When we think about cloud deployments we have 2 relevant parties: the cloud platform and you the customer. While public cloud providers deliver strong security controls to protect the cloud fabric, they have no knowledge of “normal” customer traffic and thus are unable to determine malicious content from benign. This is the reason why they choose to work in a model called “shared responsibility”. The cloud platforms protects mainly their infrastructure which means they protect everything that build the cloud (for example, the physical security / SDN network / Etc…) while the customer is responsible for what he deploys in the cloud (applications, data, servers / containers).