Shared Responsibility
The Campus Cloud operates on a shared responsibility model. Three parties each own a distinct layer:
- You are responsible for how you configure and use the resources in your account.
- The Campus Cloud Team manages the Landing Zone configuration, policies, and platform tooling.
- The cloud provider manages the underlying infrastructure.
This model applies across all three providers (AWS, Azure, GCP) and across every domain — security, cost, compliance, and data management.
Responsibilities by Party
What You Are Responsible For
- Security: Configuring your workloads securely (storage bucket permissions, security groups, firewall rules) and responding to security findings in your account — see Security
- Cost: Monitoring your spending, setting up budget alerts, and rightsizing resources — see Costs & Billing
- Compliance: Classifying your data, applying required tags, and ensuring your use complies with UC Policy IS-3 and applicable regulations — see Compliance
- Data: Managing access to your data and planning for archiving and retention — see Data Management
- Access: Granting the minimum role necessary to each person in your account
What the Campus Cloud Team Is Responsible For
- Landing Zone configuration: guardrails, org policies, management group structure
- Centralized audit logging and security monitoring
- Campus network connectivity
- Identity federation (UCSB SSO to each provider)
- Platform-level compliance controls (NIST 800-171 baseline)
- Baseline security tooling that runs continuously in every account (this tooling incurs a small cost — see Baseline Costs)
What the Cloud Provider Is Responsible For
- Physical data center security, hardware, and networking infrastructure
- The underlying compute, storage, and network systems that managed services run on
- Software patches and updates for managed services (RDS, Cloud SQL, Azure SQL, etc.)
Summary
| Domain | You | Campus Cloud Team | Cloud Provider |
|---|---|---|---|
| Security | Workload configuration, access control, finding remediation | Guardrails, audit logging, security monitoring, SSO | Infrastructure security, managed-service patching |
| Cost | Budget alerts, spend monitoring, rightsizing | Baseline tooling (runs at a cost to you), UC enterprise discount negotiation | Billing and invoicing |
| Compliance | Data classification, tagging, regulatory adherence | Landing Zone controls, NIST 800-171 baseline, compliance tracking tools | Certifications (SOC 2, ISO 27001, etc.) |
| Data | Data classification, retention planning, access management | Encryption defaults, audit trail of data access | Storage durability, encryption at rest |
For the cloud providers’ own descriptions of shared responsibility, see:
- AWS Shared Responsibility Model
- Azure Shared Responsibility
- GCP Shared Responsibility and Shared Fate