In this article:
- Why being in the cloud doesn’t mean your data is fully protected
- What Microsoft and Google are — and aren’t — responsible for
- The difference between redundancy and a real backup
- Why every device your staff uses is a potential vulnerability
It was my first week at CIM. January 2010. The world was watching the devastating aftermath of the Haiti earthquake, and the large ministry I had just been hired to support was in full response mode, coordinating relief efforts, communicating with field staff, managing the kind of urgent, mission-critical work that doesn’t wait for convenient timing.
Then a squirrel chewed through the wires on the transformer at their headquarters.
Their Exchange server went down. Email went dark. In the middle of one of the most significant humanitarian crises of the decade, this ministry lost its primary means of internal communication because of a rodent and an on-premises server.
That wasn’t the last time a squirrel caused an outage. I wish I were joking.
That experience set the course for much of the work I’ve done over the past twenty-plus years: helping ministries move off vulnerable on-premises infrastructure and into the cloud. And the cloud has been a genuine gift. Microsoft 365 and Google Workspace are reliable, accessible, and far more resilient than most anything a ministry could afford to run on its own.
But over those same twenty years, I’ve watched a new assumption take hold, one that concerns me just as much as that old Exchange server did.
The assumption is this: being in the cloud means your data is protected.
It isn’t, at least not completely. And understanding why is one of the most important things your organization can do right now.
The Shared Responsibility Model
Both Microsoft and Google operate under what’s formally called a Shared Responsibility Model. Microsoft publishes this explicitly in their documentation; Google does the same within their Workspace and Google Cloud trust frameworks. The idea is straightforward: the cloud provider protects the platform, but the customer is responsible for what lives on it.
Here’s how the line is drawn.
The diagram above gives you the overview; here’s what that actually looks like day to day:
What Microsoft and Google cover:
- Physical datacenters, servers, and hardware
- Global network infrastructure
- Application availability and uptime (Microsoft commits to a 99.9% SLA for most M365 services)
- Platform-level security patches and updates
In other words, they make sure the building is safe, the lights stay on, and the elevators work.
What your organization is responsible for:
But inside that building, you control what happens. Your ministry is responsible for:
- Who has keys (accounts, passwords, MFA) and who has which level of access.
- Ways in which data is shared: within the team, between departments, and with parents, donors, and external partners.
- How long information is kept and whether you could recover it if something went wrong.
- Which devices are allowed to access your accounts and how well those devices are protected.
- How your information is governed and audited so you meet both legal and ethical obligations.
That second list is longer than most people expect. And every item on it is something I’ve seen cause real harm to real ministries when left unaddressed.
Redundancy is not a backup
This is the distinction I find myself explaining most often, and it matters enormously.
Microsoft and Google do replicate your data across multiple datacenters. If a server fails on their end, your data doesn’t disappear. That’s called redundancy, and it’s genuinely valuable. It’s also what most people picture when they assume the cloud is protecting their data.
But redundancy does not protect against:
- A staff member accidentally deleting files or an entire folder
- A ransomware attack that encrypts or corrupts your data
- A departing employee whose account, and everything in it, gets removed
- A misconfigured integration that wipes or exposes records
- Malicious activity from inside your organization
Microsoft’s own retention policies have limits. Deleted items in Microsoft 365 are only recoverable for a finite window, often 30 to 93 days depending on your configuration and license tier, after which they may be permanently gone. (Microsoft documentation)
A backup is something different: a separate, independent copy of your data stored outside the platform, on a schedule you control, recoverable on your timeline. Redundancy keeps the platform running. Backups keep your data.
For an organization entrusted with donor relationships, sensitive communications, and the records of people you serve, that difference is not a technicality. It’s a stewardship issue.
Every endpoint is a door
Even a perfectly configured Microsoft 365 or Google Workspace environment can be compromised through the devices that access it.
A staff member’s personal laptop with no antivirus, logging into their work email over public Wi-Fi. A volunteer’s phone with an outdated operating system. A board member reviewing files from a shared family computer. Each of these is an open door into your organization’s data, and the cloud doesn’t distinguish between a secure device and an unsecured one.
Endpoint security means ensuring that every device accessing your environment meets a baseline:
- Antivirus and anti-malware protection
- Current operating system and application updates
- Strong authentication, ideally multi-factor for every account
- Remote wipe capability for lost or stolen devices
The platform can be impeccable. If credentials are stolen from an unprotected device, your data is at risk regardless of what Microsoft or Google has done on their end.
This is a stewardship issue
I think about that first week at CIM often. A squirrel and a transformer should not have been able to derail a ministry’s response to a humanitarian disaster. The cloud solved that problem, and it solved it well.
But the cloud introduced a new responsibility that too many ministries are carrying without realizing it. Your data, your accounts, your devices, and your backups: these are yours to steward. The platform is a gift; the governance is yours.
At CIM, we work alongside ministries and nonprofits to help them understand exactly where they stand and what practical next steps look like for their size and budget. Not every organization needs the same solution, but every organization needs to know where its gaps are.
If you’d like to talk through your organization’s security posture, I’d welcome the conversation. Reach out on our contact page to schedule a time to review.
The mission is worth protecting.
