — in practice?
Show answer
M365 handles service availability and short-term data recoverability, but NOT long-term ransomware-resilient backup of your content, customizations, permissions, and policies for your retention needs. Best practice: keep an independent backup (Veeam/Druva/etc.) per organizational retention policy, enable retention policies, audit log export, and DLP. ‘Microsoft handles it all’ is a myth.
Explain like I'm 5
You don’t fix the plumbing in your apartment — the building owner does. But you still lock your front door, know who has the spare key, and don’t leave your valuables on the balcony. That’s the cloud.
Fun fact
‘The cloud’ began as a joke/metaphor in pre-2000s network diagrams — whoever couldn’t be bothered to draw the internet just drew a cloud. The name stuck because it captures something real: someone else’s infrastructure you don’t have to draw.
Hands-on challenge
Sketch a simple enterprise architecture using three cloud building blocks (Compute, Storage, Identity) and label which responsibilities belong to the provider vs the customer for IaaS, PaaS, and SaaS.
More resources
- AWS shared responsibility model (AWS)
- Azure shared responsibility (Microsoft Learn)
- Google Cloud shared responsibility (Google Cloud)