The Blame Game: Who is Responsible When the Cloud Breaks?


This article aims to dissect the shared responsibility model, explore the often blurry lines of accountability, and propose pathways towards better collaboration and trust in the evolving cloud landscape. By understanding these intricacies, organizations can move beyond the unproductive cycle of blame and towards a more resilient and secure cloud future.

When the Digital Sky Falls: Unraveling the Cloud Break Mystery

Consider the power outage that struck Spain and Portugal on April 28, 2025. While initial speculation pointed towards a cyberattack, the incident underscored the fragility of interconnected infrastructure and how failures in one domain can cascade into widespread digital disruption. This event is a stark reminder that a “Cloud Break” might not always be a direct cyber incident but could stem from foundational infrastructure issues, immediately complicating the assignment of blame.

At the heart of this issue lies the shared responsibility model, a foundational concept in cloud computing that outlines the security and operational duties of both the cloud provider and the customer. However, despite its prevalence, the nuances and complexities of this model often lead to confusion and the inevitable “blame game” when things go wrong.

The Illusion of Control: Decoding the Shared Responsibility Model

To truly understand who is responsible when the cloud breaks, one must first grasp the fundamental principles of the shared responsibility model. This model is not a simple black-and-white division but rather a collaborative framework where both the cloud service provider and the customer have distinct yet interconnected security and operational obligations. It’s akin to renting an apartment versus staying in a hotel. In an apartment (representing Infrastructure as a Service or IaaS), you are responsible for most aspects within your living space, while the landlord handles the building’s foundation and external structure. Conversely, in a hotel (representing Software as a Service or SaaS), the hotel management takes care of almost everything, from the room’s cleanliness to the building’s security.

The cloud provider typically assumes responsibility for what is often termed “Security of the Cloud.” This encompasses the physical security of their data centers, including those located in regions like Europe, ensuring the protection of the underlying hardware, network infrastructure, and virtualization layers. They are also responsible for the availability and reliability of their cloud services and the management of the underlying platform in Platform as a Service (PaaS) and SaaS models. This includes the foundational security services and tools that customers can leverage.

On the other hand, the cloud customer bears the responsibility for “Security in the Cloud.” This involves securing their data, including implementing encryption and managing access controls. Customers are also accountable for configuring cloud services and resources securely, such as storage buckets and firewall rules, and for managing user identities and access permissions through Identity and Access Management (IAM). In IaaS environments, customers retain the responsibility for patching and managing their operating systems and applications.

A significant challenge arises from the common misconception that simply migrating to the cloud inherently guarantees security. This often leads to a lack of due diligence on the customer’s side, resulting in potential “Cloud Breaks” due to misconfigurations or neglected security measures.

Where the Buck Stops… Maybe: Navigating the Blurry Lines of Accountability

Pinpointing accountability during a “Cloud Break” in 2025 often feels like navigating a digital minefield.

The lines become even more blurred when considering vulnerabilities within the cloud provider’s own infrastructure. The alleged Oracle Cloud hack of March 2025, where a significant amount of tenant data was reportedly compromised, raises serious questions about the provider’s accountability for securing their platform. The cable damage in Finland in May 2025, which disrupted internet connectivity, illustrates how physical infrastructure failures can impact cloud services, even if the provider has implemented robust redundancy measures. In such cases, assigning accountability becomes a multifaceted challenge involving telecommunication companies, cloud providers, and the affected organizations.

The increasing sophistication of cyberattacks, such as the coordinated attacks on Danish critical infrastructure in May 2025, makes it exceedingly difficult to assign blame definitively. These attacks often exploit vulnerabilities across both the customer’s and provider’s domains, sometimes even targeting weaknesses in third-party software or services. Determining whether the initial point of entry was due to a customer misconfiguration, a provider vulnerability, or a flaw in a shared component can be a complex forensic undertaking. This shift suggests a move away from solely pointing fingers at the cloud provider and towards a greater expectation that organizations will demonstrate due diligence and implement comprehensive security measures across their entire IT landscape.

Bridging the Divide: Fostering Collaboration for Seamless Cloud Security

Effective cloud security necessitates a paradigm shift from the “blame game” to a culture of strong partnership and enhanced collaboration between organizations and their cloud providers.

Organizations and providers should prioritize several key strategies to bridge the divide and foster seamless cloud security.

Establishing clear and open communication channels is paramount for sharing security updates, reporting incidents promptly, and disclosing vulnerabilities transparently.

Developing joint incident response plans that explicitly outline the roles, responsibilities, and escalation procedures for both parties during a “Cloud Break” can significantly improve the speed and effectiveness of mitigation efforts.

Regular joint security assessments and penetration testing exercises, conducted collaboratively, can help identify and address vulnerabilities across the shared infrastructure.

Actively participating in cloud provider security forums and sharing threat intelligence can create a more informed and proactive security community. Furthermore, customers must ensure they are effectively leveraging the security tools and services provided by their cloud vendors, while also taking responsibility for their proper configuration and ongoing management.

The Next IT Security conference agenda likely features discussions on strengthening these crucial partnerships between organizations and technology providers, including cloud vendors.

Trust in the Untrusted: Emerging Frameworks for Decentralized Multi-Cloud Ecosystems

In landscapes where organizations might leverage services from multiple cloud providers, the need for verifiable assurances and clear lines of accountability becomes even more critical. Initiatives like Gaia-X represent a significant step towards establishing a trusted and sovereign data infrastructure in Europe. Gaia-X aims to provide a framework where organizations can confidently choose and utilize multiple cloud services while maintaining control over their data and ensuring compliance with European regulations.

Charting the Course for 2025: Actionable Strategies in a Shifting Cloud Landscape

Cybersecurity experts and IT leaders should adopt the following actionable strategies to enhance their resilience and minimize the impact of cloud outages:

  1. Conduct Comprehensive Cloud Risk Assessments
  2. Develop Robust BC/DR Plans
  3. Implement Cloud Security Posture Management (CSPM) Tools
  4. Strengthen Identity and Access Management (IAM)
  5. Foster Stronger Collaboration with Cloud Providers
  6. Review and Update Service Level Agreements (SLAs)
  7. Implement Proactive Monitoring and Alerting Systems
  8. Conduct Chaos Engineering Exercises
  9. Stay Informed on Regional Threats and Best Practices

Beyond Blame: Embracing Shared Ownership in the Cloud

While the shared responsibility model provides a crucial framework for understanding cloud security, the lines of responsibility, accountability, and liability can often become blurred when a “Cloud Break” occurs. The natural inclination to assign blame can be counterproductive, hindering effective incident resolution and impeding efforts to prevent future disruptions. Instead, organizations must embrace a culture of shared ownership in cloud security, fostering stronger collaboration, ensuring clear communication, and adopting a proactive security posture.
