
How I Explain Cloud Risk to CEOs

Most organizations believe that moving to the public cloud automatically makes them secure. That's not the case. Why? Because even though the hyperscale cloud provider is responsible for building the most secure platform worldwide, you also have a responsibility.

In cloud security, we call this the shared responsibility model. There's a responsibility for the cloud provider and the cloud consumer. That’s you.

Now you may ask, "Jetro, what am I always responsible for?" Three things.

Information & Data

You're always responsible for your information and data. So whatever you put into the cloud, you have to make sure that you back it up, for example. There's no default backup. Yes, hyperscale cloud providers often have these nice features that automatically back up your data, but you have to activate and configure them. That's the whole point.

When I give training, I often ask people: "How many of you are using OneDrive or Google Drive?" All the hands go up. And then I ask, "How many of you back up your data from OneDrive and Google Drive?" And they’re like, "Wait, I have to back up OneDrive?" Yes, because the cloud provider is responsible for having a secure platform available, but you're responsible for the data you put there. So yes, you need to back up your OneDrive, Google Drive, and cloud storage.

Devices (Endpoints)

The second thing you're always responsible for is devices, all the endpoints. Think of smartphones, laptops, and servers; they all connect to the cloud. You have to keep them up to date, patched, and secured. If not, your endpoint is at risk, and therefore your data in the cloud is at risk. Keeping your devices and assets up to date is very important.

Accounts & Identities

The third thing you're always responsible for is accounts and identities. Remember, in the cloud, identity is your first line of defense. It's a public cloud, meaning everybody could theoretically connect to your environment. But who manages the identities? You. Who's responsible for keeping those identities up to date? You.

Remember, identities are not just people — they include devices, APIs, applications, and of course, natural people. They all have an identity, and with an identity comes access privileges. So you're responsible for keeping your identities up to date and well privileged — not overprivileged.

In summary, yes, public cloud is more secure than on-premises if configured well. But you're always responsible for three things:

🔸 Information & Data
🔸 Devices or Endpoints
🔸 Accounts & Identities

Stay sharp,
Jetro


🔔 My goal is to help as many European organizations as possible turn their fragmented cybersecurity into well-governed cyber resilience.

Here’s how I usually help:

🔸 Fractional CISO services
🔸 Cyber risk assessments
🔸 Certified training
🔸 Keynotes

👉 Want to talk? Reach me at: ciso@bluedragonsecurity.com :: +32 495 81 47 41 (WhatsApp OK)

