Aviatrix Blog

The Shared Responsibility Paradox: Why Your Cloud Data Might Be More Vulnerable Than You Think

Entrusting your data to shared cloud infrastructure introduces risk. Learn how to protect it with centralized control, visibility, encryption, and segmentation.


When you store data with a cloud service provider (CSP), connect through a third-party interconnect, or use a SaaS platform, you are entrusting those vendors to help protect your data. For enterprises, this means trusting vendors with large volumes of data, some of which might be sensitive or private.

While compliance frameworks and service-level agreements (SLAs) ensure encryption and security features are available, enforcement is often left to you—the customer. This is especially true in shared infrastructure models, where CSPs provide the tools but you remain responsible for securely configuring, managing, and monitoring them.

In this blog post, we’ll explore:

  • The nature of cloud infrastructure risk
  • How the shared responsibility model works
  • Recent cybersecurity incidents and what they teach us
  • Solutions to maximize the value of shared infrastructure while protecting your data


The Risk of Shared Cloud Infrastructure

When you build a hybrid or multicloud network, you’re moving from a model where you own and control all aspects of security to one where responsibility is shared between you and your cloud providers. This shared responsibility has some risks attached:

  • Encryption gaps across clouds – While CSPs encrypt data within their own environments, traffic that flows between clouds, regions, or hybrid connections often lacks consistent encryption. Most CSPs decrypt traffic at ingress points, making it your responsibility to ensure encryption across the entire path.
  • Insecure APIs – When data is transferred via API calls from one system to another, your data’s security depends on the security of those APIs. Poorly designed or insecure APIs pose a risk to your network.
  • Unclear ownership and responsibility – In shared infrastructure environments, it’s not always clear where the cloud provider’s security responsibilities end and yours begin. This confusion—especially across multiple providers or services—can lead to misconfigurations or blind spots that attackers exploit.


Shared Infrastructure Creates a Wider Attack Surface

In a hybrid or multicloud network with a “flat” architecture, or an architecture that allows users to move across platforms, accounts, regions, and services without strong identity enforcement, edge devices such as firewalls, routers, and gateways become soft targets. These entry points expand your attack surface and are often exploited in real-world breaches.

Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), called these edge devices the “connective tissue and the soft underbelly for our adversaries.”


Recent Attacks Demonstrate Shared Cloud Infrastructure Vulnerability

The vulnerability of this connective tissue and soft underbelly became clear in several recent, high-profile attacks:

  • Oracle data breach – Attackers recently gained access to a legacy Oracle environment. While the full scope is still being assessed, credential information may have been exposed, giving attackers long-term unauthorized access to enterprise systems.
  • Salt Typhoon hack – A state-sponsored advanced persistent threat (APT) group known as Salt Typhoon targeted major U.S. telecommunications providers and internet service providers. They exploited unencrypted or poorly segmented traffic across hybrid and cloud environments to establish persistence.
  • Medusa ransomware-as-a-service – A ransomware group that exploits weak access controls, unsegmented networks, and unencrypted traffic to move laterally, escalate privileges, and lock down systems for ransom. One of their latest victims was NASCAR.


These incidents align with CISA warnings about threat actors exploiting flat networks, shared infrastructure, and unencrypted lateral traffic.


Protecting Your Data in a Shared Infrastructure Model

To maintain global connectivity and take advantage of the cost and performance benefits of the cloud, organizations inherently rely on shared infrastructure. Here’s how you can preserve the value of a hybrid or multicloud environment—while securing your data from the risks that come with that shared foundation:

1. Centralize Control Across Clouds

Relying solely on CSP-native tools creates silos—each cloud has its own security models, controls, and operational limitations. This fragmented approach makes it difficult to enforce consistent policies, detect threats, or troubleshoot issues across environments.

Explore cloud network security platforms like Aviatrix, which abstract and unify cloud-native constructs across AWS, Azure, Google Cloud, and Oracle Cloud. Aviatrix gives you:

  • Fine-grained control over networking, security, and segmentation
  • Centralized policy enforcement across accounts, regions, and CSPs
  • Consistent user experience for cloud architects and security teams
  • Integrated visibility into encrypted traffic flows, threat exposure, and policy violations


With a centralized control plane, you can operate your hybrid and multicloud environment like a single, secure system—without being constrained by each CSP’s limitations.


2. Get Cross-Cloud Visibility

Each cloud provider offers its own monitoring tools, but they’re fragmented and inconsistent—making it difficult to piece together a real-time view of your entire network. This siloed visibility slows down troubleshooting, hides lateral movement, and leaves teams blind to performance or security anomalies.

Instead of forcing network and security teams to toggle between CSP consoles, log aggregators, and CLI scripts, use a platform like Aviatrix CoPilot to deliver:

  • Unified flow telemetry across AWS, Azure, Google Cloud, and OCI
  • Deep visibility into encrypted traffic and east-west communication paths
  • Real-time insights into latency, throughput, policy violations, and topology changes
  • Visual troubleshooting tools that accelerate MTTR and incident response
  • Anomaly detection and baselining, powered by full-fidelity network data


Cross-cloud visibility isn’t just about performance monitoring—it’s foundational to zero trust, threat detection, and regulatory readiness in a hybrid or multicloud environment.


3. Invest in Sufficient Encryption

Don’t assume private connectivity is secure—that’s the fallacy Salt Typhoon exploited. “Private” does not equal “encrypted.”

State-sponsored threat groups like Salt Typhoon have taken advantage of unencrypted traffic moving across private circuits, interconnects, and shared infrastructure. While these paths may be isolated from the public internet, they often lack encryption, especially when relying on traditional solutions like MPLS, virtual cross-connects, or MACsec.

MACsec encrypts traffic hop-by-hop, decrypting and re-encrypting at every switch or router, often across infrastructure you don’t control. Your data is therefore in plaintext at each intermediary device, such as provider-owned routers or shared fabric, which increases the risk of interception or compromise.

In contrast, Aviatrix High-Performance Encryption (HPE) also operates hop-by-hop, but entirely within a software-defined overlay that you control—with full visibility, centralized policy enforcement, segmentation, and orchestration at each hop. It protects traffic across VPCs, VNets, CSP regions, and even between clouds, without relying on third-party infrastructure.

Rather than depending on MACsec-style encryption over third-party infrastructure, use encryption that:

  • Secures in-transit traffic—across clouds, regions, and from on-prem to cloud
  • Operates at the network layer to protect metadata and routing information
  • Is software-defined, delivering scalable, high-performance encryption without relying on specialized hardware or manual orchestration


4. Segment Your Network

CISA has warned that threat actors frequently “escalate privileges and move laterally within networks”—especially in flat or overly permissive architectures. In hybrid and multicloud environments, lateral movement becomes even more dangerous when network boundaries are loosely enforced or based solely on IP addresses.

To stop this, you need dynamic, identity-aware segmentation that isolates workloads, users, and services based on context—not just location.


With Aviatrix, you can:

  • Enforce microsegmentation across VPCs, VNets, regions, and datacenters
  • Create attribute-based policies that follow workloads across clouds
  • Apply least privilege access controls to east-west traffic
  • Visually map and monitor segmentation policies with Aviatrix CoPilot
  • Shrink the blast radius of any compromise, making attacks easier to detect and contain


Segmentation isn’t just a best practice—it’s essential to zero trust and a critical line of defense against ransomware, privilege escalation, and supply chain threats.
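To make the “context, not just location” point concrete, here is an added illustration (not Aviatrix code and not its policy language): a location-only IP allowlist beside an attribute-based rule, evaluated against a constructed inventory in which a prod web tier moves from AWS to Azure and its old address is later reused by a dev box.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    """Constructed inventory record: identity attributes travel with the workload, the IP does not."""
    name: str
    ip: str
    cloud: str
    env: str
    role: str

@dataclass(frozen=True)
class Rule:
    """Attribute-based allow rule: every key in src/dst must equal the workload's attribute."""
    name: str
    src: dict
    dst: dict
    ports: frozenset

    def matches(self, s: Workload, d: Workload, port: int) -> bool:
        return (all(getattr(s, k) == v for k, v in self.src.items())
                and all(getattr(d, k) == v for k, v in self.dst.items())
                and port in self.ports)

def attribute_decision(rules, src: Workload, dst: Workload, port: int) -> str:
    """Default deny: only an explicit attribute match allows an east-west flow."""
    return next((f"ALLOW:{r.name}" for r in rules if r.matches(src, dst, port)), "DENY")

def ip_decision(allowlist, src: Workload, dst: Workload, port: int) -> str:
    """Location-only policy: (src_ip, dst_ip, port) tuples, the flat-network style the post warns about."""
    return "ALLOW" if (src.ip, dst.ip, port) in allowlist else "DENY"

RULES = [Rule("prod-web->prod-db", {"env": "prod", "role": "web"},
              {"env": "prod", "role": "db"}, frozenset({5432}))]

def simulate_migration():
    """Move the prod web tier from AWS to Azure, reuse its old IP for a dev box, compare both policies."""
    db = Workload("db-1", "10.0.2.10", "aws", "prod", "db")
    web_aws = Workload("web-1", "10.0.1.20", "aws", "prod", "web")
    ip_allow = {(web_aws.ip, db.ip, 5432)}                                # written while web-1 lived in AWS
    web_azure = Workload("web-1", "10.1.1.20", "azure", "prod", "web")    # same identity, new address
    dev_reuse = Workload("dev-scratch", "10.0.1.20", "aws", "dev", "web") # inherits the stale IP
    return {
        "before": (ip_decision(ip_allow, web_aws, db, 5432), attribute_decision(RULES, web_aws, db, 5432)),
        "after_move": (ip_decision(ip_allow, web_azure, db, 5432), attribute_decision(RULES, web_azure, db, 5432)),
        "stale_ip": (ip_decision(ip_allow, dev_reuse, db, 5432), attribute_decision(RULES, dev_reuse, db, 5432)),
        "wrong_port": (ip_decision(ip_allow, web_aws, db, 22), attribute_decision(RULES, web_aws, db, 22)),
    }

if __name__ == "__main__":
    for case, (ip_result, attr_result) in simulate_migration().items():
        print(f"{case:11s} ip-policy={ip_result:<6} attribute-policy={attr_result}")
```

After the move the IP allowlist breaks the legitimate prod flow and, once the old address is reused, silently admits the dev box; the attribute rule follows the workload and keeps the dev box out.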

Don’t wait for attackers to exploit the gaps between your environments—assume they already are. Neutralize lateral movement by enforcing segmentation, backed by centralized control, real-time visibility, and encryption.