After years of enterprises fearing the cloud because of security, we’re now at risk for the opposite problem–companies relying too heavily on their cloud providers to look after security. A pair of professionals from the IBM Security team warned attendees against this trend at IBM InterConnect 2017 this week in Las Vegas.

IBM’s Sridhar Muppidi and Dan Wolff urged IT leaders to think of cybersecurity as a shared responsibility between the business and its cloud infrastructure vendors–whether that’s IBM, Microsoft, Amazon, Google, or other providers.

SEE: Video: Why businesses are becoming less concerned about cloud security

Muppidi and Wolff laid out six cloud security “must-haves” that every enterprise needs to cover. Here’s their checklist:

1. Access management (users, privileges, clients)

  • identity and access management
  • identity governance
  • privileged identity management

2. Network security (anomalies, threats, activities)

  • monitoring events
  • threat detection and prevention
  • inter-workload protection

3. Data protection (databases, workloads, content)

  • file and folder encryption
  • key lifecycle management
  • data loss prevention
  • vulnerability scanning
  • PII discover and monitoring

4. Application security (threat prevention)

  • secure application development
  • application vulnerability assessment and management

5. Visibility and intelligence (anomalies, threats, activities)

  • event correlation
  • monitoring and alerting
  • multi-cloud and on-premise integration

6. Workload centric (security and DevOps management)

  • cloud security policy management
  • patch management
  • auditing of controls

The two IBM Security professionals stressed that IT leaders should look at their cloud infrastructure providers and figure out which security services are offered, which ones have enhanced/upgraded services, and which ones are left to the customer to provider.

Muppidi and Wolff recommended making a chart to figure out what your cloud vendor offers by default and what advanced services (including third party integrations) are available. As an example, they charted IBM’s cloud security offerings, as you can see in the chart below: