In the past, companies had to buy massive, expensive physical servers and store them in secure rooms inside their offices. Today, companies rent virtual servers and software hosted over the internet by massive providers like Amazon (AWS), Microsoft (Azure), and Google (GCP). This is Cloud Computing.
While the cloud is incredibly scalable and convenient, storing sensitive data on someone else's server introduces completely unique cybersecurity challenges.
The 3 Models of Cloud Computing
Security strategies heavily depend on which cloud model a company uses:
IaaS (Infrastructure as a Service): You rent the raw virtual hardware (servers, networking). Example: AWS EC2. You have maximum control, but you are fully responsible for installing and securing the operating system.
PaaS (Platform as a Service): You rent a ready-made environment to build and host your own apps. Example: Heroku. The provider handles the servers and OS, you just secure your app's code.
SaaS (Software as a Service): You rent a completely finished, ready-to-use application over the web. Example: Google Workspace, Salesforce. The provider handles all technical security; you only need to secure user access (strong passwords and MFA).
The Shared Responsibility Model
A massive misconception is that "because it's in the cloud, Amazon/Google handles all the security." This is false. Security in the cloud operates on a Shared Responsibility Model:
The Cloud Provider (AWS/Azure): Is responsible for the security OF the cloud. They protect the physical data centers, the hardware, and the foundational networking infrastructure.
The Customer (You): Are responsible for security IN the cloud. You must secure your own data, configure strong firewalls, set up strict access controls (IAM), and encrypt sensitive databases.
Major Cloud Security Threats
Misconfigurations: The #1 cause of cloud breaches. Administrators accidentally leave an online storage bucket (like an AWS S3 bucket) configured as "Public," exposing millions of customer records to anyone on the internet.
Compromised Credentials: Since the cloud is accessible from anywhere in the world, if a hacker steals a cloud administrator's password, they have instant access to the entire company's infrastructure.
Insecure APIs: Cloud services talk to each other heavily through APIs. If these interfaces are not properly secured and authenticated, attackers can exploit them to extract data.
Deep Dive: Identity and Access Management (IAM)
In the physical world, your network is protected by physical walls and a locked front door. In the cloud, the "front door" is entirely virtual, meaning Identity is the new perimeter.
To secure this, organizations use IAM (Identity and Access Management). This is a central framework of policies and technologies ensuring that the right users have the appropriate access to cloud resources.
Principle of Least Privilege (PoLP): A core IAM concept stating that a user (or an application) should only ever be given the bare minimum access rights necessary to perform their job. If a marketing intern's account gets hacked, the hacker shouldn't automatically have access to the production databases.
Role-Based Access Control (RBAC): Instead of assigning permissions to individuals one by one, administrators create "Roles" (e.g., DatabaseAdmin, ReadOnlyUser) and assign users to those roles.
Zero Trust: The modern cloud philosophy that completely assumes attackers are already inside the network. Therefore, no user or device is ever trusted by default. Every single request to access data must be strictly verified and authenticated every single time.
Knowledge Check
?
Under the Shared Responsibility Model, who is primarily responsible for configuring proper data encryption and strong passwords for applications running IN the cloud?