The Team Sport of Cloud Security: Breaking Down the Rules of the Game
2024-6-13 16:43:3 Author: securityboulevard.com

It’s an exciting time to embrace cloud computing. The sheer number of cloud services, and their innovative features and capabilities, give organizations more visibility and control of their cloud environments than was possible even in the recent past. Cloud service providers (CSPs) are also building advanced security into their products, often rivaling or exceeding the security of on-premises infrastructures. Yet cloud security failures still happen, and when they do, there’s often a scramble to determine the cause and who should be held responsible. Organizations should also go a click deeper and ask how these failures could have been prevented in the first place.

These questions are challenging given the complexity of modern cybersecurity. The answer lies in how responsibilities are delineated between customers and their CSPs, and in the human oversight that managing technology still requires.

Customer Misconceptions Abound

There are two main camps when it comes to trusting the cloud. There are security leaders who are ever-wary, and those on the opposite side of the spectrum who place an overabundance of trust in their cloud services to do the security heavy lifting. However, as is often the case, the best position is somewhere in the middle.

Many leaders concerned with cloud security will cite stats like this: Cloud environment intrusions increased by 75% from 2022 to 2023. But the truth is most cloud breaches don’t stem from an inherent lack of security measures to safeguard cloud data, but rather the failure of the end user to properly configure their cloud service using the tools at their disposal. A shocking statistic from Gartner states that through 2025, 99% of cloud security failures will be the customer’s fault. This is not to say there aren’t exceptions, but many perceived risks of cloud security are preventable with greater vigilance on the customer’s part.

But what about those in the other camp, who may view their cloud services as infallible? This false sense of security likely stems from misunderstanding the “shared responsibility” model that’s common between CSPs and customers.

Two Sides of the Bargain

Cloud security today is too complicated to fall on the shoulders of one person or party. For this reason, most cloud services operate on a shared responsibility model that divides security roles between the CSP and the customer. Large players in this space, such as AWS and Microsoft Azure, have even published frameworks that draw the lines of liability in the sand.

While the exact delineations can change depending on the service model (e.g., software-as-a-service, infrastructure-as-a-service, platform-as-a-service, etc.), the CSP is typically responsible for the security “of” the cloud, and the customer is responsible for security “in” the cloud. For example, the cloud provider often secures the computing host infrastructure and its physical facilities, including power and connectivity. Customers take on aspects like endpoint security, identity and access management and data classification. These examples only touch the surface, but they illustrate how elements of cloud security are distributed between the service provider and the end user.

However, while the expectations laid out in shared responsibility models are designed to reduce confusion, customers often struggle to conceptualize what this framework looks like in practice. And unfortunately, when there’s a lack of clarity, there’s a window of opportunity for threat actors.

Steps to Avoid Cloud Failures

The best-case scenario for mitigating cloud security risks is when CSPs and customers are transparent and aligned on their responsibilities from the beginning. Even the most secure cloud services aren’t foolproof, so customers need to be aware of what security elements they’re “owning” versus what falls in the court of their CSP. This is particularly true considering they are held accountable for most security breaches, especially because they oversee data security. Most breaches can also be traced back to user error or misconfigurations, whether they were too lax when configuring the service or failed to monitor and adjust settings over time. While some oversights are understandable, especially as the cloud evolves rapidly, they can lead to massive consequences.

With so much at stake, here are some other steps organizations can take to avoid cloud security failures:
• Don’t make assumptions about who is responsible for what
• Take the time to review the fine print of the CSP’s Service Level Agreement (SLA)
• Hire security leaders with cloud expertise
• Conduct regular security audits
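The audit step above is the one that catches the misconfigurations the article blames for most breaches, and it can be made mechanical. The following is an added example, not code from the article or from any CSP: a small customer-side configuration audit over a constructed inventory (the resource format, names and values are all invented for illustration and are not a real provider API response). It flags the settings that fall on the customer's side of the shared responsibility line, namely administrative ports exposed to the whole internet, public storage, and missing encryption or logging, and shows the corrected setting beside the weak one.

```python
"""Added example: a minimal customer-side cloud configuration audit.

The inventory below is CONSTRUCTED sample data in a simplified, hypothetical
format (not a real CSP API response). It models the two resource kinds a
customer typically owns under the shared responsibility model: network
security groups and storage buckets.
"""
import ipaddress

# Constructed inventory; resource names and settings are hypothetical.
INVENTORY = [
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
                 {"proto": "tcp", "port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "name": "db-sg",
     "ingress": [{"proto": "tcp", "port": 5432, "cidr": "10.0.0.0/16"}]},
    {"type": "bucket", "name": "customer-exports",
     "public_read": True, "encryption": False, "access_logging": False},
    {"type": "bucket", "name": "app-assets",
     "public_read": False, "encryption": True, "access_logging": True},
]

# Administrative / database ports that should never be reachable from
# the entire internet. Public web ports (80/443) are deliberately absent.
ADMIN_PORTS = {22, 3389, 5432, 3306, 1433, 27017, 6379}


def is_world_open(cidr):
    """True if the CIDR covers every address (a /0 prefix, v4 or v6)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_group(sg):
    """Return (resource, severity, message) for each world-open admin port."""
    findings = []
    for rule in sg["ingress"]:
        if is_world_open(rule["cidr"]) and rule["port"] in ADMIN_PORTS:
            findings.append((sg["name"], "HIGH",
                             f"port {rule['port']} open to {rule['cidr']}"))
    return findings


def audit_bucket(bucket):
    """Return findings for public access, missing encryption, missing logs."""
    findings = []
    if bucket.get("public_read"):
        findings.append((bucket["name"], "HIGH", "public read access enabled"))
    if not bucket.get("encryption"):
        findings.append((bucket["name"], "MEDIUM", "server-side encryption disabled"))
    if not bucket.get("access_logging"):
        findings.append((bucket["name"], "LOW", "access logging disabled"))
    return findings


def audit(inventory):
    """Run every resource through the check for its type."""
    findings = []
    for resource in inventory:
        if resource["type"] == "security_group":
            findings.extend(audit_security_group(resource))
        elif resource["type"] == "bucket":
            findings.extend(audit_bucket(resource))
    return findings


def remediate_security_group(sg):
    """Corrected setting: drop world-open rules on administrative ports.

    Keeps world-open rules on non-admin ports (e.g. 443) and all scoped rules.
    """
    kept = [r for r in sg["ingress"]
            if not (is_world_open(r["cidr"]) and r["port"] in ADMIN_PORTS)]
    return {**sg, "ingress": kept}


def remediate_bucket(bucket):
    """Corrected setting: private, encrypted, logged."""
    return {**bucket, "public_read": False, "encryption": True,
            "access_logging": True}


if __name__ == "__main__":
    for name, severity, message in audit(INVENTORY):
        print(f"[{severity}] {name}: {message}")
```

Run against the constructed inventory, the audit reports four findings: the world-open port 22 on web-sg and three on the customer-exports bucket, while db-sg and app-assets pass. Re-running the audit on the remediated copies returns nothing, which is the "monitor and adjust over time" loop the article describes: the check is cheap enough to run on every change, not once a year.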

Cloud security in 2024 is akin to playing a team sport – it requires clear communication and collaboration between technology vendors and customers. When customers understand shared responsibility models and know exactly what they’re accountable for in the security equation, they will be better protected against the cloud threats of today and tomorrow.


Source: https://securityboulevard.com/2024/06/the-team-sport-of-cloud-security-breaking-down-the-rules-of-the-game/