Cloud security worries a lot of business owners, and for good reason — data breaches are expensive and damaging. But cloud security isn't magic. It's a set of practices that, once understood, are straightforward to implement.

Cloud security fundamentals

Cloud security rests on a few core principles:

  • Least privilege: Every user and system should have the minimum access they need to do their job, and nothing more.
  • Defence in depth: Multiple layers of security, so no single failure exposes everything.
  • Encryption: Data should be encrypted when stored (at rest) and when transmitted (in transit).
  • Monitoring: Log access and changes. Detect unusual activity. Alert when things look wrong.

The shared responsibility model

This trips up a lot of businesses. When you use AWS, Azure, or Google Cloud, the provider secures the infrastructure — the physical servers, the network, the hypervisors. But you're responsible for everything you put on top of it.

The provider secures: the physical data centre, the network, the hardware, the base platform services.

You secure: your data, your user accounts, your application code, your configurations, your access policies.

If someone uses a weak password to access your AWS console and deletes your database, that's your problem — not AWS's. In the shared responsibility model, "shared" doesn't mean "they handle it."

Common security mistakes

  • Open storage buckets: S3 buckets or blob storage containers left publicly accessible. This is the most common cause of cloud data breaches, and it's entirely preventable.
  • Overly permissive IAM policies: Users or services with admin-level access when they only need read access. More access means more risk.
  • No MFA: Multi-factor authentication should be mandatory for every user who accesses cloud consoles, full stop.
  • Hardcoded credentials: API keys or database passwords stored in application code. If the code is compromised, so is everything the credentials can access.
  • No logging: If you don't log access and changes, you can't detect breaches or investigate incidents.

Practical security checklist

  1. Enable MFA for all cloud console users
  2. Review IAM policies quarterly — remove access that's no longer needed
  3. Audit storage bucket permissions — nothing public unless intentionally so
  4. Use secrets management (AWS Secrets Manager, Azure Key Vault) instead of hardcoded credentials
  5. Enable access logging across all services
  6. Set up billing alerts — unexpected cost spikes often indicate compromised resources
  7. Encrypt data at rest and in transit
  8. Use private networks (VPCs) to isolate sensitive workloads
  9. Test your backups — restoration, not just creation
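Items 1 and 2 of the checklist can be driven from the account's own user inventory. The script below is an added example (not from the original article) that reviews a CSV laid out like the AWS IAM credential report and flags users who have a console password but no MFA, and active access keys that have never been used or have gone unused for more than 90 days. The report rows, user names and dates are constructed; the 90-day threshold and the fixed "report date" are assumptions made so the example runs the same way every time.

```python
"""Review an IAM credential-report-style CSV for users without MFA and for
access keys that are unused. Added example; the rows are constructed and the
column names follow the AWS credential report layout (subset of columns)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an AWS IAM credential report.
SAMPLE_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,true,true,true,2024-05-20T10:15:00+00:00,false,N/A
bob,true,false,false,N/A,false,N/A
ci-deploy,false,false,true,2024-01-03T00:00:00+00:00,true,2024-05-25T12:00:00+00:00
legacy-svc,false,false,true,N/A,false,N/A
"""

# Assumed date the report was taken, so the age calculation is deterministic.
REPORT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)
# Assumed review window: keys idle longer than this get flagged for removal.
STALE_AFTER = timedelta(days=90)


def _parse_date(value):
    """The report uses N/A or no_information where there is no timestamp."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=REPORT_DATE, stale_after=STALE_AFTER):
    """Return (user, finding) tuples for MFA gaps and idle access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Checklist item 1: every console user must have MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Checklist item 2: access that is no longer used should be removed.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = _parse_date(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, f"access key {n} active but never used"))
            elif now - last_used > stale_after:
                idle_days = (now - last_used).days
                findings.append((user, f"access key {n} unused for {idle_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Run quarterly, a report like this gives the review in item 2 a concrete starting list: each finding is either an account that needs MFA enforced or a key that can be deactivated and, after a grace period, deleted.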

Cloud security isn't about being paranoid. It's about being methodical. Follow the fundamentals, review regularly, and most of the risk disappears.

Kasun Wijayamanna, Founder & Lead Developer, Postgraduate Researcher (AI & RAG), Curtin University - Western Australia