Domain 1 of 6 · Chapter 3 of 5

Cloud Security Concepts

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • Cryptography and key management: control follows the key
  • Identity and access control: the cloud perimeter
  • Data and media sanitization: deletion becomes crypto-erase
  • Network security: from trusted perimeter to zero trust
  • Virtualization security: new isolation boundaries, each escapable
  • Common threats and security hygiene: the exam patterns

Who holds the key, and what that buys you

PropertyProvider-managed keyCustomer-managed key (CMK)Customer-held / HYOK with HSM
Who generates and stores the keyProviderProvider service, customer controls policyCustomer, in customer-controlled HSM
Customer can set rotation and access policyNoYesYes
Customer can revoke provider access by key actionNoYes (disable/delete key)Yes (withhold key)
Protects against the provider itselfNoPartly (key still in provider HSM)Yes (key never leaves customer hardware)
Operational burden on customerLowestModerateHighest (HSM availability is customer risk)
Typical driverDefault at-rest encryptionCompliance, separation of dutiesStrict data sovereignty, FIPS 140-2/3

Decision tree

Need to control or revokeaccess to the data yourself?NoYes (compliance / SoD)Provider-managed keydefault at-rest encryption;no defense against the providerKey must stay outsidethe provider's reach?Yes (data sovereignty)NoCertified key hardwarerequired (FIPS 140-2/3)?Yes / either wayCustomer-held key (HYOK)own HSM; key never leaves your hardware;you bear HSM availability riskCustomer-managed key (CMK)key in provider KMS, you own policy;disable/delete key cuts accessAlways: to guarantee deletion on shared media, pick a key you can actually destroy (crypto-erase),and keep no escrowed copy of it

Cheat sheet

  • Encryption protects you from the provider only if you hold the key
  • Cloud platforms wrap data with envelope encryption (DEK under a KEK)
  • Customer-managed keys give you rotation and revocation; provider-managed keys do not
  • Keep the key entirely outside the provider with BYOK/HYOK plus your own HSM
  • Key management spans the full lifecycle, and destruction is a control
  • Cloud media sanitization can't overwrite or shred shared drives, so crypto-erase is the option
  • Crypto-erase requires encryption first and no escrowed key
  • Identity is the cloud perimeter, so least privilege carries the weight
  • Govern three access subjects: user, privilege, and service
  • Use just-in-time elevation instead of standing admin rights
  • Require MFA on every privileged path
  • Zero trust means network location grants no trust
  • Security groups are stateful instance-level firewalls
  • Geofencing is a coarse filter that layers on top of identity, never replaces it
  • Micro-segmentation is how zero trust contains lateral movement
  • Crossing a tenant boundary is far worse than compromising one host
  • VMs isolate strongest; containers share the host kernel and isolate weaker
  • Ephemeral and serverless compute shrink the attack window rather than the wall
  • Patch elastic fleets by replacing immutable images, not in place
  • Baselining means a known-good config plus continuous drift detection
  • Misconfiguration is the leading cause of cloud breaches
  • Insecure interfaces and APIs make the whole cloud weak
  • Regulated key hardware is validated to FIPS 140-2 or 140-3
  • In federation the IdP authenticates the user and issues the signed assertion
  • SAML trust rests on signing assertions with the IdP's key and exchanging X.509 metadata
  • OAuth 2.0 is delegated authorization; OIDC adds the authentication layer on top
  • Zero trust splits the decision (PDP/PE) from the enforcement (PEP)
  • Silo isolates strongest at highest cost; pool plus row-level security is the cheap middle
  • Throttling, rate limiting, and quotas tame the noisy-neighbor tenant
  • Protect logs from tamper with hashing, signing, and immutable centralized storage
  • HSM-generated keys never leave in plaintext; mark them non-extractable
  • Rotating a key keeps the old versions so prior data still decrypts
  • NIST SP 800-57 key states are distinct from lifecycle functions

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST CSRC Glossary, key management
  2. NIST CSRC Glossary, hardware security module
  3. NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management Whitepaper
  4. NIST CMVP, Cryptographic Module Validation Program (FIPS 140-2 / 140-3)
  5. NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization Whitepaper
  6. NIST SP 800-207, Zero Trust Architecture Whitepaper
  7. Cloud Security Alliance, Top Threats to Cloud Computing Whitepaper