You pride yourself on your cloud computing security strategy and tool stack. Indeed, your system made up of many security solutions is both proactive, and self-updating. So, you’ll never have to worry about new security attacks that you’re not prepped to defend—well, almost.

Most IT shops do a good job looking for the latest DNS and ransomware attacks, but they’re not paying as much attention to the cloud security fundamentals such as physical security, federated data access governance, and network visibility.

I once had a friend who was the best security guy in the business. He built a software-based security solution for his company’s on-premises data center that was both well done and state-of-the-art. However, over the weekend a security guard failed to lock a loading dock door and those very secure servers left in the bed of an F-150.

The moral of this story for the cloud is that while we seem to be clever in pulling together the best cloud security solutions, in many instances we’re missing the more primitive aspects of security. While I don’t believe that your cloud server will go rolling down the street in the back of a truck any time soon, there are very similar things to look out for. Here are three:

Application-level security. For the most part, cloud security people don’t look at application-level security, cloud or not. This is due more around control and politics more so than desire. However, if an application has access to data, and that application is vulnerable, then so is the data.

The answer is that security needs to be designed in the application and should be systemic to all applications and databases. Yet that’s almost never the case.

Bad actors. Every company has a story about a disgruntled employee who decided to walk out with a USB drive full of secure data. Moreover, there are employees who are well intentioned but end up having their laptops—and thus the laptops’ data—stolen from their cars.

The only way to protect your data is to limit what the people can see and what they can carry with them. There should be a need-to-know rule where they can see only the data they need to see, and they should never have the ability to do massive downloads or data dumps.

Legacy systems that have cloud access. The frustration of cloud data integration with legacy systems has left many cloud-to-legacy gateways poorly configured and thus vulnerable. When a company can’t get to data on the public cloud due to a well-designed security system, too often many of those security systems are bypassed due to the need to provide data sync. These bypasses are easily exploited.

In all security, your weakest link is your biggest vulnerability. Cloud security is no different. But where those weak links are probably not where you’re looking. So start looking in more places.