The major cloud providers โ AWS, Google Cloud, Microsoft Azure, and the consumer-facing services built on them โ run security operations with budgets larger than most national governments’. Their infrastructure is, by most measures, more secure than what any individual or small business could build alone. That’s the part the marketing emphasizes. The part it underemphasizes: the security of your cloud-stored data depends almost entirely on the security of your account, and the account is overwhelmingly where breaches actually happen. The provider’s encrypted data center is rarely the weak link. You are.
Where breaches actually originate
Verizon’s annual Data Breach Investigations Report has documented the same pattern for years: the substantial majority of breaches involve credentials โ stolen, reused, phished, or guessed โ rather than infrastructure compromises. When a public cloud breach makes the news, the underlying cause is usually a misconfigured S3 bucket, an exposed API key in a public code repository, or a phished employee, not someone breaking the cloud provider’s encryption. For consumers, leaked photos and document exposures from major cloud services almost always trace to compromised individual accounts, often via password reuse from unrelated breaches. The provider’s security posture is largely irrelevant when the user hands over the keys.
What “encrypted” actually means in cloud storage
Most consumer cloud services encrypt data at rest and in transit, which protects against someone physically stealing a hard drive from a data center or intercepting traffic. It does not protect against someone logged into your account, because for that user, the data is decrypted on demand by the service itself. End-to-end encryption โ where the provider can’t read your files even if compelled โ is offered by some services (Proton, Tresorit, Cryptomator overlays) but is not the default for the major mainstream providers. Reading the actual encryption model of your service matters more than the marketing word “encrypted,” which is technically true of nearly everything but means very different things.
The real security checklist
For practical purposes, the things that actually move the needle are unglamorous: a unique, long password for each cloud service; a password manager so unique passwords are feasible; two-factor authentication using an authenticator app or hardware key (not SMS, which is bypassable via SIM swap); reviewing connected third-party apps and revoking ones you no longer use; and treating account-recovery channels like email as the security backbone they actually are. A cloud account secured with a unique password, 2FA, and a hardened recovery email is dramatically more secure than one without those, regardless of which provider is used.
When the provider is the right thing to worry about
There are exceptions. State-level adversaries can compel providers to hand over data via legal process. Insider threats at the provider exist and have produced breaches. Specific provider configurations โ public buckets, weak API keys โ are widespread misconfigurations. For most users most of the time, none of these are the relevant threat model. Account takeover is.
The bottom line
Cloud storage is generally secure at the infrastructure level. The account is the weak link, and the account is your responsibility. Unique passwords and proper 2FA do most of the actual security work.
Leave a Reply