I was on the phone with a Gartner analyst earlier this week, and our discussion veered towards the shared responsibility model of cloud security. He said that this is one of the biggest sources of inquiries that he receives from enterprises: people trying to figure out where the security and compliance line is drawn between the cloud app vendor and the enterprise. When we are asked this question, we typically respond with a quick-and-simple framework: the Wall Street Journal test.
Nobody wants their name on the front page of the Wall Street Journal (and countless other publications) as a result of a hack or data breach. This is true of both cloud app vendors and enterprises, so both will do their best to protect their businesses and prevent this from happening. To conduct the Wall Street Journal test, come up with the cause of a hypothetical security incident (DDoS attack, SQL injection, insider theft, etc.), and then decide who (cloud app vendor or enterprise) will get voluminous bad press should the incident occur.