General Cloud Security
This section covers cross-cutting cloud security topics that apply across all providers. It establishes the shared-responsibility frame, the cloud threat model, the compliance frameworks crosswalk, and the methodology used to select and rate controls across the rest of the corpus.
Domain principles (IAM, network, data protection, logging & detection, workloads, incident response) are introduced here in provider-neutral terms and then mapped onto AWS, Azure, GCP, and OCI primitives in the per-provider sections.
Cloud threat model
Threat modelling in the cloud applies the same first principles as on-premises threat modelling — what is the asset, who wants it, how do they get it — while accounting for cloud-specific access paths: leaked access keys, misconfigured public buckets, over-privileged identities, exposed control-plane APIs, and supply-chain compromise of build pipelines. The page enumerates five adversary classes (opportunistic scanners, credential thieves, supply-chain attackers, insiders, nation-states) and walks through named incident chains for each.
Compliance frameworks crosswalk
Cloud security audits rarely arrive in a single framework dialect: a finance customer asks about ISO/IEC 27001:2022, a federal program asks about NIST SP 800-53 rev5, a board reports against NIST CSF 2.0, and an engineering team configures hardened defaults from a CIS Benchmark. This page documents what each framework is for, which exact version this corpus pins (CIS AWS v3.0.0, CIS Azure v3.0.0, CIS GCP v4.0.0, CIS OCI v2.0.0, NIST 800-53 rev5, ISO 27001:2022, ISO 27017:2015), and where the cross-framework mappings live.
Methodology — how controls are selected and rated
This guide claims technical depth beyond a free CIS Benchmark PDF or a vendor whitepaper. The claim is only credible if a reader can audit the editorial process — how each control is chosen, where its severity comes from, which framework versions back its compliance mappings, and how the page is kept current. The methodology page is that audit trail: source-eligibility rules, severity rubric application, citation-quality requirements, and the build-time validation that enforces them.
Domain principles
- IAM — least privilege, separation of duties, MFA, identity federation, secrets management
- Network — segmentation, default-deny egress, private connectivity, DNS hygiene
- Data Protection — encryption at rest and in transit, key management, classification, backup posture
- Logging & Detection — audit trails, log centralisation, detection engineering, retention
- Workloads — baseline hardening, patching, image provenance, runtime protection
- Incident Response — preparation, containment, eradication, recovery, lessons learned
- GenAI Security — cross-cutting threat model, OWASP LLM Top 10:2025, common misconfigurations, EU AI Act obligations