The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
“One of main reasons organizations adopt cloud applications is to free their employees from the constraints of a physical network. With cloud apps, you don’t have to log into a work-issue PC attached to a corporate LAN in a company office to get your information or do your job. Any web-connected computer will do, so efficiencies and opportunities abound.”
“This same freedom also applies to hackers of all varieties, but in particular social engineering attackers. Compromised passwords can now be employed from any web-connected PC; the attacker need not enter your building to steal or destroy data. Your employees can be conned in favourable settings — a coffee shop or airport lounge — without the oversight or support of company security staff. Above all, it is much easier for an attacker to pose as a legitimate authority when their target is already accustomed to dealing with remote teammates via phone, email or chat. If you’ve never met your IT staff, it’s far simpler for a hacker to pretend to be from that IT staff.”