Cloud Architecture Security
Security considerations for cloud deployments including the shared responsibility model, hybrid and multi-cloud considerations, service models (IaaS, PaaS, SaaS), and third-party vendor risk management.
Understanding Cloud Architecture Security
Cloud architecture security addresses the unique challenges of protecting data and workloads in cloud environments. Understanding who is responsible for what security controls is fundamental to cloud security.
Key cloud security concepts:
- Shared responsibility: provider and customer split security duties
- Service models: IaaS, PaaS, and SaaS have different security implications
- Deployment models: public, private, hybrid, multi-cloud
- Vendor management: third-party risk from cloud providers
The 2019 Capital One breach exposed 100 million customer records due to a misconfigured WAF in AWS—a textbook shared responsibility failure where the customer misconfigured their security controls on properly functioning cloud infrastructure.
Cloud doesn't eliminate security responsibility—it changes who is responsible for what.
Why This Matters for the Exam
Cloud architecture security is heavily tested on SY0-701 as cloud adoption is ubiquitous. Questions cover the shared responsibility model, service model differences, and cloud-specific security controls.
Understanding cloud security helps with architecture decisions, risk assessment, and compliance. Misunderstanding responsibilities leads to security gaps.
The exam tests both conceptual understanding and practical knowledge of securing cloud workloads.
Deep Dive
Who Is Responsible for Security in IaaS vs PaaS vs SaaS?
The shared responsibility model is the fundamental concept of cloud security—defining who secures what.
Responsibility Division by Service Model:
| Layer | IaaS | PaaS | SaaS |
|---|---|---|---|
| Data | Customer | Customer | Customer |
| Applications | Customer | Customer | Provider |
| Runtime | Customer | Provider | Provider |
| OS | Customer | Provider | Provider |
| Virtualization | Provider | Provider | Provider |
| Network | Provider | Provider | Provider |
| Physical | Provider | Provider | Provider |
Key Principle:
- Provider secures the cloud (infrastructure)
- Customer secures what's IN the cloud (data, config, access)
What Is the Customer Always Responsible For?
Regardless of service model, customers must always secure:
- Data classification and protection
- Identity and access management
- Application-level security
- Client-side encryption
- Network traffic protection
- Security configuration
How Do IaaS, PaaS, and SaaS Security Differ?
Infrastructure as a Service (IaaS):
- Customer gets: virtual machines, storage, networks
- Customer manages: OS, applications, data, security configuration
- Provider manages: physical infrastructure, hypervisor
- Most customer responsibility
- Examples: AWS EC2, Azure VMs, GCP Compute
Platform as a Service (PaaS):
- Customer gets: development platform, runtime
- Customer manages: applications, data
- Provider manages: OS, runtime, infrastructure
- Responsibility split between customer and provider
- Examples: AWS Elastic Beanstalk, Azure App Service, Heroku
Software as a Service (SaaS):
- Customer gets: complete application
- Customer manages: data, user access, configuration
- Provider manages: everything else
- Least customer responsibility
- Examples: Microsoft 365, Salesforce, Google Workspace
What Is the Difference Between Hybrid Cloud and Multi-Cloud?
Public Cloud:
- Shared infrastructure, multiple tenants
- Cost-effective, scalable
- Security concerns: multi-tenancy, shared resources
- Trust in the provider is essential
Private Cloud:
- Dedicated infrastructure
- More control, higher cost
- Can be on-premises or hosted
- Better for sensitive or regulated data
Hybrid Cloud:
- Combination of public and private
- Flexibility in data and workload placement
- Complexity of securing both environments
- Secure connectivity between environments is required
Multi-Cloud:
- Multiple cloud providers
- Avoids vendor lock-in
- Increased complexity
- Consistent security across providers is challenging
Hybrid/Multi-Cloud Security Challenges:
| Challenge | Security Implication |
|---|---|
| Connectivity | Secure links between clouds |
| Identity | Consistent IAM across environments |
| Data movement | Encryption in transit |
| Visibility | Unified monitoring |
| Compliance | Consistent controls everywhere |
How Do You Assess Third-Party Cloud Provider Risk?
Cloud Provider Risks:
- Data breaches at the provider
- Service outages
- Provider employee access
- Compliance gaps
- Vendor lock-in
Vendor Assessment:
- SOC 2 Type II reports
- ISO 27001 certification
- Penetration test results
- Compliance certifications (HIPAA, PCI)
- Data residency controls
Contract Considerations:
- Data ownership clauses
- Breach notification requirements
- Right to audit
- Exit/portability provisions
- SLA terms and remedies
Cloud Security Controls
Identity and Access Management:
- Cloud IAM services
- Federated identity
- Least privilege
- MFA enforcement
- Service account security
Data Protection:
- Encryption at rest (provider- or customer-managed keys)
- Encryption in transit (TLS)
- Key management (HSM, KMS)
- Data loss prevention
Network Security:
- Virtual networks (VPC/VNet)
- Security groups
- Network ACLs
- Private endpoints
- DDoS protection
How CompTIA Tests This
Example Analysis
Scenario: A company runs a web application on AWS EC2 instances. A breach occurs because the EC2 instances were running unpatched operating systems with default configurations, and S3 buckets were publicly accessible.
Analysis - Shared Responsibility Failures:
Who Is Responsible:
| Component | Responsibility | Who Failed |
|---|---|---|
| Physical security | AWS | N/A |
| Hypervisor | AWS | N/A |
| Guest OS patches | Customer | Customer |
| OS configuration | Customer | Customer |
| S3 bucket permissions | Customer | Customer |
AWS Responsibility (Met):
- Physical data center security
- Hypervisor security
- Network infrastructure
- S3 service availability
Customer Responsibility (Failed):
- OS patching → Unpatched vulnerabilities
- OS hardening → Default configurations
- S3 configuration → Public access enabled
- Security monitoring → Issues not detected
Lessons:
1. IaaS = Customer manages OS security
2. Storage configuration is ALWAYS customer responsibility
3. "In the cloud" doesn't mean "secured by the cloud"
4. Cloud Security Posture Management (CSPM) tools can detect misconfigurations
Key insight: The shared responsibility model means cloud providers secure infrastructure, but customers are responsible for configuring services securely. This breach was entirely preventable with proper customer-side controls.
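The S3 finding in the scenario above is the kind of check a CSPM tool automates. The following is an added illustration, not code from the page or from any vendor: it evaluates a constructed bucket policy for unconditional wildcard-principal grants and combines that with the bucket's Public Access Block setting (the real `RestrictPublicBuckets` key) to produce a pass/fail result. The policies and role ARN are made-up sample data.

```python
import json

# Constructed sample bucket policy: an Allow statement with Principal "*"
# grants anonymous read, the misconfiguration described in the scenario.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
    ]
})

# Constructed hardened counterpart: access limited to one application role.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
    ]
})


def is_wildcard_principal(principal):
    """True when a statement's Principal grants access to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json):
    """Sids of Allow statements usable by any principal.
    Conservative: a Condition block is not evaluated, so conditional
    wildcard grants are still reported for human review."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    return [s.get("Sid", "<no sid>") for s in statements
            if s.get("Effect") == "Allow" and is_wildcard_principal(s.get("Principal"))]


def assess_bucket(policy_json, public_access_block):
    """CSPM-style verdict: FAIL when the policy has a public Allow and the
    Public Access Block (dict of the S3 PublicAccessBlockConfiguration keys)
    does not restrict it; otherwise PASS. Returns (verdict, flagged sids)."""
    findings = public_statements(policy_json)
    restricted = public_access_block.get("RestrictPublicBuckets", False)
    return ("FAIL" if findings and not restricted else "PASS", findings)
```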
Memory Trick
Think of cloud security like renting an apartment:
IaaS = You rent an empty unit. You bring furniture (apps), clean the floors (patch OS), and lock your own door (security). Landlord only maintains the building structure.
PaaS = You rent a furnished apartment. Furniture included (runtime), but you still lock your door and protect your valuables (data/apps).
SaaS = You stay at a hotel. Everything is managed for you—but you still lock the safe for your passport (data) and don't give out your room key (access).
The universal rule: No matter where you stay, YOUR STUFF is YOUR responsibility.
For the exam:
- "Who patches the OS?" → IaaS = You. PaaS/SaaS = Provider.
- "Who secures the data?" → ALWAYS you, no matter what.
- "Who handles physical security?" → ALWAYS provider.
Test Your Knowledge
Q1. A company using AWS EC2 (IaaS) discovers their virtual machines have unpatched vulnerabilities. Who is responsible for patching these VMs?
Q2. Which cloud service model places the MOST security responsibility on the customer?
Q3. An organization uses multiple cloud providers to avoid vendor lock-in. What is this deployment model called?