Cloud Security Fundamentals

Infographic: shared responsibility, with the provider securing the infrastructure and the customer securing the data. Checklist: MFA on all cloud accounts; review access permissions; encrypt sensitive data; monitor cloud audit logs.

Understand the shared responsibility model, cloud misconfigurations, and how to secure cloud accounts and data.

Cloud Security Fundamentals

Cloud services like Microsoft 365, AWS, and Google Workspace have transformed how organisations store and process data. But moving to the cloud does not eliminate security responsibility — it redistributes it.

The Shared Responsibility Model

SHARED RESPONSIBILITY MODEL — who is responsible for what?

Layer                  SaaS (e.g. M365)      PaaS (e.g. App Service)   IaaS (e.g. VMs)
Your Data & Users      YOU (always yours)    YOU                       YOU
Identities & Access    YOU                   YOU                       YOU
Applications           PROVIDER              YOU                       YOU
OS / Runtime           PROVIDER              PROVIDER                  YOU
Physical / Network     PROVIDER              PROVIDER                  PROVIDER
⛔ Important
A common misconception: “Microsoft/Google is responsible for my data in the cloud.” The provider secures the infrastructure — but you are always responsible for your own data, who has access to it, and how it is configured. Misconfigured cloud storage has caused some of the largest data breaches in history.

Principle of Least Privilege in the Cloud

Every user, application, and service account should have only the minimum permissions needed for their specific task. In cloud environments, over-permissioning is the most common security mistake:
  • An employee doesn’t need Global Administrator rights to use Microsoft 365
  • A storage bucket containing backups doesn’t need to be publicly accessible
  • A service account running scheduled jobs doesn’t need write access to the entire database
✓ Key Point
In Microsoft 365, regularly review who has Global Administrator and Exchange Administrator roles. These accounts are high-value targets. Apply MFA to all administrator accounts and use Privileged Identity Management (PIM) to activate admin rights only when needed.

Shadow IT and Unsanctioned Cloud Services

Shadow IT is the use of cloud services that IT has not approved. Common examples:
  • Storing work files in a personal Dropbox or Google Drive
  • Using personal email to send/receive work documents
  • Uploading customer data to a free online converter tool
⚠ Warning
When data leaves your organisation’s approved cloud environment, it loses all the security controls your IT team has put in place — access controls, DLP policies, audit logging, and backup. Always use organisation-approved storage and collaboration tools.

Key Cloud Security Settings to Know

Setting                            Why It Matters
MFA on all accounts                Credential theft is the #1 cloud attack vector
External sharing restrictions      Prevent accidental public exposure of files
Conditional Access policies        Block logins from risky locations/devices
Audit logging enabled              Required for incident investigation
Data Loss Prevention (DLP) rules   Detect and block sensitive data leaving the org
Regular access reviews             Remove stale accounts and over-permissioned users
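As an added example (not from the original page or any vendor tool), the Python script below runs the access-review checks described above over a constructed account export: admin roles without MFA, accounts without MFA, permanently assigned admin roles that should be PIM-eligible, and stale accounts. The record schema, the 90-day stale threshold and the example.com accounts are assumptions made for the illustration.

```python
"""Access-review checker over a constructed cloud account export.

The record schema and sample accounts are constructed for this example;
they are not an export from Microsoft 365 or any real tenant.
"""
from dataclasses import dataclass
from datetime import date, timedelta

PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}
STALE_AFTER = timedelta(days=90)   # assumed threshold for "stale"
REVIEW_DATE = date(2024, 5, 3)     # assumed date the review is run


@dataclass
class Account:
    upn: str
    roles: tuple           # directory roles held by the account
    mfa_enabled: bool
    admin_assignment: str  # "permanent", "eligible" (via PIM) or "none"
    last_sign_in: date


def review(accounts, today):
    """Return (upn, severity, finding) tuples, one per issue found."""
    findings = []
    for a in accounts:
        privileged = bool(PRIVILEGED_ROLES & set(a.roles))
        if privileged and not a.mfa_enabled:
            findings.append((a.upn, "critical", "admin role without MFA"))
        elif not a.mfa_enabled:
            findings.append((a.upn, "high", "no MFA"))
        if privileged and a.admin_assignment == "permanent":
            findings.append((a.upn, "high", "permanent admin role; make PIM-eligible"))
        if today - a.last_sign_in > STALE_AFTER:
            findings.append((a.upn, "medium", "stale account; disable or remove"))
    return findings


# Constructed sample export (hypothetical tenant on the example.com domain).
SAMPLE = [
    Account("cfo@example.com", ("Global Administrator",), False, "permanent", date(2024, 5, 1)),
    Account("it.admin@example.com", ("Exchange Administrator",), True, "eligible", date(2024, 5, 2)),
    Account("contractor@example.com", (), True, "none", date(2023, 11, 30)),
    Account("staff@example.com", (), False, "none", date(2024, 5, 3)),
]


def review_sample():
    """Run the review over the constructed export as of REVIEW_DATE."""
    return review(SAMPLE, REVIEW_DATE)


if __name__ == "__main__":
    for upn, severity, what in review_sample():
        print(f"{severity:8} {upn}: {what}")
```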
Who’s actually securing your cloud?
Microsoft secures the servers — but your data, your accounts, and your sharing settings are on you, and misconfiguration is how most cloud breaches happen. Mobile Techs IT Service helps Gold Coast businesses lock down their side of the shared responsibility model: Microsoft 365 security reviews, MFA and conditional access rollout, admin role and permission audits, external sharing controls, and proper cloud backup. Home users welcome too — on-site or remote, anywhere in Australia.