
Who is Responsible For Cloud App Security? You vs App

If you are using a popular cloud app such as QuickBooks, HubSpot, RentMagic, Yardi, Tableau, TobiiPro, JaneApp, Dentrix, AbleDent or anything else, you might assume everything is secure. And that is true. It’s also false. Here’s what you need to know about your IT security responsibility for any cloud software you may use.

Before diving into your responsibilities, let’s clarify what we mean by cloud security. Cloud computing security involves protecting data, applications, and infrastructures associated with cloud computing—whether you’re using Software as a Service (SaaS) like QuickBooks, Platform as a Service (PaaS) for custom applications, or Infrastructure as a Service (IaaS) for virtual servers. The security challenges are similar to traditional IT, but the shared responsibility model makes all the difference.

Cloud Security Is a Shared Liability Between You + Your Software Provider

Your cloud service providers have responsibilities to you, for protecting your data, but you also have responsibilities in protecting your data and the data of your clients.

The ways in which you and your team apply (or fail to apply) best practices for data security will be a big factor in whether you protect your business or end up with a breach.

If you read the fine print in your cloud software terms of service, you should find wording on shared responsibility for cloud security. Let’s get into it.

Shared IT Security For Small Business Owners

Whatever cloud software or infrastructure you choose, you are responsible for securing your own space within that cloud environment and for securing all endpoints (computers) that connect to your cloud services.

In other words, just because your business uses a cloud service owned and maintained by another company does not mean you can take security for granted. Insufficient due diligence is one of the top reasons for security failures.

This shared responsibility model exists because cloud environments blend your organization’s data and applications with third-party infrastructure. When you store data or host applications on cloud services, you’re essentially placing your digital assets in someone else’s data center, accessed through the internet. This creates a unique security landscape where traditional physical security measures don’t apply, but digital security becomes even more critical.

Cloud security concerns fall into two general classes:

1. Security dilemmas encountered by cloud providers (SaaS, PaaS, and IaaS providers)
2. Security dilemmas encountered by customers of cloud providers (organizations or enterprises that store data or host applications on the cloud).

While cloud providers must ensure the defense of their cloud infrastructure, customers must:

• Understand relevant laws and regulations for compliance and risk management.

• Choose the right people to support technology.

• Use trusted software from reputable vendors.

• Use Identity Management to apply policies and conditional access rules across all devices connecting to practice data, to bind every approved device that is allowed to access practice data to the domain, and to deny access to all others.

• Continuously monitor endpoints (computers) for cyber threats, compliance and risk concerns.

• Continuously patch and update all endpoints (daily or weekly) to close software vulnerabilities that would-be attackers exploit.

• Use strong passwords enforced by policy on all devices accessing practice data.

• Not allow staff to share logins, passwords or email accounts.

• Use two-factor authentication on all email accounts, enforced by policy on every account connected to the practice domain.

• Have secure processes to revoke all access from staff when they leave the practice (secure offboarding).

• Consider enacting a no-file-download policy to local computers. Additionally, file editing should be done over the cloud, making it easier to control data security and manage files if and when an employee leaves the organization.

• Consider portability between databases.

• Maintain backup and disaster recovery frameworks for all patient data, including digital radiographs, as well as all practice email communications.
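To make the identity, two-factor, shared-login and offboarding items above concrete, here is an added example (not code from the article or from any vendor it names): a deny-by-default access evaluator that only admits active accounts on devices bound to the practice domain with a second factor, revokes an account at offboarding, and flags accounts that appear on more devices than one person plausibly uses. All device names, user names and the device threshold are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from collections import defaultdict

# Constructed example: deny-by-default conditional access for practice data.

@dataclass
class AccessPolicy:
    approved_devices: set   # device ids enrolled (bound) to the practice domain
    active_users: set       # accounts that have not been offboarded
    require_mfa: bool = True

@dataclass
class LoginAttempt:
    user: str
    device_id: str
    mfa_passed: bool

def evaluate(policy: AccessPolicy, attempt: LoginAttempt) -> tuple[bool, str]:
    """Return (allowed, reason). Every rule must pass; anything else is denied."""
    if attempt.user not in policy.active_users:
        return False, "account revoked or unknown"
    if attempt.device_id not in policy.approved_devices:
        return False, "device not bound to the practice domain"
    if policy.require_mfa and not attempt.mfa_passed:
        return False, "second factor missing"
    return True, "allowed"

def offboard(policy: AccessPolicy, user: str) -> None:
    """Secure offboarding: one revocation takes effect everywhere the policy is enforced."""
    policy.active_users.discard(user)

def shared_account_suspects(attempts: list[LoginAttempt], max_devices: int = 2) -> set[str]:
    """Flag accounts seen on more distinct devices than one person plausibly uses (constructed threshold)."""
    devices = defaultdict(set)
    for a in attempts:
        devices[a.user].add(a.device_id)
    return {u for u, d in devices.items() if len(d) > max_devices}

# Constructed sample policy and login attempts.
POLICY = AccessPolicy(approved_devices={"PC-FRONTDESK", "PC-OP1", "LAPTOP-DR"},
                      active_users={"alice", "bob", "carol"})
ATTEMPTS = [
    LoginAttempt("alice", "PC-FRONTDESK", mfa_passed=True),   # allowed
    LoginAttempt("bob", "HOME-PC", mfa_passed=True),           # unbound device: denied
    LoginAttempt("carol", "PC-OP1", mfa_passed=False),         # no second factor: denied
    LoginAttempt("alice", "PC-OP1", mfa_passed=True),
    LoginAttempt("alice", "LAPTOP-DR", mfa_passed=True),       # third device: flagged as possibly shared
]
```

Running `evaluate(POLICY, a)` over `ATTEMPTS` shows only the first attempt allowed; after `offboard(POLICY, "alice")` even that one is denied.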

Understanding Modern Cloud Security Threats

The threat landscape targeting cloud environments has evolved significantly. Today’s sophisticated cyber threats include Advanced Persistent Threats (APTs) designed to bypass network defenses by targeting weaknesses in the computing stack. These threats are particularly dangerous because they can:

  • Remain undetected for extended periods.
  • Target the weakest link in your security chain (often human error).
  • Exploit the interconnected nature of cloud services.
  • Leverage legitimate credentials to access sensitive data.

According to the Cloud Security Alliance, malicious insiders rank as the third top threat to cloud computing. This threat is amplified in cloud environments because of “the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure.”

This is why your endpoint security, password policies, and access controls become even more critical in a cloud-first business environment.

All these cyber security requirements fall outside the scope of responsibility for any cloud app you may use, and they land squarely in your court.

Given the complexity of technology management paired with ever changing technologies to thwart evolving cyber threats, more small businesses than ever have turned to outsourced IT management.

Managing Security Outside Your Cloud Software

Modern cloud security operates in what’s called a Software-Defined Everything (SDE) environment. This means that traditional hardware-based security controls have been replaced by software-based solutions that are portable, scalable, and dynamic. Your security must be equally responsive to environmental changes and organizational workloads, whether data is at rest or in transit.

This is why you have so much technology to manage outside your cloud apps, including but not limited to:

• Cloud or local servers
• Cloud or local computers
• Web and email domains
• Identity control systems
• Email accounts
• Any personal or mobile devices staff may use for business email access
• File storage, downloading, forwarding, etc.
• WiFi & network switches, modems and routers and more

Each one is vulnerable to multiple security threats. Each one must be reasonably secured and managed. A Managed IT Services Provider (MSP) will manage all of the above for you, for less than the cost of hiring a dedicated IT employee.

Using best practices, Remote Monitoring & Management tools (RMM) and automation, your MSP will apply and maintain best practices in cloud security that protect client data and reduce risk and liability.

The DIY IT Option

You can opt to manage all your technology yourself.

If you do decide to DIY, take a cyber security course, and make time to create password security policies and acceptable use policies for all your staff.

We don’t recommend this option because there is simply too much that falls under the “you don’t know what you don’t know” axiom, especially when you have a team sharing data, working remotely, and so on. The tools and skills needed to maintain security for a modern, mobile team take years to learn.

The Outsourced IT Option

You can outsource your IT by hiring a Managed IT Services Provider in Toronto – or wherever you are located.

The reality is that cloud security has become increasingly complex as cyber threats evolve. What once required basic antivirus software now demands sophisticated monitoring, threat detection, and response capabilities. The tools and expertise needed to maintain security for modern, mobile teams operating in cloud environments require specialized knowledge that takes years to develop.

You can choose basic endpoint management only, which offers good antivirus and EDR and Application Security Controls as well as automated software and computer patching to protect against many common threats.

However, basic endpoint management does not include the tools and services you need for cloud security and mobility, such as a central way to track user logins, control who can access which files and folders, or restrict company email logins to specific computers. These services fall under Identity Management solutions, which you can get with a more comprehensive Managed IT Services plan.

For robust IT Governance, Risk and Compliance solutions, a Managed Security Services Provider like TUCU can help.

Without managed security in today’s world, everything you have built is at risk.

The Bottom Line on Cloud Security Responsibility

Understanding cloud security as a shared responsibility isn’t just about compliance—it’s about business survival. While your cloud service providers secure their infrastructure, you remain responsible for:

  • Access Security: Who can log in and from where.
  • Endpoint Protection: Securing all devices that connect to your cloud services.
  • Data Governance: How data is classified, accessed, and shared.
  • Identity Management: Ensuring only authorized users can access specific resources.
  • Incident Response: Having a plan when security events occur.

The gap between what your cloud provider secures and what you need to secure is where most small business breaches occur. Closing this gap requires either significant internal expertise or partnering with security professionals who understand both traditional IT security and modern cloud environments.

Schedule your free consultation now to discuss your IT management for everything outside your trusty cloud app.
