Security & Compliance Basics
Overview
Section titled “Overview”Security and compliance are fundamental considerations in cloud computing. Understanding basic security principles and compliance frameworks is essential for making informed decisions about cloud adoption and ensuring appropriate protection of organizational assets and data.
Core Security Principles
Section titled “Core Security Principles”The CIA Triad
Figure: The CIA Triad forms the foundation of information security
The CIA Triad
Section titled “The CIA Triad”The foundation of information security rests on three core principles:
Confidentiality
- Ensures information is accessible only to authorized individuals
- Protects sensitive data from unauthorized disclosure
- Implemented through access controls, encryption, and authentication
Integrity
- Ensures information remains accurate, complete, and unaltered
- Protects against unauthorized modification or destruction
- Implemented through checksums, digital signatures, and version control
Availability
- Ensures information and systems are accessible when needed
- Protects against disruption of service or access
- Implemented through redundancy, backup systems, and disaster recovery
Defense in Depth
Section titled “Defense in Depth”Defense in Depth Layers
Figure: Multiple layers of security controls provide comprehensive protection
Multiple layers of security controls (physical, network, endpoint, application, data, identity, administrative) provide comprehensive protection.
Principle of Least Privilege
Section titled “Principle of Least Privilege”Users receive only minimum permissions necessary for their role. Regular review and time-bound access reduce risk.
Zero Trust Security Model
Section titled “Zero Trust Security Model”Never trust, always verify. Continuous verification of identity and device state with conditional access based on risk.
Identity and Access Management (IAM)
Section titled “Identity and Access Management (IAM)”Authentication vs. Authorization
Section titled “Authentication vs. Authorization”Authentication (Who are you?): Verifies identity through passwords, MFA, biometrics Authorization (What can you do?): Determines access permissions based on roles and policies
Multi-Factor Authentication (MFA)
Section titled “Multi-Factor Authentication (MFA)”Combines multiple verification factors:
- Knowledge: Passwords, PINs
- Possession: Mobile phones, hardware tokens
- Inherence: Biometrics (fingerprint, facial recognition)
Role-Based Access Control (RBAC)
Section titled “Role-Based Access Control (RBAC)”Users assigned to roles based on job responsibilities. Roles have predefined permissions, simplifying management and compliance.
Data Protection Fundamentals
Section titled “Data Protection Fundamentals”Data Classification
Section titled “Data Classification”Public: No harm if disclosed Internal: Internal use only, basic controls Confidential: Could cause harm, enhanced protection Restricted: Severe damage potential, highest protection
Data Encryption
Section titled “Data Encryption”In Transit: Protects data moving between systems (TLS/SSL, IPsec) At Rest: Protects stored data (files, databases, backups) Key Management: Secure key generation, storage, rotation; HSMs for high-value keys
Data Loss Prevention (DLP)
Section titled “Data Loss Prevention (DLP)”Monitors data movement, identifies sensitive patterns, blocks/alerts on policy violations
Network Security Basics
Section titled “Network Security Basics”Core Controls
Section titled “Core Controls”Firewalls: Control traffic based on security rules, first line of defense VPNs: Encrypted tunnels for secure remote access Network Segmentation: Isolate resources to limit breach impact
Common Security Threats
Section titled “Common Security Threats”Malware: Viruses, ransomware; mitigate with antivirus, patching, training Phishing: Fraudulent communications; mitigate with training, filtering, MFA Social Engineering: Psychological manipulation; mitigate with awareness training Insider Threats: Internal risks; mitigate with access controls, monitoring
Cloud-Specific Considerations
Section titled “Cloud-Specific Considerations”Shared Responsibility: Provider secures infrastructure, customer secures data/apps Data Location: Understand storage locations and residency requirements Account Management: Secure cloud accounts and integrate with identity systems
Compliance Frameworks Overview
Section titled “Compliance Frameworks Overview”What is Compliance?
Section titled “What is Compliance?”Meeting legal, regulatory, and industry requirements; following standards; demonstrating due diligence.
Compliance Frameworks Comparison
Figure 1: Major compliance frameworks and their key focus areas
Major Frameworks
Section titled “Major Frameworks”SOC 2: Service provider security, availability, confidentiality, privacy ISO 27001: International information security management standard GDPR: EU data protection and privacy regulation HIPAA: US healthcare data protection (PHI) PCI DSS: Credit card data security requirements
Cloud Compliance
Section titled “Cloud Compliance”Shared Responsibility: Providers achieve certifications, customers ensure compliant use Benefits: Professional controls, third-party audits, automated monitoring, cost-effective access
Risk Management Principles
Section titled “Risk Management Principles”Risk Process
Section titled “Risk Process”Identification: Identify threats, vulnerabilities, and asset value Analysis: Assess impact and probability, prioritize by severity Treatment: Accept, avoid, mitigate, or transfer risks
Business Continuity
Section titled “Business Continuity”Impact Analysis: Define RTO/RPO for critical processes Disaster Recovery: Backup procedures, alternative sites, regular testing High Availability: Redundancy, failover, geographic distribution
Security Governance
Section titled “Security Governance”Policies: High-level management intent, acceptable use, accountability Procedures: Detailed implementation guidelines and standards Training: Regular awareness training, phishing simulations, role-specific training Continuous Improvement: Regular assessments, lessons learned, threat updates
Cloud Security Best Practices
Section titled “Cloud Security Best Practices”Account Security: MFA enabled, regular password updates, access reviews, admin/user separation Data Protection: Encryption at rest and in transit, key management, automated backups, recovery testing Monitoring: Continuous security monitoring, automated alerts, log analysis, regular assessments Incident Response: Defined procedures, clear roles, communication plans, post-incident reviews
Industry-Specific Considerations
Section titled “Industry-Specific Considerations”Healthcare: HIPAA compliance (administrative, physical, technical safeguards) Financial: SOX, PCI DSS, GLBA, Basel III requirements Government: FedRAMP, FISMA, ITAR compliance
Summary
Section titled “Summary”Security and compliance are foundational to successful cloud adoption. Key principles include:
- CIA Triad: Confidentiality, Integrity, Availability
- Defense in Depth: Multiple layers of security controls
- Identity and Access Management: Authentication and authorization
- Data Protection: Classification, encryption, and loss prevention
- Compliance Frameworks: Understanding regulatory requirements
- Risk Management: Assessment, treatment, and continuous monitoring
Understanding these basics prepares you for more advanced security topics and helps ensure appropriate protection in cloud environments.
Next Steps
Section titled “Next Steps”- ✅ Review security principles and their applications
- ✅ Consider how these concepts apply to your organization
- ✅ Continue to Data Protection Principles
- ✅ Study Compliance Frameworks
- ✅ Review Identity and Access Basics
- ✅ Complete Module 2 Knowledge Check
Additional Resources
Section titled “Additional Resources”- NIST Cybersecurity Framework
- Cloud Security Alliance (CSA)
- Microsoft Security Documentation
- AWS Security Best Practices
Last Updated: November 2025