Cloud hosting for bespoke apps: the shared responsibility explained

Cloud hosting has transformed how SMEs run bespoke web and mobile applications. Infrastructure that once required physical servers and specialist teams can now be spun up in minutes.

This convenience often creates a dangerous assumption: that moving to the cloud automatically makes systems secure.

In reality, cloud security is a shared responsibility. Understanding where the cloud provider’s role ends – and where yours begins – is crucial for avoiding gaps.

What “the cloud” actually provides

Cloud platforms such as Azure, AWS and Google Cloud offer highly secure infrastructure. They manage physical data centres, networking and underlying hardware at a scale most businesses could never achieve.

This includes:

• Physical security of servers.
• Network resilience and redundancy.
• Base-level infrastructure availability.

These foundations are strong – but they’re only part of the picture.

The shared responsibility model in plain English

In simple terms, cloud providers secure the platform, while customers secure what they build and run on top of it.

Cloud providers are responsible for:

• Physical data centres.
• Core networking.
• Underlying host infrastructure.

SMEs remain responsible for:

• Application security.
• User access and authentication.
• Data protection and privacy.

Mistaking one for the other is a common cause of cloud breaches.

Identity and access: your biggest cloud risk

Most cloud security failures don’t involve advanced hacking. They involve mismanaged credentials.

Common issues include:

• Weak or reused passwords.
• Accounts without multi-factor authentication.
• Excessive permissions granted for convenience.

Securing identity is often the most impactful improvement SMEs can make.

Configuration errors: small changes, big impact

Cloud platforms are flexible, but that flexibility increases the chance of misconfiguration.

Examples SMEs encounter include:

• Storage accidentally exposed to the public internet.
• Management interfaces left open.
• Default settings never reviewed.

None of these require sophisticated attackers – just scanning tools.

Application security still matters in the cloud

Moving an insecure application to a secure platform does not make it safe.

Bespoke apps in the cloud still need:

• Input validation.
• Authentication and authorisation.
• Protection against common attacks.

Cloud hosting does not replace secure development practices.

Data protection and storage responsibility

While cloud providers secure storage infrastructure, you control how data is stored and accessed.

SMEs should ensure:

• Sensitive data is encrypted.
• Backups are configured and retained appropriately.
• Access to data stores is restricted.

The cloud makes these things easier – but not automatic.

Backups are still your job

Availability is not the same as backup. Many SMEs assume cloud redundancy protects against data loss.

It doesn’t.

Redundant systems stay online, but they don’t recover deleted or encrypted data.

Reliable cloud backup strategies include:

• Automated snapshots.
• Separate backup storage.
• Regular restore testing.

Monitoring and alerts in cloud environments

Cloud platforms generate rich logs, but they don’t interpret them for you.

Without monitoring:

• Suspicious access goes unnoticed.
• Configuration changes slip through.
• Abuse can continue undetected.

Basic alerting dramatically improves visibility.

The role of managed services

Many cloud services manage security on your behalf – but only within defined boundaries.

For example:

• Managed databases still need access control.
• Platform authentication still needs configuration.
• Automatic scaling still needs monitoring.

“Managed” doesn’t mean “hands-off”.

Cloud security and bespoke development

Custom-built systems benefit greatly from cloud platforms – but only when security responsibilities are clearly understood.

Well-designed bespoke apps:

• Align with cloud security controls.
• Use platform identity features.
• Log activity centrally.

This reduces duplication and risk.

Common myths SMEs believe about cloud security

Several assumptions frequently cause problems:

• “The cloud provider handles security.”
• “We’re too small to be noticed.”
• “Defaults are fine.”

Cloud security failures are usually configuration issues, not platform flaws.

Practical steps SMEs can take now

A few targeted actions go a long way:

1. Enable MFA for all cloud accounts.
2. Review permissions regularly.
3. Check storage access settings.
4. Confirm backups are running and test restores.

These steps are far more effective than chasing complex tooling.

Security without over-engineering

Good cloud security doesn’t mean locking everything down to the point of frustration.

It means understanding responsibilities, using available controls sensibly, and reviewing configurations as systems evolve.

Final thought

The cloud provides strong foundations, but security still depends on how systems are built and managed. SMEs that understand the shared responsibility model avoid false confidence and build genuinely resilient systems.