Security Fundamentals — 🔐 Protecting Data and Access

Cloud security is a shared responsibility. The cloud provider secures the infrastructure, but you secure your applications and data.

🎯 Shared Responsibility Model

Provider Secures          You Secure
─────────────────────────────────────
Servers                   Applications
Network                   Configurations
Power/Cooling             API keys
Data Centers              User access
Hypervisors               Data classification

Key insight: You can't secure data by just relying on the provider. Active security is your responsibility.

💡 Three Core Security Concepts

1. Authentication (Who are you?)

Verify that users are who they claim to be.

Methods:

• Username/password (basic)

• Multi-factor authentication (MFA) (strong)

• OAuth/SAML (federated login)

• API keys (for applications)

Example:

User logs in → Provides username/password
→ Cloud provider verifies → Issues token
→ Token proves authenticated for 24 hours

2. Encryption (Can't read it?)

Data unreadable without the correct key.

In transit: Encrypt data traveling over internet (TLS/SSL)

At rest: Encrypt data stored in database or storage

Example:

Password: "mypassword123"
Encrypted: "$2b$12$R9h7kj42...encrypted..."
Cloud stores encrypted version only

3. Authorization (What can you do?)

Determine what authenticated users are allowed to access.

Methods:

• Role-based access control (RBAC)

• Attribute-based access control (ABAC)

• Policy-based permissions

Example:

Employee (basic role): Can read their own data
Manager (manager role): Can read team data
Admin (admin role): Can read everything and delete

📊 Cloud Security Best Practices

1. Least Privilege Access

Users get minimum permissions needed.

❌ Wrong: "Give everyone admin access"

✅ Right: "Give only necessary permissions"

2. Secure API Keys

Never commit API keys to code. Store in environment variables.

❌ Wrong:
const apiKey = "sk_prod_1234567890"

✅ Right:
const apiKey = process.env.STRIPE_API_KEY

3. Enable MFA

Multi-factor authentication prevents password theft.

Login with password → MFA challenge
→ Confirm with phone → Access granted

4. Encrypt Data

Encrypt sensitive data (passwords, payment info, health data).

5. Audit Logs

Log who accessed what and when.

Admin logs show:
- Alice accessed customer database at 3:15 PM
- Bob uploaded new code at 4:30 PM
- System auto-scaled at 5:00 PM

🎨 Real-World Security Incident

Target Breach (2013): Hackers stole 40 million credit cards.

What happened:

1. Hackers got contractor's VPN credentials

2. Contractor had database access

3. No MFA on contractor account

4. No log monitoring for unusual access

5. Breach undetected for months

Lessons:

• Limit contractor access

• Require MFA

• Monitor access patterns

• Alert on unusual activity

💡 Common Security Mistakes

🔑 Key Takeaways

• ✅ Security is shared responsibility (provider + you)

• ✅ Authentication verifies identity

• ✅ Encryption protects sensitive data

• ✅ Authorization limits what users can do

• ✅ Follow least privilege principle

• ✅ Enable MFA to prevent account theft

• ✅ Monitor logs for suspicious activity

Want production patterns? 🔐 Security Fundamentals (Experienced)