Within the cloud shared responsibility model, how should encryption be managed between customer and provider?


Multiple Choice

Within the cloud shared responsibility model, how should encryption be managed between customer and provider?

Explanation:
In cloud environments, encryption responsibilities are shared and change with the service model. The idea is that you must actively protect your data and manage encryption keys and configuration, while the provider takes care of the underlying infrastructure and some encryption services. How this splits depends on what you’re using:

With infrastructure as a service, you control the encryption for your data at rest and your key management, while the provider handles the physical security and foundational layers.

With platform as a service, the provider manages more of the stack but you still decide how your data is encrypted and who can access the keys, often using a customer-managed key or a built-in key management service.

With software as a service, the provider handles most encryption for the platform, but you’re still responsible for data classification, access controls, and leveraging any key management options the provider offers.

Encryption in transit is a universal necessity, but the exact duties around keys and configuration depend on the service model. That’s why the best approach is that the customer remains responsible for protecting data, encryption keys, and configuration, with the specifics varying by service model.

