To burrow inside Capital One’s systems, a hacker supposedly exploited a “misconfigured firewall.” Basically, the thief snuck in an open door. Both Capital One and Amazon stressed that “this type of vulnerability is not specific to the cloud.”

Yet some ­experts, such as Evan Johnson, a security manager at startup Cloudflare, say AWS’s technical setup made the breach “much worse.” AWS is particularly susceptible to “server side request forgery,” Johnson says, in which a hacker tricks a server into connecting where it shouldn’t, enabling data theft. Better mitigations ought to be in place, he says.

Despite the criticism, Capital One’s breach “doesn’t prove the cloud is wrong,” says Glenn O’Donnell, a Forrester VP. “What it does prove is you have to have the right controls in place from a security and governance perspective.”

Ed Amoroso, ex–chief security officer for AT&T, agrees that for most businesses, off-loading infrastructure to the cloud remains safer than managing one’s own: “You have to compare not against ‘perfect’ but against ‘on premises.’ ”

A version of this article appears in the September 2019 issue of Fortune with the headline “Capital Offense.”

More must-read stories from Fortune:

—Fortune Change the World 2019: See which companies made the list
—Corporate America’s most fascinating standoff: The accountant who exposed Madoff vs. GE
—America’s CEOs seek a new purpose for the corporation
—How the world’s biggest companies stay ahead
—What the world’s biggest motorcycle rally reveals about the state of festival food
Subscribe to Fortune’s CEO Daily newsletter for the latest business news and analysis.