
Cloud Security

Learn shared responsibility, Zero Trust, IAM, MFA, and best practices for securing cloud environments.

Shared Responsibility Model

In cloud computing, security responsibilities are shared between the cloud provider and the customer. The provider secures the cloud infrastructure; the customer secures their data, configurations, and access.

Provider Responsibility (Security OF the Cloud)

  • Physical data center security
  • Hardware and networking infrastructure
  • Hypervisor and virtualization layer
  • Global network backbone protection

Customer Responsibility (Security IN the Cloud)

  • Data classification and encryption
  • IAM and access management
  • OS and application patching (IaaS)
  • Network configuration (security groups, ACLs)

Note: The exact division varies by service model — customers have more responsibility in IaaS and less in SaaS.

Cloud Deployment Models

Public Cloud

Third-party provider delivers services over the public internet. Shared infrastructure, multi-tenant.

Best for startups, dev/test, and variable workloads

Private Cloud

Dedicated infrastructure for a single organization. Maximum control and compliance.

Best for regulated industries (finance, healthcare, government)

Hybrid Cloud

Combines public and private clouds with orchestration between them.

Best for burst capacity, disaster recovery, and legacy migration

Multi-Cloud

Uses multiple public cloud providers (AWS, Azure, GCP) to avoid vendor lock-in.

Best for redundancy, best-of-breed services, and cost optimization

Zero Trust Architecture

"Never trust, always verify." Zero Trust eliminates implicit trust in any user, device, or network — every access request is authenticated, authorized, and encrypted.

Verify Explicitly

Always authenticate and authorize based on all available data points — user identity, location, device health, service, and data classification.

Least Privilege Access

Grant only the minimum permissions needed for users and systems to perform their functions. Limit lateral movement.

Assume Breach

Design networks assuming attackers are already present. Segment networks, monitor continuously, and encrypt everything.

Micro-Segmentation

Divide the network into small, isolated zones. Each zone requires separate authentication and authorization.

Continuous Monitoring

Validate every access request in real-time. No implicit trust based on network location alone.

IAM — Identity and Access Management

IAM is the framework for managing digital identities and controlling access to cloud resources. It ensures the right people have the right access to the right resources.

Users

Individual identities representing people or service accounts. Each user has unique credentials.

Groups

Collections of users with shared permissions. Simplifies management by assigning policies to groups.

Roles

Identities with specific permissions that can be assumed temporarily. Used for cross-account access.

Policies

JSON documents defining permissions. Attach to users, groups, or roles to control access.
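The way policies combine is worth seeing concretely: an access decision is not a simple "is there an Allow", because an explicit Deny overrides any Allow and a request that matches no statement is denied by default. The following is an added example (not code from this page or from any cloud provider's SDK) that evaluates an AWS-style JSON policy against an action and resource using that order. The policy, bucket names and ARNs are constructed for the illustration, and wildcard matching is simplified to `fnmatch`.

```python
import fnmatch

# Constructed sample policy (assumption: AWS-style Effect/Action/Resource
# statement layout; the bucket and ARNs are made up for this example).
READ_ONLY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-reports",
                "arn:aws:s3:::example-reports/*",
            ],
        },
        {
            # Explicit Deny wins even though the Allow above also matches.
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-reports/confidential/*",
        },
    ],
}


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # "*" is the wildcard in Action and Resource; fnmatch is a close enough
    # stand-in here (it also lets "*" span "/" inside an object key).
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'allow' or 'deny' using IAM's evaluation order:
    explicit Deny > explicit Allow > implicit deny (the default)."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "deny"          # short-circuit: Deny cannot be overridden
            allowed = True
    return "allow" if allowed else "deny"


if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::example-reports/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::example-reports/confidential/salaries.csv"),
        ("s3:PutObject", "arn:aws:s3:::example-reports/q1.csv"),
    ]:
        print(f"{action:14} {resource:60} -> {evaluate(READ_ONLY_BUCKET_POLICY, action, resource)}")
```

Reading the three sample requests in order: a read of a normal object is allowed, a read under `confidential/` is denied by the explicit Deny, and a write is denied because nothing grants it. Reviewing a policy for least privilege means checking exactly this: which actions and resources each statement's wildcards actually cover.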

MFA — Multi-Factor Authentication

MFA requires two or more verification factors — something you know (password), something you have (device), and something you are (biometric).

SMS / Phone Call

One-time code sent via SMS or voice call. Convenient but vulnerable to SIM swapping.

Security level: Medium

TOTP / Authenticator

Time-based one-time password (Google Authenticator, Authy). More secure than SMS.

Security level: High

Hardware Key (FIDO2)

Physical security key (YubiKey, Titan). Phishing-resistant, highest security.

Security level: Very High

Biometrics

Fingerprint, facial recognition, or iris scan. Convenient but raises privacy concerns.

Security level: High

SOC — Security Operations Center

A SOC is a centralized team responsible for monitoring, detecting, analyzing, and responding to security incidents 24/7. SOC analysts use SIEM (Security Information and Event Management) tools like Splunk, ELK Stack, and Azure Sentinel to correlate logs, generate alerts, and investigate threats. Key SOC tiers: Tier 1 (Triage), Tier 2 (Investigation), Tier 3 (Threat Hunting & Forensics).

Cloud Security Threats

Misconfiguration

Improperly configured cloud resources (open S3 buckets, overly permissive security groups) exposing data.

Data Breach

Unauthorized access to sensitive data through compromised credentials, application vulnerabilities, or insider threats.

Insider Threat

Malicious or negligent employees, contractors, or partners with legitimate access misusing privileges.

API Vulnerabilities

Weak or exposed APIs providing attack surfaces for unauthorized access, injection, or data exfiltration.

Cloud Security Best Practices

Encrypt all data at rest using AES-256 and data in transit using TLS 1.2+
Implement least privilege access — grant only the permissions required
Enable Multi-Factor Authentication (MFA) for all users, especially privileged accounts
Conduct regular security audits and penetration testing
Use Cloud Security Posture Management (CSPM) tools to detect misconfigurations
Implement network segmentation and micro-segmentation
Enable logging and monitoring for all cloud resources (CloudTrail, Azure Monitor)
Rotate credentials and API keys regularly — never hardcode secrets
Apply the principle of defense in depth across all layers
Have an incident response plan specific to cloud environments
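Several of these practices, and the Misconfiguration threat above, come down to checks that a CSPM tool runs continuously against the account inventory: sensitive ports open to the whole internet, public or unencrypted storage, users without MFA, and stale access keys. The following is an added example (not code from this page or from any CSPM product) that runs such checks over a small, provider-neutral inventory. The inventory dictionary, resource names and addresses are constructed for the illustration; a real tool reads this data from the provider's API.

```python
import ipaddress

# Constructed sample inventory (assumption: a simplified, provider-neutral
# shape; names, CIDRs and key ages are made up for this example).
INVENTORY = {
    "security_groups": [
        {"name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "db-sg", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
        {"name": "bastion-sg", "ingress": [{"port": 22, "cidr": "203.0.113.0/24"}]},
    ],
    "buckets": [
        {"name": "public-assets", "public_read": True, "encryption": "AES256", "logging": True},
        {"name": "finance-exports", "public_read": True, "encryption": None, "logging": False},
    ],
    "users": [
        {"name": "alice", "mfa_enabled": True, "access_key_age_days": 30},
        {"name": "svc-deploy", "mfa_enabled": False, "access_key_age_days": 400},
    ],
}

# Management and database ports that should never be reachable from everywhere.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}
MAX_KEY_AGE_DAYS = 90
SEVERITY_ORDER = ("HIGH", "MEDIUM", "LOW")


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (prefix length zero), i.e. any source."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(groups):
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            if rule["port"] in SENSITIVE_PORTS and is_world_open(rule["cidr"]):
                findings.append(("HIGH", sg["name"],
                                 f"{SENSITIVE_PORTS[rule['port']]} (port {rule['port']}) open to {rule['cidr']}"))
    return findings


def check_buckets(buckets):
    findings = []
    for b in buckets:
        if b["public_read"]:
            findings.append(("MEDIUM", b["name"], "bucket allows public read"))
        if not b["encryption"]:
            findings.append(("HIGH", b["name"], "no encryption at rest"))
        if not b["logging"]:
            findings.append(("LOW", b["name"], "access logging disabled"))
    return findings


def check_users(users):
    findings = []
    for u in users:
        if not u["mfa_enabled"]:
            findings.append(("HIGH", u["name"], "MFA not enabled"))
        if u["access_key_age_days"] > MAX_KEY_AGE_DAYS:
            findings.append(("MEDIUM", u["name"],
                             f"access key is {u['access_key_age_days']} days old (limit {MAX_KEY_AGE_DAYS})"))
    return findings


def run_checks(inventory):
    """Return all findings as (severity, resource, message), highest severity first."""
    findings = (check_security_groups(inventory["security_groups"])
                + check_buckets(inventory["buckets"])
                + check_users(inventory["users"]))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[0]))


if __name__ == "__main__":
    for severity, resource, message in run_checks(INVENTORY):
        print(f"[{severity}] {resource}: {message}")
```

On the sample inventory this reports the PostgreSQL group open to the internet, the unencrypted and unlogged public bucket, and the service account with no MFA and a 400-day-old key, while the bastion group (SSH restricted to one /24) and the HTTPS group pass. Note that the world-open check is done on the prefix length rather than by string comparison, so it also catches `::/0` and loosely written forms such as `0.0.0.0/0` with host bits set.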

Interview Questions

Q1: What is the Shared Responsibility Model in cloud security?

A: The cloud provider is responsible for security OF the cloud (physical security, hardware, networking, hypervisor). The customer is responsible for security IN the cloud (data, configurations, IAM, OS patching). The division varies by service type (IaaS, PaaS, SaaS).

Q2: What is Zero Trust Architecture?

A: Zero Trust assumes no implicit trust based on network location. Every access request must be explicitly authenticated, authorized, and continuously validated. Core principles: verify explicitly, least privilege, assume breach, micro-segmentation, and continuous monitoring.

Q3: Explain IAM and its components.

A: IAM (Identity and Access Management) manages digital identities and access. Components: Users (individuals/services), Groups (user collections), Roles (assumable identities with permissions), Policies (JSON rules defining allowed/denied actions).

Q4: What are the different types of MFA?

A: MFA types include: SMS codes (convenient but SIM-swap vulnerable), TOTP authenticator apps (more secure, time-based codes), hardware security keys (FIDO2/WebAuthn, phishing-resistant), and biometrics (fingerprint, face, iris — convenient, privacy considerations).

Q5: What are common cloud security threats?

A: Top threats: Misconfiguration (the #1 cause of breaches), Data breaches (compromised credentials/vulnerabilities), Insider threats (malicious/negligent employees), API vulnerabilities (weak endpoints), DDoS attacks, and Account hijacking.