In this post, I’ll focus on Infrastructure providers (IaaS), though these points may be relevant to platform and software providers as well.
Infrastructure providers tend to be very good at securing the infrastructure itself. However, not all providers go beyond infrastructure security. Instead, the model is one of shared responsibility, where security beyond the infrastructure is in the hands of the end-customer.
In the simplest example, the provider sets up a virtual instance running, say, Windows, but everything that runs within that instance, including the operating system and applications, is the responsibility of the end-customer. From the IaaS side, this is entirely reasonable in theory, but it can have damaging results if the end-customer isn’t taking further steps to protect the OS or the applications.