Recent content

The foundations of a secure agentic architecture

The foundations of a secure agentic architecture

How to secure the new generation of EUD

How to secure the new generation of EUD

AI browsers, a risky innovation

AI browsers, a risky innovation

SAAS security starts with you

SAAS security starts with you

Popular topics

CSA Framework Responsability Model SAAS SSPM agentAI agentic agenticAI ai architecture aws beginner browser cloud crypto cybersecurity data genai guardrail iam innovation introduction keys kms landingzone mcp multi-cloud report security strategy vibe coding
security cloud strategy

The responsibility of security in the Cloud

When security is everybody's business, it becomes nobody's responsibility. Why total decentralization of IT security is a bad idea.

Cédric Thibault
Cédric Thibault
The responsibility of security in the Cloud
Photo generated by Gemini

When security is everybody’s business, it becomes nobody’s responsibility

Why total decentralization of IT security is a bad idea.

Introduction

The promise of the Cloud and DevOps practices is clear: agility, velocity, and team autonomy. However, this autonomy can turn into a risk when applied to security without a framework. A widespread view is that security is “everybody’s business”. Formally reassuring, this maxim hides a dangerous paradox: by wanting to distribute responsibility, we often end up diluting it — and losing control.

This article explains why total decentralization of security is problematic, illustrates with concrete examples, and proposes operational hybrid models to stay agile while maintaining effective centralized governance.

Why total decentralization is dangerous

Diffusion of responsibility

When each team thinks security is a collective responsibility, it becomes easy to believe that someone else is taking care of it. Critical decisions — configuration choices, permissions management, fine-grained logging policies (Data events in CloudTrail for example…) — are left pending or applied inconsistently.

Cognitive load and specialization

Developers and operations teams are not always security experts. Their attention is primarily focused on feature delivery and availability. Asking them to carry both functional and security responsibilities without support or training increases the risk of costly errors. I am still waiting to see DevOps teams prioritize security tickets in their backlog…

Erosion of standards

Without a central reference framework, practices diverge: inconsistent IAM policies, different encryption standards, variable logging levels. This fragmentation makes supervision, regulatory compliance, and incident analysis difficult at the organizational level.

Concrete examples of consequences

  1. Cloud configuration errors Poorly configured buckets or blobs (S3, GCS, Azure Blob) exposing sensitive data are frequent incidents. Often, the fault is not malicious intent but a lack of central supervision and automated tools that would prevent a non-compliant public object from being deployed to production.

  2. Shadow IT Teams create instances or use unvalidated SaaS to gain speed. These environments escape backup, encryption, and supervision policies — and become vectors for exfiltration or compromise.

  3. Inconsistent IAM and “privilege creep” Without centralized governance and rights review, accounts accumulate privileges over time. Inappropriate access multiplies attack paths and complicates post-incident investigations. This problem is particularly glaring in the Cloud where non-human accesses are overwhelmingly the majority.

  4. Slowed incident response In the absence of a central plan and a SOC or shared orchestration, detection and response are slower. Local teams react in various ways, without coordination, which increases the impact of an attack. What we also sometimes see are SOC teams without access or expertise, which greatly handicaps their response speed.

Hybrid operational models to reconcile agility and control

  1. Central governance, distributed execution Establish a central security team (CISO, security architects, policy managers) that defines objectives, policies, and minimum requirements. Product teams retain autonomy to implement solutions, provided they meet these standards. This model promotes uniformity without sacrificing speed. WARNING: it requires a Governance team trained in Cloud specifics.

  2. Integrated security champions Train and support “security champions” within product teams: local points of contact trained and coached by the central team. They facilitate the integration of security by design (shift-left) and serve as relays to apply standards.

  3. Policy-as-Code and automated guardrails Deploy policies expressed as code (IaC/Policy-as-Code) that apply automatically to cloud environments (e.g., Open Policy Agent, AWS Config, Azure Policy). These guardrails prevent non-compliant deployments while allowing developer autonomy via immediate feedback. A useful reminder: a preventive control will always be more effective than a detective control…

  4. Secure self-service platforms Build internal platforms (PaaS) that offer pre-configured templates and services meeting security standards. Developers use these building blocks to deploy quickly without having to manage security details. These catalogs are complex to maintain and especially to evolve at the speed of product teams, but are very profitable for security.

  5. Federated SOC and DevSecOps practices Combine a centralized SOC (capable of orchestrating and analyzing at scale) with local monitoring capabilities. Use integrated DevSecOps pipelines — SCA/DAST scans, automated security testing, and mandatory checklists — to detect risks upstream.

Practical recommendations and indicators

  • Define a clear RACI for security (who is Responsible, who is Accountable, who needs to be Consulted, who needs to be Informed).
  • Implement operational KPIs: Mean Time To Detect (MTTD), Mean Time To Respond (MTTR), percentage of compliant deployments, number of incidents prevented by guardrails, percentage of objects not from the central catalog…
  • Automate compliance checks (IaC scans, policy-as-code, CI/CD gating, CNAPP).
  • Maintain incident response runbooks and playbooks that are accessible and regularly tested through exercises.
  • Invest in continuous training: programs for security champions, developer awareness, simulation exercises.
  • Schedule regular reviews of IAM rights and cloud inventory audits. The IAM team must acquire specific capacity and competence for the Cloud.

Benefits and trade-offs

A hybrid model allows retaining agility — rapid deployments, local innovation — while limiting the attack surface and ensuring compliance. The trade-off is organizational: it requires an investment in automation, training, and the establishment of clear governance. In the long term, these costs are largely offset by the reduction in incidents and associated costs.

Conclusion — Where to start?

The golden rule is the clarity of responsibilities. Start with an assessment of your security maturity, identify critical gaps (IAM, cloud configurations, incident processes), then pilot a hybrid model on a limited scope (a team or a product). Measure, adjust, and gradually expand. Security can be shared, but it must rest on a centralized foundation and automated mechanisms to remain effective.

Call to action

Launch a quick audit of your cloud practices this week: check the configuration of public buckets/objects, identify unauthorized SaaS, and validate your IAM policies. If you wish, I can offer you an initial checklist to start the hybrid model pilot.

The responsibility of security in the Cloud
Older post

The Right Strategies for Implementing AI Agents

The internet is buzzing with news about AI agents. But how do you implement them successfully, and why?

Newer post

No, the AWS outage doesn't necessarily strengthen multi-cloud

This article refutes simplistic reactions to the AWS outage (like multi-cloud or the return to on-prem) and refocuses the debate on the need for resilient and highly decoupled architectures.

The responsibility of security in the Cloud

You may also like

See all security
How to secure the new generation of EUD
Cédric Thibault

How to secure the new generation of EUD

No, the AWS outage doesn't necessarily strengthen multi-cloud
Cédric Thibault

No, the AWS outage doesn't necessarily strengthen multi-cloud

The Right Strategies for Implementing AI Agents
Cédric Thibault

The Right Strategies for Implementing AI Agents

2025 Status Report on Cloud Threats and Strategies
Cédric Thibault

2025 Status Report on Cloud Threats and Strategies