
"The Cloud Is Secure" — What Shared Responsibility Actually Means for Your Firm's Data

Daniel Chang, Founder of Kompflow

"We moved everything to the cloud, so we're secure now."

I hear some version of this at least once a month. The assumption behind it is understandable: if your tax software runs on a vendor's servers, and your documents are stored in a platform like SharePoint or Box, then the security of that data is someone else's problem. The cloud provider has entire teams dedicated to security. They have certifications. They have data centers with biometric locks and redundant power. Surely they've got this covered.

They do have part of it covered. The part they don't have covered is yours. And the gap between those two parts is where most cloud breaches happen.

The Model Nobody Explains to You

Every major cloud provider operates under something called the shared responsibility model. AWS calls it "security of the cloud vs. security in the cloud." Microsoft Azure maps responsibilities by service layer. Google Cloud uses the term "shared fate." The language differs, but the principle is the same across all of them.

The cloud provider is responsible for the infrastructure. The physical servers, the data center facilities, the networking hardware, the hypervisors that run the virtual machines. They patch their own systems, they manage physical security, and they maintain the certifications that prove they're doing it. That's their side of the line.

Everything on your side of the line is your responsibility. That includes who has access to your data, how that access is controlled, whether your data is encrypted, how your accounts are configured, and what happens when someone on your team makes a mistake. Gartner predicts that 99% of cloud security failures will be the customer's fault, not the provider's. The infrastructure is secure. The way people use it often isn't.

Think of it like renting office space. The building owner maintains the structure, the fire suppression system, the elevator, and the parking garage. But if you leave the front door of your suite unlocked, or you give copies of your key to people who shouldn't have them, or you leave client files sitting on a desk by the window, that's on you. The building is secure. Your office might not be.

Where CPA Firms Get This Wrong

The specific ways this plays out depend on what cloud services your firm uses, but the common mistakes follow a pattern.

Access controls that are too broad. When your firm sets up a cloud-based document management system or tax portal, someone configures the permissions. If that configuration grants everyone in the firm access to every client folder, or if admin privileges are given to people who don't need them, you've created an exposure that the cloud provider can't fix. 82% of cloud breaches stem from human error, and misconfigured access is one of the most common forms of that error.

Shared accounts and weak authentication. Some firms still use shared logins for their cloud-based tax software because it's "easier." Others have enabled multi-factor authentication on some accounts but not all. If a staff member's cloud credentials are compromised through a phishing attack, the attacker gets whatever access that person had. The cloud provider can't prevent someone from logging in with valid credentials. That's your authentication to manage.

No visibility into what's happening. Cloud platforms generate logs. Login activity, file access, configuration changes, failed authentication attempts. Most small firms never look at these logs or configure alerts based on them. If someone accesses your cloud-hosted client files from an unfamiliar location at 2 AM on a Sunday, will you know? 23% of cloud security incidents stem from misconfigurations, and many of those go undetected because nobody is watching.

Assuming backups are automatic and sufficient. Your cloud provider may maintain infrastructure redundancy, but that doesn't necessarily mean your data is backed up in a way that protects against ransomware or accidental deletion. Some cloud services include backup features. Others don't. Some include versioning that lets you restore earlier copies of files. Others overwrite without history. If you haven't verified your backup and recovery capabilities, you're assuming a safety net that might not exist.
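The log-visibility point above ("from an unfamiliar location at 2 AM on a Sunday") can be turned into a basic alert rule. The following is an added example, not code from the original post or from any vendor; the log columns, user names, baseline countries, business hours and failure threshold are all constructed assumptions.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed sample export; the column names are assumptions, not a vendor schema.
SAMPLE_LOG = """timestamp,user,country,event,result
2025-03-03T09:14:00,asmith,US,login,success
2025-03-03T09:20:00,asmith,US,file_access,success
2025-03-04T14:02:00,bjones,US,login,failure
2025-03-04T14:03:00,bjones,US,login,success
2025-03-09T02:05:00,asmith,RO,login,failure
2025-03-09T02:06:00,asmith,RO,login,failure
2025-03-09T02:07:00,asmith,RO,login,failure
2025-03-09T02:09:00,asmith,RO,login,success
2025-03-09T02:11:00,asmith,RO,file_access,success
"""

USUAL_COUNTRIES = {"asmith": {"US"}, "bjones": {"US"}}  # hypothetical baseline
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 firm-local time (assumption)
FAILURE_THRESHOLD = 3          # failed logins per user per day before alerting


def review(log_text):
    """Return a sorted list of (user, timestamp, reason) alerts."""
    alerts, failures = set(), Counter()
    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user = row["user"]
        if row["result"] == "failure":
            failures[(user, ts.date())] += 1
            if failures[(user, ts.date())] == FAILURE_THRESHOLD:
                alerts.add((user, row["timestamp"], "repeated failed logins"))
            continue
        # Successful activity: compare against the user's normal pattern.
        if row["country"] not in USUAL_COUNTRIES.get(user, set()):
            alerts.add((user, row["timestamp"], "unfamiliar location"))
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            alerts.add((user, row["timestamp"], "outside business hours"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, when, reason in review(SAMPLE_LOG):
        print(f"{when}  {user:8}  {reason}")
```

On the constructed sample, the weekday activity produces no alerts, while the Sunday 2 AM session is flagged for repeated failures, location and time of day.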

What the Numbers Show

The scale of the problem is significant. 45% of all data breaches now occur in cloud environments, and the trend is accelerating. 83% of organizations experienced at least one cloud security breach in the past 18 months. The year-over-year surge in significant cloud breaches was 154% in 2024, with 61% of organizations reporting major incidents compared to 24% the year before.

The most telling statistic: 31% of executive leadership lacks sufficient understanding of cloud security risks. When leadership doesn't understand where their responsibility begins and the cloud provider's ends, the firm operates with a blind spot. That blind spot is where breaches happen.

The examples are instructive. In 2019, Capital One lost over 100 million customer records not because AWS was breached, but because Capital One misconfigured their own access permissions within AWS. The infrastructure was fine. The configuration was the problem. A healthcare vendor called Medico exposed nearly 14,000 files containing medical, financial, and legal records through an improperly configured storage bucket. An online marketing firm called Alteryx exposed data on 123 million U.S. households through the same type of mistake.

In none of these cases did the cloud provider fail. The customer failed to secure what was theirs to secure.

What the FTC Expects

The FTC Safeguards Rule doesn't carve out an exception for data stored in the cloud. Your obligation to protect client data applies regardless of where that data lives. If you store client Social Security numbers in a cloud-based document management system, you need to know how that system is configured, who has access, whether the data is encrypted, and what controls are in place to prevent unauthorized access.

The rule also requires you to exercise due diligence in selecting cloud service providers and to maintain contracts that specify their security obligations. This is the same service provider oversight requirement that applies to your IT provider. If your cloud vendor has access to client data, you need a written agreement that defines their responsibilities and yours.

57% of organizations reported being out of compliance with at least one regulatory framework specifically because of cloud-related issues. For CPA firms subject to the FTC Safeguards Rule, the question isn't just whether your cloud provider is secure. It's whether you can demonstrate that your use of cloud services meets the regulatory standard.

How to Work With Your IT Provider on This

This is one of the most productive conversations you can have with your IT provider. Ask them to walk you through your cloud footprint: what services your firm uses, where client data resides, and how each service is configured. Most IT providers manage these configurations and can show you what's in place.

Specifically, ask about:

Access controls. Who has access to what? Are permissions based on role and need? When was the last time someone reviewed who can access client data in your cloud systems?

Authentication. Is multi-factor authentication enforced on every cloud account? Not just admin accounts. Every account that can reach client data.

Logging and monitoring. Are login and access logs being captured? Is anyone reviewing them? Are alerts configured for unusual activity?

Encryption. Is client data encrypted at rest and in transit? Most cloud providers offer encryption, but some require you to enable it. If it's not turned on, the data is sitting unprotected even though the option exists.

Backup and recovery. If a ransomware attack encrypts your cloud-hosted files, can you recover? How far back? How quickly? Is the backup stored separately from the primary data?

Your IT provider can answer these questions and help you close any gaps. This isn't about questioning their work. It's about understanding a model that many organizations, including some with dedicated security teams, still misunderstand.
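The access-control and authentication questions above can be checked against an export of your cloud accounts. This is an added example, not code from the original post or from any platform; the account records, field names, client names, review date and 365-day policy are constructed assumptions.

```python
from datetime import date

# Constructed export of cloud accounts; field names are assumptions, not a vendor schema.
ACCOUNTS = [
    {"login": "partner1", "users": ["Dana"], "mfa": True, "admin": True,
     "needs_admin": True, "can_open": {"acme", "birch", "cole"},
     "assigned": {"acme", "birch", "cole"}},
    {"login": "staff2", "users": ["Eli"], "mfa": False, "admin": False,
     "needs_admin": False, "can_open": {"acme", "birch", "cole"},
     "assigned": {"acme"}},
    {"login": "taxdesk", "users": ["Fay", "Gus"], "mfa": True, "admin": True,
     "needs_admin": False, "can_open": {"birch"}, "assigned": {"birch"}},
]
LAST_ACCESS_REVIEW = date(2024, 1, 15)  # constructed


def audit(accounts, last_review, today, max_age_days=365):
    """Return (login, finding) pairs for the access and authentication questions."""
    findings = []
    for a in accounts:
        # MFA on every account that can reach client data, not just admins.
        if a["can_open"] and not a["mfa"]:
            findings.append((a["login"], "reaches client data without MFA"))
        # One login used by several people hides who actually did what.
        if len(a["users"]) > 1:
            findings.append((a["login"], f"shared login used by {len(a['users'])} people"))
        if a["admin"] and not a["needs_admin"]:
            findings.append((a["login"], "admin rights not needed for role"))
        # Permissions based on need: folders reachable minus clients assigned.
        excess = sorted(a["can_open"] - a["assigned"])
        if excess:
            findings.append((a["login"], "access beyond assigned clients: " + ", ".join(excess)))
    age = (today - last_review).days
    if age > max_age_days:  # hypothetical firm policy: review at least yearly
        findings.append(("firm", f"last access review was {age} days ago"))
    return findings


if __name__ == "__main__":
    for login, finding in audit(ACCOUNTS, LAST_ACCESS_REVIEW, date(2025, 3, 1)):
        print(f"{login:9} {finding}")
```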

What You Can Do Today

  1. Map your cloud footprint. List every cloud service your firm uses: tax software, document management, email, file storage, client portals, communication tools. For each one, note where client data is stored and who has access.

  2. Ask your IT provider about configurations. Schedule a conversation specifically about how your cloud services are configured. Focus on access controls, MFA, and logging. If your IT provider manages these services, they should be able to show you the current settings.

  3. Review your vendor agreements. Check whether your contracts with cloud providers include language about their security obligations. The FTC requires this for any service provider that handles client data.

  4. Enable everything that's available but not turned on. Many cloud platforms offer security features like encryption, audit logging, and advanced authentication options that are available but not enabled by default. Ask your IT provider to review what's available and turn on everything that makes sense for your firm.

  5. Include cloud services in your security program. Your WISP should address how cloud-hosted data is protected. If it doesn't, update it to reflect your current cloud footprint and the controls you have in place.

The Bottom Line

The cloud is secure. Your use of the cloud might not be. The distinction matters because when something goes wrong, the FTC doesn't ask your cloud provider what happened. They ask you.

Understanding the shared responsibility model isn't about becoming a cloud security expert. It's about knowing where your responsibilities begin, making sure someone is managing those responsibilities, and being able to document it when regulators or clients ask.

If you're not sure where the line is between your cloud provider's responsibilities and yours, that's something Kompflow can help clarify. We work with firms to map their cloud environments, coordinate with their IT providers, and build the governance documentation that demonstrates compliance. Your cloud provider secures the building. We help you secure the office.

The cloud is a tool. Like any tool, it's only as safe as the way you use it.
