Troy Bowman | Securing the cloud

Many small and mid-sized businesses assume that moving to the cloud means security is automatically handled by the provider. But as Troy Bowman, Senior Security Engineer, explains, that’s a dangerous misconception.

‍Defining Small and Midsize Business (SMB) Cybersecurity

‍Unlike large enterprises with dedicated security teams, SMBs often have limited security staff—sometimes just one IT professional juggling multiple responsibilities. This means security can become an afterthought rather than a strategic priority. “You can make all the money in the world, but if you’re not staffing your company to protect itself, can you really say you’re that large of an organization?” Troy asks.

The Cloud Isn’t a Security Cure-All

The shift to cloud computing doesn’t eliminate security concerns—it just changes them. Companies still need to worry about networking, DNS, patching vulnerabilities, and access controls—just as they would in a traditional data center.

And cloud providers don’t take on full responsibility for security. Instead, it depends on the service model:

• Infrastructure-as-a-Service (IaaS) – Security responsibilities mostly fall on the customer.
• Platform-as-a-Service (PaaS) – Some security responsibilities shift to the provider.
• Software-as-a-Service (SaaS) – The provider handles more security, but customers must still assess risks.

Third-Party Risk: It’s More Than Just Your Vendor

Cloud security doesn’t stop at your immediate provider. Many SaaS vendors rely on third, fourth, or even fifth-party cloud providers. That means security failures could be outside your direct control. Troy recommends SMBs conduct due diligence, asking for third-party security attestations and ensuring vendors follow industry best practices.

Where SMBs Should Start

• Understand your cloud model – Know your security responsibilities based on IaaS, PaaS, or SaaS.
• Review contracts carefully – Pay attention to Service Level Agreements (SLAs) and uptime guarantees.
• Follow cloud security frameworks – Resources like the Cloud Security Alliance (CSA) provide best practices.
• Architect for security from the beginning – It’s easier to build security into a cloud environment than to fix gaps later.

“Start small,” Troy advises. “Have someone with strong cloud expertise help build a secure architecture before you scale.”

Listen to the CyberWatch podcast on Spotify and Apple Podcasts, or watch the episode on YouTube.