One of the most attractive aspects of cloud computing is how it reduces the operational management burden for organizations. For instance, you don’t have to worry about installing updates or patches on applications deployed as Software as a Service (SaaS), nor do you have to worry about upgrading the software. The cloud provider handles it all.
One might also assume that moving applications to the cloud negates the responsibility for securing them. Unfortunately, that is not the case. Customers should be aware of their responsibilities depending on where the workload is hosted. Infrastructure as a Service (IaaS) customers do need to manage patches to the applications and OS deployed in their cloud environments. Platform as a Service (PaaS) customers do not need to manage patches to the OS but do need to manage patches to their applications. This is commonly misunderstood by users of the cloud.
Many assume that the cloud provider is responsible for securing their applications; however, according to Gartner, 99% of cloud security failures will be the customer’s fault.
The Cloud Responsibility Model
While migrating to the cloud may reduce your operational responsibilities, it by no means eliminates your security responsibilities. Clouds operate under a shared responsibility model, which defines the division of security responsibilities between the cloud service provider (CSP) and the customer. It brings clarity to who is responsible for securing which components of the cloud environment, and every major cloud provider offers documentation to help customers understand their role in this model. The CSP's responsibilities generally include:
- Physical Security: Protecting data centers with measures such as physical access controls and surveillance systems
- Infrastructure Security: Securing hardware components, networking equipment, and sometimes virtualization layers to ensure the integrity of the underlying infrastructure.
- Network Security: Implementing tools and measures such as firewalls, intrusion detection systems (IDS), and network segmentation to prevent unauthorized access to cloud infrastructure.
- Service Availability: Ensuring high availability and uptime through disaster recovery capabilities and protection against Distributed Denial-of-Service (DDoS) attacks.
So, what are cloud customers responsible for? To put it simply, customers are responsible for securing everything they deploy or configure within the tenant environment. This includes things such as:
- Data Security: This includes encrypting data at rest and in transit as well as classifying it to ensure proper handling
- Identity and Access Management (IAM): Managing user accounts, roles, permissions and authentication mechanisms
- Compliance: Customers are responsible for configuring settings and services to meet their own industry regulations
- VM Management: Clients that install a VM must configure it, maintain it and secure the operating system
CSPs usually provide their customers with tools to assist their security efforts; however, it is up to the customer to use them. For instance, your cloud provider offers multifactor authentication, but it is up to you to configure it and turn it on. The CSP provides you with a tool to create users and groups, but you determine what their privileges are. It provides you with a maintained service application, but you configure who gets to access it.
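As an added illustration of the three customer-side settings just described (this is not code from the original article or from any provider), the Python example below audits a tenant snapshot for disabled MFA, wildcard privileges and unrestricted application access. The snapshot layout, names and values are constructed assumptions; the policy documents follow the AWS IAM JSON policy grammar (Effect, Action, Resource), where fields may be a single item or a list.

```python
# Added example: audits a CONSTRUCTED tenant snapshot for the customer-side
# settings named above. The snapshot layout is hypothetical; the policy
# documents follow the AWS IAM JSON policy grammar (Effect/Action/Resource).

SNAPSHOT = {  # constructed sample data, not a real provider export
    "users": [
        {"name": "alice", "mfa_enabled": True, "policies": ["read-reports"]},
        {"name": "bob", "mfa_enabled": False, "policies": ["admin-all"]},
    ],
    "policies": {
        "read-reports": {"Statement": {"Effect": "Allow",
                                       "Action": "s3:GetObject",
                                       "Resource": "arn:aws:s3:::reports/*"}},
        "admin-all": {"Statement": [{"Effect": "Allow",
                                     "Action": ["*"], "Resource": "*"}]},
    },
    "apps": [{"name": "billing-portal", "allowed_principals": ["*"]}],
}

def as_list(value):
    """IAM policy fields may be a single item or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def wildcard_statements(policy):
    """Return Allow statements granting every action on every resource."""
    return [s for s in as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow"
            and "*" in as_list(s.get("Action", []))
            and "*" in as_list(s.get("Resource", []))]

def audit(snapshot):
    """Return (control, subject, finding) tuples for customer-owned settings."""
    findings = []
    for user in snapshot["users"]:
        if not user.get("mfa_enabled", False):
            findings.append(("MFA", user["name"], "MFA offered but not enabled"))
        for pname in user.get("policies", []):
            if wildcard_statements(snapshot["policies"].get(pname, {})):
                findings.append(("IAM", user["name"],
                                 f"policy {pname} allows * on *"))
    for app in snapshot["apps"]:
        if "*" in app.get("allowed_principals", []):
            findings.append(("Access", app["name"], "open to any principal"))
    return findings

if __name__ == "__main__":
    for control, subject, finding in audit(SNAPSHOT):
        print(f"{control:7} {subject:15} {finding}")
```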
What is Cloud Security?
If you are responsible for cloud security, then it’s important to understand what it is. Cloud security refers to the set of policies, technologies, controls, and practices designed to protect data, applications, and infrastructure in cloud computing environments. Like on-premises security, cloud security involves multiple layers of protection, and enforcing the principle of least privilege is essential to prevent overly permissive access and reduce the risk of unauthorized actions.
Increasing Cloud Vulnerability
While there are some similarities between protecting on-premises environments and the cloud, there are many differences too. Companies have been migrating a majority of their workloads to the cloud, but one thing hasn’t migrated well: cybersecurity skills. Securing the cloud requires a different skillset and knowledge base that, unfortunately, is in short supply. According to a 2025 State of Cloud Security Report, of organizations report a shortage of expertise in cloud security. The same report also found that 78% of organizations use two or more cloud providers. This multi-cloud approach can increase complexity and confusion, as each provider has its own unique responsibility model and set of security tools that organizations must understand and manage.
All of this has not gone unnoticed by threat actors.
- The 2025 Verizon DBIR notes, as an indicator of cloud security risk, that “43% of disclosed cloud-infrastructure secrets are Google Cloud API keys.”
- According to the 2024 Cloud Security Report by Check Point Software Technologies, 61% of organizations reported significant cloud security incidents.
- A 2025 report highlights that 80% of organizations have encountered a rise in cloud-based attacks.
- Gartner predicts that by 2027, investigations involving cloud/third-party infrastructure will rise to more than two-thirds of reported incidents.
How to Get Clarity about Cloud Security
If you’re unsure about your security responsibilities in the cloud or the vulnerabilities that potentially reside within your cloud environments, a point-in-time assessment or a quarterly or continuous cloud security assessment program can provide the clarity you need. HALOCK Security Labs offers comprehensive assessments that identify risks across Azure, M365, AWS, and Google Cloud (GCP) environments and recommend effective remediation steps.
Our assessments leverage a combination of automated assessments using a Cloud-Native Application Protection Platform (CNAPP) and manual assessments using the CIS benchmarks to evaluate and rate your cloud controls and risks. This process combines automation with expert manual review to ensure a thorough analysis of your cloud security posture. For added clarity, we categorize each control as high, medium, or low risk, making it easy to prioritize remediation efforts. Before you migrate more to the cloud, consult with our cloud experts who can empower you to make better decisions about securing your cloud environment.