Multi-Cloud Security Curriculum · Module 01
Cloud & Security Foundations
Foundational cloud concepts, shared responsibility, attack surface, and multi-cloud security challenges — ~60 min interview prep.
20
Interview Q&As
25
MCQ Questions
4
Simulations
8h
Module Duration
Topics Covered
| # | Topic | Type |
|---|---|---|
| 1 | Cloud Computing Models (IaaS, PaaS, SaaS) & NIST Characteristics | Reading |
| 2 | Cloud vs On-Prem Security Differences | Reading |
| 3 | Cloud Attack Surface & Threat Landscape | Reading |
| 4 | Introduction to Multi-Cloud Strategy | Reading |
| 5 | Basics of IAM, Network, Encryption | Reading |
| 6 | Interview Q&A (20 questions) | Q&A |
| 7 | MCQ Quiz (25 questions) | Quiz |
| 8 | 4 Interactive Simulations | Simulation |
💡 Resources: CSA Cloud Security Guidance v4 · CIS Cloud Benchmarks · AWS/Azure/GCP Well-Architected Frameworks
Core Concepts · ~10 min
Cloud & Security Foundations
NIST Cloud Definition — 5 Essential Characteristics
| Characteristic | Description | Security Implication |
|---|---|---|
| On-demand self-service | Users provision resources without human interaction | No approval gates — easy to spin up insecure resources |
| Broad network access | Services accessible over internet from any device | Larger attack surface vs private DC |
| Resource pooling | Resources shared across multiple tenants | Tenant isolation failures; noisy-neighbour risk |
| Rapid elasticity | Scale up/down instantly | Ephemeral resources hard to inventory and monitor |
| Measured service | Usage metered and billed transparently | Cryptojacking inflates bills; billing anomalies = attack indicator |
Cloud Service Models — Security Responsibilities
| Layer | IaaS | PaaS | SaaS |
|---|---|---|---|
| Application | Customer | Customer | CSP |
| Data | Customer | Customer | Customer |
| Runtime / Middleware | Customer | CSP | CSP |
| OS | Customer | CSP | CSP |
| Virtualisation | CSP | CSP | CSP |
| Physical Hardware | CSP | CSP | CSP |
☁️ Examples — IaaS: AWS EC2, Azure VMs, GCP Compute. PaaS: App Service, Lambda, GCP App Engine. SaaS: Microsoft 365, Salesforce, Google Workspace.
Cloud vs On-Premises — Security Differences
| Dimension | On-Premises | Cloud |
|---|---|---|
| Perimeter | Network perimeter (firewall) | Identity is the new perimeter |
| Physical access | Customer controls | CSP controls (no customer access) |
| Resource lifecycle | Static, long-lived | Ephemeral, auto-scaling |
| Infrastructure management | Manual, hardware-based | API-driven, code-defined |
| Visibility | Full access to hardware/OS | Limited to what CSP exposes |
| Data location | Known, fixed | May span regions/countries (sovereignty) |
| Patch responsibility | Customer patches everything | Shared — CSP patches infrastructure |
Cloud Attack Surface — Top Threats
| Threat | Example | Mitigation |
|---|---|---|
| Misconfigured storage | Public S3 bucket exposing PII | S3 Block Public Access, CSPM scanning |
| Overprivileged IAM | Lambda with AdministratorAccess | Least privilege, IAM Access Analyzer |
| Credential theft | API keys committed to GitHub | Secrets scanning, secrets manager, key rotation |
| Exposed management APIs | Unauthenticated cloud management endpoint | API gateway, mTLS, rate limiting |
| Supply chain risk | Malicious npm package in CI/CD | SCA scanning, signed artifacts, SBOMs |
| Insecure APIs | REST API returning full user objects | OWASP API Top 10 controls |
Multi-Cloud Strategy
Using two or more cloud providers (e.g., AWS + Azure + GCP) to avoid vendor lock-in, leverage best-of-breed services, and improve geographic coverage.
⚠️ Security challenges: Inconsistent security controls across providers · Identity federation complexity · Visibility gaps · Separate logging/monitoring silos · Different compliance postures · Higher operational overhead
Interview Q&A · 20 Questions
Interview Questions & Model Answers
Click any question to reveal the model answer.
1What is cloud computing and what are its five key NIST characteristics?Easy▼
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort. The five NIST essential characteristics are:
- On-demand self-service: Users provision resources without human CSP interaction.
- Broad network access: Services accessible over any network from any device.
- Resource pooling: Multi-tenant model where resources are pooled and dynamically assigned.
- Rapid elasticity: Resources scale up/down automatically on demand.
- Measured service: Usage monitored, controlled, and billed transparently.
💡 Interviewers often ask which characteristic creates the biggest security challenge. Answer: on-demand self-service — because anyone can spin up resources without approval, creating ungoverned shadow IT.
2Explain the difference between IaaS, PaaS, and SaaS from a security perspective.Easy▼
- IaaS: Customer responsible for OS, middleware, runtime, apps, data. CSP responsible for physical hardware, networking, and hypervisor. Highest customer security responsibility. Example: AWS EC2.
- PaaS: CSP manages OS and runtime. Customer responsible for application code and data. Medium responsibility. Example: AWS Lambda, Azure App Service.
- SaaS: CSP manages everything except data governance and user access. Customer responsibility: who has access, what data is stored, and data classification. Example: Microsoft 365.
💡 The key interview insight: the higher up the stack you go (IaaS→PaaS→SaaS), the less security control the customer has — but also less responsibility. SaaS breaches are often due to misconfigured sharing settings or compromised user accounts, not infrastructure vulnerabilities.
3What is the shared responsibility model in cloud security?Easy▼
The shared responsibility model defines the division of security duties between the Cloud Service Provider (CSP) and the customer. The CSP secures of the cloud (physical datacenters, hardware, hypervisor, global network), while the customer secures in the cloud (data, identity, applications, configurations).
The exact boundary shifts by service model: IaaS customers own more, SaaS customers own less. The most common security failures come from customers misunderstanding their responsibilities — e.g., assuming the CSP encrypts data when it is actually the customer's job.
The exact boundary shifts by service model: IaaS customers own more, SaaS customers own less. The most common security failures come from customers misunderstanding their responsibilities — e.g., assuming the CSP encrypts data when it is actually the customer's job.
💡 Real-world example: Capital One breach (2019) — AWS infrastructure was secure, but a misconfigured WAF (customer responsibility) allowed SSRF to steal IAM credentials. The CSP was not at fault.
4What are the main security differences between cloud and on-premises environments?Medium▼
- Perimeter: On-prem has a defined network perimeter (firewall boundary). Cloud has no perimeter — identity is the new control plane.
- Physical access: On-prem: customer controls physical access. Cloud: no physical access to hardware.
- Ephemeral resources: Cloud resources spin up/down in seconds, making traditional asset inventory inadequate.
- API surface: Cloud management is API-driven — stolen API keys can give complete infrastructure control.
- Visibility: In cloud, you depend on the CSP's logging (CloudTrail, Azure Monitor) — you can't tap network cables.
- Data sovereignty: Data may reside in other countries, subject to foreign laws.
5What is multi-cloud and what are its security challenges?Medium▼
Multi-cloud means using two or more cloud providers simultaneously (e.g., AWS for compute, Azure for identity, GCP for ML). Drivers: avoid vendor lock-in, best-of-breed services, geographic redundancy, regulatory requirements.
Security challenges:
Security challenges:
- Inconsistent security controls (AWS security groups ≠ Azure NSGs)
- Identity federation complexity across providers
- Visibility gaps — no single pane of glass without third-party CSPM
- Separate audit logs and SIEM integration challenges
- Different compliance postures per provider
- Skills gap — teams must know multiple cloud platforms
💡 Tools like Prisma Cloud, Wiz, and Orca Security provide multi-cloud security posture management to address visibility gaps.
6What is the cloud attack surface and how does it differ from traditional IT?Medium▼
The cloud attack surface includes all the points where an attacker could try to gain unauthorized access. In cloud environments, this includes:
- Management APIs: Cloud control planes (AWS API, Azure ARM) accessible over the internet.
- Credentials: API keys, access tokens, service account keys — often with broad permissions.
- Storage: Object storage (S3, Azure Blob) that can be made publicly accessible by misconfiguration.
- IAM policies: Overly permissive roles and policies.
- Serverless functions: Lambda functions with misconfigured triggers or permissions.
- Container registries: Public ECR/Docker Hub images with vulnerabilities.
7What are the most common cloud security misconfigurations?Easy▼
- Public S3 buckets / Azure Blob containers exposing sensitive data
- Security groups/NSGs open to 0.0.0.0/0 on port 22 (SSH) or 3389 (RDP)
- Root/admin accounts without MFA
- CloudTrail/audit logging disabled
- Overly permissive IAM policies (wildcard actions and resources)
- Unencrypted databases and storage volumes
- API keys hardcoded in source code or environment variables
- Default VPC used for production workloads
- IMDSv1 enabled (allows SSRF to steal EC2 metadata credentials)
💡 According to Gartner: 99% of cloud security failures through 2025 are the customer's fault, primarily due to misconfiguration. CSPM tools (Wiz, Prisma Cloud, AWS Security Hub) automate detection.
8What does "identity is the new perimeter" mean in cloud security?Medium▼
In traditional on-premises security, a network firewall defined a trusted internal zone. Everything inside was (incorrectly) assumed to be trusted. In cloud environments, there is no fixed network perimeter — resources are internet-accessible, and attackers don't need to "get inside the network" first.
Instead, identity (who you are, and what you're authorized to do) becomes the primary security control. Every API call in AWS, Azure, or GCP is authenticated with an identity (IAM user, role, service account). If an attacker steals a credential, they can act as that identity from anywhere in the world.
This is why Zero Trust Architecture — "never trust, always verify" — is critical in cloud environments.
Instead, identity (who you are, and what you're authorized to do) becomes the primary security control. Every API call in AWS, Azure, or GCP is authenticated with an identity (IAM user, role, service account). If an attacker steals a credential, they can act as that identity from anywhere in the world.
This is why Zero Trust Architecture — "never trust, always verify" — is critical in cloud environments.
💡 The SolarWinds breach (2020) demonstrated this perfectly: attackers obtained OAuth tokens and used them to access Microsoft 365 emails without ever touching network perimeters.
9What is data sovereignty and why does it matter?Medium▼
Data sovereignty refers to the principle that data is subject to the laws and governance of the country/region where it physically resides. When you store data in a cloud region, that data is subject to local law — including government access requests.
Why it matters:
Why it matters:
- GDPR requires EU citizen data to not leave the EU without adequate protections.
- India's DPDP Act (2023) has data localization requirements for sensitive data.
- Some countries require health/financial data to remain in-country.
- US CLOUD Act allows US government to demand data from US companies regardless of where it's stored.
💡 Always confirm with legal counsel which regions are permissible for your data classification levels.
10How does the ephemeral nature of cloud resources affect security?Medium▼
Ephemeral resources (containers, serverless functions, auto-scaling VMs) spin up and terminate within seconds or minutes, creating significant security challenges:
- Asset inventory: Traditional CMDBs can't track resources that exist for 30 seconds.
- Log retention: Logs from terminated instances may be lost if not forwarded to centralized logging.
- Forensics: Post-incident investigation is harder — the "crime scene" may no longer exist.
- Patching: Traditional patch management doesn't apply — instead, use immutable infrastructure (replace, don't patch).
- Security scanning: Container images must be scanned before deployment; runtime scanning (Falco) monitors live.
💡 Best practice: treat cloud infrastructure as cattle, not pets. Automate immutable image builds (CI/CD), centralize all logs to a SIEM immediately, and implement runtime security (Falco, Aqua Security).
11What is a Cloud Access Security Broker (CASB)?Hard▼
A CASB is a security policy enforcement point between cloud service consumers and cloud service providers that aggregates and applies enterprise security policies. It provides four core capabilities:
Examples: Microsoft Defender for Cloud Apps, Netskope, Zscaler CASB.
- Visibility: Discovers what cloud apps employees are using (Shadow IT detection).
- Compliance: Ensures cloud usage complies with regulations (GDPR, HIPAA).
- Data Security: DLP policies to prevent sensitive data leaving via cloud apps.
- Threat Protection: Detects malware, compromised accounts, and insider threats.
Examples: Microsoft Defender for Cloud Apps, Netskope, Zscaler CASB.
💡 CASBs are especially important for SaaS security where the organization has limited visibility into what users do inside apps like Box, Salesforce, or Slack.
12What is the CSA Cloud Security Alliance and what is its significance?Easy▼
The Cloud Security Alliance (CSA) is a not-for-profit organization that promotes best practices for cloud computing security. Key contributions:
- CSA Cloud Security Guidance v4: Comprehensive guide covering 14 domains of cloud security.
- Cloud Controls Matrix (CCM): Framework of cloud-specific security controls mapped to major compliance standards (ISO 27001, PCI-DSS, GDPR, HIPAA).
- CCSK Certification: Certificate of Cloud Security Knowledge — widely recognized cloud security credential.
- Top Threats Report: Annual report on the top cloud security threats (Egregious Eleven, Pandemic Eleven).
- STAR Registry: Cloud provider security transparency program.
💡 The CSA CCM is often used for cloud vendor risk assessments — ask any cloud vendor to complete a CSA STAR self-assessment.
13What is the CIS Cloud Benchmark?Medium▼
The Center for Internet Security (CIS) publishes Cloud Benchmarks — prescriptive, consensus-based configuration guidelines for securing cloud environments. Available for AWS, Azure, GCP, and others.
CIS Benchmarks have two levels:
CSPM tools (AWS Security Hub, Prisma Cloud) can automatically audit against CIS Benchmarks and report compliance scores.
CIS Benchmarks have two levels:
- Level 1: Basic, widely applicable controls with minimal performance impact (recommended for all).
- Level 2: Stricter controls for high-security environments; may reduce functionality.
CSPM tools (AWS Security Hub, Prisma Cloud) can automatically audit against CIS Benchmarks and report compliance scores.
14What are the risks of Shadow IT in a cloud environment?Medium▼
Shadow IT is the use of IT systems, software, or services without explicit organizational approval — enabled by cloud's on-demand, credit-card-purchasable nature.
Security risks:
Security risks:
- Sensitive data stored in unauthorized SaaS apps (personal Dropbox, free Slack).
- Unauthorized cloud accounts not covered by corporate security policies.
- No encryption, access controls, or audit logging on shadow systems.
- Data may be stored in unapproved geographic regions.
- Violates compliance requirements (GDPR, HIPAA) if regulated data is involved.
15How does API security differ in cloud vs traditional environments?Hard▼
In cloud environments, the entire infrastructure control plane is API-driven — every resource creation, modification, and deletion happens via authenticated API calls. This creates unique security considerations:
- Scale: Cloud APIs are internet-facing 24/7 — no network perimeter protection.
- Blast radius: A compromised cloud management API key can delete entire environments.
- IMDSv1 vulnerability: SSRF attacks can access EC2 instance metadata and steal IAM credentials via
169.254.169.254. - Service-to-service: Cloud services communicate via internal APIs — IAM roles must be tightly scoped.
- Rate limiting: CSPs have API rate limits, but attackers can still exfiltrate data within limits.
16What is the difference between public and private cloud from a security standpoint?Easy▼
| Dimension | Public Cloud | Private Cloud |
|---|---|---|
| Infrastructure | Shared multi-tenant | Dedicated single-tenant |
| Physical security | CSP responsibility | Customer responsibility |
| Network isolation | Logical (VPC) | Physical or logical |
| Compliance | CSP certifications (ISO, SOC2) | Customer must certify |
| Cost | OpEx, pay-per-use | High CapEx |
| Control | Limited | Full control |
💡 Most regulated industries (banking, defence) use a hybrid model: private cloud for sensitive workloads, public cloud for less sensitive services. "Private cloud" is often misconstrued — an on-prem VMware environment is not automatically more secure than AWS.
17What is cloud sprawl and how does it create security risks?Medium▼
Cloud sprawl is the uncontrolled proliferation of cloud instances, services, and accounts across an organization — often due to the ease of provisioning cloud resources. Security risks include:
- Unknown assets that aren't patched or monitored.
- Abandoned accounts with valid credentials still active.
- Unmanaged data stores with sensitive data.
- Inconsistent security policies across sprawled environments.
- Increased attack surface and compliance scope.
18What is the AWS Well-Architected Framework Security Pillar?Hard▼
The AWS Well-Architected Framework has six pillars; the Security Pillar focuses on protecting information and systems. Its five design principles are:
- Implement a strong identity foundation: Least privilege, MFA, short-lived credentials.
- Enable traceability: Log and audit all actions (CloudTrail, Config, GuardDuty).
- Apply security at all layers: Defence in depth — VPC, subnets, security groups, WAF, application, data.
- Automate security best practices: IaC security, automated guardrails (SCPs, Config Rules).
- Protect data in transit and at rest: TLS everywhere, KMS encryption.
- Keep people away from data: Automate operations; humans shouldn't access prod data.
- Prepare for security events: IR playbooks, GameDays, AWS Incident Manager.
19What are the top cloud threats according to the CSA?Medium▼
CSA's "Pandemic Eleven" top cloud security threats (2022):
- Insufficient Identity, Credentials, Access and Key Management
- Insecure Interfaces and APIs
- Misconfiguration and Inadequate Change Control
- Lack of Cloud Security Architecture and Strategy
- Insecure Software Development
- Unsecured Third-Party Resources
- System Vulnerabilities
- Accidental Cloud Data Disclosure
- Misconfiguration and Exploitation of Serverless and Container Workloads
- Organised Crime/Hackers/APT
- Cloud Storage Data Exfiltration
💡 Note that traditional concerns like hardware failure and DDoS are NOT on this list — the CSA focuses on customer-controlled issues, not CSP infrastructure failures.
20How would you explain the shared responsibility model to a business stakeholder?Hard▼
This tests communication skills. A strong answer avoids jargon:
"Think of renting an office versus owning a building. When you rent (public cloud), the landlord (CSP) is responsible for the building structure, locks on the main entrance, fire suppression systems, and utilities. But you're responsible for locking your office door, who has a key, what files you keep in your cabinets, and your own security cameras inside. If you leave confidential papers on your desk and a cleaner photographs them — that's your responsibility, not the landlord's. AWS/Azure/GCP works exactly the same way."
Key points:
"Think of renting an office versus owning a building. When you rent (public cloud), the landlord (CSP) is responsible for the building structure, locks on the main entrance, fire suppression systems, and utilities. But you're responsible for locking your office door, who has a key, what files you keep in your cabinets, and your own security cameras inside. If you leave confidential papers on your desk and a cleaner photographs them — that's your responsibility, not the landlord's. AWS/Azure/GCP works exactly the same way."
Key points:
- Frame it as a risk and cost discussion, not a technical detail.
- Clarify what YOUR team is responsible for — this is often misunderstood.
- Explain that cloud security failures are mostly customer mistakes, not CSP failures.
MCQ Quiz · 25 Questions
Multiple Choice Questions
Select an answer then click Check. Explanations shown after submission.
Progress:
0 / 25
Simulation 1
Shared Responsibility Mapper
Drag each item into the correct responsibility zone.
Physical server hardware
Hypervisor patching
Application code security
Data encryption
Network hardware
OS patching on IaaS VM
DDoS infrastructure protection
Identity and access policies
☁️ CSP Manages
👤 Customer Manages
Simulation 2
Cloud Threat Identifier
Classify each scenario into the correct cloud threat category.
Simulation 3
Cloud vs On-Premises Quiz
For each scenario, select where the statement applies.
Simulation 4
NIST Cloud Characteristics Matcher
Match each description to the correct NIST cloud characteristic.
🎉
Module 01 complete! Proceed to Module 02: IAM in Cloud.