Security & Compliance Basics

Cloud Platform Fundamentals

Chapter 10 · Security & Compliance Basics

Security Is a Thread, Not a Single Chapter

Real security material has already run through this course from the start — Chapter 1's shared responsibility model, Chapter 5's security groups and NACLs, Chapter 6's IAM/least privilege/MFA. This chapter pulls together what's left: encryption specifically, and a brief compliance overview — connecting directly into this site's own dedicated crypto1, dbsec1, and owasp1 security courses, rather than re-covering ground already handled.

Encryption at Rest

Directly building on crypto1-5/crypto1-6 and dbsec1-5: data encrypted while stored on disk. Cloud providers typically offer this as a simple default-on option for storage services (Chapter 4) and managed databases (Chapter 7) — the provider handles key generation and management by default (a provider-managed key), or a customer-managed key can be used instead, via a Key Management Service, for more control at the cost of more operational responsibility.

Encryption at rest doesn't replace access control
Restating a point directly from crypto1-6: encryption at rest protects against a physically stolen disk — it does not protect against a compromised application or IAM credential that already has legitimate access to decrypt and read the data. Encryption is not a substitute for the access control covered in Chapter 6; they're two separate layers of defense, both needed.

Encryption in Transit

Directly building on https1/crypto1 and dbsec1-6: TLS protecting data moving over the network, both between users and services and between services themselves. Most managed services (Chapter 7) support or enforce TLS connections by default today. A genuinely common misconfiguration worth flagging explicitly: an application connecting to a managed database without actually enforcing TLS, even though the option is available — "available" and "enforced" are different things, worth checking directly rather than assuming.

Key Management Services (KMS)

Expanding the customer-managed-key point above: AWS KMS, Azure Key Vault, and GCP Cloud KMS centralize encryption key generation, storage, and rotation — directly applying crypto1-11's key management material to a specific product category. One genuinely important nuance: who can use a key to encrypt or decrypt is itself governed by IAM policies (Chapter 6) — key access and data access are two separate permission layers, and both need to be correctly configured for encryption to actually mean anything as a control.

Security Groups, NSGs & Firewalls, Revisited

A brief callback to Chapter 5 rather than re-teaching it: the network-layer security control. This chapter adds one thing Chapter 5 didn't cover — a Web Application Firewall (WAF), a Layer 7 control sitting in front of a web application, filtering malicious HTTP requests. This connects directly to this site's xss1/sqli1 courses' own attack categories: a WAF is a genuine defense-in-depth layer against exactly those attack types, not a replacement for actually fixing the underlying application vulnerability — echoing owasp1's own recurring theme that no single defense replaces properly handling the root cause.

Compliance Frameworks — A Brief Overview

Not a deep dive — just orientation to frameworks a support engineer is likely to hear referenced:

FrameworkScope
SOC 2A common enterprise vendor-trust standard
PCI DSSPayment card data
HIPAAUS health data
GDPREU data protection

The general pattern across all of them: specific technical and procedural requirements for how sensitive data is handled, stored, and audited. Providers offer compliance certifications for their own infrastructure — the "of the cloud" side of Chapter 1's shared responsibility model — but using a compliant provider does not automatically make a customer's own application or configuration compliant. The "in the cloud" half of that responsibility remains entirely the customer's.

A Support-Relevant Distinction — "Is This Compliant?" Isn't a Simple Yes/No

Tying shared responsibility and compliance together directly: a customer asking "is your platform HIPAA compliant" often really means "is my specific configuration compliant" — which depends on things only they control (IAM policies, encryption settings, data handling practices), not just which provider they're using. Being able to explain this clearly, rather than giving a false blanket "yes" or "no," is a genuinely useful support skill.

Provider compliance certification ≠ automatic customer compliance
A provider's SOC 2/HIPAA/PCI DSS certification covers their own infrastructure and operational practices — it says nothing about whether a specific customer's own IAM policies, encryption settings, or application code meet that same standard. The "in the cloud" half of the shared responsibility model (Chapter 1) is still entirely the customer's to get right.

Hands-On Exercises

Exercise 1

Explain what encryption at rest protects against, and what it does not protect against — specifically contrasting a stolen physical disk with a compromised credential that already has legitimate decrypt access.

📄 View solution
Exercise 2

Explain why "our cloud provider is SOC 2 / HIPAA / PCI DSS certified" doesn't automatically mean a customer's own application built on that provider is compliant.

📄 View solution
Exercise 3

A team has already fixed a SQL injection vulnerability directly in their application code. Explain why deploying a WAF in front of the application is still worth doing, even after the "real" fix is already in place.

📄 View solution

Chapter 10 Quick Reference

  • This chapter fills the gaps left by earlier security-adjacent chapters (Ch.1, Ch.5, Ch.6), not a full security course — see crypto1/dbsec1/owasp1 for depth
  • Encryption at rest — provider-managed or customer-managed (KMS) keys; protects against stolen disks, not against a compromised credential with legitimate access
  • Encryption in transit — TLS; "available" and "enforced" are different things, worth verifying explicitly
  • KMS — key access (IAM) and data access are two separate permission layers, both must be correctly configured
  • WAF — a Layer 7 defense-in-depth layer against attacks like XSS/SQLi, never a substitute for fixing the underlying vulnerability
  • Compliance frameworks (SOC 2/PCI DSS/HIPAA/GDPR) — provider certification covers only the "of the cloud" half; the customer's own configuration is still entirely their responsibility
  • Next chapter: Infrastructure as Code — A First Look — CloudFormation/ARM-Bicep/Terraform conceptually