SY0-701 | Chapter 24 of 212 | Objective 3.6

Cloud Security Fundamentals

This chapter covers cloud security fundamentals, a critical topic for the Security+ SY0-701 exam under Objective 3.6 (Security Architecture). Cloud adoption continues to grow, and understanding how to secure cloud environments is essential for any security professional. We will explore cloud deployment models, service models, shared responsibility, cloud-specific threats, and security controls. This chapter provides the foundational knowledge you need to answer scenario-based questions on the exam and to apply these concepts in real-world cloud architectures.

25 min read
Intermediate
Updated May 31, 2026

Cloud Security as a Shared Apartment Building

Imagine a shared apartment building where each tenant (customer) rents a unit. The landlord (cloud provider) is responsible for the building's structural integrity, electricity, plumbing, and common areas (physical security, network backbone, hypervisor). However, each tenant is responsible for locking their own door, securing their valuables, and not leaving a window open (securing their OS, applications, data, and access). In a hotel (Software as a Service), the staff handles everything inside the room, but you still lock your suitcase (data). In a co-living space (Infrastructure as a Service), you have your own room and must lock it yourself. The landlord provides a strong front door and a security guard (firewall, DDoS protection), but if you leave your door unlocked, an intruder can enter. This shared responsibility model means you cannot blame the landlord if you leave your door open. In the cloud, you must configure identity and access management (IAM), encryption, and logging because the provider only secures the underlying infrastructure up to a certain point. The exam tests your understanding of exactly where provider responsibility ends and customer responsibility begins.

How It Actually Works

What is Cloud Computing and Why Security Matters

Cloud computing is the on-demand delivery of IT resources over the internet with pay-as-you-go pricing. Instead of owning data centers, you rent compute power, storage, and applications from a cloud provider like AWS, Azure, or Google Cloud. The National Institute of Standards and Technology (NIST) defines five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Security in the cloud is fundamentally different from on-premises because you do not control the physical infrastructure, and the shared responsibility model dictates which security tasks you own versus the provider.

Cloud Deployment Models

There are four primary deployment models:

- Public Cloud: Resources are owned and operated by a third-party provider and shared over the internet. Examples: AWS, Azure, Google Cloud. Security responsibility is split between provider and customer.

- Private Cloud: Resources are used exclusively by a single organization, either on-premises or hosted by a third party. The organization has full control over security.

- Hybrid Cloud: Combines public and private clouds, allowing data and applications to be shared. This introduces complexity in security boundaries and data transfer.

- Community Cloud: Shared by several organizations with common concerns (e.g., compliance, jurisdiction). Security is a shared responsibility among the community members.

The exam expects you to know the security implications of each: public cloud offers less control but more scalability; private cloud offers full control but higher cost; hybrid cloud requires careful integration security; community cloud must meet all members' compliance requirements.

Cloud Service Models (SPI Model)

The three main service models define the level of abstraction and responsibility:

- Infrastructure as a Service (IaaS): The provider offers virtualized computing resources (VMs, storage, networks). The customer configures and secures the OS, applications, and data. Examples: Amazon EC2, Google Compute Engine.

- Platform as a Service (PaaS): The provider manages the runtime environment (OS, middleware, runtime). The customer only develops and deploys applications. Examples: AWS Elastic Beanstalk, Google App Engine.

- Software as a Service (SaaS): The provider delivers a complete application. The customer only manages data and user access. Examples: Salesforce, Office 365.

Shared Responsibility Model

This is the most critical concept for the exam. The cloud provider is responsible for the security OF the cloud (physical security, hypervisor, network infrastructure). The customer is responsible for security IN the cloud (data, identity, access, OS patches, network configurations). The exact split varies by service model:

In IaaS, the customer secures everything above the hypervisor (OS, apps, data, network ACLs).

In PaaS, the customer secures applications and data; the provider secures the platform.

In SaaS, the customer secures data and user access; the provider secures the application.

Cloud Security Threats

Misconfiguration: The number one cause of cloud breaches. Examples: S3 buckets left public, overly permissive security groups, unencrypted data. The 2021 Code Spaces attack was due to misconfigured AWS IAM roles.

Insecure APIs: Cloud services are managed via APIs. Weak authentication or excessive permissions can allow attackers to manipulate resources. CVE-2022-22965 (Spring4Shell) affected cloud-based Java applications.

Data Breaches: Stolen credentials, insider threats, or insecure interfaces lead to unauthorized data access.

Denial of Service (DoS): Cloud resources can be overwhelmed, causing availability issues.

Account Hijacking: Phishing or credential stuffing to take over cloud accounts.

Insider Threats: Malicious or negligent employees with access to cloud resources.

Shadow IT: Employees using cloud services without IT approval, bypassing security controls.

Cloud Security Controls

Identity and Access Management (IAM): Use least privilege, multi-factor authentication (MFA), and role-based access control (RBAC). AWS IAM policies, Azure RBAC, Google Cloud IAM.

Encryption: Encrypt data at rest (AES-256) and in transit (TLS 1.2+). Use customer-managed keys (CMKs) for sensitive data. Key management services (KMS) rotate keys automatically.

Network Security: Use virtual private clouds (VPCs), subnets, security groups, network ACLs, and web application firewalls (WAF). Implement micro-segmentation.

Logging and Monitoring: Enable cloud audit logging (AWS CloudTrail, Azure Monitor, Google Cloud Audit Logs). Use a SIEM to analyze the logs for suspicious activity.

Backup and Disaster Recovery: Use snapshots, cross-region replication, and immutable backups to protect against ransomware.

Compliance and Governance: Use cloud compliance frameworks (CIS Benchmarks, NIST 800-53, SOC 2) and tools like AWS Config, Azure Policy to enforce rules.
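The misconfigurations listed under Cloud Security Threats (public buckets, overly permissive security groups, unencrypted data) and the automated compliance checks named under Compliance and Governance are two sides of the same control. As an added example, not code from the page or from any vendor's CSPM product, the Python script below implements that kind of check over a constructed inventory: it flags a bucket policy that allows any principal without a Condition, a bucket with no default encryption, an administrative port open to the whole internet, an IAM policy that grants Action * on Resource *, and an instance that still answers IMDSv1. The field names are assumptions modelled on the shapes the AWS APIs return, and the account id, resource names and every value in the inventory are made up.

```python
"""Minimal CSPM-style misconfiguration audit over a constructed cloud inventory.

Added example, not code from the page or from any vendor tool. The inventory is
hand-built to mimic the fields the AWS APIs return for bucket policies, security
groups, IAM policy documents and EC2 metadata options; none of it is real.
"""

ADMIN_PORTS = {22, 3389}             # SSH and RDP should never face the whole internet
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """IAM JSON allows a bare string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """'*' or {'AWS': '*'} grants access to every caller, including anonymous ones."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def check_bucket(bucket):
    """Public bucket policy (Allow to * with no Condition) and missing default encryption."""
    findings = []
    for stmt in _as_list(bucket.get("policy", {}).get("Statement")):
        if (stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append((bucket["name"], "PUBLIC_BUCKET_POLICY",
                             "Allow %s to Principal * with no Condition"
                             % ", ".join(_as_list(stmt.get("Action")))))
    if not bucket.get("default_encryption"):
        findings.append((bucket["name"], "NO_DEFAULT_ENCRYPTION", "no server-side encryption set"))
    return findings


def check_security_group(sg):
    """Administrative ports reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in sg.get("ingress", []):
        lo, hi = rule["from_port"], rule["to_port"]
        open_cidrs = WORLD_CIDRS & set(rule.get("cidrs", []))
        if open_cidrs and any(lo <= port <= hi for port in ADMIN_PORTS):
            findings.append((sg["id"], "ADMIN_PORT_OPEN_TO_WORLD",
                             "ports %d-%d from %s" % (lo, hi, sorted(open_cidrs))))
    return findings


def check_iam_policy(policy):
    """Allow with Action * on Resource *: the opposite of least privilege."""
    return [(policy["name"], "IAM_FULL_ADMIN_WILDCARD", "Action * on Resource *")
            for stmt in _as_list(policy["document"].get("Statement"))
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action"))
            and "*" in _as_list(stmt.get("Resource"))]


def check_instance(instance):
    """Instances that still answer IMDSv1 (metadata requests without a session token)."""
    tokens = instance.get("metadata_options", {}).get("HttpTokens")
    if tokens != "required":
        return [(instance["id"], "IMDSV1_ALLOWED", "HttpTokens is %r, expected 'required'" % tokens)]
    return []


CHECKS = {"buckets": check_bucket, "security_groups": check_security_group,
          "iam_policies": check_iam_policy, "instances": check_instance}


def audit(inventory):
    """Run every check; returns (resource, rule, detail) tuples."""
    return [finding for key, check in CHECKS.items()
            for item in inventory.get(key, []) for finding in check(item)]


# Constructed inventory: for each resource type, one misconfigured and one sound item.
SAMPLE_INVENTORY = {
    "buckets": [
        {"name": "customer-exports", "default_encryption": False, "policy": {"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::customer-exports/*"}]}},
        {"name": "app-logs", "default_encryption": True, "policy": {"Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/log-writer"},
             "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-logs/*"}]}},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
        {"id": "sg-bastion", "ingress": [{"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]}]},
    ],
    "iam_policies": [
        {"name": "dev-shortcut", "document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
        {"name": "read-app-logs", "document": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-logs/*"}]}},
    ],
    "instances": [
        {"id": "i-legacy", "metadata_options": {"HttpTokens": "optional"}},
        {"id": "i-hardened", "metadata_options": {"HttpTokens": "required"}},
    ],
}

if __name__ == "__main__":
    for resource, rule, detail in audit(SAMPLE_INVENTORY):
        print(f"{rule:26} {resource:18} {detail}")
```

Run as-is it reports five findings, one per misconfigured item, and nothing for the sound ones. In a real deployment the inventory would be fetched with the cloud SDK and the same check functions run on a schedule, which is essentially what tools like Prowler, ScoutSuite and AWS Config rules do against the CIS Benchmarks.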

Cloud Access Security Broker (CASB)

A CASB sits between users and cloud services to enforce security policies. It provides visibility, data loss prevention (DLP), threat protection, and compliance monitoring. Examples include Microsoft Cloud App Security and Netskope. CASBs can detect shadow IT, block risky apps, and enforce encryption.

Virtualization Security

Cloud relies on virtualization. The hypervisor (e.g., VMware ESXi, Hyper-V) must be secured to prevent VM escape attacks (CVE-2019-5544). Use hypervisor hardening, disable unnecessary services, and apply patches. The exam may ask about VM escape, where an attacker breaks out of a VM to access the hypervisor or other VMs.

Cloud-Specific Attacks

Cloud Hopper: Attackers use compromised managed service providers (MSPs) to access customer data.

Cloud Cryptomining: Attackers exploit misconfigured cloud resources to mine cryptocurrency (e.g., TeamTNT malware targeting AWS).

S3 Bucket Enumeration: Attackers list public buckets to find sensitive data.

Metadata Spoofing Attack: Manipulating cloud instance metadata to trick applications (e.g., AWS IMDS).

Tools and Commands

AWS CLI: aws s3 ls to list buckets, aws s3 ls s3://bucket-name to list the objects in one bucket; aws configure to set credentials.

Azure CLI: az storage blob list --account-name mystorage --container-name mycontainer

Google Cloud SDK: gcloud compute instances list

Cloud security scanners: Prowler (AWS CIS benchmark), ScoutSuite (multi-cloud).

Standards and Frameworks

CSA STAR: Cloud Security Alliance's Security, Trust, Assurance, and Risk registry.

FedRAMP: US government cloud authorization.

ISO 27017: Cloud-specific security controls.

PCI DSS: For cloud payment processing.

Exam Focus

SY0-701 tests your ability to apply cloud security concepts in scenarios. You must differentiate between service models, deployment models, and understand the shared responsibility model. Common wrong answers: confusing IaaS with PaaS, assuming the provider secures everything, or thinking private cloud is always more secure. Remember: Security is not just about technology but also processes and policies.

Walk-Through

1. Identify Cloud Deployment Model

First, determine if the environment is public, private, hybrid, or community cloud. This sets the baseline for security responsibilities. For example, if the scenario mentions multi-tenant infrastructure, it's likely public cloud. If it mentions dedicated hardware, it's private cloud. Hybrid cloud will have connectivity between on-premises and cloud. Community cloud is shared among organizations with similar compliance needs. This step is crucial because the deployment model affects how data is isolated and who has access to physical infrastructure.

2. Determine Service Model

Next, identify whether the service is IaaS, PaaS, or SaaS. Look for clues: if the scenario involves managing virtual machines, it's IaaS. If it involves deploying code without managing servers, it's PaaS. If it's a full application like email or CRM, it's SaaS. The service model defines the boundary of the shared responsibility model. For instance, in IaaS, you are responsible for patching the OS; in PaaS, the provider patches the OS but you patch the application; in SaaS, the provider patches everything.

3. Map Shared Responsibilities

Based on the service model, map out which security controls are the provider's responsibility and which are the customer's. Use the shared responsibility model as a guide. For IaaS, the provider handles physical security, network infrastructure, and hypervisor. The customer handles OS, applications, data, network ACLs, and identity. For PaaS, the provider handles the runtime, middleware, and OS; the customer handles application code and data. For SaaS, the provider handles the entire stack except data and user access. This mapping helps identify gaps.

4. Identify Threats and Vulnerabilities

Analyze the scenario for common cloud threats: misconfiguration, insecure APIs, data breaches, account hijacking, insider threats, and shadow IT. Look for indicators like overly permissive permissions, lack of encryption, missing logging, or weak authentication. For example, if the scenario mentions an S3 bucket that is publicly accessible, that's a misconfiguration. If it mentions API keys hardcoded in code, that's an insecure API. This step requires knowledge of cloud-specific attack vectors.

5. Select and Implement Controls

Choose appropriate security controls to mitigate the identified threats. For misconfiguration, use cloud security posture management (CSPM) tools and automated compliance checks. For insecure APIs, enforce strong authentication (OAuth 2.0, MFA) and API gateways. For data breaches, encrypt data at rest and in transit, and implement DLP. For account hijacking, enable MFA and monitor for anomalous logins. For insider threats, implement least privilege and user behavior analytics (UEBA). For shadow IT, deploy a CASB. This step requires matching controls to threats.

What This Looks Like on the Job

Scenario 1: Misconfigured S3 Bucket Leads to Data Breach

A security analyst at a mid-size e-commerce company notices unusual network traffic from an AWS S3 bucket. Upon investigation, they find that the bucket containing customer PII (names, addresses, credit card numbers) is publicly accessible due to a misconfigured bucket policy. The analyst uses AWS CloudTrail to trace the access logs and discovers that an automated scanner from a malicious IP had enumerated the bucket and downloaded 10 GB of data. The correct response: immediately block public access, rotate any exposed keys, notify affected customers, and report the incident. Common mistake: assuming the bucket is private because it's in a VPC. In reality, S3 bucket policies are separate from VPC settings. The analyst should have used AWS Trusted Advisor or a CSPM tool like Prisma Cloud to detect the misconfiguration proactively.
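Scenario 1 turns on what the analyst reads out of CloudTrail. As an added example, not code from the page, here is detection logic run over constructed CloudTrail-style S3 data event records: it groups events on the bucket by source IP, notes whether requests were anonymous, whether a bucket listing preceded object downloads, and how many bytes left. The record fields are assumptions modelled on CloudTrail S3 data events (eventName, sourceIPAddress, userIdentity, requestParameters.bucketName, additionalEventData.bytesTransferredOut); the external IP is an RFC 5737 documentation address, the account id is made up, and no record comes from a real trail.

```python
"""Detect anonymous bulk downloads from an S3 bucket in CloudTrail-style records.

Added example, not the page's code. The records are constructed to mimic the
fields of CloudTrail S3 data events; they are not from a real trail, and the
external IP is an RFC 5737 documentation address.
"""
import json
from collections import defaultdict

GIB = 1024 ** 3


def _event(time, name, ip, identity, bucket, bytes_out=0):
    """Build one constructed CloudTrail-like record."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": identity, "requestParameters": {"bucketName": bucket},
            "additionalEventData": {"bytesTransferredOut": bytes_out}}


ANON = {"type": "AWSAccount", "principalId": "", "accountId": "anonymous"}
ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/order-svc/i-0abc"}

# Constructed trail, one JSON record per line, deliberately not in time order.
SAMPLE_TRAIL = "\n".join(json.dumps(e) for e in [
    _event("2024-03-02T01:12:30Z", "GetObject", "203.0.113.45", ANON, "customer-exports", 4 * GIB),
    _event("2024-03-02T01:10:04Z", "ListObjects", "203.0.113.45", ANON, "customer-exports", 4096),
    _event("2024-03-02T01:11:11Z", "GetObject", "203.0.113.45", ANON, "customer-exports", 4 * GIB),
    _event("2024-03-02T01:13:58Z", "GetObject", "203.0.113.45", ANON, "customer-exports", 2 * GIB),
    _event("2024-03-02T01:05:00Z", "GetObject", "10.0.1.25", ROLE, "customer-exports", 20480),
    _event("2024-03-02T01:06:00Z", "PutObject", "10.0.1.25", ROLE, "app-logs", 0),
])


def parse_trail(text):
    """One JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_anonymous(record):
    """In these records (as in CloudTrail) unauthenticated S3 requests carry accountId 'anonymous'."""
    return record.get("userIdentity", {}).get("accountId") == "anonymous"


def detect_bulk_access(records, bucket, byte_threshold=GIB):
    """Group events on `bucket` by source IP and return the IPs that warrant an alert."""
    per_ip = defaultdict(lambda: {"anonymous": False, "listed_at": None, "first_get_at": None,
                                  "objects": 0, "bytes_out": 0, "first": None, "last": None})
    for rec in sorted(records, key=lambda r: r["eventTime"]):   # ISO-8601 'Z' times sort as text
        if rec.get("requestParameters", {}).get("bucketName") != bucket:
            continue
        s = per_ip[rec["sourceIPAddress"]]
        s["first"] = s["first"] or rec["eventTime"]
        s["last"] = rec["eventTime"]
        s["anonymous"] = s["anonymous"] or is_anonymous(rec)
        if rec["eventName"].startswith("ListObjects"):
            s["listed_at"] = s["listed_at"] or rec["eventTime"]
        elif rec["eventName"] == "GetObject":
            s["first_get_at"] = s["first_get_at"] or rec["eventTime"]
            s["objects"] += 1
            s["bytes_out"] += rec.get("additionalEventData", {}).get("bytesTransferredOut", 0)
    alerts = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["anonymous"]:
            reasons.append("unauthenticated requests succeeded (bucket is reachable anonymously)")
        if s["listed_at"] and s["first_get_at"] and s["listed_at"] <= s["first_get_at"]:
            reasons.append("bucket listing followed by %d object downloads" % s["objects"])
        if s["bytes_out"] >= byte_threshold:
            reasons.append("%.1f GiB transferred out between %s and %s"
                           % (s["bytes_out"] / GIB, s["first"], s["last"]))
        if reasons:
            alerts[ip] = dict(s, reasons=reasons)
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bulk_access(parse_trail(SAMPLE_TRAIL), "customer-exports").items():
        print(ip, "->", "; ".join(alert["reasons"]))
```

The same three signals (anonymous principal, list-then-get, egress volume) are what a SIEM rule over CloudTrail would key on; the legitimate role session from the internal address trips none of them. Any anonymous success on a bucket holding PII is itself the misconfiguration finding, before volume is even considered.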

Scenario 2: Insider Threat in a PaaS Environment

A developer at a financial institution pushes code to a PaaS environment (Azure App Service) that contains hardcoded database credentials. Another employee with access to the source code repository steals the credentials and accesses the production database, exfiltrating financial records. The security team detects the exfiltration via Azure Monitor alerts showing unusual data transfer. The correct response: revoke the compromised credentials, rotate the database password, implement credential scanning in CI/CD pipelines, enforce code reviews, and limit access to production secrets using Azure Key Vault. Common mistake: focusing only on network security (e.g., firewalls) while ignoring application-level secrets management. The shared responsibility model in PaaS places application security on the customer.
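Scenario 2's remedy includes credential scanning in the CI/CD pipeline. As an added example, not the page's code and not any vendor's scanner, the script below shows what such a gate does: regex rules for an AWS access key id, a password inside a connection string, an Azure storage account key and a PEM private-key header, a placeholder filter so that ${VAR} and Key Vault references do not trip it, redaction of anything it finds, and a non-zero exit status to block the merge. The sample source is constructed; the access key in it is AWS's documented example key, not a live credential, and the host and vault names are made up.

```python
"""Pre-commit / CI secret scan for hardcoded credentials in source and config files.

Added example, not the page's code and not any particular vendor's scanner. The
sample source is constructed; the access key in it is AWS's documented example key
(AKIAIOSFODNN7EXAMPLE), not a live credential.
"""
import re
import sys

# Each rule: name, compiled regex whose group 1 is the secret value to redact.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("connection-string-password", re.compile(r"(?i)\b(?:password|pwd)\s*=\s*([^;\s'\"]+)")),
    ("azure-storage-account-key", re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})")),
    ("private-key-block", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
]
# Values that are placeholders or references to a secrets store, not real secrets.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|<.*>|%.*%|@Microsoft\.KeyVault\(.*\)|\*{3,}|xxx+)$", re.I)


def redact(secret):
    """Keep a short prefix so the finding is recognisable without re-exposing the value."""
    return secret[:4] + "*" * max(len(secret) - 4, 4)


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, rule, redacted_value) for every match that is not a placeholder."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for match in pattern.finditer(line):
                value = match.group(1)
                if PLACEHOLDER.match(value):
                    continue
                findings.append((path, line_no, rule, redact(value)))
    return findings


def ci_gate(findings):
    """Exit status for a pipeline step: non-zero blocks the merge."""
    return 1 if findings else 0


# Constructed sample file: two committed secrets, then the safe way to do the same thing.
SAMPLE_SOURCE = '''\
import os
# Hardcoded, committed by mistake (constructed sample; AWS documentation example key)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
CONN = "Server=ledger-db.internal;Database=ledger;User Id=app;Password=Hunter2!;"
# Safe: resolved from the environment or a Key Vault reference at deploy time
SAFE_CONN = "Server=ledger-db.internal;Database=ledger;User Id=app;Password=${DB_PASSWORD};"
KV_REF = "@Microsoft.KeyVault(SecretUri=https://ledger-kv.vault.azure.net/secrets/db-password/)"
TOKEN = os.environ["API_TOKEN"]
'''

if __name__ == "__main__":
    results = scan_text(SAMPLE_SOURCE, "app/settings.py")
    for path, line_no, rule, shown in results:
        print(f"{path}:{line_no}: {rule}: {shown}")
    sys.exit(ci_gate(results))
```

Run against the sample it reports lines 3 and 4 and exits 1, while the environment and Key Vault forms on lines 6 and 7 pass. A real gate would walk the changed files of the commit and be paired with the second half of the fix: moving the secret into Key Vault and rotating it, since a credential that has ever been committed must be treated as exposed.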

Scenario 3: DDoS Attack on a Public Cloud Application

A SaaS provider (Office 365) experiences a massive DDoS attack targeting its authentication endpoint. The provider's infrastructure automatically scales to absorb the traffic, but some legitimate users experience latency. The security operations center (SOC) monitors the attack using Azure DDoS Protection and Azure Sentinel. The correct response: enable DDoS mitigation policies, block malicious IPs via Web Application Firewall (WAF), and communicate with affected customers. Common mistake: assuming the customer must handle DDoS themselves. In SaaS, the provider is responsible for network security, including DDoS mitigation. However, the customer should have a business continuity plan for service disruption.

How SY0-701 Actually Tests This

What SY0-701 Tests

Objective 3.6 focuses on cloud security concepts. The exam expects you to:

Differentiate between public, private, hybrid, and community cloud deployment models.

Differentiate between IaaS, PaaS, and SaaS service models.

Explain the shared responsibility model and identify which party is responsible for specific security controls.

Identify cloud-specific threats (misconfiguration, insecure APIs, account hijacking, etc.).

Recommend appropriate security controls (IAM, encryption, logging, CASB, etc.).

Common Wrong Answers

1. "The cloud provider is responsible for all security." Candidates think that because the provider manages the infrastructure, they also secure the customer's data. Reality: The customer is always responsible for data and access.

2. "Private cloud is always more secure than public cloud." While private cloud offers more control, it can be less secure if not properly managed. Public cloud providers invest heavily in security.

3. "SaaS requires the customer to patch the application." No, the provider patches the application in SaaS. The customer only manages data and user access.

4. "Hybrid cloud is just a mix of public and private." The key is the integration and data transfer between them, which introduces complexity.

Specific Terms and Values

NIST SP 800-145: Defines cloud computing.

SPI model: SaaS, PaaS, IaaS.

Shared Responsibility Model: Provider secures OF the cloud; customer secures IN the cloud.

CASB: Cloud Access Security Broker.

CSPM: Cloud Security Posture Management.

IAM: Identity and Access Management.

MFA: Multi-Factor Authentication.

RBAC: Role-Based Access Control.

TLS 1.2+: Transport Layer Security for data in transit.

AES-256: Encryption standard for data at rest.

Common Trick Questions

"Which service model gives the customer the most control?" Answer: IaaS (full control over OS, apps, data).

"Which deployment model is used by multiple organizations with common concerns?" Answer: Community cloud.

"Who is responsible for patching the OS in PaaS?" Answer: The provider.

"What is the primary cause of cloud data breaches?" Answer: Misconfiguration.

Decision Rule for Eliminating Wrong Answers

When faced with a scenario question about cloud security responsibility, ask: "Is this control related to physical infrastructure, hypervisor, or network backbone?" If yes, it's the provider's responsibility. If it's related to data, identity, or application configuration, it's the customer's responsibility. For service models, remember: IaaS = customer manages OS; PaaS = customer manages app; SaaS = customer manages data only.

Key Takeaways

Cloud deployment models: public, private, hybrid, community.

Cloud service models: IaaS, PaaS, SaaS (SPI model).

Shared responsibility: provider secures OF the cloud; customer secures IN the cloud.

Misconfiguration is the leading cause of cloud breaches.

Use IAM with least privilege, MFA, and RBAC.

Encrypt data at rest (AES-256) and in transit (TLS 1.2+).

Monitor cloud environments with logging (CloudTrail) and SIEM.

Deploy CASB for visibility and control over shadow IT.

Secure APIs with strong authentication and rate limiting.

Apply CIS benchmarks and use CSPM tools for compliance.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

IaaS (Infrastructure as a Service)

Customer manages OS, applications, and data.

Provider manages physical infrastructure, hypervisor, and network.

Example: Amazon EC2, Google Compute Engine.

More customer control and responsibility.

Suitable for lift-and-shift migrations.

SaaS (Software as a Service)

Provider manages entire application stack.

Customer manages only data and user access.

Example: Salesforce, Office 365.

Less customer control but easier to use.

Suitable for end-user productivity.

Watch Out for These

Mistake: The cloud provider is responsible for all security.

Correct: The provider is responsible for security OF the cloud (physical, hypervisor, network). The customer is responsible for security IN the cloud (data, identity, access, OS). The exact split depends on the service model.

Mistake: Private cloud is always more secure than public cloud.

Correct: Private cloud can be more secure if properly managed, but it also requires the organization to handle all security controls. Public cloud providers have dedicated security teams and advanced tools that many organizations lack.

Mistake: SaaS means the customer has no security responsibilities.

Correct: The customer is still responsible for managing user access, data classification, and compliance. For example, in Office 365, the customer must configure MFA and DLP policies.

Mistake: Hybrid cloud is just a mix of public and private cloud.

Correct: Hybrid cloud involves integration and orchestration between environments, which introduces additional security challenges such as data transfer security, consistent policies, and identity federation.

Mistake: Cloud security is the same as on-premises security.

Correct: Cloud security differs due to shared responsibility, multi-tenancy, dynamic environments, and API-driven management. Traditional perimeter-based security is less effective; identity and data-centric security become paramount.

Frequently Asked Questions

What is the shared responsibility model in cloud computing?

The shared responsibility model defines the security obligations of the cloud provider and the customer. The provider is responsible for the security OF the cloud, meaning physical infrastructure, hypervisor, and network. The customer is responsible for security IN the cloud, including data, identity, access, and OS configuration. The exact split depends on the service model (IaaS, PaaS, SaaS). For example, in IaaS, the customer manages the OS and applications; in SaaS, the customer only manages data and user access. This model is critical for the Security+ exam.

What are the differences between IaaS, PaaS, and SaaS?

IaaS provides virtualized computing resources (VMs, storage) where the customer manages the OS, applications, and data. PaaS provides a platform for developing and deploying applications where the customer manages only the application code and data. SaaS provides a complete application where the customer manages only data and user access. The level of customer control and responsibility decreases from IaaS to SaaS. The exam tests your ability to identify which service model fits a given scenario.

What is a CASB and why is it used?

A Cloud Access Security Broker (CASB) is a security policy enforcement point placed between cloud service consumers and cloud providers. It provides visibility into cloud usage, data loss prevention (DLP), threat protection, and compliance monitoring. CASBs help detect shadow IT, enforce encryption, and block risky applications. For example, Microsoft Cloud App Security can alert when a user accesses a sanctioned cloud app from an unusual location. The exam may ask about CASB as a control for shadow IT.

What is the biggest cloud security threat according to the exam?

Misconfiguration is highlighted as the primary cause of cloud data breaches. Examples include leaving S3 buckets public, overly permissive security groups, and unencrypted databases. The exam expects you to recommend controls like cloud security posture management (CSPM) tools, automated compliance checks, and regular audits. Other major threats include insecure APIs, account hijacking, and insider threats.

How does encryption work in the cloud?

Cloud encryption protects data at rest (stored data) and in transit (data moving between systems). For data at rest, use AES-256 encryption managed by the provider (server-side encryption) or customer-managed keys (CMKs) via a key management service (KMS). For data in transit, use TLS 1.2 or higher. The exam emphasizes that the customer should enable encryption and manage keys appropriately. Also, consider encryption for backups and snapshots.

What is the difference between public and private cloud?

Public cloud resources are owned and operated by a third-party provider and shared across multiple tenants over the internet. Private cloud resources are used exclusively by one organization, either on-premises or hosted. Public cloud offers scalability and cost efficiency but less control; private cloud offers full control but higher cost. Security-wise, public cloud relies on the provider's security measures, while private cloud requires the organization to implement all controls. The exam may ask which deployment model suits specific compliance needs.

What is a VM escape attack?

A VM escape attack occurs when an attacker breaks out of a virtual machine to access the hypervisor or other VMs. This is a critical virtualization security threat. The hypervisor must be hardened and patched. For example, CVE-2019-5544 affected VMware ESXi. The exam expects you to know that VM escape can compromise the entire cloud infrastructure. Mitigations include hypervisor isolation, regular patching, and disabling unnecessary features.
