How to protect your cloud deployments

Robust information security can be achieved by aligning security controls that complement the protections offered by cloud service providers.

June 22, 2026

Key takeaways

  • Companies should understand and map out the extent and limitations of security provided by their cloud service provider.
  • Remote workers should remain mindful of how sensitive information is accessed and shared across cloud-based platforms, including social media.
  • Third-party access to cloud deployments requires additional management oversight and compliance with strong security standards.
  • Familiarity with the cloud provider’s guidelines and settings can help organizations protect access to critical data and reduce the risk of breaches. 

Cloud services have become foundational to nearly every modern organization. They power secure data storage, support real‑time communication and collaboration, and seamlessly connect teams, systems and emerging devices across the business.

Cloud services also scale quickly, helping organizations support new partners, customers and remote workers with minimal delay. They’re equally essential in everyday life, powering email, social media and entertainment platforms.

However, these environments also introduce cybersecurity risks. Criminals continue to target unpatched systems, weak identity practices, and vulnerable partners in the digital supply chain. Misconfigurations, unauthorized cloud use and poorly managed access can expose sensitive data and lead to compliance issues. 

According to one study, 77% of organizations recognize that security is one of their top cloud challenges.[1] One problem is that many companies simply have not assessed the risks associated with cloud deployments or have not determined what elements of security are their responsibility.

Since most organizations depend on cloud service providers (CSPs) to maintain these systems, it can be challenging to determine what elements of security are the responsibility of the CSP and which are not. Customer responsibility varies significantly depending on whether the cloud services are consumed as Infrastructure‑as‑a‑Service (IaaS), Platform‑as‑a‑Service (PaaS) or Software‑as‑a‑Service (SaaS). 

Understanding the limits of CSP security

CSPs usually offer built-in security features that exceed the technical capabilities and financial resources of most small and midsize businesses. One study shows that 82% of organizations are using a multi-cloud or hybrid environment.[2] The cloud can be as secure as in-house systems, but only if managed with appropriate storage and access controls.

While CSPs often provide tools to help manage cloud configuration, there are still many elements of security infrastructure — such as firewalls, devices and account access — that remain the cloud user’s responsibility. In fact, CSPs are not the source of most security incidents. Lack of knowledge among cloud customers and misconfiguration of CSP accounts are responsible for most breaches, big and small.

Misconfigurations can occur as teams adapt to the evolving complexity of cloud environments. Because cloud platforms offer a wide range of powerful security settings and capabilities, security and IT specialists may still be building expertise in how to apply them effectively.

Another risk area is having security processes that are incomplete or not fully aligned across the organization. When configurations and permissions aren’t carefully designed, employees may inadvertently access sensitive information, and attackers can exploit those same gaps through tactics like social engineering. This can have serious and costly impacts. Research shows that data breaches involving data stored across multiple environments cost organizations an average of $5.05 million.[3] To reduce the risk of account takeovers by cybercriminals or disruptions to normal operations, it is important to know your third-party vendors and what privileges they have been granted.

How to overcome the obstacles

In many ways, cloud deployment security shares the same core objectives (confidentiality, integrity and availability) as traditional on-premises systems. Cloud security operates under a Shared Responsibility Model, in which the cloud service provider is responsible for the “security of the cloud,” while the customer is responsible for the “security in the cloud.” This model should be supported by a “cover the basics” approach that includes fundamentals such as:

  • Access controls based on the principle of least privilege.  
  • Secure configuration of cloud resources, continuously validated against policy.  
  • Encryption of data at rest, in transit and where supported in use.
  • Network activity monitoring.
  • Limited privileged access to cloud settings.
  • Proper training of IT, security and individual users that includes:
    • Caution when sharing personal data publicly.
    • Caution when posting location/travel data.
    • Strengthening of home cybersecurity controls.

For more specific guidance in addressing cloud security challenges, a CSP can be one of the best sources of advice. Service providers offer a range of advanced security and privacy capabilities, as well as guidelines and security defaults for rigorous configuration of cloud settings. Organizations, as cloud customers, must clearly understand their role in the Shared Responsibility Model and ensure security in the cloud through strong identity and access controls, secure configuration of cloud resources, and appropriate data protection controls.

A CSP may offer continuous monitoring solutions to help detect suspicious user activity and assess an organization’s threat status in real time. Monitoring is also essential to tracking and prioritizing investigations of malicious incidents.

However, CSPs don’t provide much help in minimizing third-party risks. Business and security leaders will need to carefully assess a partner’s security capabilities to make sure they meet or exceed their own. Third-party access often occurs through APIs and delegated tokens, which can introduce persistent risk if privileges are overly broad or not periodically reviewed.
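One way to carry out the periodic review of third-party API keys and delegated tokens described above, as an added example that is not part of the original article. The vendor names, scope strings, dates, the 90-day review interval and the rule for what counts as a broad scope are all assumptions made for illustration.

```python
from datetime import date

# Constructed inventory of third-party grants (hypothetical vendors, scopes, dates).
GRANTS = [
    {"vendor": "payroll-saas", "type": "oauth_delegated",
     "scopes": {"hr.read", "hr.write", "files.*"}, "used_scopes": {"hr.read"},
     "expires": None, "last_reviewed": date(2025, 1, 10)},
    {"vendor": "backup-partner", "type": "api_key",
     "scopes": {"storage.read"}, "used_scopes": {"storage.read"},
     "expires": date(2026, 9, 1), "last_reviewed": date(2026, 5, 2)},
    {"vendor": "analytics-vendor", "type": "oauth_delegated",
     "scopes": {"admin", "reports.read"}, "used_scopes": {"reports.read"},
     "expires": date(2026, 3, 1), "last_reviewed": date(2026, 4, 20)},
]
REVIEW_INTERVAL_DAYS = 90  # assumption: quarterly review policy

def is_broad(scope):
    # Assumed naming convention: wildcards and admin scopes are overly broad.
    return "*" in scope or scope == "admin" or scope.endswith(".admin")

def review_grant(grant, today):
    """Return the list of findings for one third-party grant."""
    findings = []
    broad = sorted(s for s in grant["scopes"] if is_broad(s))
    if broad:
        findings.append("broad scopes: " + ", ".join(broad))
    # Least privilege: anything granted but never exercised is a removal candidate.
    unused = sorted(grant["scopes"] - grant["used_scopes"])
    if unused:
        findings.append("granted but unused: " + ", ".join(unused))
    if grant["expires"] is None:
        findings.append("no expiry (persistent access)")
    elif grant["expires"] < today:
        findings.append("expired but still listed; confirm revocation")
    age = (today - grant["last_reviewed"]).days
    if age > REVIEW_INTERVAL_DAYS:
        findings.append(f"last reviewed {age} days ago")
    return findings

def audit(grants, today):
    """Map vendor -> findings, keeping only grants that need attention."""
    report = {g["vendor"]: review_grant(g, today) for g in grants}
    return {vendor: f for vendor, f in report.items() if f}

if __name__ == "__main__":
    for vendor, findings in audit(GRANTS, date(2026, 6, 22)).items():
        print(vendor, "->", "; ".join(findings))
```

In practice the inventory and the `used_scopes` field would come from the identity provider's consent records and access logs rather than a hand-written list.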

[1] Flexera. 2025 State of the Cloud Report. https://www.flexera.com/blog/finops/the-latest-cloud-computing-trends-flexera-2025-state-of-the-cloud-report

[2] Fortinet. 2025 Cloud Security Report. https://www.cybersecurity-insiders.com/wp-content/uploads/2025-Cloud-Security-Report-Fortinet-final.pdf

[3] IBM. Cost of a Data Breach Report 2025. https://www.ibm.com/reports/data-breach

Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided “as is,” with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information security concerns, please contact your IT or information security advisor.
