Cloud Security - Deep Technical Breakdown

Five Big Layers to Secure

• Identity (who can do what)
• Network (who can reach what)
• Compute (VMs, containers, Kubernetes)
• Data (storage, DB, secrets)
• Operations (logging, monitoring, response)

1) Shared Responsibility Model

In cloud, security is shared:

• If Azure VM is hacked due to SSH open to world -> your misconfiguration.
• If a cloud region outage happens -> provider issue, but your availability design is still your responsibility.

2) IAM (Most Breaches Start Here)

What attackers love

• Over-permissive roles (admin everywhere)
• Long-lived access keys in .env or GitHub
• No MFA
• Credential reuse
• No dev/stage/prod separation

Best practices

• Least privilege and RBAC
• MFA everywhere, especially admins
• Separate environments by subscription/project/account
• Use short-lived credentials and managed identities/workload identities
• Use just-in-time privileged access

For microservices + DevOps: use service identities, not user credentials; each service should access only its own DB/storage/queue.

3) Cloud Network Security

Segmentation is everything.

• Common mistake: everything gets public IP because it is easy.
• Goal: only internet-facing services should be public, usually 443 only.

Key controls

• Security Groups / NSGs allow-list inbound and outbound
• Private endpoints / private link
• Egress controls to limit attacker callback traffic
• Bastion / VPN instead of public SSH/RDP

Rule of thumb: if a service does not require internet access, do not assign a public IP.

4) Data Security

Data risks

• Public storage buckets/containers
• Unencrypted sensitive fields (PII, salary, identity-like fields)
• Secrets in code
• No backup or restore testing

Best practices

• Encrypt in transit with TLS everywhere
• Encrypt at rest, use customer-managed keys where needed
• Use KMS and rotate keys
• Use secret manager (Key Vault / Secrets Manager)
• Never store secrets in repos or images
• Automated, immutable backups with restore drills

5) Compute Security (VMs, Containers, Kubernetes)

6) Cloud Posture and Misconfiguration

Most incidents are misconfiguration, not advanced attacks.

• Public storage exposure
• Overly open firewall rules
• Leaked admin credentials
• Overpowered IAM roles

How to control posture

• Golden config templates (IAM, network, logging)
• Policy-as-code checks before deployment
• Continuous CSPM checks

7) Logging, Monitoring, Incident Response

Assume breach. You must answer: who accessed what, from where, what changed, what data left.

Must-have logs

• Identity sign-ins and admin actions
• Network flow logs
• VM/K8s audit logs
• Application auth and suspicious pattern logs
• WAF/CDN logs

Response readiness

• Alerts for impossible travel and suspicious logins
• Privilege escalation detection
• Mass data read/export detection
• Public exposure change detection
• Runbooks for key leak, DB exposure, compromised container

8) CI/CD and Supply Chain Security

Many cloud attacks enter through pipelines.

• Do not keep plaintext secrets in pipeline variables
• Use protected branches and required reviews
• Sign artifacts and container images
• Scan dependencies (SCA) and images
• Restrict who can edit pipeline configuration
• Separate deploy permissions by environment

9) Quick Cloud Security Checklist