Cloud computing introduces unique security challenges. Understanding the shared responsibility model, cloud-specific threats, and security controls is essential for protecting cloud environments.

| Model | You Manage | Provider Manages | Example |
|---|---|---|---|
| IaaS | OS, apps, data, middleware | Hardware, virtualisation, network | AWS EC2, Azure VMs, GCP Compute |
| PaaS | Applications and data | OS, runtime, middleware, hardware | Heroku, Azure App Service, Google App Engine |
| SaaS | Data (and sometimes config) | Everything else | Microsoft 365, Salesforce, Google Workspace |
Security in the cloud is shared between the cloud provider and the customer:

```text
┌─────────────────────────────────────────────────┐
│ Customer Responsibility                         │
│ ┌─────────────────────────────────────────────┐ │
│ │ Data, Identity, Access, Configuration       │ │
│ │ Application Security, Encryption Keys       │ │
│ │ Network Security (security groups, NACLs)   │ │
│ │ OS Patching (IaaS only)                     │ │
│ └─────────────────────────────────────────────┘ │
├─────────────────────────────────────────────────┤
│ Provider Responsibility                         │
│ ┌─────────────────────────────────────────────┐ │
│ │ Physical security, Hardware, Networking     │ │
│ │ Hypervisor, Storage infrastructure          │ │
│ │ Global infrastructure, Availability         │ │
│ └─────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────┘
```

Tip: The provider secures the cloud infrastructure. You secure what you put in the cloud. Most cloud breaches are caused by customer misconfiguration, not provider failures.
Cloud IAM is the primary security control in cloud environments:

| Practice | Description |
|---|---|
| Least privilege | Grant minimum permissions required |
| No long-lived credentials | Use temporary credentials and roles instead of access keys |
| MFA for all users | Require MFA, especially for privileged accounts |
| Service accounts | Use dedicated service accounts with scoped permissions |
| Policy conditions | Restrict by IP, time, MFA status, or resource tags |
| Regular access reviews | Audit and revoke unnecessary permissions |

| Feature | AWS | Azure | GCP |
|---|---|---|---|
| Identity service | IAM | Entra ID (Azure AD) | Cloud IAM |
| Roles | IAM Roles | RBAC Roles | IAM Roles |
| Temporary credentials | STS AssumeRole | Managed Identity | Service Account Keys + Workload Identity |
| Policy language | JSON policies | JSON role definitions | YAML/JSON policies |
| MFA | Virtual MFA, U2F | Microsoft Authenticator, FIDO2 | Google Authenticator, Titan Key |
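
As an added example (not code from the lesson or from any provider), a small Python linter that applies three of the practices above, least privilege, MFA and policy conditions, to AWS-style JSON policy documents. The two sample policies and the list of "sensitive" action prefixes are constructed assumptions.

```python
import json

# Constructed sample policies (not from the lesson): one over-broad, one scoped.
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"],
     "Resource": "arn:aws:iam::123456789012:role/app-role"},
]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::app-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::123456789012:role/app-role",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]})

# Action prefixes treated as privileged and therefore expected to be MFA-gated (assumption).
SENSITIVE_PREFIXES = ("iam:", "sts:", "kms:")

def as_list(value):
    """IAM allows a string, an object or a list in Statement/Action/Resource; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def requires_mfa(stmt: dict) -> bool:
    """True if the statement is conditioned on aws:MultiFactorAuthPresent being true."""
    cond = stmt.get("Condition", {})
    return any(str(cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true"
               for op in ("Bool", "BoolIfExists"))

def lint_policy(policy_json: str) -> list:
    """Return findings for an AWS-style JSON policy, one string per problem."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = as_list(stmt.get("Action")), as_list(stmt.get("Resource"))
        # Least privilege: wildcard actions or resources grant far more than needed.
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {idx}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {idx}: wildcard resource")
        # Policy conditions / MFA: privileged actions should be gated on MFA.
        sensitive = [a for a in actions if a == "*" or a.startswith(SENSITIVE_PREFIXES)]
        if sensitive and not requires_mfa(stmt):
            findings.append(f"statement {idx}: {sensitive} allowed without an MFA condition")
    return findings
```

Run `lint_policy(BROAD_POLICY)` to see three findings (wildcard action, wildcard resource, privileged actions without MFA); the scoped policy produces none.
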

| Method | Description |
|---|---|
| Provider-managed keys | Cloud provider generates and manages encryption keys (default) |
| Customer-managed keys (CMK) | You generate keys in the provider's KMS and control rotation |
| Customer-supplied keys (CSEK) | You provide your own keys — provider never stores them |
| Client-side encryption | You encrypt data before uploading to the cloud |