Lesson 15: Introduction to Cloud Security — Identity Is the New Perimeter
Until now we discussed defense in terms of a physical network: a perimeter, an interior, servers in a server room. This lesson moves to an arena where most of those assumptions no longer hold: cloud computing. The 'server' isn't yours anymore; it sits on someone else's hardware, and there's no phys
In brief: in the cloud there is no physical wall to rely on, so the 'boundary' becomes who you are, not where you're connecting from. The shared responsibility model says that the provider handles hardware and availability, while you handle your configuration, identities, and data. IaaS, PaaS and SaaS are three degrees of 'how much the provider does for you'; however much it does, your responsibility for configuration and data never disappears. Most cloud breaches don't happen because someone cracked sophisticated technology; they happen because someone accidentally left something open.
- Cloud Computing & the On-Demand Model
- A model enabling remote access to computing resources (servers, storage, databases, networks) over the internet, on demand and paid per usage (pay-as-you-go) — without owning or maintaining physical servers on-site.
- Old vs. New Approach: Identity Is the New Perimeter
- In the old approach, security relied on physical location — inside the firewall meant 'trusted,' outside meant 'suspect'; the problem: an attacker who got past the wall could move freely inside. In the new approach, with employees using SaaS, working from home, and the server itself sitting in the cloud — the network is no longer a reliable boundary. What stays constant is 'who' is trying to access the information, so defense shifted from protecting the network to protecting identity.
- Components of the New Perimeter: MFA, Context & Least Privilege
- Instead of asking 'which network are you coming from,' the system asks identity questions before every action: strong authentication (MFA — a password alone isn't enough), context-based access (is this the known device, a reasonable country, a fitting time of day), and least privilege — even after authentication, access is granted only for what the job requires.
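The three identity questions above can be made concrete as a small policy check. This is an added illustration, not code from the lesson or from any cloud provider: the roles, device list, country list and working hours are constructed sample data, and the point is that network location never appears as a reason to allow.

```python
"""Toy identity-centric access check: MFA + context + least privilege.

Added illustration (not part of the lesson). Roles, devices, countries and
hours below are constructed sample data, not any vendor's API or policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Least privilege: each role gets only the actions its job needs (constructed).
ROLE_PERMISSIONS = {
    "analyst": {"s3:GetObject", "logs:FilterLogEvents"},
    "admin": {"s3:GetObject", "s3:PutObject", "iam:CreateUser"},
}

# Context the organisation treats as "known" (constructed sample data).
KNOWN_DEVICES = {"laptop-4f21", "laptop-9a77"}
ALLOWED_COUNTRIES = {"IL", "DE"}
WORK_HOURS = range(7, 20)  # 07:00-19:59 UTC


@dataclass
class Request:
    user: str
    role: str
    action: str
    mfa_verified: bool
    device_id: str
    country: str
    when: datetime  # timezone-aware


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every request is re-checked from scratch;
    the network the request arrived from is deliberately not an input."""
    reasons: list[str] = []
    # 1. Strong authentication: a password alone is never enough.
    if not req.mfa_verified:
        reasons.append("mfa required")
    # 2. Context: known device, reasonable country, fitting time of day.
    if req.device_id not in KNOWN_DEVICES:
        reasons.append(f"unknown device {req.device_id}")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"unexpected country {req.country}")
    if req.when.astimezone(timezone.utc).hour not in WORK_HOURS:
        reasons.append("outside working hours")
    # 3. Least privilege: being authenticated is not the same as being authorised.
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append(f"role {req.role} may not {req.action}")
    return (not reasons, reasons)


def demo() -> dict:
    """Evaluate one compliant and one non-compliant request (constructed samples)."""
    office_hours = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    late_night = datetime(2024, 1, 10, 23, 30, tzinfo=timezone.utc)
    good = Request("dana", "analyst", "s3:GetObject", True, "laptop-4f21", "IL", office_hours)
    bad = Request("dana", "analyst", "iam:CreateUser", False, "tablet-0000", "XX", late_night)
    return {"good": evaluate(good), "bad": evaluate(bad)}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(name, "ALLOW" if allowed else "DENY", reasons)
```

Returning the full list of reasons rather than stopping at the first failure is a deliberate choice: the denial log then shows an investigator every signal that fired, not just the first one.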
- Zero Trust
- The assumption that even inside the organizational network, no one is trusted by default — every access request is re-checked as if it came from the public internet, with no fixed 'trusted zone' that gets automatic trust.
- The Shared Responsibility Model: Security OF vs. IN the Cloud
- Cloud responsibility splits by layer — the provider isn't responsible for everything, and neither is the customer. Security OF the Cloud (provider's responsibility): physical data-center security, power and cooling, hardware, the virtualization layer (hypervisor), and global availability (Regions/Availability Zones). Security IN the Cloud (customer's responsibility): identity and access management (IAM), data protection and encryption, and service configuration.
- IaaS, PaaS & SaaS: the Responsibility Gradient
- IaaS (e.g. EC2): the provider gives servers, storage, and network; the customer manages the OS, services, and applications — very high customer responsibility. PaaS (e.g. RDS): the provider also adds the OS and runtime; the customer focuses on code and business logic. SaaS (e.g. Gmail): the provider supplies the full application; the customer only uses the service — but is still responsible for user management, MFA, and preventing data leakage.
- Cloud Deployment Types: Private, Public, Hybrid & Multi-Cloud
- Private cloud: infrastructure dedicated to a single organization, with total control but expensive to build and maintain. Public cloud: infrastructure shared between organizations with logical separation, pay-per-use, and elasticity (scaling up or down as needed). Hybrid cloud: a combination of both, where sensitive data stays on-premises and flexible workloads move to the public cloud. Multi-cloud: using several public cloud providers at once, to avoid vendor lock-in, for backup, and for regulatory reasons.
- Multi-tenancy vs. Single-tenancy
- In a public cloud (multi-tenant), virtual servers belonging to dozens of different organizations may run on the same physical server — logical separation exists, but physical resources are shared. In a private cloud (single-tenant), the 'tenant' organization is the only one on the hardware.
- Misconfiguration — Cloud's Threat #1
- Most cloud security incidents aren't a breach of sophisticated technology, but a human configuration mistake — for example, leaving S3 storage open for public access to the entire world — due to lack of awareness or unclear security policy.
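The "open to the entire world" mistake is visible in the bucket policy itself, so it can be caught by a static check before anyone exploits it. The following is an added example, not part of the lesson: a small scanner over IAM-style policy JSON that reports Allow statements whose Principal is the anonymous wildcard. The two policy documents are constructed samples (the account id and bucket name are placeholders).

```python
"""Flag S3 bucket policy statements that grant access to 'everyone'.

Added example (not from the lesson). The policy documents are constructed
samples in the standard IAM policy JSON shape. This is a static check that
complements, not replaces, the provider's own public-access block settings.
"""
import json


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True when the Principal is the wildcard '*' (or {"AWS": "*"}), i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json: str) -> list:
    """Return one finding per Allow statement open to an anonymous principal.

    A statement that carries a Condition block is still reported, marked
    'conditional', so a human reviews it: a condition may narrow it to a
    VPC or IP range, or may not.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": sorted(_as_list(stmt.get("Action"))),
            "resources": _as_list(stmt.get("Resource")),
            "conditional": "Condition" in stmt,
        })
    return findings


# Constructed sample: the classic "left the bucket open to the world" mistake.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample: same permissions, but only for one named role in the account
# (123456789012 is a placeholder account id).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, public_statements(doc))
```

Running this over every bucket policy in an account, on a schedule, turns the lesson's "lack of awareness" problem into an alert with a bucket name and a statement id attached.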
- Cloud Network, Data & Governance: VPC, Data Lifecycle & Sovereignty
- A VPC (Virtual Private Cloud) is a private, isolated network inside the public cloud, divided into public subnets (for internet-facing services) and private subnets (for sensitive databases). Within it, a NACL operates at the network level and is stateless: each packet, including return traffic, is checked on its own regardless of who initiated the connection (covered in lesson 12). A Security Group operates at the server level and is stateful: it remembers who initiated the connection and allows the reply automatically. The data lifecycle requires protection in three states: at rest (on disk: encryption), in transit (on the network: SSL/TLS), and in use (in memory during processing). Without logs (like CloudTrail) recording who did what, when and from where, there is no investigation capability. And the choice of Region also determines regulatory compliance (like GDPR) and data sovereignty.
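The stateless/stateful distinction is easiest to see by pushing one HTTPS request and its reply through both kinds of filter. The simulation below is an added example, not code from the lesson or from any cloud provider: the addresses and rules are constructed, and real NACLs also match protocol and CIDR and use numbered rules, which this toy model collapses to ordered (low_port, high_port, action) tuples with an implicit final deny.

```python
"""Stateless NACL vs stateful Security Group, simulated.

Added example (not part of the lesson). Addresses and rules are constructed;
real NACLs also match protocol and CIDR and use numbered rules, which this
model reduces to ordered (low_port, high_port, action) tuples, default deny.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = towards the protected instance, "out" = leaving it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NetworkAcl:
    """Stateless: every packet, replies included, is matched against the rule list on its own."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}

    def permits(self, pkt: Packet) -> bool:
        for low, high, action in self.rules[pkt.direction]:
            if low <= pkt.dst_port <= high:
                return action == "allow"  # first matching rule wins
        return False  # implicit final deny


class SecurityGroup:
    """Stateful: a reply to an accepted connection is allowed even with no rule for it."""

    def __init__(self, inbound_ports, outbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.outbound_ports = set(outbound_ports)
        self.flows = set()  # (peer_ip, peer_port, local_port) of connections we accepted

    def permits(self, pkt: Packet) -> bool:
        if pkt.direction == "in":
            flow = (pkt.src_ip, pkt.src_port, pkt.dst_port)
            if flow in self.flows or pkt.dst_port in self.inbound_ports:
                self.flows.add(flow)
                return True
            return False
        # Outbound: either a reply to a tracked inbound connection, or a new connection we allow.
        flow = (pkt.dst_ip, pkt.dst_port, pkt.src_port)
        if flow in self.flows:
            return True
        if pkt.dst_port in self.outbound_ports:
            self.flows.add(flow)
            return True
        return False


def demo() -> dict:
    """Run one HTTPS request/response pair through each model; (request_ok, response_ok) per model."""
    client_ip, client_port, server_ip = "203.0.113.7", 51234, "10.0.1.10"  # constructed addresses
    request = Packet("in", client_ip, client_port, server_ip, 443)
    response = Packet("out", server_ip, 443, client_ip, client_port)

    # Common mistake: mirroring the inbound rule outbound and forgetting the client's ephemeral port.
    nacl_naive = NetworkAcl(inbound=[(443, 443, "allow")], outbound=[(443, 443, "allow")])
    # Corrected: a stateless filter needs an explicit outbound rule for reply traffic.
    nacl_fixed = NetworkAcl(inbound=[(443, 443, "allow")],
                            outbound=[(443, 443, "allow"), (1024, 65535, "allow")])
    # The security group has the same narrow rules but tracks connections.
    sg = SecurityGroup(inbound_ports={443}, outbound_ports={443})
    unsolicited = Packet("out", server_ip, 40000, "198.51.100.9", 8080)  # not a reply to anything

    return {
        "nacl_naive": (nacl_naive.permits(request), nacl_naive.permits(response)),
        "nacl_fixed": (nacl_fixed.permits(request), nacl_fixed.permits(response)),
        "sg": (sg.permits(request), sg.permits(response)),
        "sg_unsolicited": sg.permits(unsolicited),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The naive NACL lets the request in and then silently drops the server's reply, which is the classic "the security group looks right but nothing connects" symptom; the security group passes the reply because it remembers the connection, while still refusing an outbound connection that nobody asked for.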