Organizations migrating to cloud platforms frequently have unclear understanding of security responsibility. The cloud provider secures the infrastructure. The customer is responsible for securing configuration, data, and applications. This distinction, called the shared responsibility model, is fundamental to cloud security. Organizations that misunderstand responsibility often discover that they have relied on their cloud provider for security protections that are actually the customer’s responsibility. This article clarifies what cloud providers secure and what customers must secure themselves.
The Shared Responsibility Model
Cloud providers like AWS, Microsoft Azure, and Google Cloud Platform secure the infrastructure that hosts customer applications and data. They secure the physical data centers, the networks, the storage systems, and the virtualization platforms. They patch the hypervisors, maintain the storage systems, and manage network security at the infrastructure layer.
Customers are responsible for everything running on that infrastructure. They secure their applications, their data, their configurations, and their identity management. They patch their operating systems and applications, configure network security for their environments, manage access to their resources, and protect their data.
This division of responsibility is sometimes misunderstood. Organizations frequently assume that moving to the cloud means cloud providers handle all security. It does not. Customers are responsible for the majority of security decisions and the majority of security implementation.
Cloud security is a shared responsibility. The cloud provider secures the platform. You secure your use of the platform.
What Cloud Providers Secure
Cloud providers assume responsibility for security of the infrastructure and the platform. This includes:
Physical Security
Cloud providers secure physical data centers. They restrict access to data center facilities. They monitor who enters and exits. They implement video surveillance, biometric access control, and security personnel. They secure power systems, cooling systems, and network infrastructure.
Customers do not secure physical infrastructure. The data center is controlled and secured by the cloud provider.
Infrastructure Security
Cloud providers maintain the security of the virtualization platforms, storage systems, and networking infrastructure. They patch hypervisors. They maintain separation between customer environments so that one customer cannot access another customer’s data or systems. They apply security updates to infrastructure systems.
Customers do not patch or maintain infrastructure. They rely on the cloud provider to maintain infrastructure security.
Platform Maintenance
Cloud providers maintain and patch the platforms on which customers deploy applications. A managed database service, for example, is maintained by the cloud provider. The provider patches the database software, maintains backups, and handles patches and updates.
Customers do not manage the underlying database infrastructure. The cloud provider handles this responsibility.
What Customers Must Secure
Customers are responsible for security of their applications, data, and configurations. This includes:
Configuration Security
Cloud resources must be configured securely. This includes:
- Network configuration: firewalls, security groups, and network segmentation that restrict network access to resources.
- Access control: identity and access management that ensures only authorized users have access to resources.
- Encryption settings: enabling encryption for data at rest and in transit.
- Logging configuration: enabling audit logging that creates records of access and modifications.
- Default settings: changing default passwords, disabling unnecessary services, and removing unnecessary permissions.
Cloud providers provide the tools to configure these settings securely. They do not configure them for you. A common vulnerability is that customers deploy cloud resources with default configurations: security groups that allow all traffic, public access enabled for databases, encryption disabled, and logging turned off. The cloud provider has not secured the resources. The customer has deployed insecure configurations.
Data Protection
Customers are responsible for protecting their data. This includes:
- Data classification: categorizing data by sensitivity and determining what protection is appropriate.
- Encryption: encrypting sensitive data in transit and at rest, using keys that the customer controls.
- Backup and recovery: implementing backup procedures and testing recovery to ensure data can be restored if corruption or deletion occurs.
- Data retention: defining retention policies that specify how long data is maintained before deletion.
- Data sanitization: ensuring that deleted data cannot be recovered through forensic methods.
Cloud providers maintain the physical infrastructure that stores data. Customers maintain policies and procedures that protect the logical data stored in that infrastructure.
Access Control and Identity Management
Customers must implement access control that ensures only authorized users can access resources. This includes:
- User provisioning: creating accounts for users who need access and removing access when users leave or change roles.
- Multi-factor authentication: requiring multiple forms of authentication for sensitive resources and accounts.
- Role-based access control: granting users only the permissions they need for their role.
- Access reviews: periodically verifying that access is appropriate and removing access that is no longer needed.
- Service accounts and credentials: managing passwords, API keys, and other credentials that applications and services use to access cloud resources.
Cloud providers provide the tools for access control. Customers implement the access control policies appropriate for their organization.
Application Security
Customers are responsible for security of their applications. This includes:
- Secure development: writing code that does not contain security vulnerabilities.
- Dependency management: identifying and patching vulnerable libraries and frameworks.
- Input validation: validating that user input does not contain malicious code.
- Authentication and authorization: implementing login and access control within the application.
Cloud providers do not write customer applications. Customers own application security.
Operating System and Patch Management
When customers deploy virtual machines or other compute resources that require operating system management, they are responsible for patching the operating system and applications. Cloud providers provide the infrastructure. Customers manage the systems running on that infrastructure.
Managed services reduce this responsibility. A managed database service is patched by the cloud provider. A virtual machine with an operating system is patched by the customer.
Common Security Misunderstandings
Organizations frequently misunderstand cloud security responsibility and discover their misunderstanding during a breach or security incident.
Misunderstanding One: Cloud Encryption
A customer assumes their cloud provider encrypts all data, providing protection. The cloud provider does encrypt data in transit between customer applications and storage. However, the customer must manage encryption keys. If the customer does not manage encryption keys appropriately, the encryption provides minimal protection.
For example, a customer might store encryption keys in the same cloud account as encrypted data. If an attacker gains access to the account, they can access both encrypted data and keys. The encryption is useless. Customers must use key management services that separate keys from data.
Misunderstanding Two: Cloud Security Groups
A customer deploys a database in the cloud and configures the security group to allow all traffic. The customer assumes the database is secure because it is in the cloud. The cloud provider has not secured the database. The customer has configured it to be publicly accessible.
Cloud security is only as strong as customer configuration. A wide-open security group configuration is not a cloud provider security gap. It is a customer configuration error.
Misunderstanding Three: Cloud Backups
A customer assumes the cloud provider backs up their data. Many cloud providers do provide automated backups. However, some storage services do not provide automated backups. Customers are responsible for understanding what backup their cloud provider provides and implementing additional backup if necessary.
More importantly, a customer is responsible for testing that backups are actually recoverable. A backup that cannot be restored is not a backup. Customers should regularly test recovery procedures to verify that backup and recovery work as expected.
Misunderstanding Four: Cloud Logging
A customer assumes that the cloud provider logs access to resources and alerts on suspicious activity. Many cloud providers provide logging. However, logging must be enabled by the customer. Logging must be configured appropriately. Logs must be aggregated and analyzed.
A customer can have comprehensive logs stored by the cloud provider but have no monitoring or analysis of those logs. Logs are only effective if they are actively analyzed.
Building Secure Cloud Deployments
Organizations deploying to cloud platforms should implement the following security practices:
- Understand your cloud provider’s shared responsibility model. Read the documentation. Understand what the provider secures and what you must secure.
Configure security groups and network controls to restrict access to resources. Do not rely on defaults.
Implement multi-factor authentication for all user accounts and service accounts with elevated privileges.
Enable encryption for all sensitive data. Use encryption keys that you control, not keys managed by the cloud provider.
Enable audit logging for all resources. Aggregate logs from all systems into a centralized location for analysis.
Implement regular access reviews. Verify that users have appropriate access and remove access that is no longer needed.
Patch all operating systems and applications regularly. Cloud provider infrastructure is patched by the provider. Your systems must be patched by you.
Test backup and recovery procedures. Verify that you can recover data if needed.
Monitor and analyze logs for suspicious activity. Enable alerting on unusual patterns.
Configure security groups and network controls to restrict access to resources. Do not rely on defaults.
Implement multi-factor authentication for all user accounts and service accounts with elevated privileges.
Enable encryption for all sensitive data. Use encryption keys that you control, not keys managed by the cloud provider.
Enable audit logging for all resources. Aggregate logs from all systems into a centralized location for analysis.
Implement regular access reviews. Verify that users have appropriate access and remove access that is no longer needed.
Patch all operating systems and applications regularly. Cloud provider infrastructure is patched by the provider. Your systems must be patched by you.
Test backup and recovery procedures. Verify that you can recover data if needed.
Monitor and analyze logs for suspicious activity. Enable alerting on unusual patterns.
Managed Services: Shifting Responsibility
One way to reduce your security responsibility is to use managed services rather than infrastructure-as-a-service. Managed services shift some responsibility to the cloud provider.
For example:
Infrastructure-as-a-Service: You deploy a virtual machine. You are responsible for patching the operating system, patching applications, and maintaining the system. The cloud provider maintains the infrastructure.
Platform-as-a-Service: You deploy an application on a managed platform. The cloud provider maintains the underlying platform, including patching. You are responsible for application security and access control.
Managed Database Service: You use a cloud-provided database. The cloud provider maintains the database software, patches, and backups. You are responsible for configuring access, encrypting data, and managing user access.
Managed services reduce your operational responsibility. However, they do not eliminate your security responsibility. You must still configure managed services securely, control access, and protect data.
Conclusion: Security Shared Responsibility
Cloud platforms provide significant security advantages: infrastructure is maintained by vendors with security expertise, data centers are secured by enterprise vendors, and redundancy and backup are built into cloud platforms.
However, these advantages do not eliminate your security responsibility. You must secure your configuration, your data, your applications, and your access. The division of responsibility between you and your cloud provider is clear. Organizations that understand this division implement secure cloud deployments. Organizations that misunderstand responsibility often discover their misunderstanding when a security incident occurs.
Cloud providers secure the infrastructure. You secure your use of the infrastructure. Understand this distinction and build secure deployments accordingly.
Valukoda helps growing businesses make smarter technology decisions. Whether you need strategic IT leadership, managed services, or a security program built from the ground up, we bring decades of CIO and CISO experience to your team. Schedule a conversation or call us at 888.380.7212.
© 2026 Valukoda, Inc. All rights reserved.

