01
17 min read · 6 briefings

Cloud Security Foundations

The cloud is just someone else's computer — and knowing exactly which parts are yours to defend is the whole game.

01 The shared responsibility model

Every major cloud runs on a single organizing idea: the shared responsibility model. The provider secures the cloud itself — the physical data centers, the hypervisor, the network fabric, the managed-service internals. You, the customer, secure what you put in the cloud — your data, your identities, your configurations, your code. The dividing line moves depending on the service model.

You always ownShifts with service modelProvider always owns
Data, identities, access policiesOS, runtime, network config, patchingPhysical facilities, hypervisor, hardware
IaaS: you patch the guest OS and everything above itPaaS: provider patches the OS/runtime, you own the app and dataSaaS: provider owns almost everything but your data and access

The dangerous misreading is to assume "the provider handles security." They handle their half flawlessly and contractually — but a world-class hypervisor does nothing to stop you from leaving a storage bucket public or granting an over-broad role. Amazon, Microsoft, and Google all publish this model explicitly precisely because the top cause of cloud breaches lives entirely on the customer's side of the line.

Insight The model isn't just legal boilerplate — it's an operational checklist. For every service you adopt, ask literally: which security tasks did the provider just take off my plate, and which ones did they silently leave on it?

02 Why misconfiguration is the #1 risk

Ask a beginner what threatens the cloud and they picture the provider getting hacked. In reality, breaches of the hyperscalers' own infrastructure are vanishingly rare. The overwhelming cause of cloud incidents is customer misconfiguration: a storage bucket set to public, a security group open to 0.0.0.0/0, an over-permissive IAM role, logging switched off, a database exposed without authentication.

Several forces conspire to make this the norm rather than the exception:

  • Speed over safety. Cloud lets anyone spin up infrastructure in seconds, often without a security review that a physical server would have triggered.
  • Defaults and sprawl. Thousands of resources, each with dozens of settings, mutate daily across many accounts. One wrong toggle hides easily.
  • Complexity of IAM. Policy languages are powerful and subtle; "make it work" often means "make it too open."

Industry analyses have for years attributed the great majority of cloud security failures to customer-side misconfiguration and mistakes rather than provider flaws. The upshot is empowering: most cloud risk is yours to fix, using tools the provider already gives you.

Watch out "It's internal-only" is a trap. A resource behind no authentication but merely "not linked anywhere" is still discoverable — automated scanners crawl cloud IP ranges constantly and find exposed buckets and databases within minutes.

03 Accounts, subscriptions, and tenants

The most underrated cloud security control is where you draw account boundaries. Each provider has its own top-level container, and that container is the natural blast radius — the boundary a compromise struggles to cross.

  • AWS: the account is the isolation unit; large orgs run dozens or hundreds of accounts grouped under AWS Organizations, with guardrails via Service Control Policies.
  • Azure: a subscription holds resources, all sitting under an Entra ID (formerly Azure AD) tenant that defines the identity boundary.
  • Google Cloud: projects group resources under an organization node, arranged in folders.

The mature pattern is a landing zone: a multi-account structure that isolates production from development, separates workloads by team, and quarantines security tooling and logs in their own accounts. If an attacker pops a developer sandbox, sound account boundaries stop them from touching production billing, data, or identity.

Pro tip A single flat account with everything in it is the cloud equivalent of a flat network. Splitting workloads across accounts/subscriptions/projects is one of the highest-leverage architectural decisions you can make early.

04 Control plane vs. data plane

Every cloud service has two distinct surfaces, and confusing them causes real incidents. The control plane is the management layer — the APIs and console you use to create, configure, and destroy resources. The data plane is the resource actually doing work — the bytes in a bucket, the queries hitting a database, the requests served by a function.

They fail in different ways and are defended differently. A control-plane compromise (stolen API credentials, an over-privileged role) lets an attacker reshape your environment: open firewalls, disable logging, snapshot a database and copy it out, or spin up crypto-mining fleets. A data-plane compromise (a public bucket, an app-layer SQL injection) leaks or corrupts the data itself without necessarily touching your account settings.

The distinction matters because your logging and controls must cover both. It is entirely possible to have flawless application security on the data plane while your control plane is wide open through leaked access keys — or vice versa.

In the cloud, the API is the attack surface. Anything you can do to your infrastructure, an attacker with your credentials can do too.

05 Logging and managed detection

You cannot defend what you cannot see, and in the cloud "seeing" means turning on the right logs before you need them. The foundational one is the control-plane audit logAWS CloudTrail, Azure Activity Log / Monitor, Google Cloud Audit Logs. It records every API call: who did what, from which IP, when, and whether it was allowed. After any incident, this is the first thing responders reach for.

Layered on top are managed threat-detection services that analyze this telemetry for you. Amazon GuardDuty is the canonical example: it ingests CloudTrail, VPC flow logs, and DNS logs and flags patterns like credential use from an anomalous location, communication with known-malicious IPs, or the tell-tale signs of a compromised instance. Azure and Google offer analogous services (Microsoft Defender for Cloud, Google Security Command Center).

Watch out Logging is frequently the first thing a competent attacker disables. In AWS, a call to StopLogging on CloudTrail should itself be a screaming, alert-worthy event — send logs to a separate, tightly locked security account so an attacker in the workload account cannot erase their own tracks.

The rule of thumb: enable audit logging in every account and region on day one, forward it centrally, and make it immutable. Logs you turned on after the breach do not exist for the breach.

06 Posture management and drift

Because misconfiguration is the dominant risk, an entire tool category exists to hunt for it continuously: Cloud Security Posture Management (CSPM). A CSPM tool inventories every resource across your accounts and evaluates each against a library of rules and benchmarks — CIS Foundations, provider best practices, regulatory frameworks — flagging public buckets, unencrypted volumes, disabled logging, over-broad roles, and thousands of similar findings.

Its real value is catching posture drift: the slow erosion of a secure baseline as engineers make ad hoc changes over months. A resource created securely rarely stays that way if humans keep touching it. CSPM re-checks continuously and re-flags whatever slid out of compliance.

Two organizational controls make all of this tractable at scale:

  • Resource groups / hierarchy: logically grouping related resources (an Azure resource group, an AWS resource grouping, a GCP project) so lifecycle, access, and policy apply coherently.
  • Tagging: attaching key–value metadata (env=prod, owner=team-x, data-class=pii) so you can attribute cost, target policy, and answer the incident-response question "what is this thing and who owns it?"
Pro tip Treat tags as a security control, not just accounting. A resource with no owner tag is a resource nobody will patch, monitor, or safely delete — untagged sprawl is where shadow risk accumulates.

Field Glossary

Shared responsibility model
The framework dividing security duties between provider (the cloud itself: hardware, hypervisor, facilities) and customer (what runs in it: data, identity, configuration). The split shifts across IaaS, PaaS, and SaaS.
Misconfiguration
A customer-side setting error — public storage, open security groups, over-broad roles, disabled logging — that is the leading cause of cloud breaches, far ahead of provider flaws.
Control plane vs. data plane
The management/API layer that creates and configures resources (control plane) versus the resource actually processing data (data plane). Each is attacked and defended differently.
CloudTrail / Activity Log
The cloud audit log recording every control-plane API call — actor, action, source, and result. It is the primary forensic record for cloud incident response.
GuardDuty
AWS's managed threat-detection service that analyzes CloudTrail, VPC flow, and DNS logs to flag anomalous or malicious activity; Azure and Google offer analogous managed detection.
CSPM
Cloud Security Posture Management — tooling that continuously inventories resources and checks them against benchmarks to detect misconfiguration and posture drift.
Landing zone
A pre-designed multi-account (or multi-subscription/project) structure that isolates environments and workloads so a compromise's blast radius is contained.

Knowledge Check

Field Assessment

0 / 3

01 Under the shared responsibility model for an IaaS virtual machine, who is responsible for patching the guest operating system?

02 Industry analyses consistently identify which factor as the leading cause of cloud security incidents?

03 Why should CloudTrail/audit logs be forwarded to a separate, tightly controlled security account?

ESC
↑↓ navigate jack in