The Shared Responsibility Model Explained

Cloud providers guarantee uptime, not data safety. Here's what you're actually responsible for.


Written by senior engineers with decades of experience managing IT and cybersecurity for Northern BC businesses.

Your data is in the cloud, so it's protected, right? Not automatically. Microsoft and Google guarantee that their infrastructure stays up, that their data centres are physically secure, and that their systems run reliably. They do not guarantee the safety of your data, the strength of your account configurations, or the actions your users take. Most businesses misunderstand this line. The result is unrecovered data and preventable breaches.

What Cloud Providers Guarantee

Microsoft's own service level agreement explicitly states that the company is not responsible for data loss. The agreement covers uptime (your ability to access your data) and infrastructure security (their systems are not compromised). It does not cover whether your data is backed up, whether your passwords are strong, whether your accounts are properly configured, or whether someone with legitimate access shares data they shouldn't. Those are your responsibilities.

Google's terms are similar. Amazon Web Services' shared responsibility model, which is widely adopted across the industry, draws a clear line. The provider secures the cloud. The customer secures what's in the cloud. A business using Google Workspace or Microsoft 365 often assumes the provider is managing backups, security updates, and user access controls. In reality, the customer must manage all of those things.

Your Side Of The Line

Your organization is responsible for account security. That means strong passwords, multi-factor authentication on every account, and monitoring for suspicious activity. You are responsible for data protection. Cloud services do not back up your data by default. If a user deletes a file and empties the recycle bin, it's gone. You need a separate backup system. You are responsible for device management. Cloud providers don't care what happens on your laptop, your phone, or your staff's personal devices. You need mobile device management, or at least security policies that cover devices accessing your cloud services.

User training is your responsibility. Phishing, social engineering, and credential compromise start with users. Your staff need security awareness training. Account configuration is your responsibility. Default settings in Microsoft 365 or Google Workspace often favour convenience over security. Multi-factor authentication, sharing permissions, and email forwarding rules need your attention. Monitoring and incident response are your responsibility. If something suspicious happens in your cloud environment, you need the ability to detect it and respond.

The Shared Responsibility Reality

Think of it this way. Microsoft doesn't give you a secure account. It gives you a secure platform on which to build a secure account. That's the distinction. The platform is their job. What you do on that platform is yours. A data breach isn't always the cloud provider's responsibility. More often it traces back to the customer side: a weak password, MFA left disabled, or access shared with someone who shouldn't have had it.

This matters because it shifts accountability. You can't assume your cloud provider is protecting your data. You have to actively protect it yourself. A backup strategy that relies on cloud provider redundancy isn't a backup strategy at all. A security posture that assumes your cloud provider handles everything is not a security posture.

Take Responsibility

The first step is acknowledging the division of labour. Your cloud provider secures the infrastructure. You secure your data, your accounts, and your users. If you're uncertain about what you're responsible for in your specific cloud environment, that's a sign you need help. Microsoft 365 management and business continuity planning ensure these responsibilities are covered. The cost of getting it wrong is far higher than the cost of getting it right.