Use Cloud Securely? What Does This Even Mean?!

Anton Chuvakin
Published in Anton on Security
Nov 11, 2022


An influential Gartner paper stated many years ago that “Clouds Are Secure: Are You Using Them Securely?”

So began the legend of cloud security vs secure clouds.

When I was an analyst, we sometimes had to discuss with clients whether various providers of public cloud services are “secure.” Over time, these discussions dwindled to a small trickle as clients ultimately saw enough evidence that cloud infrastructure is indeed radically more secure than most data centers. Admittedly, I still meet an occasional character who does not believe this, but I assure you, it is the truth. Moreover, cloud infrastructure is getting more secure all the time. However, security issues with client cloud environments did not dwindle to a corresponding trickle, and show few signs of such “dwindling.”

In fact, this situation led to the following truism: “Through 2025, 99% of cloud security failures will be the customer’s fault.” (source, also Gartner)

Thus, the explanation was always that the clouds are secure, but clients are not using them securely, and so they are to blame for the outcomes. As one of my current colleagues said on a call, “this sounds a bit ‘blamy’” … and, yeah, it sure does.

So, what does USE CLOUD SECURELY mean in practical terms?

What entails secure use of the cloud?

What should one actually do to use the cloud securely?

What should one not do to use the cloud securely?

Naturally, I tried this first:


The results were interesting, but they mostly reinforced my impression that there is a wide confusion in the industry about what “use cloud securely” really means.

Next, I tried reading a whole load of materials such as “How to Make Cloud More Secure Than Your Own Data Center”, “Staying Secure in the Cloud Is a Shared Responsibility”, “Hybrid Cloud Security Best Practices” (and dozens of others, list available upon request; much of the content is paywalled, analysts need to eat).

This brought some clarity, but also an intense feeling of “it depends.” While not contesting this, I think answering this question with “do proper risk management for cloud environments” or “deploy appropriate security controls” is still not helpful for many. Some others said that this is just about the clients doing what is on their side of the shared responsibility model. However, we all know how well this works out in some cases.

A good (if a bit negative) frame emerged: “unless you are doing X, you are NOT using cloud securely”, which for some values of X rings very true.

A few islands of agreement emerged as well. These include:

  • You probably need to know what you have in the cloud (obviously, if you don’t, you are not using cloud securely)
  • You need a degree of awareness of real cloud threats, and you need to know your threat model
  • You need to configure things securely (and actually know what this means), keep secure defaults, etc.
  • You must get cloud IAM right for you (whatever that means, specifically), because ultimately you decide who can access your cloud, and not the provider.
  • You do need to detect threats against your cloud environment; your provider will help, but ultimately you know your threat model better.

Beyond the above, things start to look more fuzzy, and agreement over what “use cloud securely” means seems harder to reach.

So, conclusions:

  1. Before we scream at the clouds, we need more consensus and more certainty about what “use cloud securely” means in practical terms.
  2. Yet even after we achieve 1), there will be a lot of “it depends” (such as on risk appetite) left over; providers can help, but not magically do this (even though cloud providers can do more than what we do know, perhaps?)

Thoughts? Reactions?

Definitely expect more on this in the near future!
