Cloud Security Fundamentals

Cloud computing has fundamentally transformed how organizations build, deploy, and scale their IT infrastructure. But this transformation introduces unique security challenges that require specialized knowledge and a complete rethink of how you approach defence.

1. Introduction to Cloud Security

Cloud security encompasses the technologies, controls, processes, and policies that protect cloud-based systems, data, and infrastructure from threats. As organizations move sensitive data, critical applications, and core business processes to cloud environments, the attack surface expands and traditional perimeter-based security models become insufficient.

The numbers are sobering: misconfigured cloud storage accounts for 65% of cloud security incidents, and the average cost of a cloud data breach now exceeds $4.45 million.

Cloud environments differ fundamentally from on-premises data centers — dynamic software-defined boundaries replace fixed perimeters, control is shared with providers, and infrastructure can be provisioned in seconds at massive scale. These differences demand a paradigm shift: from perimeter defence to identity-centric, data-focused security.

2. The Shared Responsibility Model

The foundation of cloud security is understanding who is responsible for what. Every major cloud provider operates on a shared responsibility model that divides security obligations between provider and customer.

Service Model	Provider Handles	You Handle
IaaS	Physical infrastructure, network hardware, virtualisation	OS, middleware, applications, data, network config, access management
PaaS	Infrastructure + runtime, middleware, OS	Applications, data, app-level config, user access
SaaS	Nearly everything	Data, user access management, endpoint security, compliance verification

The constant across every model: you are always responsible for your data and your access management — regardless of how much the provider abstracts away.

3. Core Cloud Security Domains

Identity & Access

Authentication & MFA
RBAC / ABAC
Identity federation
Privileged access management

Data Security

Classification
Encryption at rest & transit
Key management
Data loss prevention

Application Security

Secure SDLC
Container security
API security
Supply chain security

Network Security

Micro-segmentation
Zero Trust architecture
Cloud-native firewalls
DDoS protection

Security Operations

SIEM
CSPM
CWPP
XDR

4. Common Cloud Security Threats

Misconfiguration — The #1 Risk

Cloud misconfigurations are responsible for the majority of cloud security incidents. Common examples include storage buckets left publicly accessible, security groups allowing unrestricted inbound access (0.0.0.0/0), IAM policies granting excessive permissions, and logging left disabled.

Real-world example: The 2019 Capital One breach exposed 100 million customer records due to a misconfigured Web Application Firewall that allowed SSRF access to S3 buckets.

IAM Failures

Weak authentication, over-privileged accounts, credential theft through phishing or brute force, and insider threats all fall under this category. Because identity is the new perimeter in cloud, IAM failures are disproportionately impactful.

Insecure APIs

Cloud services are API-driven. Insecure APIs can lack authentication, expose sensitive data through verbose errors, allow mass assignment attacks, or lack rate limiting — enabling denial-of-service conditions.

Account Hijacking

Attackers with control of a cloud account can delete or modify critical resources, exfiltrate data, launch further attacks from trusted cloud IP ranges, or mine cryptocurrency using your compute budget.

Advanced Persistent Threats (APTs)

Sophisticated adversaries may establish long-term presence in cloud environments, move laterally between services, exfiltrate data gradually to avoid detection, and use cloud resources for command-and-control infrastructure.

5. Identity and Access Management (IAM)

IAM is the cornerstone of cloud security. In environments where physical perimeters don't exist, identity becomes the primary security boundary.

Authentication Best Practices

MFA everywhere — hardware tokens preferred, FIDO2/WebAuthn for high-risk scenarios
SSO — centralises authentication, reduces credential sprawl, enables consistent policy enforcement
Minimum 16 characters for administrative accounts; no password reuse across environments
Automated rotation for service account credentials

Authorization Models

Role-Based Access Control (RBAC) assigns permissions through roles. A typical hierarchy:

Organization Administrator
  └── Project Owner
      ├── Compute Admin
      ├── Storage Admin
      └── Network Admin
  └── Project Editor
      └── Compute User / Storage Viewer
  └── Project Viewer (read-only)

Attribute-Based Access Control (ABAC) is more dynamic — granting access based on user department, device compliance status, time of day, data classification, and more. It complements RBAC for fine-grained, context-aware decisions.

Principle of Least Privilege: Grant the minimum permissions needed. Implement regular access reviews, just-in-time (JIT) access for elevated privileges, and break-glass procedures for emergencies.

Identity Federation

Federation enables identity portability using standards like SAML 2.0, OAuth 2.0 / OpenID Connect, and SCIM for automated user provisioning. The result is centralised identity governance, reduced credential overhead, and consistent policy enforcement.

6. Data Protection Strategies

Encryption Strategy

Storage Type	Encryption Approach	Key Management
Object Storage (S3, Blob)	Server-side encryption (SSE) with customer-managed keys	Cloud KMS or HSM
Block Storage (EBS, Disk)	Automatic encryption	Provider-managed or customer-managed
Databases (RDS, Cloud SQL)	Transparent Data Encryption (TDE)	Integrated KMS or external HSM
File Systems (EFS, Files)	NFS-level encryption	Customer-controlled keys

For data in transit, mandate TLS 1.3 for all external communications and use mutual TLS (mTLS) between microservices via a service mesh.

Data Classification

Level	Definition	Handling Requirements
Public	Approved for public release	Standard controls
Internal	Business use, no public distribution	Access logging, basic encryption
Confidential	Sensitive business data, limited distribution	Encryption, access controls, monitoring
Restricted	Highly sensitive, legal/regulatory implications	Full encryption, strict controls, DLP, audit trails

Backup and Disaster Recovery

Follow the 3-2-1-1-0 rule: 3 copies of data, on 2 different media types, with 1 offsite (different region), 1 offline or air-gapped, and 0 errors after recovery testing. Use Write-Once-Read-Many (WORM) object lock policies for ransomware-resistant backups.

7. Network Security in the Cloud

Security Groups vs. Network ACLs

Feature	Security Groups (Stateful)	Network ACLs (Stateless)
Level	Instance / VM	Subnet
State	Return traffic auto-allowed	Explicit rules for both directions
Rules	Allow only	Allow and deny
Default	Deny all inbound, allow all outbound	Allow all traffic

Zero Trust Architecture

Zero Trust operates on three core principles:

Never trust, always verify — no implicit trust based on network location; every access request is authenticated and authorised.
Least privilege access — just-enough access (JEA) for specific resources, just-in-time (JIT) with time limits, dynamic authorisation based on risk signals.
Assume breach — micro-segmentation limits lateral movement; comprehensive monitoring with rapid incident response.

DDoS Protection

Cloud-native strategies include always-on traffic monitoring, scrubbing centres for volumetric filtering, application-layer rate limiting, geofencing during active attacks, and auto-scaling to absorb burst traffic without service degradation.

8. Compliance and Governance

GDPR

EU data protection — data subject rights, breach notification, privacy by design.

HIPAA

US healthcare — PHI protection, access controls, audit logs, Business Associate Agreements.

PCI DSS

Payment card security — network segmentation, encryption, vulnerability management.

SOC 2

Service organisation controls — security, availability, confidentiality, privacy.

ISO 27001

Information security management — risk assessment, security controls, continuous improvement.

FedRAMP

US federal cloud — standardised security assessment for cloud products used by government.

Automated Compliance Tooling

CSPM (Cloud Security Posture Management) — continuous configuration assessment, automated remediation, drift detection.
CASB (Cloud Access Security Broker) — shadow IT discovery, DLP, policy enforcement between on-premises and cloud.
CWPP (Cloud Workload Protection Platform) — vulnerability scanning, configuration hardening, runtime protection.

9. Security Monitoring and Incident Response

Logging Strategy

Log Type	Source	Minimum Retention
CloudTrail / Activity Logs	Control plane API calls	1 year
VPC Flow Logs	Network traffic metadata	90 days
Application Logs	Workload applications	30–90 days
DNS Logs	DNS queries	30 days
OS Logs	Virtual machine OS	30 days

Threat Detection

Effective cloud threat detection combines anomaly detection (ML-based behavioural analysis for unusual API patterns, abnormal data access, geographic impossibilities), IoC matching (known malicious IPs, malware signatures), and UEBA (baselining normal behaviour and scoring deviations).

Incident Response Phases

Preparation Develop IR playbooks, build contact lists, deploy forensics tooling via IaC so it can be provisioned instantly when needed.

Detection & Analysis Automated alerting, log analysis, threat hunting with SIEM and CSPM. Cloud-specific: capture logs and snapshots early — ephemeral resources auto-delete.

Containment Isolate instances, revoke active sessions, modify security groups, trigger automated response runbooks via cloud APIs.

Eradication Snapshot forensic analysis, malware removal, full credential rotation across affected services.

Recovery Restore from verified clean backups, validate integrity, re-enable workloads under enhanced monitoring.

Post-Incident Lessons learned, control improvements, compliance reporting, post-mortem documentation.

10. Emerging Trends and Future Considerations

CNAPP — The Converged Platform

Cloud-Native Application Protection Platforms consolidate CSPM, CWPP, and Cloud Infrastructure Entitlement Management (CIEM) into a single pane of glass. Combined with shift-left security practices that embed scanning into CI/CD pipelines, CNAPP reduces both alert fatigue and coverage gaps.

AI in Security

AI-powered threat detection is improving anomaly detection accuracy, enabling automated incident containment, and supporting predictive risk analysis. The flip side: adversarial AI is also improving attack sophistication, requiring defences to evolve in parallel.

Confidential Computing

Hardware-based Trusted Execution Environments (TEEs) protect data in use — the last frontier of encryption. Homomorphic encryption and secure multi-party computation extend this to scenarios where sensitive data must be processed collaboratively without being shared.

Quantum-Safe Cryptography

NIST has standardised its first post-quantum cryptographic algorithms. Building crypto-agility — the ability to rapidly swap cryptographic primitives — into your infrastructure now will dramatically reduce the cost of transitioning when quantum computers become practically threatening.

DevSecOps and Policy as Code

Security is increasingly expressed as code. Tools like Open Policy Agent (OPA) and Sentinel enforce policies automatically in CI/CD pipelines. IaC security scanners (tfsec, Checkov) catch misconfigurations before they reach production. Software Bill of Materials (SBOM) generation and artifact signing are becoming table stakes for supply chain security.

Conclusion

Cloud security is not a destination — it's a continuous journey. As cloud technologies evolve, security practices must adapt accordingly. Success requires understanding your shared responsibility obligations, implementing defence in depth across all domains, automating security to match the speed of cloud operations, and maintaining continuous visibility.

The organisations that thrive in the cloud treat security not as a barrier to innovation, but as its enabler — creating trustworthy foundations for digital transformation.