Chapter 13: Cloud Security
Cloud Security.
We’re now moving into the cloud-native world, where most modern apps, workloads, and even critical infrastructure live (especially in India in January 2026—think massive UPI backends on AWS/Azure, startups in Navi Mumbai/Airoli using GCP for ML, and enterprises hybrid with on-prem). Cloud isn’t “someone else’s computer”—it’s your responsibility too, and missteps here cause the biggest headlines (remember those open S3 buckets leaking Aadhaar-linked data or Azure misconfigs exposing voter rolls?).
Cloud security is about understanding what the provider handles vs. what you must secure—and then layering defenses for the unique threats that come with elasticity, shared infrastructure, and rapid change.
We’ll cover each topic in detail, with real 2026 examples (multi-cloud is standard now), analogies, and practical tips for Indian orgs under DPDP Act pressure.
1. Shared Responsibility Model (AWS, Azure, GCP)
The Shared Responsibility Model is the foundation: It divides security duties between the cloud provider (security of the cloud—physical infra, hypervisor) and you (security in the cloud—your data, configs, apps).
- AWS (Amazon Web Services) AWS handles: Physical security of data centers, hardware, host OS/hypervisor, global network, and managed services’ underlying platform (e.g., patching the underlying for Lambda, RDS). You handle: Guest OS patching (EC2), app security, data encryption, IAM policies, security groups/NACLs, configurations (e.g., S3 bucket public access off), code, and compliance for your workloads. 2026 nuance: For serverless (Lambda, Fargate), AWS does more (runtime patching); for EC2, you do OS + apps. New SOC 2 guidance (July 2025) emphasizes customer evidence for IAM/logging. Example: You run an EC2 instance → AWS secures the hypervisor; you patch Windows/Linux, configure firewall, encrypt EBS volumes.
- Azure (Microsoft) Microsoft handles: Physical infra, host OS/hypervisor, Azure platform (e.g., patching underlying for Azure VMs, App Service). You handle: Guest OS/apps, network configs (NSGs), identity (Entra ID), data classification/encryption, endpoint protection. Model varies by service: IaaS (VMs) = you manage OS/apps; PaaS (App Service) = Microsoft manages runtime; SaaS (Microsoft 365) = mostly Microsoft. AI services (Azure OpenAI) add unique shared duties (Microsoft secures model hosting; you secure prompts/data). Example: Azure VM → Microsoft secures fabric; you patch guest OS, configure NSGs, enable Defender for Cloud.
- GCP (Google Cloud) Google handles: Infra, hardware, host OS, hypervisor, and managed services’ platform. You handle: Guest OS/apps, IAM, VPC configs, data encryption, compliance. GCP twist: “Shared Fate” (beyond classic shared responsibility)—Google offers proactive help (e.g., Risk Protection Program, cyber-insurance integration, config guidance) to reduce your burden. Example: GKE (Kubernetes) → Google manages control plane; you secure nodes, pods, RBAC.
Quick comparison (2026 view):
| Provider | Provider Responsibility (“of the cloud”) | Customer Responsibility (“in the cloud”) | Key 2026 Note |
|---|---|---|---|
| AWS | Infra, hypervisor, physical, managed platform | Guest OS, apps, configs, IAM, data | Serverless shifts more to AWS |
| Azure | Infra, host, platform (esp. PaaS/AI) | Guest OS, apps, identity, network | AI workloads have extra model duties |
| GCP | Infra, host, platform | Guest OS, apps, IAM, configs | “Shared Fate” adds proactive Google help |
India tip: DPDP requires you (customer) to ensure encryption/access controls—providers give tools, but you configure them.
2. Cloud-Specific Threats (Misconfigurations, Insecure APIs)
Cloud threats differ from on-prem because of scale, ephemerality, and shared tenancy.
- Misconfigurations — Still #1 threat in 2026 (Gartner/INE reports: 60%+ orgs prioritize it; human error causes 82%+). Examples: Public S3 buckets (open storage), over-permissive IAM roles (admin everywhere), open security groups (port 22/3389 worldwide), disabled logging. 2026 India example: Startup leaves Azure Blob public → leaks customer PAN/Aadhaar → massive DPDP fine + fraud.
- Insecure APIs — APIs are the new perimeter (mobile apps, microservices call them). Threats: Weak auth (no OAuth/JWT validation), excessive data exposure, rate-limit bypass, injection (SQL/NoSQL via API). Example: Insecure REST API on AWS API Gateway → attacker exploits missing auth → reads all user data. GraphQL over-fetching worsens it.
Other rising: Identity abuse (over-permissioned roles), supply-chain (compromised deps in containers), insider threats, ransomware (encrypts cloud storage).
Defense basics: Least privilege, continuous scanning, automated remediation.
3. Identity in the Cloud (IAM Roles, Federation)
Cloud identity is ephemeral and massive—machines > humans.
- IAM Roles / Policies — Temporary creds for services (EC2 assumes role → gets temp keys). Best practice: Least privilege (IAM Access Analyzer finds over-permissions), no long-lived keys (use roles), rotate often. Example: EC2 role allows S3 read-only → good; full admin → bad (if compromised, attacker owns bucket).
- Federation — Use external IdP (Entra ID, Okta, Google) for SSO/federated access. Protocols: SAML/OIDC for web, AWS IAM Identity Center / Azure AD federation. Example: Employee logs in with corporate Google → federates to GCP → accesses console without GCP creds.
2026 trend: Passwordless + phishing-resistant (Passkeys), Conditional Access (location/device), Just-in-Time access.
4. Container & Kubernetes Security Basics
Containers/K8s add layers (images, pods, nodes).
Best practices (2026 – CNCF/OWASP/Kubernetes docs):
- Images: Scan for vulns (Trivy, Anchore), use minimal bases (distroless/Alpine), sign images (cosign), no root users (runAsNonRoot).
- Pods: Pod Security Standards (restricted policy), no privileged containers, drop capabilities, read-only root FS.
- RBAC: Least privilege, no cluster-admin bindings, use roles/bindings carefully.
- Network: Network Policies (Calico/Cilium) to segment pods.
- Runtime: Seccomp/AppArmor profiles, runtime security (Falco detects anomalies).
- Secrets: Use external managers (AWS Secrets Manager, HashiCorp Vault), not env vars in images.
- Cluster: Enable API server auth, audit logging, etcd encryption.
Example: Vulnerable image deploys → exploits to pod → lateral to node → cluster compromise. Fix: Image scanning in CI/CD + restricted PSS.
Tools: Trivy/Grype (scanning), Kyverno/OPA Gatekeeper (policy), Falco (runtime).
5. Cloud Security Posture Management (CSPM)
CSPM = Continuous monitoring/remediation of misconfigs/risks across cloud (inventory, compliance checks, auto-fix).
How it works (2026): Scans configs vs. benchmarks (CIS, PCI, DPDP), finds public buckets/over-perms, prioritizes by risk (attack path analysis), auto-remediates (e.g., make bucket private).
Top tools (2026 – Gartner/Peer reviews):
- Wiz (agentless, attack path, multi-cloud).
- Orca Security (CNAPP with CSPM).
- Microsoft Defender for Cloud (Azure + multi-cloud).
- Prisma Cloud (Palo Alto – strong in India).
- Lacework, Orca, Check Point CloudGuard, CrowdStrike Falcon Cloud Security.
Example: Wiz finds over-permissive IAM role + public bucket → shows attack path to data exfil → auto-quarantines or alerts for fix.
India relevance: Helps with DPDP compliance (continuous monitoring, breach prevention).
That’s Chapter 13—cloud is your new data center, so own your part of the shared model!
