← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Multi-Cloud Security Curriculum · Module 01

Cloud & Security Foundations

Foundational cloud concepts, shared responsibility, attack surface, and multi-cloud security challenges — ~60 min interview prep.

20
Interview Q&As
25
MCQ Questions
4
Simulations
8h
Module Duration

Topics Covered

#TopicType
1Cloud Computing Models (IaaS, PaaS, SaaS) & NIST CharacteristicsReading
2Cloud vs On-Prem Security DifferencesReading
3Cloud Attack Surface & Threat LandscapeReading
4Introduction to Multi-Cloud StrategyReading
5Basics of IAM, Network, EncryptionReading
6Interview Q&A (20 questions)Q&A
7MCQ Quiz (25 questions)Quiz
84 Interactive SimulationsSimulation
💡 Resources: CSA Cloud Security Guidance v4 · CIS Cloud Benchmarks · AWS/Azure/GCP Well-Architected Frameworks
Core Concepts · ~10 min

Cloud & Security Foundations

NIST Cloud Definition — 5 Essential Characteristics

CharacteristicDescriptionSecurity Implication
On-demand self-serviceUsers provision resources without human interactionNo approval gates — easy to spin up insecure resources
Broad network accessServices accessible over internet from any deviceLarger attack surface vs private DC
Resource poolingResources shared across multiple tenantsTenant isolation failures; noisy-neighbour risk
Rapid elasticityScale up/down instantlyEphemeral resources hard to inventory and monitor
Measured serviceUsage metered and billed transparentlyCryptojacking inflates bills; billing anomalies = attack indicator

Cloud Service Models — Security Responsibilities

LayerIaaSPaaSSaaS
ApplicationCustomerCustomerCSP
DataCustomerCustomerCustomer
Runtime / MiddlewareCustomerCSPCSP
OSCustomerCSPCSP
VirtualisationCSPCSPCSP
Physical HardwareCSPCSPCSP
☁️ Examples — IaaS: AWS EC2, Azure VMs, GCP Compute. PaaS: App Service, Lambda, GCP App Engine. SaaS: Microsoft 365, Salesforce, Google Workspace.

Cloud vs On-Premises — Security Differences

DimensionOn-PremisesCloud
PerimeterNetwork perimeter (firewall)Identity is the new perimeter
Physical accessCustomer controlsCSP controls (no customer access)
Resource lifecycleStatic, long-livedEphemeral, auto-scaling
Infrastructure managementManual, hardware-basedAPI-driven, code-defined
VisibilityFull access to hardware/OSLimited to what CSP exposes
Data locationKnown, fixedMay span regions/countries (sovereignty)
Patch responsibilityCustomer patches everythingShared — CSP patches infrastructure

Cloud Attack Surface — Top Threats

ThreatExampleMitigation
Misconfigured storagePublic S3 bucket exposing PIIS3 Block Public Access, CSPM scanning
Overprivileged IAMLambda with AdministratorAccessLeast privilege, IAM Access Analyzer
Credential theftAPI keys committed to GitHubSecrets scanning, secrets manager, key rotation
Exposed management APIsUnauthenticated cloud management endpointAPI gateway, mTLS, rate limiting
Supply chain riskMalicious npm package in CI/CDSCA scanning, signed artifacts, SBOMs
Insecure APIsREST API returning full user objectsOWASP API Top 10 controls

Multi-Cloud Strategy

Using two or more cloud providers (e.g., AWS + Azure + GCP) to avoid vendor lock-in, leverage best-of-breed services, and improve geographic coverage.

⚠️ Security challenges: Inconsistent security controls across providers · Identity federation complexity · Visibility gaps · Separate logging/monitoring silos · Different compliance postures · Higher operational overhead
Interview Q&A · 20 Questions

Interview Questions & Model Answers

Click any question to reveal the model answer.

1What is cloud computing and what are its five key NIST characteristics?Easy
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort. The five NIST essential characteristics are:
  • On-demand self-service: Users provision resources without human CSP interaction.
  • Broad network access: Services accessible over any network from any device.
  • Resource pooling: Multi-tenant model where resources are pooled and dynamically assigned.
  • Rapid elasticity: Resources scale up/down automatically on demand.
  • Measured service: Usage monitored, controlled, and billed transparently.
💡 Interviewers often ask which characteristic creates the biggest security challenge. Answer: on-demand self-service — because anyone can spin up resources without approval, creating ungoverned shadow IT.
2Explain the difference between IaaS, PaaS, and SaaS from a security perspective.Easy
  • IaaS: Customer responsible for OS, middleware, runtime, apps, data. CSP responsible for physical hardware, networking, and hypervisor. Highest customer security responsibility. Example: AWS EC2.
  • PaaS: CSP manages OS and runtime. Customer responsible for application code and data. Medium responsibility. Example: AWS Lambda, Azure App Service.
  • SaaS: CSP manages everything except data governance and user access. Customer responsibility: who has access, what data is stored, and data classification. Example: Microsoft 365.
💡 The key interview insight: the higher up the stack you go (IaaS→PaaS→SaaS), the less security control the customer has — but also less responsibility. SaaS breaches are often due to misconfigured sharing settings or compromised user accounts, not infrastructure vulnerabilities.
3What is the shared responsibility model in cloud security?Easy
The shared responsibility model defines the division of security duties between the Cloud Service Provider (CSP) and the customer. The CSP secures of the cloud (physical datacenters, hardware, hypervisor, global network), while the customer secures in the cloud (data, identity, applications, configurations).

The exact boundary shifts by service model: IaaS customers own more, SaaS customers own less. The most common security failures come from customers misunderstanding their responsibilities — e.g., assuming the CSP encrypts data when it is actually the customer's job.
💡 Real-world example: Capital One breach (2019) — AWS infrastructure was secure, but a misconfigured WAF (customer responsibility) allowed SSRF to steal IAM credentials. The CSP was not at fault.
4What are the main security differences between cloud and on-premises environments?Medium
  • Perimeter: On-prem has a defined network perimeter (firewall boundary). Cloud has no perimeter — identity is the new control plane.
  • Physical access: On-prem: customer controls physical access. Cloud: no physical access to hardware.
  • Ephemeral resources: Cloud resources spin up/down in seconds, making traditional asset inventory inadequate.
  • API surface: Cloud management is API-driven — stolen API keys can give complete infrastructure control.
  • Visibility: In cloud, you depend on the CSP's logging (CloudTrail, Azure Monitor) — you can't tap network cables.
  • Data sovereignty: Data may reside in other countries, subject to foreign laws.
5What is multi-cloud and what are its security challenges?Medium
Multi-cloud means using two or more cloud providers simultaneously (e.g., AWS for compute, Azure for identity, GCP for ML). Drivers: avoid vendor lock-in, best-of-breed services, geographic redundancy, regulatory requirements.

Security challenges:
  • Inconsistent security controls (AWS security groups ≠ Azure NSGs)
  • Identity federation complexity across providers
  • Visibility gaps — no single pane of glass without third-party CSPM
  • Separate audit logs and SIEM integration challenges
  • Different compliance postures per provider
  • Skills gap — teams must know multiple cloud platforms
💡 Tools like Prisma Cloud, Wiz, and Orca Security provide multi-cloud security posture management to address visibility gaps.
6What is the cloud attack surface and how does it differ from traditional IT?Medium
The cloud attack surface includes all the points where an attacker could try to gain unauthorized access. In cloud environments, this includes:
  • Management APIs: Cloud control planes (AWS API, Azure ARM) accessible over the internet.
  • Credentials: API keys, access tokens, service account keys — often with broad permissions.
  • Storage: Object storage (S3, Azure Blob) that can be made publicly accessible by misconfiguration.
  • IAM policies: Overly permissive roles and policies.
  • Serverless functions: Lambda functions with misconfigured triggers or permissions.
  • Container registries: Public ECR/Docker Hub images with vulnerabilities.
Vs. traditional: attackers needed network access first. In cloud, internet-exposed management APIs mean the attack surface is global and always-on.
7What are the most common cloud security misconfigurations?Easy
  • Public S3 buckets / Azure Blob containers exposing sensitive data
  • Security groups/NSGs open to 0.0.0.0/0 on port 22 (SSH) or 3389 (RDP)
  • Root/admin accounts without MFA
  • CloudTrail/audit logging disabled
  • Overly permissive IAM policies (wildcard actions and resources)
  • Unencrypted databases and storage volumes
  • API keys hardcoded in source code or environment variables
  • Default VPC used for production workloads
  • IMDSv1 enabled (allows SSRF to steal EC2 metadata credentials)
💡 According to Gartner: 99% of cloud security failures through 2025 are the customer's fault, primarily due to misconfiguration. CSPM tools (Wiz, Prisma Cloud, AWS Security Hub) automate detection.
8What does "identity is the new perimeter" mean in cloud security?Medium
In traditional on-premises security, a network firewall defined a trusted internal zone. Everything inside was (incorrectly) assumed to be trusted. In cloud environments, there is no fixed network perimeter — resources are internet-accessible, and attackers don't need to "get inside the network" first.

Instead, identity (who you are, and what you're authorized to do) becomes the primary security control. Every API call in AWS, Azure, or GCP is authenticated with an identity (IAM user, role, service account). If an attacker steals a credential, they can act as that identity from anywhere in the world.

This is why Zero Trust Architecture — "never trust, always verify" — is critical in cloud environments.
💡 The SolarWinds breach (2020) demonstrated this perfectly: attackers obtained OAuth tokens and used them to access Microsoft 365 emails without ever touching network perimeters.
9What is data sovereignty and why does it matter?Medium
Data sovereignty refers to the principle that data is subject to the laws and governance of the country/region where it physically resides. When you store data in a cloud region, that data is subject to local law — including government access requests.

Why it matters:
  • GDPR requires EU citizen data to not leave the EU without adequate protections.
  • India's DPDP Act (2023) has data localization requirements for sensitive data.
  • Some countries require health/financial data to remain in-country.
  • US CLOUD Act allows US government to demand data from US companies regardless of where it's stored.
Mitigations: Select specific cloud regions, use data residency guarantees from CSPs, encrypt with customer-managed keys (CMEK), use data residency zones in Azure/GCP.
💡 Always confirm with legal counsel which regions are permissible for your data classification levels.
10How does the ephemeral nature of cloud resources affect security?Medium
Ephemeral resources (containers, serverless functions, auto-scaling VMs) spin up and terminate within seconds or minutes, creating significant security challenges:
  • Asset inventory: Traditional CMDBs can't track resources that exist for 30 seconds.
  • Log retention: Logs from terminated instances may be lost if not forwarded to centralized logging.
  • Forensics: Post-incident investigation is harder — the "crime scene" may no longer exist.
  • Patching: Traditional patch management doesn't apply — instead, use immutable infrastructure (replace, don't patch).
  • Security scanning: Container images must be scanned before deployment; runtime scanning (Falco) monitors live.
💡 Best practice: treat cloud infrastructure as cattle, not pets. Automate immutable image builds (CI/CD), centralize all logs to a SIEM immediately, and implement runtime security (Falco, Aqua Security).
11What is a Cloud Access Security Broker (CASB)?Hard
A CASB is a security policy enforcement point between cloud service consumers and cloud service providers that aggregates and applies enterprise security policies. It provides four core capabilities:
  • Visibility: Discovers what cloud apps employees are using (Shadow IT detection).
  • Compliance: Ensures cloud usage complies with regulations (GDPR, HIPAA).
  • Data Security: DLP policies to prevent sensitive data leaving via cloud apps.
  • Threat Protection: Detects malware, compromised accounts, and insider threats.
CASB can be deployed in three modes: forward proxy (agent-based), reverse proxy, or API-based.

Examples: Microsoft Defender for Cloud Apps, Netskope, Zscaler CASB.
💡 CASBs are especially important for SaaS security where the organization has limited visibility into what users do inside apps like Box, Salesforce, or Slack.
12What is the CSA Cloud Security Alliance and what is its significance?Easy
The Cloud Security Alliance (CSA) is a not-for-profit organization that promotes best practices for cloud computing security. Key contributions:
  • CSA Cloud Security Guidance v4: Comprehensive guide covering 14 domains of cloud security.
  • Cloud Controls Matrix (CCM): Framework of cloud-specific security controls mapped to major compliance standards (ISO 27001, PCI-DSS, GDPR, HIPAA).
  • CCSK Certification: Certificate of Cloud Security Knowledge — widely recognized cloud security credential.
  • Top Threats Report: Annual report on the top cloud security threats (Egregious Eleven, Pandemic Eleven).
  • STAR Registry: Cloud provider security transparency program.
💡 The CSA CCM is often used for cloud vendor risk assessments — ask any cloud vendor to complete a CSA STAR self-assessment.
13What is the CIS Cloud Benchmark?Medium
The Center for Internet Security (CIS) publishes Cloud Benchmarks — prescriptive, consensus-based configuration guidelines for securing cloud environments. Available for AWS, Azure, GCP, and others.

CIS Benchmarks have two levels:
  • Level 1: Basic, widely applicable controls with minimal performance impact (recommended for all).
  • Level 2: Stricter controls for high-security environments; may reduce functionality.
Examples of CIS AWS Benchmark controls: Enable CloudTrail in all regions, enable MFA on root account, avoid root account usage, rotate access keys every 90 days, enable GuardDuty.

CSPM tools (AWS Security Hub, Prisma Cloud) can automatically audit against CIS Benchmarks and report compliance scores.
14What are the risks of Shadow IT in a cloud environment?Medium
Shadow IT is the use of IT systems, software, or services without explicit organizational approval — enabled by cloud's on-demand, credit-card-purchasable nature.

Security risks:
  • Sensitive data stored in unauthorized SaaS apps (personal Dropbox, free Slack).
  • Unauthorized cloud accounts not covered by corporate security policies.
  • No encryption, access controls, or audit logging on shadow systems.
  • Data may be stored in unapproved geographic regions.
  • Violates compliance requirements (GDPR, HIPAA) if regulated data is involved.
Controls: CASB for SaaS visibility, DNS filtering, CSPM for unauthorized cloud accounts, regular cloud spend analysis, employee security training.
15How does API security differ in cloud vs traditional environments?Hard
In cloud environments, the entire infrastructure control plane is API-driven — every resource creation, modification, and deletion happens via authenticated API calls. This creates unique security considerations:
  • Scale: Cloud APIs are internet-facing 24/7 — no network perimeter protection.
  • Blast radius: A compromised cloud management API key can delete entire environments.
  • IMDSv1 vulnerability: SSRF attacks can access EC2 instance metadata and steal IAM credentials via 169.254.169.254.
  • Service-to-service: Cloud services communicate via internal APIs — IAM roles must be tightly scoped.
  • Rate limiting: CSPs have API rate limits, but attackers can still exfiltrate data within limits.
Controls: Enforce IMDSv2, use API gateway with WAF, enable CloudTrail for all API calls, rotate keys, use short-lived tokens (STS).
16What is the difference between public and private cloud from a security standpoint?Easy
DimensionPublic CloudPrivate Cloud
InfrastructureShared multi-tenantDedicated single-tenant
Physical securityCSP responsibilityCustomer responsibility
Network isolationLogical (VPC)Physical or logical
ComplianceCSP certifications (ISO, SOC2)Customer must certify
CostOpEx, pay-per-useHigh CapEx
ControlLimitedFull control
💡 Most regulated industries (banking, defence) use a hybrid model: private cloud for sensitive workloads, public cloud for less sensitive services. "Private cloud" is often misconstrued — an on-prem VMware environment is not automatically more secure than AWS.
17What is cloud sprawl and how does it create security risks?Medium
Cloud sprawl is the uncontrolled proliferation of cloud instances, services, and accounts across an organization — often due to the ease of provisioning cloud resources. Security risks include:
  • Unknown assets that aren't patched or monitored.
  • Abandoned accounts with valid credentials still active.
  • Unmanaged data stores with sensitive data.
  • Inconsistent security policies across sprawled environments.
  • Increased attack surface and compliance scope.
Controls: Cloud governance policies, tagging enforcement, resource lifecycle management, automated decommissioning, CSPM tools, cloud cost management tools (which indirectly reveal sprawl).
18What is the AWS Well-Architected Framework Security Pillar?Hard
The AWS Well-Architected Framework has six pillars; the Security Pillar focuses on protecting information and systems. Its five design principles are:
  • Implement a strong identity foundation: Least privilege, MFA, short-lived credentials.
  • Enable traceability: Log and audit all actions (CloudTrail, Config, GuardDuty).
  • Apply security at all layers: Defence in depth — VPC, subnets, security groups, WAF, application, data.
  • Automate security best practices: IaC security, automated guardrails (SCPs, Config Rules).
  • Protect data in transit and at rest: TLS everywhere, KMS encryption.
  • Keep people away from data: Automate operations; humans shouldn't access prod data.
  • Prepare for security events: IR playbooks, GameDays, AWS Incident Manager.
19What are the top cloud threats according to the CSA?Medium
CSA's "Pandemic Eleven" top cloud security threats (2022):
  1. Insufficient Identity, Credentials, Access and Key Management
  2. Insecure Interfaces and APIs
  3. Misconfiguration and Inadequate Change Control
  4. Lack of Cloud Security Architecture and Strategy
  5. Insecure Software Development
  6. Unsecured Third-Party Resources
  7. System Vulnerabilities
  8. Accidental Cloud Data Disclosure
  9. Misconfiguration and Exploitation of Serverless and Container Workloads
  10. Organised Crime/Hackers/APT
  11. Cloud Storage Data Exfiltration
💡 Note that traditional concerns like hardware failure and DDoS are NOT on this list — the CSA focuses on customer-controlled issues, not CSP infrastructure failures.
20How would you explain the shared responsibility model to a business stakeholder?Hard
This tests communication skills. A strong answer avoids jargon:

"Think of renting an office versus owning a building. When you rent (public cloud), the landlord (CSP) is responsible for the building structure, locks on the main entrance, fire suppression systems, and utilities. But you're responsible for locking your office door, who has a key, what files you keep in your cabinets, and your own security cameras inside. If you leave confidential papers on your desk and a cleaner photographs them — that's your responsibility, not the landlord's. AWS/Azure/GCP works exactly the same way."

Key points:
  • Frame it as a risk and cost discussion, not a technical detail.
  • Clarify what YOUR team is responsible for — this is often misunderstood.
  • Explain that cloud security failures are mostly customer mistakes, not CSP failures.

MCQ Quiz · 25 Questions

Multiple Choice Questions

Select an answer then click Check. Explanations shown after submission.

Progress:
0 / 25
Simulation 1

Shared Responsibility Mapper

Drag each item into the correct responsibility zone.

Physical server hardware
Hypervisor patching
Application code security
Data encryption
Network hardware
OS patching on IaaS VM
DDoS infrastructure protection
Identity and access policies

☁️ CSP Manages

👤 Customer Manages

🤝 Shared

Simulation 2

Cloud Threat Identifier

Classify each scenario into the correct cloud threat category.

Simulation 3

Cloud vs On-Premises Quiz

For each scenario, select where the statement applies.

Simulation 4

NIST Cloud Characteristics Matcher

Match each description to the correct NIST cloud characteristic.

🎉

Module 01 complete! Proceed to Module 02: IAM in Cloud.