The cloud is associated with security guaranteed by a huge provider. That is only half true. Microsoft, Google or another operator really does run data centres, power, network and physical protection at a level a small company will never achieve. But who has access to your data, whether it is backed up and whether it leaks out, that is already your responsibility. In the cases we handle, losses most often come not from a cloud failure but from the mistaken assumption that because data is in the cloud, it is secure on its own.
The shared responsibility model, or who is responsible for what
The most important concept to start with is the shared responsibility model. It divides duties between the provider and the customer and differs depending on the service.
- The provider is responsible for the cloud. Physical servers, network, power, updates of the hardware layer and the underlying infrastructure. You do not have to watch over this.
- You are responsible for what is in the cloud. Accounts and passwords, permissions, service configuration, data classification and who you share it with.
The boundary shifts depending on the model. In a service like Microsoft 365 the provider takes on more, because you get a ready-made application. In a virtual machine in the Azure cloud it is you who updates the operating system and looks after its security. The rule is constant: the more configuration freedom you get, the more responsibility rests on you.
The most common mistake I see during audits is the belief that the provider backs up the customer’s data. It secures its own infrastructure. Your files, which an employee deletes or ransomware encrypts, are no longer its problem.
Data encryption
Encryption is the basic layer of protection and in serious clouds it is on by default, but it is worth understanding how it works.
- Data at rest. What sits on the provider’s disks is encrypted. Even physical theft of a drive does not give access to the content.
- Data in transit. The connection between your computer and the cloud is encrypted, usually with TLS. This means no one can eavesdrop on the data along the way.
For a company the practical question is: who holds the encryption keys. In most cases the provider manages them and that is enough. If you process especially sensitive data, it is worth considering managing your own keys, which gives fuller control but requires a process for storing them securely.
Access control
In the cloud there is no firewall wall around everything. Instead there is an account that reaches your email and files from anywhere in the world. That is why identity is the new security perimeter, and access control is the most important thing to get right today.
- Multi-factor authentication (MFA). An absolute basic for every account. A password alone stopped being enough long ago.
- The principle of least privilege. An employee gets access only to what they need in their role, and nothing more.
- Order in accounts. Former employees’ accounts must be blocked immediately. An active account of someone who left six months ago is a ready-made entry point.
- Conditional access. The ability to block sign-ins from unusual countries or from unmanaged devices.
Backing up data in the cloud
This is the point that surprises the most companies. The cloud provides availability, meaning the service works, but it does not replace a backup of your data. If an employee deletes folders and someone empties the recycle bin in the heat of the moment, the data disappears once the retention period passes. The same applies to malicious encryption or account takeover.
Providers such as Microsoft operate under the shared responsibility model here too: they look after the availability of the platform, but you are responsible for the recoverability of your content. That is why we recommend a separate Microsoft 365 backup, independent of the platform itself. A good copy should follow the 3-2-1 rule: three copies of the data, on two different media, with one off the main location.
Data location
The last element a company must know about is where its data physically sits. This matters for GDPR compliance and for industry requirements.
- Data region. Check whether the provider stores data in the European Union. Serious operators let you choose a region and document it.
- Transfers outside the EU. If data goes to countries outside the European Economic Area, you need an appropriate legal basis.
- Data processing agreement. With every cloud provider that processes personal data you should have a signed data processing agreement.
These three points are not bureaucracy for its own sake. They decide whether, in the event of an inspection or an incident, you can prove you are in control of your data.
Where to start
If your company already uses the cloud and the points above only sound partly familiar, a sensible order is this:
- Enable MFA on all accounts and tidy up permissions.
- Check who has access to the data and remove accounts that should no longer exist.
- Provide an independent backup of cloud data, compliant with the 3-2-1 rule.
- Verify where the data sits and whether you have signed data processing agreements.
- Consider data leak protection if you process sensitive information.
The cloud is secure exactly to the extent that you configure it yourself. If you want to be sure that your part of the shared responsibility model is taken care of, we will help you put the whole thing in order: from access and backup to data leak protection. A good first step is a conversation about which data is critical for the company and what actually protects it today.