WWW.INFORMATIONWEEK.COM
Clearing the Clouds Around the Shared Responsibility Model
In the early days of cloud, confusion around the shared responsibility model abounded. It was common for customers to simply assume that putting their data in the cloud meant that data was secure with no effort on their end. Today, that misconception, while not entirely erased, is much less likely to trip enterprises up.

Migration to the cloud continues and cloud maturity varies depending on the enterprise. Misconfigurations happen, as do breaches. In fact, the majority of breaches (82%) involved data in the cloud, according to IBM's Cost of a Data Breach Report 2023.

As organizations increasingly embrace their use of multiple cloud services, threat actors will continue to target them. Understanding how cloud providers are responsible for the security of the cloud and how customers are responsible for security in the cloud can help enterprises avoid potential missteps.

Who Is Responsible for What?

The broad definition of the shared responsibility model means cloud service providers (CSPs) are in charge of securing the underlying infrastructure of the cloud. Data centers and physical networks are their responsibility. Customers are responsible for securing their environment and their data in the cloud.

While that broad definition is widely accepted, there is room for nuance among the various CSPs. "They view it the same broadly, and then, they view it differently when you get into specific services," Randy Armknecht, managing director, global cloud advisory at global consulting firm Protiviti, tells InformationWeek.

And CSPs offer a lot of different services. "We have over 200 services so that bar of the customer side and AWS side does shift a little bit on a couple of the services," Clarke Rodgers, director of enterprise strategy at cloud computing company Amazon Web Services (AWS), says.

Enterprise leaders need to dig into the documentation for each cloud service they use to understand their organizational responsibilities and to avoid potential gaps and misunderstandings.

While there is a definite division of responsibilities, CSPs typically position themselves as partners eager to help their customers uphold their part of cloud security. "The cloud service providers are very interested and invested in their customers understanding the model," says Armknecht.

Google, for one, opts to refer to the shared responsibility model as one of "shared fate." "We step over that shared responsibility boundary, partner with our customers, and provide much more prescriptive guidance and capabilities and services and teams like mine, for example, to help them with that part of that responsibility model," explains Nick Godfrey, senior director and global head, office of the CISO at Google Cloud, Google's suite of cloud computing services.

Customer success is a common mantra among cloud providers, although the exact wording may be different. "Cloud is just not a technology. It's ultimately a partnership for the enterprise with the provider," says Nataraj Nagaratnam, CTO for cloud security at technology company IBM.

When Misunderstandings Happen

Both parties, customer and provider, have their security responsibilities, but misunderstandings can still arise. In the early days of cloud, the incorrect assumption of automatic security was one of the most common misconceptions enterprise leaders had around cloud. Cloud providers secure the cloud, so any data plunked in the cloud was automatically safe, right?

Wrong.

"Once that customer decides to sign up for an account, start using AWS services, start putting data in there, it is their responsibility how they choose to configure our services to meet their specific security, compliance, and privacy needs," Rodgers explains.

Cloud customers might also mistakenly make assumptions about compliance with regimes like PCI DSS or HIPAA. "Microsoft and AWS and others have all of the configuration settings available and services available to be PCI compliant, but simply [putting] your data there does not make you compliant. You have to deliberately configure things to be compliant," says Armknecht.

Today, CSPs are much less likely to run into customers who make these kinds of assumptions. "Over time, that misconception has definitely [been] reduced, but unfortunately, it has not gone away," says Nagaratnam.

Even if customers fully understand their responsibilities, they may make mistakes when trying to fulfill them. Misconfigurations are a potential outcome for customers navigating cloud security. It is also possible for misconfigurations to occur on the cloud provider side.

"The CIA triad: confidentiality, integrity, and availability. Essentially a misconfiguration or a lack of configuration is going to put one of those things at risk," says Armknecht. Misconfigurations might result in issues like system outages or exploitable vulnerabilities.

Cloud providers recognize that potential risk and aim to help customers avoid that pitfall. "We look really hard at providing layers of defense and multiple controls so that there is massively reduced likelihood of one misconfiguration causing that sort of nightmare scenario," says Godfrey.

But misconfigurations do still happen. "Where we find people having that misunderstanding is when it gets to the per service level, and I typically think it's a result of IT and development teams moving [too] fast," says Armknecht. "They didn't go validate their assumption of the shared responsibility model for each service."

Talking Shared Responsibility

How should customers talk to their CSPs about shared responsibility?

"I would absolutely look at the nature of the support and services that the CSP provides to the customer. I would ask questions around their philosophy and approach to secure [by] default and secure by design principles," says Godfrey. "I would ask about the support in terms of providing foundations and blueprints and guidance to enable the customer to not have to figure everything out themselves."

Conversations around expectations and available support can provide enterprise customers with more clarity. Once armed with that knowledge, enterprise teams -- often led by the coordinated efforts of the CIO, CTO, and CISO -- need to put in the internal work of upholding their cloud security responsibilities.

"There's often a tendency to assume that the relationship between the CISO and the CTO or the CIO is adversarial or challenged because they want different things," says Godfrey. "We actually think they probably want exactly the same things, which is a secure and resilient cloud that enables the business to do business at the speed it wants to do it with all of the agility that the cloud has the potential to offer."

Depending on the maturity of the organization, it may or may not have those roles filled or the resources to properly manage the shared responsibilities associated with the cloud.

"Not all customers are the same. They don't have the same resources. They don't have the same staffing or skill sets internally," says Rodgers. "Customers might onboard an MSSP [managed security service provider] and use them while they're upskilling their own staff and then eventually sort of wean off the MSSP as they gain more familiarity and functionality inside of AWS."

Multi-Cloud Complexity

As enterprises increasingly leverage the benefits of the cloud, they may find it advantageous to work with different providers and adopt different services to support a variety of business functions. "The majority of the customers that I meet with are using more than one cloud, or they're using SaaS services," Rodgers shares.

Maintaining their half of the shared responsibility model can become more complicated for customers like that. Enterprise teams need to understand how their responsibilities shift, depending on the provider and the specific service. "So, the team just has more to do; it's going to take longer," says Armknecht. He also points out that teams may understand one cloud environment but struggle with another. "Maybe they misstep on which controls are needed to meet their shared responsibility."

While the complexities of multi-cloud and hybrid environments abound, there are some ways in which managing shared responsibility could become easier. "Those responsibilities can be made much more addressable using technologies like AI and automation," Nagaratnam points out.

As technology and risk continue to change, what will that mean for the shared responsibility model?

"I think the definitions of where the ... delineation actually technically sits will continue to evolve as cloud products continue to evolve," says Godfrey. "But I don't think the shared responsibility model in that sort of contractual and legal delineation will go away."
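The article's point that "simply putting your data there does not make you compliant" is easiest to see on a concrete service. The following is an added example, written for this page and not code from the article, from AWS or from any of the people quoted. It audits the customer-side settings of an S3 bucket: the public access block, default encryption, and whether the bucket policy grants anonymous access. The two bucket snapshots are constructed to mirror the JSON shapes returned by the `aws s3api get-public-access-block`, `get-bucket-encryption` and `get-bucket-policy` commands; the bucket name, account ID and KMS key ARN are placeholders, and no AWS calls are made.

```python
"""Audit the customer-side configuration of S3 buckets.

Added example, not from the InformationWeek article or from any cloud
provider. The snapshots below are constructed to resemble the JSON that
`aws s3api get-public-access-block`, `get-bucket-encryption` and
`get-bucket-policy` return; nothing here is real account data.
"""
import json

# Constructed snapshot of a bucket left the way a team might leave it when
# assuming "it's in the cloud, so it's secure": no public access block,
# no default encryption, and a policy that lets anyone read objects.
WEAK_BUCKET = {
    "Name": "acme-customer-exports",          # hypothetical bucket name
    "PublicAccessBlockConfiguration": None,   # get-public-access-block returned nothing
    "ServerSideEncryptionConfiguration": None,
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::acme-customer-exports/*",
        }],
    }),
}

# The same bucket after the customer has done its part of the model.
HARDENED_BUCKET = {
    "Name": "acme-customer-exports",
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    },
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            # placeholder key ARN, not a real key
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
        }}],
    },
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::acme-customer-exports",
                         "arn:aws:s3:::acme-customer-exports/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }),
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_wildcard_principal(principal) -> bool:
    """True if a policy statement's Principal matches anyone at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def audit_bucket(snapshot: dict) -> list[str]:
    """Return the customer-side findings for one bucket snapshot."""
    findings = []

    # 1. All four public access block flags should be on.
    pab = snapshot.get("PublicAccessBlockConfiguration") or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))

    # 2. Default encryption should be configured (SSE-S3 or SSE-KMS).
    rules = (snapshot.get("ServerSideEncryptionConfiguration") or {}).get("Rules") or []
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               for r in rules):
        findings.append("no default encryption")

    # 3. No unconditional Allow to a wildcard principal. A Deny with
    #    Principal "*" (the usual "require TLS" statement) is fine.
    policy = snapshot.get("Policy")
    if policy:
        statements = json.loads(policy).get("Statement", [])
        if isinstance(statements, dict):   # a lone statement may be un-listed
            statements = [statements]
        for st in statements:
            if (st.get("Effect") == "Allow"
                    and _is_wildcard_principal(st.get("Principal"))
                    and not st.get("Condition")):
                findings.append(
                    f"policy statement {st.get('Sid', '?')} allows anonymous access")
    return findings


if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["Name"], audit_bucket(bucket) or ["OK"])
```

The third check deliberately looks at `Effect` before flagging a wildcard principal: the hardened policy also uses `Principal: "*"`, but as a `Deny` that refuses plaintext HTTP, which is exactly the kind of deliberate configuration the article says the customer has to put in place. Running the same function across every bucket in an account (feeding it the real API responses instead of the constructed snapshots) is a small, repeatable way to validate the customer half of the model per service rather than assuming it.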