The Shared Responsibility Model
Cloud providers secure their platforms — the servers, the networking, the core software. What they don't secure is everything that happens above that layer: your data, your users, your access controls, your sharing settings.
This is the shared responsibility model. It's documented in every major cloud provider's terms — but most SMBs never read it and assume the cloud is inherently safe. The result: misconfigured environments, exposed data, and breaches that the cloud provider had no obligation or ability to prevent.
| Security area | Cloud provider | You |
|---|---|---|
| Physical infrastructure, hardware, core network | ✓ | — |
| Platform software, operating system of the cloud service itself | ✓ | — |
| Your data stored in the cloud | — | ✓ |
| Who has access to your data and with what permissions | — | ✓ |
| How users authenticate (passwords, MFA) | — | ✓ |
| Sharing settings — who can see, edit, or download files | — | ✓ |
| Devices used to access cloud services | — | ✓ |
| Backups of your cloud data (in most cases) | — | ✓ |
The Six Most Common Cloud Security Gaps
Cloud misconfiguration is consistently cited as one of the top causes of data breaches. These are the gaps that appear most frequently in SMB cloud environments.
Publicly accessible cloud storage
Files and folders shared with 'anyone with the link', including sensitive documents accidentally set to public. Such links are unauthenticated: whoever obtains the URL can open the item, and URLs get forwarded, pasted into tickets and left in old mail threads. This is a common source of data exposure that often goes unnoticed for months.
Over-privileged accounts
Users granted admin or full access when they only need to read or edit specific files. If a privileged account is compromised, the attacker inherits full access.
No MFA on cloud accounts
Cloud accounts are high-value targets because they're accessible from anywhere. Without MFA, a stolen password is all an attacker needs to get in — from anywhere in the world.
Unmonitored external sharing
Files and folders shared with personal email addresses or external contractors, then never revoked when those relationships end. Former employees or contractors may retain access indefinitely.
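The quarterly review this gap calls for is mechanical once you have an export of who each item is shared with. The script below is an added example, not code from the original article: it works over a constructed export in which each row carries the sharing scope values Microsoft Graph uses for links ("anonymous", "organization", "users"), and the tenant domain `example.com`, the approved contractor domain `partner.example` and the 90-day re-approval period are all assumptions to replace with your own.

```python
"""Quarterly sharing audit over an exported list of share entries.

Added example, not the article's code. The export format is an assumption:
one row per permission, using the scope names Microsoft Graph uses for
sharing links ("anonymous", "organization", "users").
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

COMPANY_DOMAIN = "example.com"            # assumed: your own tenant domain
APPROVED_EXTERNAL = {"partner.example"}    # assumed: contractor domains you have approved
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
STALE_AFTER = timedelta(days=90)          # external shares older than this need re-approval


@dataclass(frozen=True)
class Share:
    item: str            # file or folder path
    scope: str           # "anonymous" (anyone with the link), "organization", or "users"
    grantee: str | None  # e-mail address when scope == "users", otherwise None
    granted: date        # when the permission was created


@dataclass(frozen=True)
class Finding:
    item: str
    action: str          # "revoke" or "review"
    reason: str


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def review_share(share: Share, today: date) -> Finding | None:
    """Return what to do about one share entry, or None if it is acceptable."""
    if share.scope == "anonymous":
        # An unauthenticated link: anyone who obtains the URL can open the item.
        return Finding(share.item, "revoke", "anyone-with-the-link access")
    if share.scope == "organization":
        # Signed-in members of the tenant only; acceptable for most internal content.
        return None
    if share.scope != "users" or not share.grantee:
        return Finding(share.item, "review", f"unrecognised scope {share.scope!r}")
    dom = domain_of(share.grantee)
    if dom == COMPANY_DOMAIN:
        return None
    if dom in PERSONAL_DOMAINS:
        # Personal mailboxes outlive contracts and sit outside your MFA and offboarding.
        return Finding(share.item, "revoke", f"shared to personal address {share.grantee}")
    if dom not in APPROVED_EXTERNAL:
        return Finding(share.item, "review", f"shared to unapproved external domain {dom}")
    if today - share.granted > STALE_AFTER:
        return Finding(share.item, "review",
                       f"external share to {share.grantee} older than {STALE_AFTER.days} days")
    return None


def audit(shares, today: date) -> list[Finding]:
    return [f for f in (review_share(s, today) for s in shares) if f is not None]


# Constructed sample export (not real data).
SAMPLE_SHARES = [
    Share("/Finance/2024-budget.xlsx", "anonymous", None, date(2024, 3, 2)),
    Share("/HR/handbook.pdf", "organization", None, date(2024, 1, 15)),
    Share("/Projects/alpha/", "users", "alice@example.com", date(2024, 5, 1)),
    Share("/Projects/alpha/", "users", "bob.contractor@gmail.com", date(2023, 11, 9)),
    Share("/Projects/alpha/", "users", "dev@partner.example", date(2023, 9, 20)),
    Share("/Sales/pricing.docx", "users", "buyer@customer.example", date(2024, 6, 1)),
]
TODAY = date(2024, 6, 30)

if __name__ == "__main__":
    for f in audit(SAMPLE_SHARES, TODAY):
        print(f"{f.action.upper():7} {f.item}: {f.reason}")
```

Anonymous links and personal addresses are revoked outright; unknown business domains and approved-but-stale shares go to a human, because the share may be a live customer or contractor relationship that only the file owner can confirm.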
Assuming the provider backs up your data
Most cloud providers (including Microsoft and Google) protect their infrastructure from failure — but they don't guarantee restoration of accidentally deleted or ransomware-encrypted user data. That's your responsibility.
Legacy authentication protocols
The problem is not the protocol but the authentication: basic authentication over the old mail protocols (IMAP, POP3, SMTP AUTH) sends only a username and password, so there is no step at which MFA can be enforced. Attackers target these endpoints deliberately, because a sprayed or phished password works there even for a user who has MFA enabled in the browser. Microsoft has already switched off basic authentication for most Exchange Online protocols tenant-wide, but SMTP AUTH is still controlled per tenant and per mailbox, and on both platforms the safe state should be verified in the admin console rather than assumed. Disable these protocols if they are not actively needed.
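The "no MFA" and "legacy authentication" gaps above both show up in the sign-in log before they show up as a breach. The script below is an added example, not code from the original article: it reads an exported sign-in log in JSON Lines form and reports successful basic-auth sign-ins, successful sign-ins that were never challenged for a second factor, and source addresses that failed against several accounts (the password-spray pattern). The field names (`createdDateTime`, `userPrincipalName`, `ipAddress`, `clientAppUsed`, `authenticationRequirement`, `status.errorCode`) follow the Microsoft Graph `signIn` resource as I understand it; the set of legacy client names, the error code and the sample events are assumptions and constructed data.

```python
"""Review exported Entra ID sign-in events for legacy auth, missing MFA and spraying.

Added example, not the article's code. Input is JSON Lines; field names follow
the Microsoft Graph signIn resource as the author of this example understands
it. The sample log is constructed, not captured.
"""
import json
from collections import defaultdict

# clientAppUsed values that mean basic authentication was used (assumed subset
# of the client names Microsoft reports for legacy authentication).
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
ERROR_INVALID_CREDENTIALS = 50126   # assumed: Entra error code for a wrong username or password
SPRAY_MIN_USERS = 3                 # distinct accounts failing from one IP before we call it a spray

# Constructed sample: one normal MFA sign-in, one un-challenged mobile sign-in,
# three SMTP AUTH failures from one address, then a successful IMAP4 hit from it.
SAMPLE_LOG = """\
{"createdDateTime": "2024-06-12T08:01:10Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2024-06-12T08:02:44Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.11", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2024-06-12T03:15:02Z", "userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.7", "clientAppUsed": "Authenticated SMTP", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-06-12T03:15:09Z", "userPrincipalName": "erin@example.com", "ipAddress": "198.51.100.7", "clientAppUsed": "Authenticated SMTP", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-06-12T03:15:17Z", "userPrincipalName": "frank@example.com", "ipAddress": "198.51.100.7", "clientAppUsed": "Authenticated SMTP", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-06-12T03:15:31Z", "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
"""


def parse(text):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def review(text):
    legacy_success = defaultdict(set)      # user -> legacy protocols that let them in
    single_factor_success = set()          # users whose session was never MFA-challenged
    failed_users_by_ip = defaultdict(set)  # source IP -> accounts it failed against
    for ev in parse(text):
        user = ev["userPrincipalName"]
        code = ev["status"]["errorCode"]
        if code == 0:
            if ev["clientAppUsed"] in LEGACY_CLIENT_APPS:
                legacy_success[user].add(ev["clientAppUsed"])
            if ev["authenticationRequirement"] == "singleFactorAuthentication":
                # Not proof the user has no MFA registered, only that this sign-in
                # got through without it; every such user needs checking.
                single_factor_success.add(user)
        elif code == ERROR_INVALID_CREDENTIALS:
            failed_users_by_ip[ev["ipAddress"]].add(user)
    return {
        "legacy_success": {u: sorted(p) for u, p in sorted(legacy_success.items())},
        "single_factor_success": sorted(single_factor_success),
        "spray_sources": {ip: sorted(users) for ip, users in failed_users_by_ip.items()
                          if len(users) >= SPRAY_MIN_USERS},
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

In the constructed sample the spraying address fails three times over SMTP AUTH and then lands on an account that has IMAP enabled and no MFA challenge; that is exactly the sequence disabling basic authentication prevents. Reviewing the log finds the gap after the fact; the control is still to turn the protocols off.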
Microsoft 365 vs Google Workspace: The Same Principles Apply
Most cloud security principles are platform-agnostic. Whether you're on Microsoft 365 (Outlook, OneDrive, SharePoint, Teams) or Google Workspace (Gmail, Drive, Meet), the risks and controls are structurally similar:
- Both platforms have robust MFA, but neither forces every user to enrol unless you switch that on (security defaults or a Conditional Access policy in Microsoft 365; 2-Step Verification enforcement per organisational unit in Google Workspace)
- Both have Conditional Access (Microsoft) / Context-Aware Access (Google), which can require a managed device or block sign-ins from unexpected locations, but no policy exists until you write one, and availability depends on your licence tier
- Both allow external sharing, with minimal guardrails unless configured
- Both have audit logging, on by default in current tenants but with retention measured in months, and it is only useful if someone actually reviews it
- Neither includes backup in the base licence: Microsoft sells Microsoft 365 Backup as a separately billed add-on, and third-party tools cover both platforms
The difference is mostly in tooling and licensing. Microsoft 365 Business Premium includes Defender for Business and Intune (mobile device management) — both highly relevant for SMB security. Google Workspace Business Plus includes Vault for audit and retention. Either is a viable platform with proper configuration.
Eight Essential Controls to Implement Now
- Enable MFA on every cloud account — especially Microsoft 365, Google Workspace, and cloud file storage
- Audit external sharing quarterly — revoke links that are no longer needed
- Apply least-privilege access: give users only the permissions their role requires
- Disable legacy authentication protocols (IMAP, POP3, SMTP AUTH) in Microsoft 365 and Google Workspace
- Confirm audit logging is on and assign someone to review the sign-in logs, so you can see who accessed what, from where, and over which protocol
- Configure a cloud backup solution that takes independent copies of your Microsoft 365 or Google Workspace data
- Block file sharing to personal email addresses from corporate cloud storage
- Enable mobile device management (MDM) so lost or stolen devices can be wiped remotely
Cloud Backup: The Gap Most SMBs Miss
This deserves special attention because it's so widely misunderstood. Microsoft and Google protect their platform from hardware failure — if a server fails, your data is replicated and stays available. What they don't protect against:
- An employee accidentally deleting files or emails (recycle bins and retention windows are measured in days or weeks, not years)
- A ransomware attack encrypting files stored in OneDrive or SharePoint
- Malicious account takeover leading to data deletion
- Malware spreading through synced cloud drives
For ransomware specifically: modern ransomware encrypts files on an infected laptop and lets the sync client do the rest, so the encrypted copies overwrite the cloud copies within minutes. Version history and the 30-day point-in-time restore in OneDrive and SharePoint can bring files back, but only if you notice inside that window and only for what version history captured. They are not a substitute for a proper backup that takes independent snapshots of your cloud data.
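Because the sync client faithfully reports every rename and overwrite to the cloud audit log, the encrypt-and-sync pattern is visible there as a burst of renames to an extension nobody uses. The detector below is an added example, not code from the original article: it runs over constructed file-activity records in a simplified shape (time, user, operation, old path, new path) that you would map onto your own SharePoint or OneDrive audit export, and the five-minute window, the threshold of twenty renames and the list of "normal" extensions are assumptions to tune for your tenant.

```python
"""Spot a ransomware-style rename burst in file-activity audit records.

Added example, not the article's code. The record shape is a constructed
simplification of a SharePoint/OneDrive audit export; map your export's
fields onto FileEvent before use.
"""
from __future__ import annotations

import os
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed: sliding window in which a burst must occur
THRESHOLD = 20                  # assumed: suspicious renames inside WINDOW that raise an alert
# Assumed: extensions users legitimately rename between; any other new extension is suspicious.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".md"}


@dataclass(frozen=True)
class FileEvent:
    time: datetime
    user: str
    op: str                       # e.g. "FileRenamed", "FileModified"
    path: str
    new_path: str | None = None   # set for renames


@dataclass(frozen=True)
class Alert:
    user: str
    first: datetime
    last: datetime
    count: int
    extensions: tuple[str, ...]


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def suspicious_rename(ev: FileEvent) -> bool:
    """A rename that changes the extension to one the business does not normally use."""
    if ev.op != "FileRenamed" or ev.new_path is None:
        return False
    new_ext = _ext(ev.new_path)
    return new_ext != _ext(ev.path) and new_ext not in KNOWN_EXTENSIONS


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD) -> list[Alert]:
    """One alert per user whose suspicious renames reach `threshold` inside `window`.

    Ransomware that overwrites content in place without renaming would show up
    as a FileModified burst instead; extend the filter if your strain does that.
    """
    by_user = defaultdict(list)
    for ev in events:
        if suspicious_rename(ev):
            by_user[ev.user].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.time)
        start = 0
        for end, ev in enumerate(evs):
            while ev.time - evs[start].time > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                run = evs[start:end + 1]
                exts = tuple(sorted({_ext(e.new_path) for e in run}))
                alerts.append(Alert(user, run[0].time, run[-1].time, len(run), exts))
                break   # one alert per user is enough to start the response
    return alerts


def _sample_events() -> list[FileEvent]:
    """Constructed data: one infected user, two users doing ordinary work."""
    t0 = datetime(2024, 6, 12, 9, 0, 0)
    events = []
    for i in range(25):   # 25 renames to .locked in about two minutes
        p = f"/Shared/Finance/report-{i:02d}.xlsx"
        events.append(FileEvent(t0 + timedelta(seconds=5 * i), "alice@example.com",
                                "FileRenamed", p, p + ".locked"))
    events.append(FileEvent(t0 + timedelta(minutes=1), "bob@example.com", "FileRenamed",
                            "/Shared/Sales/draft.docx", "/Shared/Sales/final.docx"))
    for i in range(5):
        events.append(FileEvent(t0 + timedelta(minutes=2, seconds=i), "carol@example.com",
                                "FileModified", f"/Shared/Ops/notes-{i}.txt"))
    return events


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a.user}: {a.count} renames to {a.extensions} between {a.first} and {a.last}")
```

The first alert is the point to block the user's sign-in and isolate the device; whether the encrypted versions can be rolled back then depends on what the 30-day restore and version history captured, which is why the independent backup still matters.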
Third-party cloud backup solutions (Veeam, Backupify, Spanning, Datto SaaS Protection) provide independent, immutable backups of Microsoft 365 and Google Workspace data. They're the gap-filler that the shared responsibility model requires you to fill yourself.
The Bottom Line
The cloud is not inherently safe or unsafe — it's a platform. What you do with it determines your security posture. The shared responsibility model means the provider handles the infrastructure, and you handle everything that touches your business: your data, your users, your access controls.
The eight controls above cover the most critical gaps. Most take under an hour to configure in an existing Microsoft 365 or Google Workspace tenant. They don't require specialist expertise. They do require someone to actually do them.
Related reading: Microsoft 365 security settings every SMB should enable and backup strategies that survive ransomware.
Ransomware and cloud sync: a dangerous combination
If ransomware encrypts files on a device synced to OneDrive or Google Drive, those encrypted versions sync to the cloud and overwrite the originals. Version history can recover some files, but it's limited in depth and may not capture all content. An independent cloud backup is the reliable answer.
How Secure Is Your Cloud Environment?
Our free assessment includes a review of your cloud configuration — Microsoft 365, Google Workspace, and any connected SaaS tools.