Cloud control: Your data, their infrastructure – who owns the risk?
Published by Scott Norrish, Director, Customer (Queensland, Australia) on 6 August 2025
As organisations accelerate their adoption of cloud platforms, the boundaries of cyber security have shifted — but responsibility hasn’t always kept pace.
In this blog, we explore why cloud environments have become the new battleground for cyber threats and how misconfigurations, complexity, and unclear ownership are exposing businesses to risk. We unpack the shared responsibility model, highlighting the operational blind spots that attackers are exploiting.
From embedding security into DevOps pipelines to rehearsing cloud-native incident response, this post reframes cloud security as a leadership challenge that demands visibility, accountability and alignment — not just tools.
In a world where your data lives on someone else’s infrastructure, the organisations that succeed will be those that understand the risks, own the response, and stay ready.
Cloud: the new cyber security battleground
In today’s digital era, data often lives beyond an organisation’s direct control, making the cloud no longer just a business enabler, but rather, a contested environment where traditional security boundaries no longer apply and attackers thrive on confusion.
Cloud platforms offer flexibility, scale, speed, and resilience, enabling rapid innovation and new digital service models. But with more infrastructure outsourced or shared, the consequences of failure remain the organisations alone. Previously, enterprise data was protected behind perimeter firewalls within managed environments. Now, assets are scattered across multi-cloud platforms, SaaS ecosystems, hybrid networks, and third-party supply chains — often without clear visibility.
The cloud is changing — and so is the attack surface
Cloud infrastructure has evolved from a hosting convenience to the core engine of digital transformation. Organisations now deploy thousands of cloud services across multiple providers. From IaaS to container orchestration, zero trust, and cloud-native SIEM and SOAR tools, complexity is rising rapidly.
This complexity is not just technical but operational and cultural. Traditional ownership, control, and accountability models are breaking down. Who configures a cloud environment spun up by a DevOps team in a regional unit? Who monitors and patches it? Who responds if it’s breached? Cloud security is no longer only about controls — it’s about clarity.
Complexity and confidence: a dangerous mix
Many organisations wrongly believe cloud platforms are “secure by default” or that providers handle all security aspects. Misconfigurations like public S3 buckets or exposed management consoles remain dominant breach causes, often invisible to defenders until exploited.
Security teams struggle to adapt detection and response to cloud environments. Traditional SIEMs may not fully ingest cloud-native logs; endpoint tools miss ephemeral workloads; and identity systems span multiple providers with inconsistent policies.
Attackers exploit these gaps — between providers, customers, and third parties — targeting limited visibility, slow detection, and fragmented responsibility. Increasing interdependence of cloud services means one misstep can have an enormous impact.
The shared responsibility model: too often a shared illusion
Cloud providers outline a shared responsibility model — they secure the cloud infrastructure; customers secure what’s in it. But in practice, this boundary is blurred. Developers may not understand security implications; security teams lack full visibility; risk ownership fragments and assumptions fill the gaps.
Organisations must do more than acknowledge the model — they must operationalise it. Assign explicit accountability for cloud security configurations, continuously validate controls, and ensure incident response plans include providers and supply chains.
What effective cloud security requires
Effective cloud security goes beyond tools. It demands alignment, design, and discipline.
- Embed security from the start: Secure-by-default configurations, infrastructure-as-code guardrails, and enforced policies in development pipelines. Assessing risk only at production is too late.
- Ensure visibility: Unified telemetry across environments and services is critical. Deploy and tune CSPM, CWPP, and cloud-native SIEM tools — but more importantly, understand and act on their outputs.
- Foster collaboration: Cloud security requires partnership between security, IT operations, application owners, and business leaders. Roles and responsibilities must be clear for everyday operations and incident response.
- Build readiness: Tabletop exercises and red team simulations should reflect cloud-native scenarios — identity compromise, SaaS breaches, third-party data exfiltration. These build a shared operational language beyond security teams.
Your cloud, your risk
Attackers don’t respect organisational boundaries. They move fast, target mistakes, and exploit shared environments with precision. Cloud is no longer a phase but the future — yet as infrastructure abstraction grows, accountability must not evaporate.
The real question is: do you truly understand your cloud risks, own your responsibilities, and rehearse your response? In the cloud, your greatest defence isn’t just technology — it’s clarity.
Conclusion: don’t lose control at altitude
Cloud transforms how we build and secure businesses — shifting rules of engagement, expanding attack surfaces, and redistributing responsibility. Passive trust — assuming someone else “has it covered” — is dangerous.
Securing cloud environments demands intentional design, relentless visibility, and a culture of shared accountability.
This isn’t about fearing cloud — it’s about mastering it.
Because while cloud platforms may be built by others, the risk and reputation remain yours.
Gain more insights and best practice guidance in CyberCX’s newly released Secure Cloud & AI Report
