I was on the phone with a Gartner analyst earlier this week, and our discussion veered towards the shared responsibility model of cloud security. He said that this is one of the biggest sources of inquiries that he receives from enterprises - people trying to figure out where the security and compliance line is drawn between cloud app vendor and the enterprise. When we are asked this question, we typically respond with a quick-and-simple framework - The Wall Street Journal test.
Nobody wants their name on the front page of the Wall Street Journal (and countless other publications) as a result of a hack or data breach. This is true of both cloud app vendors and enterprises, so both will do their best to protect their businesses and prevent this from happening. To conduct the Wall Street Journal test, come up with the cause of a hypothetical security incident (DDoS attack, SQL injection, insider theft, etc.), and then decide who (cloud app vendor or enterprise) will get voluminous bad press should the incident occur.
Run through this test a few times and you'll find that the app vendors are very motivated to protect against widespread events involving their applications or the underlying infrastructure. This means they'll invest heavily in security infrastructure and security personnel to keep their names out of the press - the success of their business depends on it. At least with major app vendors, you will likely find that they have far more resources for app/infrastructure issues than you can ever dream of (and probably far more success protecting these things, despite being a larger, more public target).
Where are the app vendors not looking? They're not looking at your users and your data, or at suspicious activities in either camp. If a privileged user (or someone with that user's credentials) logs into Salesforce and downloads your company's sales forecasts and contact database, and that information gets out, it'll be you on the front page of the WSJ, not Marc Benioff. Or if there is an unauthorized download of PII to an employee BYOD device that is subsequently lost or stolen, the resulting compliance failure is on you as well. In these cases, the cloud app vendors don't have their business on the line, which means that you need to step it up and fill in the gaps with a Cloud Access Security Broker like Bitglass.
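To make the enterprise side of the line concrete, here is an added example (not Bitglass code, and not any vendor's real log schema) of the kind of user-and-data monitoring the post says the app vendor will not do for you. It runs a detector over a handful of constructed SaaS audit-log events and flags the two incidents described above: a privileged user bulk-exporting confidential records within a short window, and PII being downloaded to a device the enterprise does not manage. The event fields (`user`, `action`, `records`, `classification`, `device_managed`), the 5,000-record threshold and the 30-minute window are assumptions chosen for illustration.

```python
"""
Added example, not code from the original post or from Bitglass.
Flags two enterprise-side incidents over constructed audit events:
  1. PII downloaded/exported to an unmanaged (BYOD) device
  2. A user exporting >= BULK_EXPORT_THRESHOLD records within WINDOW
Field names and thresholds are assumptions, not a real vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BULK_EXPORT_THRESHOLD = 5000          # records per user inside the window (assumed)
WINDOW = timedelta(minutes=30)        # sliding window for the bulk-export rule (assumed)

# Constructed sample events; none of this is real data.
EVENTS = [
    {"ts": "2023-05-01T09:00:00", "user": "admin@corp.example", "action": "export",
     "object": "Opportunity", "records": 4000, "classification": "confidential",
     "device_managed": True},
    {"ts": "2023-05-01T09:10:00", "user": "admin@corp.example", "action": "export",
     "object": "Contact", "records": 3000, "classification": "confidential",
     "device_managed": True},
    {"ts": "2023-05-01T10:00:00", "user": "alice@corp.example", "action": "download",
     "object": "CustomerList.csv", "records": 120, "classification": "pii",
     "device_managed": False},
    {"ts": "2023-05-01T11:00:00", "user": "bob@corp.example", "action": "view",
     "object": "Report", "records": 1, "classification": "internal",
     "device_managed": True},
]


def detect(events):
    """Return a list of (rule, user, detail) alerts for the given events."""
    alerts = []

    # Rule 1: any PII leaving the app to a device the enterprise does not manage.
    for e in events:
        if (e["action"] in ("download", "export")
                and e["classification"] == "pii"
                and not e["device_managed"]):
            alerts.append(("pii_to_unmanaged_device", e["user"], e["object"]))

    # Rule 2: per-user sliding window over export volume.
    exports_by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] == "export":
            exports_by_user[e["user"]].append(
                (datetime.fromisoformat(e["ts"]), e["records"]))

    for user, exports in exports_by_user.items():
        start, total = 0, 0
        for ts, count in exports:
            total += count
            # Drop exports that fell out of the window.
            while ts - exports[start][0] > WINDOW:
                total -= exports[start][1]
                start += 1
            if total >= BULK_EXPORT_THRESHOLD:
                alerts.append(("bulk_export", user, total))
                break  # one alert per user is enough for this example

    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Neither rule needs anything from the app vendor beyond the audit trail it already exposes; the point is that deciding what counts as "bulk" or "unmanaged" for your users and your data is your call, and no amount of vendor-side infrastructure hardening makes it for you.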