The recent CapitalOne breach has certainly made lots of headlines in less than a day since the story broke out. And sadly, it has already thrust the $700M settlement that was reached from the largest ever data breach \u2013 the Equifax one \u2013 onto the sidelines just days after the news of that settlement broke out.But going back to CapitalOne, there are lots of lessons to be learned there certainly. I want to focus on where CapitalOne\u2019s data centers were and what that means for the rest of the planet from a security perspective. CapitalOne has been one of the most vocal AWS customers. They have appeared at numerous AWS events and touted how they have completely shuttered all their data centers and run exclusively on Amazon. And to be fair, they have also shared their best practices and use of AWS services.And then this happens.So, the question is: if one of the savviest AWS customers can suffer such a large and embarrassing data breach, then every AWS (and non-AWS) customer should be concerned...and taking proactive steps to address what cloud security means and what it does not mean.Put another way, is reliance on the cloud lulling us into security complacency?1. From rack and stack to spin up on a whimIn the days when every mid to large enterprise had one or more dedicated data centers and setting up a new server or rack involved wiring, power, cooling as well as extensive network and security reconfigurations. And it could literally take weeks. And that time would allow to ask the basic and not-so-basic security questions. Today, compute, storage, serverless\u2026everything is on-demand. And cloud bursting and data hoarding is inexpensive and quick. Everything has been accelerated many times over. So, unless security is in the process blueprint or the cloud provider offers it as a default setting (e.g. AWS by default now encrypts its S3 buckets after many an incident of unsecured data stores was reported) it can easily get lost in the noise.2. The shared responsibility model is pretty descriptive except that it can relegate to distant memoryWhen AWS came up with the Shared Responsibility Model, it got great kudos for explaining clearly what they are responsible for \u2013 \u201csecurity of the cloud\u201d and what the customer is responsible for \u201csecurity in the cloud.\u201d But the pace at which AWS releases features, it is so easy to get caught up with the catchy names \u2013 Greengrass, Lambda, Control Tower \u2013 and delve into them without remembering the \u201cof\u201d the cloud and \u201cin\u201d the cloud responsibility distinction. And that oversight can prove to be very costly.3. No two clouds are the same, and doing multi-cloud requires extra effort and careWhile multi-cloud has a bevy of advantages \u2013 better pricing, redundancy, bleeding edge feature rollout etc., it also puts a burden on the teams using multi-cloud. The investment to keep up with the latest and greatest and then know how to use it. But from a security perspective the challenge is far greater. Why? Because while inherently the shared responsibility model should apply to all clouds \u2013 AWS, Azure, Google, etc. \u2013 the implementation and the risk attribution could be very different.For instance, can an infrastructure administrator gone rogue have the ability to steal a Virtual Machine. Or if a data store is encrypted, does the end customer alone have the master key or does the cloud provider hold the key as well? And the answers could and usually are very different from cloud to cloud. And so, the shared responsibility model is also cloud specific.These are three challenges as it relates to cloud security that makes this journey not such an obvious one when seen from the lens of security and privacy. So, what does a business do then? Slow down or stop cloud adoption. The answer to that is obvious. No, that ship has sailed.Instead, ask yourself these questions periodically:Have I identified recently all the sanctioned and unsanctioned cloud workloads across all major public clouds for my enterprise (there are tools that do this kind of discovery)?Remind yourself and your team of the \u201cshared responsibility model\u201d and for all the cloud workloads ask what \u201cin the cloud\u201d security means. The answer could be very different for a cloud connected IoT sensor to a serverless compute engine.And finally, develop experts within your organization or engage a trusted third-party to educate constantly on the multi-cloud differences for the features you are working with from a security and privacy angle. Costly and Time consuming? Yes. Critical? Absolutely.Over the course of the coming weeks and months, we will learn more about the CapitalOne breach. But to borrow a marketing tagline from them ask yourself this question constantly \u201cWhat\u2019s in your cloud\u201d?