<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-GB">
	<id>https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=Cloud_Security_Architecture</id>
	<title>Cloud Security Architecture - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://knowledgebase.pirho.net/index.php?action=history&amp;feed=atom&amp;title=Cloud_Security_Architecture"/>
	<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=Cloud_Security_Architecture&amp;action=history"/>
	<updated>2026-07-11T14:06:46Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.43.0</generator>
	<entry>
		<id>https://knowledgebase.pirho.net/index.php?title=Cloud_Security_Architecture&amp;diff=432&amp;oldid=prev</id>
		<title>Dex at 07:01, 6 July 2026</title>
		<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=Cloud_Security_Architecture&amp;diff=432&amp;oldid=prev"/>
		<updated>2026-07-06T07:01:18Z</updated>

		<summary type="html">&lt;p&gt;&lt;/p&gt;
&lt;a href=&quot;https://knowledgebase.pirho.net/index.php?title=Cloud_Security_Architecture&amp;amp;diff=432&amp;amp;oldid=429&quot;&gt;Show changes&lt;/a&gt;</summary>
		<author><name>Dex</name></author>
	</entry>
	<entry>
		<id>https://knowledgebase.pirho.net/index.php?title=Cloud_Security_Architecture&amp;diff=429&amp;oldid=prev</id>
		<title>Dex: Created page with &quot;== Introduction ==  Cloud Security Architecture is the structured design of security controls, policies, technologies, and operational processes intended to protect cloud-based systems, applications, data, and services. It provides a framework for securing cloud environments while supporting business objectives such as scalability, availability, performance, compliance, and cost efficiency.  As organisations increasingly migrate workloads to public, private, and hybrid c...&quot;</title>
		<link rel="alternate" type="text/html" href="https://knowledgebase.pirho.net/index.php?title=Cloud_Security_Architecture&amp;diff=429&amp;oldid=prev"/>
		<updated>2026-07-06T06:54:37Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;== Introduction ==  Cloud Security Architecture is the structured design of security controls, policies, technologies, and operational processes intended to protect cloud-based systems, applications, data, and services. It provides a framework for securing cloud environments while supporting business objectives such as scalability, availability, performance, compliance, and cost efficiency.  As organisations increasingly migrate workloads to public, private, and hybrid c...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;== Introduction ==&lt;br /&gt;
&lt;br /&gt;
Cloud Security Architecture is the structured design of security controls, policies, technologies, and operational processes intended to protect cloud-based systems, applications, data, and services. It provides a framework for securing cloud environments while supporting business objectives such as scalability, availability, performance, compliance, and cost efficiency.&lt;br /&gt;
&lt;br /&gt;
As organisations increasingly migrate workloads to public, private, and hybrid cloud platforms, security architecture has become a fundamental discipline that ensures the confidentiality, integrity, and availability of information assets across distributed and often globally accessible environments.&lt;br /&gt;
&lt;br /&gt;
Cloud Security Architecture combines traditional information security principles with cloud-native technologies and operational practices to create a resilient and adaptable security posture.&lt;br /&gt;
&lt;br /&gt;
== Objectives ==&lt;br /&gt;
&lt;br /&gt;
The primary objectives of Cloud Security Architecture include:&lt;br /&gt;
&lt;br /&gt;
* Protecting sensitive information and business assets.&lt;br /&gt;
* Ensuring regulatory and legal compliance.&lt;br /&gt;
* Managing risk associated with cloud adoption.&lt;br /&gt;
* Enabling secure digital transformation initiatives.&lt;br /&gt;
* Supporting business continuity and disaster recovery.&lt;br /&gt;
* Preventing unauthorised access to systems and data.&lt;br /&gt;
* Detecting and responding to threats in real-time.&lt;br /&gt;
* Maintaining trust with customers, partners, and stakeholders.&lt;br /&gt;
&lt;br /&gt;
== Shared Responsibility Model ==&lt;br /&gt;
&lt;br /&gt;
A fundamental concept in cloud security is the &amp;#039;&amp;#039;&amp;#039;Shared Responsibility Model&amp;#039;&amp;#039;&amp;#039;, which defines the division of security responsibilities between the cloud provider and the customer.&lt;br /&gt;
&lt;br /&gt;
=== Cloud Provider Responsibilities ===&lt;br /&gt;
&lt;br /&gt;
Typically include:&lt;br /&gt;
&lt;br /&gt;
* Physical data centre security.&lt;br /&gt;
* Hardware security.&lt;br /&gt;
* Network infrastructure protection.&lt;br /&gt;
* Hypervisor security.&lt;br /&gt;
* Availability of cloud services.&lt;br /&gt;
&lt;br /&gt;
=== Customer Responsibilities ===&lt;br /&gt;
&lt;br /&gt;
Typically include:&lt;br /&gt;
&lt;br /&gt;
* Identity and access management.&lt;br /&gt;
* Data protection and classification.&lt;br /&gt;
* Operating system security (Infrastructure as a Service).&lt;br /&gt;
* Application security.&lt;br /&gt;
* Configuration management.&lt;br /&gt;
* Security monitoring and governance.&lt;br /&gt;
&lt;br /&gt;
The exact allocation of responsibilities varies depending on the cloud service model.&lt;br /&gt;
&lt;br /&gt;
== Cloud Service Models ==&lt;br /&gt;
&lt;br /&gt;
=== Infrastructure as a Service (IaaS) ===&lt;br /&gt;
&lt;br /&gt;
Provides customers with virtualised infrastructure components including:&lt;br /&gt;
&lt;br /&gt;
* Virtual machines.&lt;br /&gt;
* Storage services.&lt;br /&gt;
* Networking components.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Microsoft Azure Virtual Machines.&lt;br /&gt;
* Amazon EC2.&lt;br /&gt;
* Google Compute Engine.&lt;br /&gt;
&lt;br /&gt;
Customers are responsible for securing operating systems, applications, and data.&lt;br /&gt;
&lt;br /&gt;
=== Platform as a Service (PaaS) ===&lt;br /&gt;
&lt;br /&gt;
Provides managed platforms for application development and deployment.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Azure App Services.&lt;br /&gt;
* Azure SQL Database.&lt;br /&gt;
* Google App Engine.&lt;br /&gt;
&lt;br /&gt;
Security responsibilities shift toward application and data protection.&lt;br /&gt;
&lt;br /&gt;
=== Software as a Service (SaaS) ===&lt;br /&gt;
&lt;br /&gt;
Provides fully managed applications delivered over the internet.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Microsoft 365.&lt;br /&gt;
* Salesforce.&lt;br /&gt;
* ServiceNow.&lt;br /&gt;
&lt;br /&gt;
Customers primarily focus on access control, data governance, and compliance.&lt;br /&gt;
&lt;br /&gt;
== Core Architectural Principles ==&lt;br /&gt;
&lt;br /&gt;
=== Defence in Depth ===&lt;br /&gt;
&lt;br /&gt;
Defence in Depth employs multiple layers of security controls to prevent a single point of failure.&lt;br /&gt;
&lt;br /&gt;
Typical layers include:&lt;br /&gt;
&lt;br /&gt;
# Physical Security&lt;br /&gt;
# Network Security&lt;br /&gt;
# Perimeter Security&lt;br /&gt;
# Identity Security&lt;br /&gt;
# Endpoint Security&lt;br /&gt;
# Application Security&lt;br /&gt;
# Data Security&lt;br /&gt;
# Monitoring and Response&lt;br /&gt;
&lt;br /&gt;
=== Zero Trust ===&lt;br /&gt;
&lt;br /&gt;
Zero Trust assumes that no user, device, application, or network should be automatically trusted.&lt;br /&gt;
&lt;br /&gt;
Core principles include:&lt;br /&gt;
&lt;br /&gt;
* Verify explicitly.&lt;br /&gt;
* Use least privilege access.&lt;br /&gt;
* Assume breach.&lt;br /&gt;
* Continuously validate trust.&lt;br /&gt;
* Monitor all activity.&lt;br /&gt;
&lt;br /&gt;
=== Least Privilege ===&lt;br /&gt;
&lt;br /&gt;
Users and systems should only receive the minimum permissions necessary to perform required tasks.&lt;br /&gt;
&lt;br /&gt;
Benefits include:&lt;br /&gt;
&lt;br /&gt;
* Reduced attack surface.&lt;br /&gt;
* Lower risk of privilege escalation.&lt;br /&gt;
* Improved compliance.&lt;br /&gt;
&lt;br /&gt;
=== Secure by Design ===&lt;br /&gt;
&lt;br /&gt;
Security requirements should be integrated during system design rather than added after deployment.&lt;br /&gt;
&lt;br /&gt;
This includes:&lt;br /&gt;
&lt;br /&gt;
* Threat modelling.&lt;br /&gt;
* Security architecture reviews.&lt;br /&gt;
* Security testing.&lt;br /&gt;
* Secure coding practices.&lt;br /&gt;
&lt;br /&gt;
== Cloud Security Domains ==&lt;br /&gt;
&lt;br /&gt;
=== Identity and Access Management ===&lt;br /&gt;
&lt;br /&gt;
Identity is the primary security perimeter in modern cloud environments.&lt;br /&gt;
&lt;br /&gt;
Key controls include:&lt;br /&gt;
&lt;br /&gt;
* Multi-Factor Authentication (MFA).&lt;br /&gt;
* Conditional Access Policies.&lt;br /&gt;
* Single Sign-On (SSO).&lt;br /&gt;
* Privileged Identity Management (PIM).&lt;br /&gt;
* Role-Based Access Control (RBAC).&lt;br /&gt;
* Federated Authentication.&lt;br /&gt;
&lt;br /&gt;
=== Network Security ===&lt;br /&gt;
&lt;br /&gt;
Cloud network security controls protect communication between resources.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Virtual Networks.&lt;br /&gt;
* Network Security Groups.&lt;br /&gt;
* Firewalls.&lt;br /&gt;
* Web Application Firewalls (WAF).&lt;br /&gt;
* Private Endpoints.&lt;br /&gt;
* VPN Gateways.&lt;br /&gt;
* Bastion Hosts.&lt;br /&gt;
&lt;br /&gt;
=== Data Security ===&lt;br /&gt;
&lt;br /&gt;
Data protection measures focus on securing information throughout its lifecycle.&lt;br /&gt;
&lt;br /&gt;
Controls typically include:&lt;br /&gt;
&lt;br /&gt;
* Encryption at rest.&lt;br /&gt;
* Encryption in transit.&lt;br /&gt;
* Encryption in use.&lt;br /&gt;
* Key Management Systems.&lt;br /&gt;
* Data Loss Prevention (DLP).&lt;br /&gt;
* Information Classification.&lt;br /&gt;
* Data Retention Policies.&lt;br /&gt;
&lt;br /&gt;
=== Application Security ===&lt;br /&gt;
&lt;br /&gt;
Application security protects software workloads deployed in cloud environments.&lt;br /&gt;
&lt;br /&gt;
Key techniques include:&lt;br /&gt;
&lt;br /&gt;
* Secure Development Lifecycle (SDLC).&lt;br /&gt;
* Static Application Security Testing (SAST).&lt;br /&gt;
* Dynamic Application Security Testing (DAST).&lt;br /&gt;
* Dependency Scanning.&lt;br /&gt;
* API Security.&lt;br /&gt;
* Secure Code Reviews.&lt;br /&gt;
&lt;br /&gt;
=== Endpoint Security ===&lt;br /&gt;
&lt;br /&gt;
Endpoints connecting to cloud services require protection through:&lt;br /&gt;
&lt;br /&gt;
* Endpoint Detection and Response (EDR).&lt;br /&gt;
* Anti-malware solutions.&lt;br /&gt;
* Device compliance policies.&lt;br /&gt;
* Mobile Device Management (MDM).&lt;br /&gt;
* Device encryption.&lt;br /&gt;
&lt;br /&gt;
=== Security Operations ===&lt;br /&gt;
&lt;br /&gt;
Security operations provide visibility into cloud environments.&lt;br /&gt;
&lt;br /&gt;
Capabilities include:&lt;br /&gt;
&lt;br /&gt;
* Log aggregation.&lt;br /&gt;
* Security Information and Event Management (SIEM).&lt;br /&gt;
* Security Orchestration, Automation and Response (SOAR).&lt;br /&gt;
* Threat Intelligence.&lt;br /&gt;
* Incident Response.&lt;br /&gt;
* Security Analytics.&lt;br /&gt;
&lt;br /&gt;
== Security Architecture Components ==&lt;br /&gt;
&lt;br /&gt;
=== Governance Layer ===&lt;br /&gt;
&lt;br /&gt;
Provides strategic oversight through:&lt;br /&gt;
&lt;br /&gt;
* Security policies.&lt;br /&gt;
* Security standards.&lt;br /&gt;
* Risk management frameworks.&lt;br /&gt;
* Compliance controls.&lt;br /&gt;
* Audit programmes.&lt;br /&gt;
&lt;br /&gt;
=== Control Layer ===&lt;br /&gt;
&lt;br /&gt;
Implements technical and administrative controls.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Access controls.&lt;br /&gt;
* Monitoring controls.&lt;br /&gt;
* Encryption controls.&lt;br /&gt;
* Configuration standards.&lt;br /&gt;
&lt;br /&gt;
=== Monitoring Layer ===&lt;br /&gt;
&lt;br /&gt;
Provides continuous operational visibility.&lt;br /&gt;
&lt;br /&gt;
Includes:&lt;br /&gt;
&lt;br /&gt;
* Log collection.&lt;br /&gt;
* Event monitoring.&lt;br /&gt;
* Alerting mechanisms.&lt;br /&gt;
* Threat detection systems.&lt;br /&gt;
&lt;br /&gt;
=== Response Layer ===&lt;br /&gt;
&lt;br /&gt;
Manages security incidents through:&lt;br /&gt;
&lt;br /&gt;
* Incident response plans.&lt;br /&gt;
* Security playbooks.&lt;br /&gt;
* Automated remediation.&lt;br /&gt;
* Forensic investigations.&lt;br /&gt;
&lt;br /&gt;
== Cloud Security Technologies ==&lt;br /&gt;
&lt;br /&gt;
Common technologies within modern cloud architectures include:&lt;br /&gt;
&lt;br /&gt;
* Microsoft Defender for Cloud.&lt;br /&gt;
* Microsoft Sentinel.&lt;br /&gt;
* Azure Firewall.&lt;br /&gt;
* Azure Key Vault.&lt;br /&gt;
* Azure DDoS Protection.&lt;br /&gt;
* AWS GuardDuty.&lt;br /&gt;
* AWS Security Hub.&lt;br /&gt;
* Google Security Command Center.&lt;br /&gt;
* CrowdStrike Falcon.&lt;br /&gt;
* Palo Alto Prisma Cloud.&lt;br /&gt;
&lt;br /&gt;
== Common Threats ==&lt;br /&gt;
&lt;br /&gt;
=== Misconfiguration ===&lt;br /&gt;
&lt;br /&gt;
One of the most significant causes of cloud security incidents.&lt;br /&gt;
&lt;br /&gt;
Examples include:&lt;br /&gt;
&lt;br /&gt;
* Publicly accessible storage.&lt;br /&gt;
* Excessive permissions.&lt;br /&gt;
* Open network ports.&lt;br /&gt;
&lt;br /&gt;
=== Credential Theft ===&lt;br /&gt;
&lt;br /&gt;
Compromised credentials may allow attackers to gain access to cloud resources.&lt;br /&gt;
&lt;br /&gt;
Mitigation techniques include:&lt;br /&gt;
&lt;br /&gt;
* MFA.&lt;br /&gt;
* Passwordless authentication.&lt;br /&gt;
* Conditional Access.&lt;br /&gt;
&lt;br /&gt;
=== Insider Threats ===&lt;br /&gt;
&lt;br /&gt;
May originate from employees, contractors, or partners who misuse legitimate access.&lt;br /&gt;
&lt;br /&gt;
=== Supply Chain Attacks ===&lt;br /&gt;
&lt;br /&gt;
Compromise of software, services, or third-party dependencies used within cloud environments.&lt;br /&gt;
&lt;br /&gt;
=== Ransomware ===&lt;br /&gt;
&lt;br /&gt;
Attackers may target cloud-hosted workloads, backup systems, or synchronised data repositories.&lt;br /&gt;
&lt;br /&gt;
== Compliance and Regulatory Considerations ==&lt;br /&gt;
&lt;br /&gt;
Cloud Security Architecture often supports compliance with standards and regulations including:&lt;br /&gt;
&lt;br /&gt;
* ISO 27001&lt;br /&gt;
* ISO 27017&lt;br /&gt;
* ISO 27018&lt;br /&gt;
* SOC 2&lt;br /&gt;
* PCI-DSS&lt;br /&gt;
* GDPR&lt;br /&gt;
* HIPAA&lt;br /&gt;
* NIST Cybersecurity Framework&lt;br /&gt;
* NIST SP 800-53&lt;br /&gt;
&lt;br /&gt;
Compliance should be considered throughout the solution lifecycle rather than as a final validation exercise.&lt;br /&gt;
&lt;br /&gt;
== Cloud Security Architecture Lifecycle ==&lt;br /&gt;
&lt;br /&gt;
=== 1. Assessment ===&lt;br /&gt;
&lt;br /&gt;
Identify:&lt;br /&gt;
&lt;br /&gt;
* Assets.&lt;br /&gt;
* Risks.&lt;br /&gt;
* Threats.&lt;br /&gt;
* Compliance requirements.&lt;br /&gt;
&lt;br /&gt;
=== 2. Design ===&lt;br /&gt;
&lt;br /&gt;
Develop:&lt;br /&gt;
&lt;br /&gt;
* Security controls.&lt;br /&gt;
* Trust boundaries.&lt;br /&gt;
* Network architecture.&lt;br /&gt;
* Identity architecture.&lt;br /&gt;
&lt;br /&gt;
=== 3. Implementation ===&lt;br /&gt;
&lt;br /&gt;
Deploy:&lt;br /&gt;
&lt;br /&gt;
* Security technologies.&lt;br /&gt;
* Policies.&lt;br /&gt;
* Monitoring capabilities.&lt;br /&gt;
&lt;br /&gt;
=== 4. Validation ===&lt;br /&gt;
&lt;br /&gt;
Perform:&lt;br /&gt;
&lt;br /&gt;
* Vulnerability assessments.&lt;br /&gt;
* Penetration testing.&lt;br /&gt;
* Architecture reviews.&lt;br /&gt;
&lt;br /&gt;
=== 5. Operations ===&lt;br /&gt;
&lt;br /&gt;
Maintain:&lt;br /&gt;
&lt;br /&gt;
* Monitoring.&lt;br /&gt;
* Incident response.&lt;br /&gt;
* Change management.&lt;br /&gt;
&lt;br /&gt;
=== 6. Continuous Improvement ===&lt;br /&gt;
&lt;br /&gt;
Review and enhance controls based on:&lt;br /&gt;
&lt;br /&gt;
* Emerging threats.&lt;br /&gt;
* Business changes.&lt;br /&gt;
* Security incidents.&lt;br /&gt;
* Regulatory updates.&lt;br /&gt;
&lt;br /&gt;
== Emerging Trends ==&lt;br /&gt;
&lt;br /&gt;
Several trends are shaping the future of Cloud Security Architecture:&lt;br /&gt;
&lt;br /&gt;
* AI-assisted threat detection.&lt;br /&gt;
* Security Copilots and automated investigations.&lt;br /&gt;
* Extended Detection and Response (XDR).&lt;br /&gt;
* Cloud-Native Application Protection Platforms (CNAPP).&lt;br /&gt;
* Secure Access Service Edge (SASE).&lt;br /&gt;
* Security Service Edge (SSE).&lt;br /&gt;
* Confidential Computing.&lt;br /&gt;
* Post-Quantum Cryptography preparedness.&lt;br /&gt;
* Identity-first security models.&lt;br /&gt;
&lt;br /&gt;
== Best Practices ==&lt;br /&gt;
&lt;br /&gt;
* Adopt a Zero Trust strategy.&lt;br /&gt;
* Enable Multi-Factor Authentication everywhere possible.&lt;br /&gt;
* Apply least privilege access principles.&lt;br /&gt;
* Encrypt sensitive data.&lt;br /&gt;
* Continuously monitor cloud environments.&lt;br /&gt;
* Automate security operations where appropriate.&lt;br /&gt;
* Conduct regular security reviews.&lt;br /&gt;
* Maintain comprehensive logging.&lt;br /&gt;
* Implement robust backup and recovery procedures.&lt;br /&gt;
* Integrate security throughout the development lifecycle.&lt;br /&gt;
&lt;br /&gt;
== Conclusion ==&lt;br /&gt;
&lt;br /&gt;
Cloud Security Architecture provides the strategic and technical foundation required to secure modern cloud environments. By integrating governance, identity, data protection, monitoring, and incident response capabilities into a cohesive architecture, organisations can confidently leverage cloud technologies while managing risk and maintaining compliance. Successful cloud security architecture is not a one-time project but an ongoing discipline that evolves alongside threats, technologies, and business requirements.&lt;br /&gt;
&lt;br /&gt;
[[Category:Cloud Computing]]&lt;br /&gt;
[[Category:Cyber Security]]&lt;br /&gt;
[[Category:Enterprise Architecture]]&lt;br /&gt;
[[Category:Information Security]]&lt;br /&gt;
[[Category:Microsoft Azure]]&lt;br /&gt;
[[Category:Infrastructure]]&lt;/div&gt;</summary>
		<author><name>Dex</name></author>
	</entry>
</feed>