Getting Started with Cloud Security

From encryption fundamentals to identity and access management, this article walks you through the essential steps for securing your cloud environment. You’ll find a clear starting point to reduce risks and build a stronger security posture.

WHAT YOU’LL FIND IN THIS ARTICLE:

Encryption Basics – what it is, why it matters, and how to protect both your data and your keys.

Access Management – how to strengthen logins with strong passwords, MFA, and least privilege.

Cloud Security Foundations – practical first steps to secure your environment and reduce risks.


Before diving into advanced configurations, make sure you’ve covered the basics of identity, security, and encryption.

This is meant to be an introductory article on the subject, and our goal here is to deliver simple, high-impact steps that can help you drastically reduce the attack surface of your cloud environment!

Let’s begin by talking about encryption!


What is Encryption?


Encryption is the process of converting readable data (plaintext) into unreadable text (ciphertext) so that only authorized people or processes can access it. It relies on cryptographic keys, which vary in type, size, and algorithmic complexity — symmetric or asymmetric cryptography, with the latter being more commonly used today. There are also many algorithm “flavors”, such as RSA, ECC, and ECDSA.

By encrypting data, you ensure that even if unauthorized individuals or groups get hold of it, it remains unreadable: all they are left with is a block of gibberish. It is therefore equally important to store your private keys securely so that malicious actors cannot decrypt your data. That’s why there is such a strong focus on both encrypting the data and securing the keys — protecting your information at both levels.


Why should we care about encryption?

Data encryption is important because it helps protect people’s privacy, whether the data is in transit or stored on other people’s servers (a.k.a. the cloud), and in doing so it helps secure data from attackers and other cybersecurity threats.

Depending on the industry you work in, there are regulations that demand and enforce this, such as HIPAA or PCI-DSS.


Encryption performs four important functions here:

  • Confidentiality: keeps the contents of the data secret
  • Authentication: verifies the origin of the message or data
  • Integrity: validates that the content of the message or data has not been altered since it was sent
  • Nonrepudiation: prevents the sender of the data or message from denying that they were the origin

Most cloud providers offer encryption for data at rest and in transit. Here are some examples of offerings from today’s major cloud providers:

  • AWS uses Key Management Service (KMS) for EBS volumes, S3 objects, RDS databases, Lambda environment variables, Secrets Manager data and more.
  • Azure uses Azure Key Vault, Azure Storage Service Encryption (SSE) and Azure Disk Encryption (ADE) for virtual machine disks, Azure Blob Storage, SQL Database, Azure Files, app secrets and more.
  • Google Cloud uses Cloud Key Management Service (Cloud KMS) for Cloud Storage, Compute Engine disks, BigQuery datasets, Secret Manager entries and more.

Beware that not every service offers this free of charge. A good example is AWS KMS, which bills according to the number of API calls made to encrypt and decrypt data inside services.


Access to your Cloud Environment


To prevent common issues related to credential exposure or compromised access, you need rules that enforce security in the short and long term, like putting guardrails in place. The focus here is the people who regularly access the environment, such as developers, admins, analysts, contractors or even business users from the company.


Passwords, users and groups

Begin with these and expand to more complex solutions, such as SSO (Single Sign-On), later.

  • Enable mandatory MFA (Multi-Factor Authentication) for all users, especially administrators and privileged accounts:
    • Avoid SMS when possible, so you are not exposed to a SIM-swap attack.
    • When possible, use hardware or app-based authentication.


  • Enforce strong password policies, such as:
    • Minimum length (12+ characters) and complexity (uppercase, lowercase, numbers, symbols)
      • S0methingL1k3Th!Sh0uLdB3Fin3
    • Expiration policies for users’ passwords, e.g., 60, 90, 120 days.
    • Repetition policies for users’ passwords, e.g., last 10 passwords are blocked from being used.
    • If your cloud provider supports it, create a ban list so you can be certain that ‘123456’ is not a problem for your cloud anymore (at least not in logins!).
    • Avoid using user accounts for services. Create a separate account just for the specific need you have, and keep the Principle of Least Privilege in mind.


  • Avoid using the root user for daily tasks. Create named accounts and groups with least privilege instead.


  • Audit and rotate access keys regularly, especially for programmatic access.


  • Use IAM roles and groups, not direct user-to-resource permissions.
    • REMEMBER! Just because someone has high privilege in development doesn’t mean they should in production!
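The length, complexity, ban-list and reuse rules listed above, implemented as an added Python example (not code from the original article). The ban list contents and the PBKDF2 iteration count are constructed assumptions; the history store keeps only salted hashes, so old passwords are never held in clear.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Policy values from the article: 12+ characters, all four classes, last 10 blocked.
MIN_LENGTH = 12
HISTORY_DEPTH = 10
BANNED = {"123456", "password", "qwerty", "letmein", "welcome1"}  # constructed ban list
CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "numbers": re.compile(r"[0-9]"),
    "symbols": re.compile(r"[^A-Za-z0-9]"),
}


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash (iteration count is an assumption) so a leaked history cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class PasswordHistory:
    """Keeps only salted hashes of previous passwords, never the plaintext."""
    entries: list = field(default_factory=list)  # (salt, digest) pairs, oldest first

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.entries)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-HISTORY_DEPTH]  # retain only the last 10


def check_password(password: str, history: PasswordHistory) -> list:
    """Return the policy violations for a proposed password ([] means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, rx in CLASSES.items() if not rx.search(password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if password.lower() in BANNED:
        problems.append("on the ban list")
    if history.contains(password):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems
```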


Bonus: Passwords, users and groups


Remember the password I suggested before? There are a lot of tools online that help us evaluate how hard a password is to break. In this example, I used the University of Illinois password strength test, and here is the result below.

ATTENTION: Do not go around putting your real passwords on the internet!

We are here to make your life easier, so here are some quick shortcuts to the configurations mentioned above:


Bonus Round – Enable SSO with External Identity Providers


Once your foundation is in place, and if you have the time and knowledge, you can enable SSO (Single Sign-On) in your cloud provider and set up federation with your Identity Provider (IdP).

This lets users authenticate across all environments with a single account. Of course, you still have to create different profiles (remember that not everyone who is a power user in development should be one in production). Most cloud providers support external identity providers like Azure AD, Google Workspace, Okta, and others, through the SAML or OIDC protocols.

A further bonus is an improved end-user experience and far fewer tickets asking for password changes or resets (yes, this can happen).

Reader: But we have Azure and use Google as our IdP. There is no way we can set this up!

Yes, there actually is!

You can certainly make this work. Here are some examples: 

There are also other solutions such as Okta, Duo, Auth0 and many others that can help you achieve this.


Wrap Up: Security Starts with the Basics


By focusing on encryption, strong identity controls, and proper access policies, you’re already covering many of the weak points attackers love to exploit.

These are foundational steps. Building them properly takes time and experience, but when done right they drastically reduce your risk and give you a reliable platform to grow from.

If you’ve made it this far, thank you for investing your time in strengthening your security posture. We hope this guide helps you get from the starting point to the next one, and that it gives you the basics you need to prepare for the next steps! If you’re eager to learn more about cybersecurity, we’ve got another article you won’t want to miss.

We are here to help you!

Securing your cloud environment doesn’t have to be overwhelming, and you don’t have to go it alone.

Whether you’re looking to implement best practices, set up SSO and federation, or level up your infrastructure security as your company scales, you can count on us. We work with the right professionals to build, maintain, and elevate your cloud game securely and efficiently.

You can use our online team builder or contact us directly!

Thank you for your time, and have a KWAN day!