Cloud computing delivered on most of its promises. Lower infrastructure costs, remote accessibility, scalable storage, and software that updates itself. For New Zealand businesses that made the move, the technology itself rarely disappoints. What tends to create problems is a gap that nobody clearly talks about: moving to the cloud and managing it are fundamentally different responsibilities, and most businesses are only doing the first.
What Cloud Providers Actually Take Care Of
Understanding this properly starts with knowing what your provider is genuinely responsible for, because it is more than most people assume and less than most people think.
Major cloud providers handle physical infrastructure, platform uptime, hardware maintenance, and security at the infrastructure level. Microsoft, for example, invests billions annually in data centre security, redundancy systems, and platform reliability. That part of the equation is handled exceptionally well and is not something a small or medium business could replicate independently at any comparable cost.
What this means practically is that your data is stored on infrastructure that is more physically secure, more redundant, and more reliably maintained than any on-site server your business could run. That is a genuine and significant benefit of cloud adoption, and it is worth acknowledging clearly.
Where Your Responsibility Begins
Every major cloud provider operates under a shared responsibility model. The provider secures the platform. Everything built and configured on top of that platform is your responsibility.
This includes who has access to your data and whether that access remains appropriate as your business changes. It includes whether your security settings reflect current best practice or the defaults from your migration three years ago. It includes whether your backup solution would hold up during a real incident or whether it exists primarily as a green status light that nobody has ever tested under real conditions.
The reason this matters is that most businesses moved to the cloud without a clear picture of where the provider’s responsibility ends and theirs begins. Understanding that the boundary is not about identifying problems in your current setup. It is about knowing which questions to ask and who should be answering them.
Access Management: More Dynamic Than It Looks
One of the more underappreciated aspects of running a cloud environment is that access management is not a configuration you complete at setup and revisit annually. It is an ongoing discipline that needs to keep pace with your business.
When someone joins your team, they need the right access from day one, consistently applied regardless of who is handling their onboarding. When someone leaves, their access needs to be fully revoked, not just their primary email disabled. When a contractor completes a project, their permissions need to be removed rather than left active indefinitely because nobody thought to schedule the offboarding.
The businesses that handle this well treat access reviews as regular operational tasks rather than reactive ones. A quarterly review of who holds what permissions across your core platforms takes a fraction of the time of managing a security incident that could have been prevented by it. More importantly, it gives you genuine visibility into your environment rather than an assumed view.
Security Configuration Is Not Set and Forget
Cloud platforms are not static. Microsoft 365 has introduced significant security capabilities in the past two years alone, yet most existing tenancies are not using them because no one has reviewed what has become available since initial setup.
Conditional access policies can now restrict logins based on device compliance, location, and risk signals. Authentication requirements have evolved well beyond simple passwords. External sharing controls have become considerably more granular. These are not minor updates. They represent meaningful improvements to how your environment can protect itself, and they require someone to actively implement them rather than waiting for them to apply automatically.
The right approach is to treat your security configuration as a living document rather than a completed project. Reviewing it against current best practices every six months ensures your environment keeps pace with the platform’s capabilities and the evolving threats it faces.
The Backup Conversation Worth Having Now
Cloud storage and cloud backup are not the same thing. Microsoft 365 retains deleted items for a defined period and provides basic version history, which covers many everyday scenarios but falls short in others. Ransomware that propagates through cloud-synced files, accidental mass deletion, or the need to restore an entire environment to a specific point in time from months prior all require a more robust solution.
A properly structured backup for a cloud environment operates independently of the primary platform, covers all critical data sources, including email, SharePoint, and business applications, and is tested through actual restore exercises rather than assumed functional status, as indicated by the backup software.
Testing a backup means performing a full restore, confirming that the recovered data is intact, and determining how long the process takes. That knowledge is genuinely valuable when you need it and completely unavailable if you have never done it.
What Active Management Changes
The difference between a managed and unmanaged cloud environment is not about which platforms are being used. Most Auckland businesses are running broadly similar tools. The difference is whether someone with the right knowledge is actively overseeing those tools on an ongoing basis.
Active management means security configurations get reviewed regularly. Access gets audited as staff and contractors move through the business. When platforms change their defaults or introduce new capabilities, someone evaluates what that means for your specific environment and acts accordingly. Backup integrity gets verified, not assumed.
The platforms themselves are capable. What determines whether they are genuinely working for your business is the quality of the management layer sitting above them. That is what a managed IT relationship provides, and it is the part of cloud computing that the initial migration conversation almost never covers.
