Companies like Amazon, Google, and Microsoft spend huge amounts of money to secure their cloud data centers from hackers. But can they guarantee that customers will be safe?
The short answer is no.
“You can never be paranoid enough,” Microsoft’s top cloud executive Scott Guthrie said on Wednesday. “If people say, ‘if I sign with you, can you guarantee I won’t be hacked?’ If I say yes, I’m lying.”
The problem is that business software or online services rely on many moving pieces. Some are under the control of the company that built the software, and some are a function of the data center infrastructure that customers rely on. Everyone needs to do their bit.
Get Data Sheet, Fortune’s technology newsletter
“You need to be responsible at the application level to do what you have to do,” Guthrie said at the Geekwire Cloud Tech Conference in Bellevue, Wash.
He said many of the recent hacks occurred not because someone broke into the cloud data center but because they were able to exploit vulnerabilities in the applications. That means the companies who build and support those applications have to “lock them down,” said Guthrie who is executive vice president of Microsoft’s (MSFT) Cloud and Enterprise business group.
Related: OneLogin Security Breach Poses Worrisome Questions
Microsoft provides a tool that monitors a customer’s software running on Microsoft Azure public cloud to show potential vulnerabilities and recommends how to address them, he said.
Related: Public Cloud Goes from Security Goat to Champion
Greg DeMichillie, director of product management for Google (GOOGL) cloud agreed with Guthrie’s assessment. Moving software to cloud is is all about layered defenses on each part of the technology, he told Fortune.
In public cloud, companies like market leader Amazon (AMZN) Web Services rent computing, networking, and storage to customers instead of those customers using their own data centers. The public cloud vendors argue that they have more resources to secure their data centers than their customers and ensure that customers are running the latest-and-safest software.
But those business customers nonetheless must ensure that their own software security practices are up to date.
