Cloud Security Fundamentals

The cloud doesn't come pre-secured. The single most important concept in cloud security is understanding what's your responsibility and what's the provider's — because the line isn't always obvious, and mistakes on your side are entirely your problem.

The Shared Responsibility Model

Every major cloud provider uses a shared responsibility model — a division of security duties between the provider and the customer. The provider secures the infrastructure; you secure what you run on it.

What AWS (and Others) Are Responsible For

Physical data center security, hardware, network infrastructure, the hypervisor, and the managed service layer. If an AWS data center is broken into physically, that's AWS's problem. If the hypervisor has a vulnerability that lets one VM read another's memory, that's AWS's problem.

What You Are Responsible For

Operating system patching on your VMs, application security (SQL injection, XSS in your code), IAM configuration (who has access to what), data encryption, network configuration (security groups, NACLs), and security monitoring. If you open port 22 (SSH) to the entire internet, that's your misconfiguration. If your S3 bucket is public, that's on you.

The line shifts by service model: With IaaS, you own more. With PaaS, the provider owns more. With SaaS, the provider owns almost everything. As you move up the stack, your security scope narrows — but your responsibility for data and access control never disappears.

The Cloud Threat Landscape

Cloud security failures cluster around a handful of recurring patterns:

#1: Misconfiguration

Misconfiguration is the most common cause of cloud breaches. Typical cases are publicly accessible S3 buckets exposing sensitive data, overly permissive security groups, IAM roles with excessive privileges, and publicly exposed databases. The Capital One breach (2019, 100M records), the Twitch breach, and hundreds of smaller incidents all trace back to misconfiguration. Tools like AWS Config, GCP Security Command Center, and third-party CSPMs (Cloud Security Posture Management) continuously scan for misconfigurations.
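The two misconfigurations named earlier (a security group open to the whole internet and a public S3 bucket) can be checked offline against exported configuration. The following is an added example, not code from the original page; it assumes input shaped like the output of `describe-security-groups` and a bucket policy document, the sample data is constructed, and the bucket test is a simplified one (an Allow for every principal with no Condition).

```python
import ipaddress
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

def open_to_world(cidr):
    """True for 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_security_groups(groups):
    """Return (group id, port, service) for sensitive ports reachable from anywhere."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "udp", "-1"):
                continue  # ICMP and other protocols carry no port range
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(open_to_world(c) for c in cidrs):
                continue
            # Protocol "-1" means all traffic, so every port is exposed.
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            findings += [(group["GroupId"], port, name)
                         for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
    return findings

def bucket_policy_is_public(policy):
    """True if an Allow statement names every principal and has no Condition."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            principal = "*" if "*" in ([aws] if isinstance(aws, str) else aws) else None
        if stmt.get("Effect") == "Allow" and principal == "*" and not stmt.get("Condition"):
            return True
    return False

# Constructed sample input (not taken from any real account).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
```

Only the first sample group is reported, because the second limits PostgreSQL to a private range.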

#2: Compromised Credentials

Compromised credentials include stolen AWS access keys, leaked service account passwords, and phished admin credentials. Once an attacker has your cloud credentials, they can spin up GPU miners, exfiltrate data, or destroy resources. Multi-factor authentication (MFA) on all accounts, no long-lived access keys, and CloudTrail/audit logging to detect unusual API calls are the core defenses.
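To make "detect unusual API calls" concrete, here is detection logic run over CloudTrail-style records. It is an added example, not code from the original page; the rule names, the `known_ips` baseline, and the list of GPU instance-type prefixes are assumptions, and the events are constructed.

```python
GPU_FAMILIES = ("p2", "p3", "p4", "p5", "g4", "g5", "g6")  # assumption: prefixes treated as GPU
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail"}

def detect(events, known_ips):
    """Return (eventTime, rule, detail) alerts; known_ips maps access key id -> usual source IPs."""
    alerts = []
    for ev in events:
        name, src, when = ev.get("eventName"), ev.get("sourceIPAddress"), ev.get("eventTime")
        ident = ev.get("userIdentity") or {}
        key = ident.get("accessKeyId")
        if name == "ConsoleLogin":
            success = (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
            if success and mfa != "Yes":
                alerts.append((when, "console-login-without-mfa", ident.get("arn")))
        if key in known_ips and src not in known_ips[key]:
            alerts.append((when, "access-key-from-new-ip", f"{key} from {src}"))
        if name == "RunInstances":
            itype = (ev.get("requestParameters") or {}).get("instanceType", "")
            if itype.startswith(GPU_FAMILIES):
                alerts.append((when, "gpu-instance-launch", itype))
        if name in TRAIL_TAMPERING:
            alerts.append((when, "audit-log-tampering", name))
    return alerts

# Constructed sample records; the key id is the placeholder used in AWS documentation.
KEY = "AKIAIOSFODNN7EXAMPLE"
KNOWN_IPS = {KEY: {"198.51.100.10"}}
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T09:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.10", "userIdentity": {"accessKeyId": KEY}},
    {"eventTime": "2024-01-01T09:05:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T09:10:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": KEY},
     "requestParameters": {"instanceType": "p3.8xlarge"}},
    {"eventTime": "2024-01-01T09:11:00Z", "eventName": "StopLogging",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": KEY}},
]
```

The first record matches the key's usual source address and raises nothing; the remaining three produce five alerts between them.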

#3: Insecure APIs

AI systems expose APIs. APIs with missing authentication, broken authorization (you can access other users' data), injection vulnerabilities, or excessive data exposure are a major attack surface. The OWASP API Security Top 10 is the definitive reference for API threat categories.

#4: Supply Chain Attacks

Your container image contains a vulnerable open-source library. Your training data is poisoned. Your ML model artifact is replaced with a backdoored version. The AI supply chain — from dataset to model to serving — has attack surfaces traditional security didn't need to consider. Model signing, dependency scanning (Snyk, Dependabot), and provenance tracking (SLSA framework) address this.

Defense in Depth for Cloud

Good cloud security is layered — no single control is sufficient:

Identity (IAM)

Least-privilege access. MFA everywhere. No long-lived credentials. Separate roles for humans and services.

Network

VPC isolation. Private subnets for sensitive resources. Security groups allowing minimum necessary access.

Data

Encryption at rest and in transit. KMS for key management. No plaintext secrets in code or environment variables.

Detection

CloudTrail / audit logs. Anomaly detection. SIEM integration. Alerting on unusual API calls or data access patterns.

Posture

CSPM tools continuously scan for misconfigurations and compliance drift. AWS Security Hub, GCP SCC, Azure Defender.

Response

Incident response runbooks. Automated remediation (Lambda/Functions triggered by security alerts). Regular DR drills.

Frequently Asked Questions

Is the cloud more or less secure than on-premises?

For most organizations — more secure, if configured correctly. Cloud providers invest billions annually in security, run 24/7 security operations centers, and employ thousands of security engineers. Most organizations can't match that. But "cloud is secure" doesn't mean "your cloud deployment is secure." Your configuration choices, IAM policies, and application security are still entirely your responsibility. Cloud gives you access to world-class security primitives; it doesn't automatically apply them for you.

What are the most important first security steps for a new cloud account?

1) Enable MFA on the root/owner account and all admin accounts.
2) Never use the root account for day-to-day work — create IAM roles.
3) Enable CloudTrail (or equivalent audit logging) in all regions.
4) Enable AWS Config or equivalent for configuration monitoring.
5) Set up billing alerts so you notice unexpected resource creation (often the first sign of compromise).
6) Apply the well-known cloud security benchmarks (CIS AWS Foundations Benchmark) as a baseline.

These 6 steps address the majority of cloud account compromise scenarios.

How do I store secrets (API keys, database passwords) securely in the cloud?

Never store them in code, in environment variables committed to source control, or in S3 buckets. Use dedicated secrets management services: AWS Secrets Manager or Parameter Store, GCP Secret Manager, or Azure Key Vault. These store secrets encrypted, control access via IAM, rotate secrets automatically, and audit all access. Your application retrieves secrets at runtime via API call — they're never stored in your deployment artifact or version control.
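A sketch of runtime retrieval from AWS Secrets Manager with a short-lived cache, so a rotated secret is picked up without redeploying. This is an added example, not code from the original page; `SecretCache`, `StubSecretsClient`, the secret name and the TTL are hypothetical, and the stub stands in for `boto3.client("secretsmanager")` so the block runs offline.

```python
import json
import time

class SecretCache:
    """Fetch secrets at runtime and keep them in memory only for a short TTL."""

    def __init__(self, client=None, ttl_seconds=300, clock=time.monotonic):
        if client is None:
            import boto3  # imported lazily so a stub client can be injected
            client = boto3.client("secretsmanager")
        self._client, self._ttl, self._clock = client, ttl_seconds, clock
        self._cache = {}  # secret id -> (fetch time, value)

    def get(self, secret_id):
        hit = self._cache.get(secret_id)
        if hit and self._clock() - hit[0] < self._ttl:
            return hit[1]
        # Cache miss or expired entry: ask the service again, which also
        # picks up any value rotated since the last fetch.
        resp = self._client.get_secret_value(SecretId=secret_id)
        raw = resp.get("SecretString")
        if raw is None:
            value = resp["SecretBinary"]
        else:
            try:
                value = json.loads(raw)   # key/value secrets are stored as JSON
            except ValueError:
                value = raw               # plain string secret
        self._cache[secret_id] = (self._clock(), value)
        return value

class StubSecretsClient:
    """Constructed stand-in for the Secrets Manager client, for offline runs."""

    def __init__(self, secrets):
        self.secrets, self.calls = secrets, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secrets[SecretId]}
```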
