Cloud Security
Key Takeaways & Definition
Definition: Cloud Security consists of a set of policies, controls, procedures, and technologies that work together to protect cloud-based systems, data, and infrastructure.
Core Concept: It shifts the security model from "protecting a fortress" (On-Premise) to "protecting data everywhere" (Cloud).
Key Rule: Security in the cloud is a Shared Responsibility between the Cloud Provider (AWS/Azure/Google) and the Customer (You).
1. Definition of Cloud Security
Cloud security is the discipline of cybersecurity dedicated to securing cloud computing systems. It involves keeping data private and safe across online infrastructure, applications, and platforms. Unlike traditional security, where you own the hardware, cloud security requires trusting a third-party vendor.
Why Cloud Security Matters:
Cloud Adoption (2026):
- 94% of enterprises use cloud services
- 67% of infrastructure in the cloud
- $500 billion cloud market
- Average company uses 110 SaaS apps
Security Challenges:
- Data breaches: Misconfigured S3 buckets (190 million+ records exposed 2019-2025)
- Shared responsibility confusion: 67% don't understand who's responsible for what
- Visibility loss: Can't physically inspect servers
- Compliance: GDPR, HIPAA, PCI DSS in multi-tenant environments
Benefits of Cloud Security (When Done Right):
- Better than on-premise: Cloud providers invest billions in security
- Automatic updates: Patches applied without user action
- Advanced tools: AI threat detection, 24/7 monitoring
- Redundancy: Data replicated across multiple datacenters
2. Cloud Service Models
Cloud computing offers three main types of services. The security responsibility changes depending on which one you choose.
A. IaaS (Infrastructure as a Service)
Definition:
The provider gives you raw hardware (Servers, Storage, Networking). You install the OS and software.
Example:
Amazon EC2, Microsoft Azure VMs, Google Compute Engine, DigitalOcean
What You Get:
- Virtual machines (CPUs, RAM)
- Storage (block, object)
- Networking (load balancers, VPC)
What You Manage:
- Operating System (Windows Server, Linux)
- Applications
- Data
- Runtime environment
- Security patches
Security Responsibility: HIGH
- You handle: OS patching, firewall configuration, antivirus, user access
- Provider handles: Physical datacenter, hardware, network infrastructure
Use Cases:
- Hosting websites
- Development/testing environments
- Big data analytics
- Backup/disaster recovery
Security Best Practices:
- Keep OS patched (monthly updates)
- Configure firewall rules (block unnecessary ports)
- Install antivirus/EDR
- Enable encryption (at rest and in transit)
- Regular vulnerability scans
B. PaaS (Platform as a Service)
Definition:
The provider gives you a hardware and software platform (OS + Runtime). You just upload your code.
Example:
Google App Engine, Heroku, AWS Elastic Beanstalk, Azure App Service
What You Get:
- Pre-configured OS
- Development frameworks (Node.js, Python, Java)
- Database services
- Auto-scaling
What You Manage:
- Application code
- Data
- User access
Security Responsibility: MEDIUM
- You handle: Securing your code (input validation, authentication), data encryption
- Provider handles: OS patching, runtime updates, network security
Use Cases:
- Web application development
- API backends
- Mobile app backends
- Microservices
Security Best Practices:
- Secure coding practices (prevent SQL injection, XSS)
- Input validation
- Strong authentication (OAuth, MFA)
- Encrypt sensitive data
- Regular code audits (SAST/DAST)
C. SaaS (Software as a Service)
Definition:
The provider gives you a fully functional application. You just log in and use it.
Example:
Gmail, Dropbox, Salesforce, Microsoft Office 365, Slack
What You Get:
- Complete application
- Automatic updates
- Multi-device access
- 24/7 availability
What You Manage:
- User accounts
- Data within the app
- Access permissions
Security Responsibility: LOW
- You handle: Strong passwords, MFA, access control, user training
- Provider handles: Application security, infrastructure, patching, availability
Use Cases:
- Email (Gmail)
- Collaboration (Slack, Microsoft Teams)
- CRM (Salesforce)
- File storage (Dropbox, Google Drive)
Security Best Practices:
- Enforce MFA (multi-factor authentication)
- Strong password policies
- Regular access reviews (remove ex-employees)
- Data classification (don't store secrets in unencrypted docs)
- User security training (phishing awareness)
3. Cloud Deployment Models
How is the cloud infrastructure shared? This impacts privacy and cost.
A. Public Cloud
Definition:
Infrastructure is owned by a provider (AWS/Azure/Google) and shared by multiple customers (Multi-tenancy).
Characteristics:
- Multi-tenant: Resources shared across customers
- Pay-as-you-go: OPEX model (no upfront costs)
- Infinite scale: Provision resources in seconds
- Global reach: Datacenters worldwide
Pros:
- Low cost: No hardware purchase
- Infinite scalability: Add resources instantly
- No maintenance: Provider handles everything
- Advanced features: AI, machine learning, analytics
Cons:
- Less control: Can't choose hardware
- Shared security: Other tenants on the same physical servers
- Compliance concerns: Data location (GDPR)
- Vendor lock-in: Hard to migrate
Security Considerations:
- Logical isolation: Your data is separated from other tenants (software-based)
- Provider security: AWS/Azure invest billions (likely better than your datacenter)
- Configuration risk: YOU must configure correctly (most cloud breaches are misconfigurations)
Use Cases:
- Startups (low budget)
- Web applications (scalability needs)
- Development/testing
- Big data analytics
Major Providers:
- AWS (Amazon): 32% market share
- Azure (Microsoft): 23%
- GCP (Google): 10%
B. Private Cloud
Definition:
Infrastructure is dedicated to a single organization. It can be on-premise or hosted.
Characteristics:
- Single-tenant: Exclusive use
- Full control: Customize everything
- High security: Physical/logical isolation
- CAPEX model: Buy hardware upfront
Pros:
- Maximum control: Choose hardware, software, security policies
- Privacy: No sharing with other organizations
- Compliance: Meet strict regulations (HIPAA, FedRAMP)
- Customization: Tailor to specific needs
Cons:
- High cost: Hardware, datacenter, staff
- Maintenance burden: YOU patch, monitor, maintain
- Limited scalability: Need to buy more hardware (takes weeks)
- Single point of failure: If the datacenter goes down, you're down
Security Considerations:
- Total ownership: You control physical security
- No multi-tenancy: No shared resource risks
- Compliance-friendly: Auditors can inspect physical servers
- BUT: Security is only as good as YOUR team (cloud providers have experts)
Use Cases:
- Banking/Finance: Strict regulations
- Government/Military: Classified data
- Healthcare: HIPAA compliance
- Large enterprises: Legacy applications
Deployment Options:
- On-premise: Your datacenter
- Hosted private cloud: Provider runs dedicated infrastructure for you (VMware Cloud, Azure Stack)
C. Hybrid Cloud
Definition:
A combination of Public and Private clouds bound together by technology.
How It Works:
Sensitive Data → Private Cloud (on-premise)
                      |
            Secure VPN/Direct Connect
                      |
Public-facing Apps → Public Cloud (AWS/Azure)
Example Scenario:
- Hospital: Patient records (HIPAA-sensitive) on Private Cloud
- Hospital website (public information) on Public Cloud
- Advantage: Compliance + cost savings
Pros:
- Best of both worlds: Security + Scalability
- Flexibility: Choose where each workload runs
- Cost optimization: Public for variable loads, Private for steady state
- Compliance: Keep sensitive data private, use public for non-sensitive
Cons:
- Complexity: Managing two environments
- Integration challenges: Networking, authentication
- Higher cost than pure public: Maintaining private infrastructure
Security Considerations:
- Secure connectivity: VPN or direct fiber (AWS Direct Connect, Azure ExpressRoute)
- Unified IAM: Single sign-on across both clouds
- Data classification: Clear rules (what goes where)
- Monitoring: Visibility across both environments
Use Cases:
- Retail: Customer data private, e-commerce on public
- Finance: Trading systems private, customer apps public
- Healthcare: Patient records private, telemedicine on public
- Any regulated industry balancing compliance and innovation
4. Cloud Security Threats
The cloud is secure, but using it incorrectly is dangerous.
Misconfiguration (#1 Threat)
The Problem: Setting storage buckets (like AWS S3) to "Public" by accident, exposing data to the world.
Real Examples:
- 2019: Capital One - 100M+ records exposed (misconfigured firewall)
- 2020: 190M voter records (public S3 bucket)
- 2021: Dozens of companies (S3 buckets set to "public read")
Root Cause:
- Default settings not understood
- "Quick test" becomes production
- No configuration auditing
Prevention:
- Use IaC (Infrastructure as Code) with security templates
- Automated scanning (AWS Config, Azure Security Center)
- Principle of least privilege (deny by default)
- Regular audits
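To make the "automated scanning" item concrete, here is an added example (not from the original page and not a vendor tool such as AWS Config): a simplified offline check that classifies constructed S3 bucket configurations as public, blocked or private from their ACL grants, bucket-policy principals and Block Public Access flags. It models only the public ACL groups, anonymous `Principal: "*"` statements and the `IgnorePublicAcls`/`RestrictPublicBuckets` flags; policy Conditions and object-level ACLs are ignored, and the bucket names are invented.

```python
# Simplified S3 exposure check (added example; Conditions and object ACLs not modelled).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account at all
}

def acl_is_public(acl):
    """True if an ACL grant gives READ or FULL_CONTROL to a public group."""
    return any(
        g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
        and g.get("Permission") in ("READ", "FULL_CONTROL")
        for g in acl.get("Grants", [])
    )

def policy_is_public(policy):
    """True if an unconditional Allow statement has an anonymous Principal."""
    for stmt in (policy or {}).get("Statement", []):
        p = stmt.get("Principal")
        anonymous = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anonymous and "Condition" not in stmt:
            return True
    return False

def bucket_exposure(cfg):
    """'public' = reachable anonymously; 'blocked' = a public grant exists but
    Block Public Access suppresses it; 'private' = no public grant at all."""
    pab = cfg.get("PublicAccessBlock", {})
    acl_pub, pol_pub = acl_is_public(cfg.get("Acl", {})), policy_is_public(cfg.get("Policy"))
    if (acl_pub and not pab.get("IgnorePublicAcls")) or (pol_pub and not pab.get("RestrictPublicBuckets")):
        return "public"
    return "blocked" if (acl_pub or pol_pub) else "private"

# Constructed sample configurations (not real buckets).
SAMPLE_BUCKETS = {
    "quick-test-data": {  # the "quick test becomes production" case: public READ ACL, no BPA
        "Acl": {"Grants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                            "Permission": "READ"}]},
    },
    "website-assets": {   # anonymous policy statement, but Block Public Access neutralises it
        "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::website-assets/*"}]},
        "PublicAccessBlock": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True},
    },
    "customer-records": {"Acl": {"Grants": [{"Grantee": {"ID": "owner-canonical-id"},
                                             "Permission": "FULL_CONTROL"}]}},
}

def audit(buckets):
    """Map each bucket name to its exposure class; 'public' entries need immediate action."""
    return {name: bucket_exposure(cfg) for name, cfg in buckets.items()}
```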
Insecure APIs
The Problem: Hackers exploiting weak interfaces to steal data or manipulate services.
Attack Vectors:
- Weak authentication: No API keys, weak keys
- Lack of rate limiting: Brute force attacks
- Injection attacks: SQL injection via API parameters
- Broken access control: Access other users' data
Prevention:
- Strong API keys (rotate regularly)
- OAuth 2.0 / JWT tokens
- Input validation
- Rate limiting (e.g. max 1000 requests/hour)
- API gateways (AWS API Gateway, Kong)
Account Hijacking
The Problem: Phishing attacks stealing Cloud Admin credentials (giving hackers the "Keys to the Kingdom").
Impact:
- Delete all resources
- Steal data
- Launch crypto mining (expensive bills)
- Pivot to other systems
Prevention:
- MFA mandatory for admin accounts
- Strong, unique passwords (password manager)
- Phishing training
- Monitor for unusual activity
- Least privilege (don't give everyone admin)
Insider Threats
The Problem: Malicious employees at the Cloud Provider (rare but possible) or within your own company.
Types:
- Provider insider: Cloud employee accesses customer data (extremely rare, legal consequences)
- Customer insider: Your employee steals data or sabotages
Statistics:
- 60% of breaches involve insiders
- Average cost: $15.38M per incident
Prevention:
- Background checks for privileged users
- Audit logs (track who accessed what)
- Separation of duties (no single person has full control)
- Offboarding procedures (immediate access revocation)
- Cloud provider contracts: Guarantee employee vetting
5. Cloud Security Controls
Tools used to secure the environment.
A. Identity and Access Management (IAM)
The "Bouncer" of the cloud. Strictly controlling who can access what resources.
Key Concepts:
Users & Groups:
Group: Developers
├─ Alice (can deploy apps)
├─ Bob (can deploy apps)
└─ Carol (can deploy apps)
Group: Admins
└─ Dave (can do everything)
Policies:
```json
{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::mybucket/*"
}
```
Translation: Allow reading files from "mybucket" (this is a single policy statement; a complete policy document wraps one or more such statements in "Version" and "Statement" fields)
Best Practices:
- Principle of least privilege: Grant minimum necessary
- MFA: Require for all users
- Role-based access (RBAC): Assign permissions by role, not individual
- Regular reviews: Remove unused permissions
- Service accounts: Use for automation (not personal accounts)
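To show how the statement above is actually evaluated, and why "deny by default" and explicit Deny matter for least privilege, here is an added example (not from the original page and not AWS's own engine): a simplified IAM policy evaluator with wildcard matching that applies the core rule "explicit Deny beats Allow, everything else is implicitly denied". The `DENY_SECRETS` guardrail policy and the request ARNs are constructed; NotAction/NotResource and Condition keys are assumed absent.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, resource):
    """True if the statement covers this action and resource (IAM-style '*' wildcards).
    NotAction/NotResource and Condition are assumed absent in this simplified model."""
    return (any(fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, pat) for pat in _as_list(stmt.get("Resource", []))))

def is_allowed(policies, action, resource):
    """IAM's core rule: an explicit Deny beats any Allow, and anything not
    explicitly allowed is denied by default."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny wins, stop evaluating
            if stmt["Effect"] == "Allow":
                allowed = True        # keep looking in case a Deny follows
    return allowed

# The page's statement, wrapped in the "Version"/"Statement" document structure.
READ_MYBUCKET = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::mybucket/*"}],
}

# Constructed guardrail (hypothetical): nothing under secrets/ may be touched, whatever else is allowed.
DENY_SECRETS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::mybucket/secrets/*"}],
}

def demo():
    """Evaluate a few constructed requests against both policies together."""
    pols = [READ_MYBUCKET, DENY_SECRETS]
    return {
        "read report": is_allowed(pols, "s3:GetObject", "arn:aws:s3:::mybucket/report.csv"),
        "write report": is_allowed(pols, "s3:PutObject", "arn:aws:s3:::mybucket/report.csv"),
        "read other bucket": is_allowed(pols, "s3:GetObject", "arn:aws:s3:::otherbucket/x"),
        "read secret": is_allowed(pols, "s3:GetObject", "arn:aws:s3:::mybucket/secrets/key.pem"),
    }
```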
B. Encryption
At Rest:
Encrypting stored data, such as database files, so it is unreadable without the key.
Implementation:
- AWS: S3 server-side encryption (SSE), EBS encryption
- Azure: Storage Service Encryption
- Encryption keys managed by: Cloud provider OR you (BYOK - Bring Your Own Key)
In Transit:
Using TLS/SSL for all data moving to/from the cloud.
Implementation:
- HTTPS for web traffic
- TLS for database connections
- VPN/IPSec for site-to-site
Why Both?
- At Rest: Protects data if a physical drive is stolen
- In Transit: Protects data from network sniffing
C. Cloud Access Security Broker (CASB)
Software that sits between users and the cloud to enforce security policies.
What It Does:
- Visibility: Discover all cloud apps in use (shadow IT)
- Data security: Block uploads of credit card numbers, SSNs
- Threat protection: Detect anomalies (login from new country)
- Compliance: Enforce policies (GDPR, HIPAA)
Example:
Employee tries to upload customer list to personal Dropbox
        ↓
CASB intercepts
        ↓
Policy: "Block uploads of .xlsx files containing SSNs"
        ↓
Upload blocked, security team notified
Popular CASBs: Netskope, McAfee MVISION Cloud, Microsoft Defender for Cloud Apps
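The intercept-match-block flow above, as an added example that is not from the original page or any CASB product: a small policy engine that takes constructed upload events, counts plausible SSNs in the text the broker extracted from the file, applies the ".xlsx containing SSNs" rule, and separately raises a shadow-IT alert for unsanctioned apps. The sanctioned-app list, the app names, the users and the file contents are all invented; SSN detection rejects number shapes the SSA never issues to reduce false positives.

```python
import re

# Constructed policy inputs (hypothetical organisation).
SANCTIONED_APPS = {"dropbox-business", "onedrive-corp"}
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DLP_EXTENSIONS = {"xlsx", "csv"}   # the page's policy names .xlsx; csv added as a sibling format

def valid_ssn_shape(area, group, serial):
    """Drop shapes the SSA never issues (area 000/666/9xx, group 00, serial 0000)
    so order numbers and phone fragments don't trigger the policy."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def count_ssns(text):
    """Number of plausible SSNs in the text extracted from an uploaded file."""
    return sum(1 for m in SSN_RE.finditer(text) if valid_ssn_shape(*m.groups()))

def decide(upload):
    """Mirror the CASB flow: intercept the upload, match it against policy and
    return (verdict, reason). A 'block' verdict is where the security team is notified."""
    ext = upload["filename"].rsplit(".", 1)[-1].lower()
    sanctioned = upload["app"] in SANCTIONED_APPS
    ssns = count_ssns(upload["content"])
    if ext in DLP_EXTENSIONS and ssns:
        where = "sanctioned" if sanctioned else "unsanctioned"
        return ("block", f"{ssns} SSN(s) in .{ext} upload to {where} app {upload['app']}")
    if not sanctioned:
        return ("alert", f"shadow IT: {upload['user']} used unsanctioned app {upload['app']}")
    return ("allow", "no policy matched")

# Constructed upload events; 'content' stands for the text the CASB extracted from the file.
SAMPLE_UPLOADS = [
    {"user": "alice", "app": "dropbox-personal", "filename": "customers.xlsx",
     "content": "Ann Lee,123-45-6789\nBo Chen,321-54-9876\n"},
    {"user": "bob", "app": "dropbox-business", "filename": "roadmap.xlsx",
     "content": "Q3 launch; order ref 000-12-3456\n"},        # not a valid SSN shape
    {"user": "carol", "app": "dropbox-personal", "filename": "notes.txt",
     "content": "lunch plans"},
]

def verdicts(uploads):
    """Verdict per event, in order."""
    return [decide(u)[0] for u in uploads]
```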
6. Shared Responsibility Model
This is the most critical concept for exams. You cannot outsource responsibility.
Provider (AWS/Azure/Google): Responsible for security OF the cloud.
- Physical security (datacenters, guards, cameras)
- Hardware (servers, storage, networking equipment)
- Network infrastructure (routers, cables, DDoS protection)
- Virtualization layer (hypervisor)
- Compliance certifications (SOC 2, ISO 27001)
Customer (You): Responsible for security IN the cloud.
- Data: Encryption, classification, access control
- IAM: User accounts, passwords, MFA, permissions
- Operating System: Patching (IaaS), configuration
- Applications: Secure coding, input validation
- Network configuration: Security groups, firewall rules
- Compliance: Meeting YOUR industry regulations (HIPAA, PCI DSS)
Varies by Service Model:
- IaaS: You are responsible for the OS, apps and data
- PaaS: Provider handles the OS, you handle apps and data
- SaaS: Provider handles almost everything, you handle data and user access
Key Principle: "Provider secures the infrastructure, YOU secure what you put on it."
Public vs. Private Cloud (Exam Focus)
| Feature | Public Cloud | Private Cloud |
|---|---|---|
| Ownership | Third-party Provider (AWS, Azure) | Your Organization |
| Access | Shared (Multi-tenant) | Dedicated (Single-tenant) |
| Cost Model | OPEX (Pay-as-you-go) | CAPEX (High upfront cost) |
| Scalability | Infinite (provision instantly) | Limited (buy more hardware) |
| Security | Good (shared responsibility) | Highest (Total isolation) |
| Compliance | Can meet most standards | Easiest to audit (physical access) |
| Maintenance | Provider handles | You handle (staff required) |
| Customization | Limited | Full control |
| Best For | Startups, web apps, variable loads | Banks, military, regulated industries |
Memory Trick:
Public = Pay-as-you-go, Unlimited scale, But Less control, Infinite resources, Cost-effective
Private = Physical control, Regulated industries, Isolated, Very secure, All yours, Total ownership, Expensive
Conclusion
Cloud security is a journey, not a destination. As organizations migrate workloads to the cloud, understanding the shared responsibility model becomes critical. The cloud is not inherently insecure; it's misconfiguration and misunderstanding that lead to breaches.
Key Takeaways:
- Shared Responsibility: Provider secures infrastructure, YOU secure data and configuration
- Service Models: IaaS (most control/responsibility), PaaS (balanced), SaaS (least control/responsibility)
- Deployment Models: Public (cost-effective), Private (most secure), Hybrid (best of both)
- #1 Threat: Misconfiguration (S3 buckets, firewall rules)
- IAM Critical: Least privilege, MFA, regular audits
- Encrypt Everything: At rest AND in transit
- CASB: Visibility into shadow IT and policy enforcement
- Multi-tenancy: Logically isolated, extremely rare cross-tenant breaches
Final Verdict: The cloud can be more secure than on-premise IF configured correctly. Don't let fear of the unknown prevent you from leveraging its benefits.
The Future:
- Zero Trust Architecture (never trust, always verify)
- AI-powered threat detection
- Confidential computing (encrypt data in use)
- Serverless security challenges
- Multi-cloud security orchestration
Master the fundamentals, and the cloud becomes your most powerful ally!