A company hosts a line-of-business application on an Azure virtual machine. The IT team is responsible for configuring the operating system, installing security updates, and managing the application code. An auditor asks who is responsible for the physical security of the data center where the virtual machine runs. According to the shared responsibility model for cloud services, who is responsible?
For IaaS, Microsoft is responsible for the physical data center, including physical security, hardware maintenance, and network infrastructure. This is a core tenet of the shared responsibility model.
Why this answer
Under the shared responsibility model, Microsoft is responsible for the physical security of its Azure data centers, including access controls, surveillance, and environmental safeguards. The customer is responsible for securing the virtual machine's operating system, applications, and data, but not the physical infrastructure. Therefore, Microsoft retains responsibility for physical security even when the customer manages the guest OS and application.
Exam trap
The trap is assuming that the customer is responsible for all security because they manage the OS and application. Physical security always remains the provider's responsibility under the shared responsibility model.
How to eliminate wrong answers
Option A is wrong because the customer is responsible for securing the OS, applications, and data on the VM, not the physical data center infrastructure. Option C is wrong because physical security is not shared equally; Microsoft retains sole responsibility for the physical data center, while the customer manages the virtualized components. Option D is wrong because physical security remains essential in cloud data centers; it is handled by the provider (Microsoft) rather than being eliminated.