The Snowflake breaches are exposing the limits of cloud security's shared-responsibility model
The shared-responsibility model is groaning under the weight of the modern security environment. Snowflake's ongoing nightmare should be a wake-up call for any infrastructure or SaaS provider that they need to do more to protect their customers, because the old model is no longer working.
Cloud computing's fundamental approach to security seemed like a great deal when it was first proposed to companies struggling to protect their self-managed infrastructure. The bargain was simple: we take care of the hard stuff, and all you have to do is control access to your account.
But the shared-responsibility model is groaning under the weight of the modern security environment, with its sophisticated threat actors, scarily good phishing scams, and automated attacks. Snowflake's ongoing nightmare should be a wake-up call for any infrastructure or SaaS provider that they need to do more to protect their customers, because the old model is no longer working.
Microsoft's description of the shared-responsibility model (Credit: Microsoft)
A diagram on that page outlines a sliding scale of responsibilities, from the on-premises world where the customer must manage everything to the SaaS world, where the customer manages very little.
For example, if you're a Microsoft Azure customer, you're not responsible for the physical security of the servers you're renting, but you are responsible for the security of any operating systems or homegrown applications you run on that cloud instance. A classic example of this model in action was the 2018 response to the design flaws in Intel chips that could have allowed attackers to access secure areas of those processors; cloud providers patched those instances with little or no disruption to their customers.
But no matter what level of cloud service you're buying, under the shared responsibility model, "you're responsible for protecting the security of your data and identities," according to Microsoft, and all cloud providers use similar language to describe the partnership.
Security experts have been sounding the alarm about that last statement for some time. While Snowflake did nothing wrong under the shared responsibility model, which holds that customers are responsible for properly securing access to their accounts, a growing number of people believe that cloud providers need to do more to protect their customers.
Leading that charge is CISA and its Secure by Design initiative, which all three major cloud providers have pledged to support but which has not been adopted by the engines of the generative AI boom, Snowflake and Databricks. "Products designed with Secure by Design principles prioritize the security of customers as a core business requirement, rather than merely treating it as a technical feature," according to CISA.
For example, Snowflake customers who used multifactor authentication were protected against the attacks using stolen credentials, but Snowflake still doesn't require customers to use MFA and didn't even provide a way for customers to force their own users to adopt it until last week.
"If we give you the choice to do the right thing, and you can't seem to choose to do the right thing, then maybe it just shouldn't be a choice anymore," Chester Wisniewski, director and global field CTO at Sophos, told CyberSecurity Dive.
But taking on more responsibility for account security will force enterprise tech vendors to accept more friction in the user experience of their products.
That could be a tough sell for vendors that have made onboarding and ease-of-use a big part of their product strategy. One reason a lot of enterprise software companies haven't imposed stricter security policies on their users is that those policies can frustrate customers or break existing workflows.
And while every enterprise vendor promises that they take security very seriously, product teams tend to win arguments with security teams at companies that are desperate for revenue. At the very least, enterprise vendors need to provide easier ways for customers to detect anomalous login attempts or unusual activity, which is one reason why observability companies are thinking very hard about getting into the security market.
But it took legislation and a massive PR campaign to get car companies to provide seat belts, and even more effort to get people to use them. The path to a more secure cloud will likely be just as difficult.
(This post originally appeared in the Runtime newsletter on July 18th; sign up here to get more enterprise tech news three times a week.)
Tom Krazit has covered the technology industry for over 20 years, focused on enterprise technology during the rise of cloud computing over the last ten years at Gigaom, Structure and Protocol.