Cloud Security Architecture: Layers, Models, and Practices
#cloud#security#architecture#compliance
Cloud security is not a product you buy -- it is an architecture you build. Understanding the shared responsibility model, defense-in-depth layers, and identity-centric security is fundamental to any cloud deployment.
The Shared Responsibility Model
The boundary between provider and customer responsibility varies by service type:
| Layer | IaaS | PaaS | SaaS |
|---|---|---|---|
| Physical security | Provider | Provider | Provider |
| Network infrastructure | Provider | Provider | Provider |
| Hypervisor / host OS | Provider | Provider | Provider |
| Guest OS | Customer | Provider | Provider |
| Runtime / middleware | Customer | Provider | Provider |
| Application | Customer | Customer | Provider |
| Data | Customer | Customer | Customer |
| Identity & access | Customer | Customer | Customer |
| Client-side encryption | Customer | Customer | Customer |
Key insight: data and identity are always your responsibility, regardless of service model.
Network Security
VPC Architecture
- Public subnets -- only for internet-facing load balancers, NAT gateways and, if you still run them, bastion hosts; prefer the provider's brokered access (e.g. AWS Systems Manager Session Manager) over an SSH bastion with a public IP
- Private subnets -- application servers, databases, internal services; outbound-only internet access via NAT, no inbound route from the internet
- Isolated subnets -- no route to the internet in either direction (no internet gateway, no NAT); for databases and sensitive data processing, reached only from private subnets and via VPC endpoints
- VPC endpoints -- reach provider services (object storage, KMS, secret stores) over the provider backbone without traversing the internet; attach an endpoint policy so the endpoint only reaches your own buckets and keys, which also blocks exfiltration to an attacker-owned bucket through the same endpoint
Security Controls
| Control | Purpose | Provider Examples |
|---|---|---|
| Security Groups | Instance/NIC-level firewall (stateful: return traffic is allowed automatically) | AWS SG, Azure NSG, GCP VPC firewall rules |
| Network ACLs | Subnet-level firewall (stateless: each direction needs its own rule) | AWS NACL (Azure NSGs and GCP firewall rules are stateful, so there is no direct equivalent) |
| WAF | Application-layer protection (injection, bots, rate limiting) | AWS WAF, Cloud Armor, Azure WAF |
| DDoS protection | Volumetric attack mitigation | AWS Shield, Cloud Armor, Azure DDoS Protection |
| Private Link | Private connectivity to services | AWS PrivateLink, GCP Private Service Connect, Azure Private Link |
Because NACLs are stateless, a rule allowing inbound 443 does nothing for the responses unless outbound ephemeral ports (1024-65535) are also allowed; that is why NACLs are usually kept coarse and the real filtering is done in security groups.
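As an added example (written for this page, not code from any provider or tool), the check below audits ingress rules for the single most common security-group mistake: a non-web port reachable from the whole internet. The rule model and the sample rules are constructed for illustration, not taken from a real account. It treats `/0`, and anything wider than `/8` (IPv6 `/16`), as "the internet", and only 80/443 as acceptable world-facing ports; both thresholds are assumptions you would tune per environment.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Ports expected to be open to the internet on a public load balancer;
# anything else reachable from the world gets flagged.
INTERNET_FACING_OK = {80, 443}

# Ports whose exposure is always treated as high severity (admin, DB, cache).
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017, 9200}

# A prefix shorter than this is "effectively the whole internet": the pair
# 0.0.0.0/1 + 128.0.0.0/1 covers every IPv4 address without ever writing /0.
MIN_PUBLIC_PREFIX = {4: 8, 6: 16}


@dataclass(frozen=True)
class IngressRule:
    group: str
    protocol: str   # "tcp", "udp", or "-1" for all protocols
    from_port: int  # -1 means all ports
    to_port: int
    cidr: str


def is_world_reachable(cidr: str) -> bool:
    """True if the source block is /0 or so wide it amounts to the internet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen < MIN_PUBLIC_PREFIX[net.version]


def port_range(rule: IngressRule) -> tuple[int, int]:
    """Normalize the rule's ports; protocol -1 or port -1 means every port."""
    if rule.protocol == "-1" or rule.from_port == -1:
        return (0, 65535)
    return (rule.from_port, rule.to_port)


def audit_ingress(rules: list[IngressRule]) -> list[dict]:
    """Flag every rule that exposes a non-web port to the internet."""
    findings = []
    for rule in rules:
        if not is_world_reachable(rule.cidr):
            continue
        lo, hi = port_range(rule)
        exposed = set(range(lo, hi + 1)) - INTERNET_FACING_OK
        if not exposed:
            continue  # only 80/443 from the world: expected for a public LB
        high = bool(exposed & SENSITIVE_PORTS) or len(exposed) > 100
        findings.append({
            "group": rule.group, "cidr": rule.cidr, "protocol": rule.protocol,
            "ports": f"{lo}-{hi}" if lo != hi else str(lo),
            "severity": "HIGH" if high else "MEDIUM",
        })
    return findings


# Constructed sample rules (not exported from a real account).
SAMPLE_RULES = [
    IngressRule("web-alb", "tcp", 443, 443, "0.0.0.0/0"),     # fine: public LB
    IngressRule("web-alb", "tcp", 80, 80, "::/0"),            # fine: public LB
    IngressRule("bastion", "tcp", 22, 22, "0.0.0.0/0"),       # HIGH: SSH to the world
    IngressRule("app", "tcp", 8080, 8080, "10.0.0.0/16"),     # internal only
    IngressRule("db", "tcp", 5432, 5432, "10.0.0.0/8"),       # internal only
    IngressRule("cache", "tcp", 6379, 6379, "0.0.0.0/0"),     # HIGH: Redis to the world
    IngressRule("legacy", "-1", -1, -1, "0.0.0.0/1"),         # HIGH: half the internet, all ports
    IngressRule("api-beta", "tcp", 8443, 8443, "0.0.0.0/0"),  # MEDIUM: non-standard web port
]

if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_RULES):
        print(f"{f['severity']:6} {f['group']:10} {f['protocol']}/{f['ports']} from {f['cidr']}")
```

To run it against real data, translate each `describe-security-groups` or firewall-rule listing into one `IngressRule` per CIDR per rule. The allowed world-facing ports are deliberately a single constant; in practice that list is a per-group policy decision (a public API gateway may legitimately expose 8443), which is exactly the kind of exception a CSPM tool lets you record rather than silence.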
Identity and Access Management
IAM is the most critical security layer in the cloud: a leaked key or an over-permissive role bypasses every network control, and identity misconfiguration or credential leakage appears in most cloud breach post-mortems.
Core principles:
- Least privilege -- grant only the permissions the task needs, scoped to specific resources and conditions; review and remove permissions that are never exercised (access-analysis tooling reports which granted actions a principal actually used)
- No long-lived credentials -- use IAM roles, instance or pod identity, and OIDC federation for CI pipelines instead of static access keys; any static key that cannot be eliminated is rotated and tightly scoped
- MFA everywhere -- enforce multi-factor authentication for all human users, phishing-resistant (FIDO2/WebAuthn) for administrators
- Federation -- centralize identity with SSO (Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace) so onboarding and offboarding happen in one place
- Service accounts -- one identity per service with its own permission set and no credentials shared between services, so a compromise is contained and audit logs attribute each action to a single workload
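To make "least privilege" checkable rather than aspirational, here is an added example (written for this page, not a tool from AWS or any vendor) that lints an IAM policy document for the patterns that most often violate it: `Action: *`, service-wide `service:*`, `NotAction`/`NotResource`, privilege-escalation actions such as `iam:PassRole` on `Resource: *` with no `Condition`, and a public `Principal` in a trust or resource policy. Both sample policies are constructed; the account ID is the usual 12-digit placeholder, and the list of escalation actions is an assumed starting set, not an exhaustive one.

```python
from __future__ import annotations

import json

# Actions that, granted on Resource "*" without a Condition, give a principal a
# route to broader privileges (pass any role, rewrite any policy, mint keys).
# Assumed starting set; real deployments extend it.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy",
    "iam:PutUserPolicy", "iam:UpdateAssumeRolePolicy", "iam:CreateAccessKey",
    "sts:AssumeRole",
}


def _as_list(value) -> list:
    """IAM allows Action/Resource/Principal to be a string or a list; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone with an AWS account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _finding(sid: str, severity: str, issue: str) -> dict:
    return {"sid": sid, "severity": severity, "issue": issue}


def lint_policy(document: str) -> list[dict]:
    """Return least-privilege findings for the Allow statements in a policy JSON."""
    policy = json.loads(document)
    findings: list[dict] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        any_resource = "*" in _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        if "NotAction" in stmt:
            findings.append(_finding(sid, "HIGH", "NotAction allows every action except those listed; enumerate Actions instead"))
        if "NotResource" in stmt:
            findings.append(_finding(sid, "HIGH", "NotResource allows every resource except those listed; enumerate Resources instead"))
        if "Principal" in stmt and _principal_is_public(stmt["Principal"]) and not conditioned:
            findings.append(_finding(sid, "CRITICAL", "Principal '*' with no Condition makes this trust/resource policy public"))
        for action in actions:
            if action == "*":
                findings.append(_finding(sid, "CRITICAL" if any_resource else "HIGH", "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append(_finding(sid, "HIGH" if any_resource else "MEDIUM", f"{action} grants the whole service; list the calls actually used"))
            elif action in ESCALATION_ACTIONS and any_resource and not conditioned:
                findings.append(_finding(sid, "HIGH", f"{action} on Resource '*' without a Condition is a privilege-escalation path"))
    return findings


# Constructed sample identity policy; 123456789012 is the placeholder account ID.
SAMPLE_IDENTITY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadAppBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]},
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllOfEC2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Sid": "PassTaskRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/app-task-role"},
    {"Sid": "DenyLogDeletion", "Effect": "Deny", "Action": "logs:DeleteLogGroup", "Resource": "*"}
  ]
}"""

# Constructed sample trust policy that lets any AWS principal assume the role.
SAMPLE_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]
}"""

if __name__ == "__main__":
    for doc in (SAMPLE_IDENTITY_POLICY, SAMPLE_TRUST_POLICY):
        for f in lint_policy(doc):
            print(f"{f['severity']:8} {f['sid']:16} {f['issue']}")
```

`PassTaskRole` produces no finding because the same action is scoped to one role ARN, which is the shape a least-privilege statement should have; `DenyLogDeletion` is skipped because a Deny can only remove access. The linter does not resolve wildcards inside ARNs or evaluate Condition keys, so treat a clean run as "no obvious violations", not as proof of least privilege.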
Identity Architecture
| Pattern | Description | Use Case |
|---|---|---|
| SSO + SAML/OIDC | Federate corporate identity to cloud | Human access |
| Workload Identity | Cloud-native identity for services | Service-to-service |
| Cross-account roles | Assume a role in another AWS account through its trust policy and sts:AssumeRole, instead of copying keys between accounts | Multi-account architectures |
| Just-in-time access | Temporary, approved, time-boxed elevation that expires automatically | Privileged operations, break-glass scenarios |
Encryption
At Rest
- Default encryption -- all major providers encrypt storage at rest with provider-managed keys by default; this protects against lost or reused disks, not against a principal that already holds read permission
- Customer-managed keys (CMK) -- you own the key in the provider's KMS (or import your own key material); the provider encrypts, and the key policy gives you a second, independently revocable access check plus a key-usage audit trail
- Client-side encryption -- encrypt before sending to the cloud, so the provider never sees plaintext or the key (highest control, but key management, rotation, and server-side search or indexing become your problem)
In Transit
- TLS everywhere -- enforce TLS 1.2+ (prefer 1.3) for every connection, including service-to-service traffic inside the VPC, and disable legacy cipher suites
- Mutual TLS (mTLS) -- both client and server present certificates; a service mesh (Istio, Linkerd) issues and rotates the workload certificates for you
- Certificate management -- use ACM (AWS), Certificate Manager (GCP), Azure Key Vault, or Let's Encrypt, with automated renewal so an expired certificate never becomes an outage
Security Posture Management
Continuously assess and remediate security configurations:
| Tool Category | Examples | What It Does |
|---|---|---|
| CSPM | Prisma Cloud, AWS Security Hub, Wiz | Detect misconfigurations across accounts |
| CWPP | Aqua, Sysdig, Falco | Runtime workload protection |
| CIEM | Ermetic (now Tenable Cloud Security), CloudKnox (now Microsoft Entra Permissions Management) | Find unused and over-privileged permissions |
| IaC scanning | Checkov (Bridgecrew), tfsec (now part of Trivy) | Catch misconfigurations in Terraform/CloudFormation before deployment |
| Secret scanning | GitGuardian, Trufflehog | Detect leaked credentials in code |
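As an added example of what the "secret scanning" row does under the hood (written for this page, not code from GitGuardian, Trufflehog or any other product), the scanner below combines the two techniques those tools rely on: fixed-shape regexes for credential formats that have a recognizable prefix, and a Shannon-entropy check on values assigned to secret-sounding names for credentials with no fixed shape. The sample lines are constructed; the AWS key pair in them is the one AWS uses in its own documentation, so it unlocks nothing. The 4.0 bits/character threshold and the set of name prefixes are assumptions.

```python
from __future__ import annotations

import math
import re
from collections import Counter

# Detectors for credential formats with a fixed, recognizable shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Secrets with no fixed shape (AWS secret access keys, random API tokens) are
# caught by finding assignments to secret-sounding names and measuring the
# randomness of the assigned value. No leading \b: "aws_secret_access_key" must match.
ASSIGNMENT = re.compile(
    r"(?i)(?:secret|password|passwd|token|api[_-]?key)[a-z0-9_]*\s*[:=]\s*[\"']?([^\s\"']{20,})"
)
# Bits per character (assumed cutoff): 40 random base64 characters land near 5,
# dictionary words and repeated placeholders near 3.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the string in bits per character."""
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep a short prefix so a finding is recognizable without re-leaking the value."""
    return secret[:6] + "..." if len(secret) > 6 else secret


def scan_lines(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (1-based line number, detector name, redacted match) for every hit."""
    hits: list[tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        matched = False
        for name, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                hits.append((lineno, name, redact(m.group(0))))
                matched = True
        if matched:
            continue  # a shaped detector already explains this line
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            hits.append((lineno, "high_entropy_secret", redact(m.group(1))))
    return hits


# Constructed sample of a committed config file. The AWS access key ID and
# secret key are AWS's own documentation examples, not live credentials.
SAMPLE_LINES = [
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    'db_password = "changeme-changeme-changeme"',
    'api_token = "ghp_0123456789abcdef0123456789abcdef0123"',
    "log_level = DEBUG",
    "-----BEGIN RSA PRIVATE KEY-----",
]

if __name__ == "__main__":
    for lineno, detector, preview in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: {detector} ({preview})")
```

Line 3 is the instructive miss: `changeme-changeme-changeme` is assigned to a password variable but scores under 3 bits/character, so the entropy detector correctly treats it as a placeholder rather than a leaked credential, while the AWS secret key on line 2, which has no prefix a regex could anchor on, scores above 4.6 and is caught. Running this in CI is only half the control: a hit must also trigger revocation of the credential, because rewriting git history does not un-leak a key that was already pushed.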
Compliance Frameworks
| Framework | Focus | Common In |
|---|---|---|
| SOC 2 | Security controls and processes | SaaS companies |
| ISO 27001 | Information security management | Enterprise |
| GDPR | Data protection (EU) | Any company handling EU data |
| HIPAA | Health information protection | Healthcare |
| PCI DSS | Payment card data | E-commerce, finance |