
December 11, 2025 27 mins

professorjrod@gmail.com

In this episode of Technology Tap: CompTIA Study Guide, we dive deep into cloud security fundamentals, perfect for those preparing for the CompTIA Security+ exam. Join our study group as we explore the shifting security landscape from locked server rooms to identity-based perimeters and data distributed across regions. This practical, Security+-ready guide connects architecture choices to real risks and concrete defenses, offering valuable IT certification tips and tech exam prep strategies. Whether you're focused on your CompTIA exam or looking to enhance your IT skills development, this episode provides essential insights to help you succeed in technology education and advance your career.

We start by grounding the why: elasticity, pay-per-use costs, and resilience pushed organizations toward public, private, community, and hybrid clouds. From there, we map service models—SaaS, PaaS, IaaS, and XaaS—and the responsibilities each one assigns. You’ll hear how thin clients reduce device risk, why a transit gateway can become a blast radius, and where serverless trims surface area while complicating visibility. Misunderstanding the shared responsibility model remains the leading cause of breaches, so we spell out exactly what providers secure and what you must own.

Identity becomes the new perimeter, so we detail IAM guardrails: least privilege, no shared admins, MFA on every privileged account, short-lived credentials, and continuous auditing. We cover encryption in all three states with AES-256, TLS 1.3, HSMs, and customer-managed keys, then add CASB for SaaS control and SASE to bring ZTNA, FWaaS, and DLP to the edge where users actually work. Virtualization and containers deliver speed and density but expand the attack surface: VM escapes, snapshot theft, and poisoned images require hardened hypervisors, signed artifacts, private registries, secret management, and runtime policy. Hybrid and multi-cloud introduce inconsistent IAM and fragmented logging—centralized identity, unified SIEM, CSPM, and infrastructure-as-code guardrails bring discipline back.

We wrap with the patterns attackers exploit—public storage exposure, stolen API keys, unencrypted backups, and supply chain compromises—and the operating principles that stop them: zero trust, verification over assumption, and automation that responds at machine speed. Stick around for four rapid Security+ practice questions to test your skills and cement the concepts.

If this helped you study or sharpen your cloud strategy, follow and subscribe, share it with a teammate, and leave a quick review telling us which control you’ll deploy first.



Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions

Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_01 (00:29):
And welcome to Technology Tap.
I'm Professor J Rod.
In this episode, Cloud and Virtualization, let's tap in.

(01:09):
Hi, this is Professor J Rod.
Welcome to Technology Tap.
For those of you not familiar with this podcast, in this
podcast, we do I try to help my students with their A Plus,
Network Plus, Security Plus.
And coming soon, Tech Plus.
So if you want to follow me, you can follow me at Instagram at
Professor J Rod at TikTok at Professor J Rod LinkedIn.

(01:33):
Look me up under Professor Jrod.
And I'm also, if you want to buy me a coffee, those who know me
know that I love coffee.
You can go to buymeacoffee.com slash professor J Rod.
Alright, on this episode, we're going to talk about cloud and
virtualization.
There was a time when every computer program lived inside

(01:56):
one machine: one hard drive, one building, one locked server
room.
But today, your data can live in Virginia, Oregon, Ireland,
Singapore, and a backup copy in another hemisphere all at once.
Welcome to the age of cloud computing.
Today we're gonna do a deep dive into cloud and virtualization

(02:17):
security, one of the most important domains of the CompTIA
Security Plus exam.
This is the story of how computing left the building, how
virtualization reshaped infrastructure, how security
followed behind at full sprint, and why misconfiguration, not
malware, is the number one cloud threat.

(02:38):
Let's tap in.
What is cloud computing really?
Cloud computing is defined as on-demand network access to
a shared pool of configurable computing resources.
Those resources include servers, storage, database, networking,
applications, analytics, and intelligence services.

(03:02):
And the organizations that sell these, they are called cloud
service providers.
For example, Amazon Web Services, Microsoft Azure,
Google Cloud Platform, Oracle Cloud, IBM Cloud.
Cloud computing exists because it solves four massive business
problems.
Elasticity, scale instantly, scalability, grow without

(03:27):
rebuilding, pay per use, no capital hardware costs, and
resiliency, fail over automatically.
Or in plain English, you don't buy the data center, you rent
the power of one.
The four types of cloud.
Security Plus exam requires you to master four cloud types.

(03:48):
Public cloud, owned by a provider, shared infrastructure,
internet access, cheap, highly scalable.
Examples AWS, Azure, Google Cloud.
Security risk, their multi-tenant exposure and
misconfiguration.
Private cloud, owned by one organization, on-premise or

(04:10):
hosted, high control, high cost.
Security advantage, full control of data.
Community cloud shared between similar organizations, example,
hospital, universities, financial institutions, security
focused, regulatory compliance, and hybrid cloud combines public

(04:32):
and private.
Most common real-world deployment used for burst
computing, backup, disaster recovery, sensitive workloads.
Biggest security challenge, data movement between trusted zones.
Cloud locations and decentralized computing.

(04:52):
Cloud computing is not centralized.
It operates in a decentralized geographic model.
This means regions, availability zones, redundant replicas,
global load balancing, security implications, and an
outage in one city no longer means a system-wide outage
unless your security architecture is poorly designed.

(05:16):
Cloud architecture concepts.
In the Security Plus exam, there are three major architectural
technologies that dominate.
One is the thin client.
A thin client has no processing power, boots from cloud servers,
and stores no permanent data.
Security advantage, stolen device equals no stolen data.

(05:39):
Right?
Because everything's on the cloud.
There's nothing on the client.
Transit gateways connects multiple VPCs, data centers,
branch offices, VPN.
Security risk, single misconfigured gateway can expose
the entire enterprise.
Serverless infrastructure, also called function as a service.

(06:01):
You deploy code while the provider manages servers, RAMs,
OS, and patching.
Security advantage, reduce attack surface, security risk,
visibility of blind spots.
And the four you have four cloud service models.
These are the ones that are most tested on the exam.

(06:22):
First one is SaaS Software as a service.
You use email, CRM, office tools.
You manage users, passwords, and the data.
Vendor manages everything else.
Example, Office 365, Google Workspace, Salesforce.
Next, we have PaaS Platform as a Service.

(06:43):
You deploy your own application.
Vendor manages OS, runtime, patching, database platform, and
it's perfect for developers.
IaaS infrastructure as a service, you control the OS, the
patching, the firewall, and the application.
The vendor controls the physical hardware.
And this leads to maximum flexibility and maximum

(07:06):
responsibility.
And XaaS, anything as a service, everything, cybersecurity, DRaaS,
DBaaS, ALS, and storage as a service.
Next, let's talk about cloud management and service
providers.
Cloud management can be handled by local IT staff, managed

(07:29):
service providers, or managed security service providers.
MSSPs provide 24-7 monitoring, SIEM, SOC, threat hunting,
incident response, especially critical for small business,
healthcare, education, and financial services.
Monolith versus microservices, Monolith applications, one

(07:51):
massive code base, all services tightly linked, one crash equals
everything crashes.
Microservices, small specialized service, each with its own log,
authentication, database, and APIs.
Faster updates, better scalability, more attack
surface, and API security becomes mission critical.

(08:19):
So we define deployment models, service models, cloud locations,
microservices, and the business that and the business forces
that pushed computing off physical servers and into the
virtual infrastructure.
Now we secure it because the moment data leaves your
building, trust becomes architecture and architecture
becomes survival.

(08:41):
Cloud security, architecture, and control.
The shared responsibility model.
The most dangerous misunderstanding in cloud
security.
The number one cause of cloud breaches is not hacking, it's
misunderstanding responsibility.
Every cloud provider uses a shared responsibility model,

(09:02):
meaning the provider shares secures the cloud, the customer
secures what's in the cloud.
Provider always secure the physical building, the power,
the HVAC system, the physical server, the storage hardware,
then the fiber backbones.
You secure, depending on if you're using IaaS, PaaS or SaaS,
identities, passwords, access control, encryption, data

(09:26):
classification, firewall rules, patching, antivirus, and
application security.
Real world breach problem.
A company exposed millions of records because AWS secured the
hardware, but the company left an S3 bucket public.
No malware, no hackers, just misconfiguration.

(09:49):
Identity is the new perimeter.
In cloud security, the firewall is no longer the perimeter.
Identity is.
Cloud platform relies on identity and access management,
role-based access control, least privilege, multi-factor
authentication, and API tokens.

(10:08):
Core IAM security rules: no shared admin accounts, no
permanent access keys, MFA on all privileged users, role-based
permission only and continuous auditing.

(10:22):
Breach scenario: an exposed API key in GitHub allows attackers to
spin up servers and mine crypto and rack up $100,000 in cloud
charges.
Cloud security failures now cost money by the minute.
Encryption in the cloud must be protected in three states.

(10:45):
Cloud data exists in three different states: data at rest,
stored on disk, data in transit when it's moving across the
networks, and data in use when it's being processed in memory.
Cloud encryption best practice, AES 256 for storage, TLS 1.3 for

(11:05):
transit, hardware security modules, key management
services, and customer managed keys.

(11:12):
Failure pattern: if attackers steal unencrypted cloud
backups, full breach with no malware involved.
CASB, the security guard between you and the cloud.
CASB is the cloud access security broker.
It sits between the user and cloud services.
(11:34):
It enforces access policies, DLP, encryption, anomaly
detection, malware scanning, shadow IT discovery.
CASB protects against employees uploading data to personal cloud
storage, weak cloud authentication, risky SaaS

(11:54):
usage, and unauthorized file sharing.
SASE, the future of cloud native security.
SASE is Secure Access Service Edge.
It converges VPN, Firewall as a service, CASB, ZTNA, DLP, and

(12:17):
web filtering into one cloud-delivered security
platform.
Why is it does it exist?
Your users don't live on your LAN anymore, don't use your
firewall anymore, don't sit in your building anymore.
Security has to move where the users are.

(12:37):
Virtual security, when one server becomes 100 servers.
Virtual machine virtualization allowed one physical server to
become dozens of virtual systems.
But now one exploit, one escape, one hypervisor bug can destroy
hundreds of systems at once.
Virtualization threat landscape, VM escape attacks, hypervisor

(13:01):
exploits, snapshot theft, live migration interception, poisoned
VM image, and memory scraping.
Security controls for virtualization, hardening
hypervisors, signed VM images, segmented virtual networks,
separated management planes and encrypted snapshots, and also

(13:24):
role-based administrator access.
Containers and orchestration security.
Containers, Docker, Kubernetes brought microservices,
portability, and speed, but also image poisoning, insecure API,
exposed architecture, dashboards, and supply chain

(13:45):
malware.
Container security requires signed container images, private
registries, secret management, API gateway security, runtime
monitoring and network segmentation.
Hybrid cloud security, where most enterprises failed.
Hybrid means an on-premise systems and a cloud systems

(14:07):
connected via VPN or direct fiber.
Hybrid security risk, data leakage between trusted zones,
inconsistent identity policies, misaligned encryption, split
monitoring tools, and visibility gaps.
Here's a scenario.
One on-prem server trusts cloud architecture incorrectly.

(14:29):
Attackers pivot into an internal network.
This is how hybrid breaches spread laterally.
Monitoring and logging in the cloud.
You cannot secure what you cannot see.
Cloud security depends on continuous logging, behavioral
analytics, real-time learning, centralized SIEM, and SOAR

(14:51):
automation.
Cloud logs include API calls, login locations, privilege
escalation, file access, network traffic, configuration changes.
Exam truth, if there are no logs, there is no security.

(15:23):
Because in today's world, the cloud doesn't fail from fire or
flood, it fails from leaked credentials, exposed storage,
poisoned updates, and blind trust.
This is the battlefield of modern cybersecurity.
The most common cloud attacks in the real world.
Cloud breaches today follow the same repeatable patterns.

(15:45):
Public storage exposure, public S3 buckets, open Azure blobs,
unsecure Google cloud storage.
Results?
Millions of records leak without a single exploit.
The attacker didn't break in, the door was left open.
2.
Stolen API keys and access tokens.
Hard coded in apps, stored in GitHub, left in scripts.

(16:08):
Result, attackers deploy crypto miners, exfiltrate data, or
destroy environments.
3.
VM and snapshot theft.
Stolen disk image, unencrypted backups, detached volumes.
Result complete system reconstruction by attackers.
4.
Supply chain attacks.
Compromised third-party libraries, poisoned updates,

(16:31):
malicious container images.
Results attackers inherited trust access automatically.
VM Escape, the one that terrifies engineers.
A VM escape occurs when an attacker breaks out of virtual
machine and gains access to the host hypervisor.
From there, they can view other VMs, inject malware, scrape

(16:53):
memory, and steal encryption keys.
Defense against VM escape is hardening hypervisors, patch
kernels, hardware assisted virtualization, strict VM
isolation, and dedicated management networks.
Zero trust in the cloud.
Trust nothing, verify everything.

(17:15):
Zero trust means don't trust users, don't trust devices,
don't trust locations, don't trust networks, verify every
request.
Zero trust requires multi-factor authentication everywhere,
device health validation, continuous behavior analysis,

(17:36):
micro segmentation, encrypted traffic only, and zero trust,
the cloud isn't trusted, not even by themselves.
Compliance and governance in the cloud.
Cloud system must follow laws and regulations, not just best
practice.

(18:15):
Cloud governance control data classification, retention
policies, legal holds, audit trails, chain of custody,
geofences. Security Plus core truth.
Compliance doesn't make you secure, but ignoring it
guarantees failure.

(18:40):
Multi-cloud security, the next major challenge.
Multi-cloud means AWS, Azure, Google Cloud, all at once.
Risk, inconsistent identity access management, tool overload,
unmatched logging, duplicate secrets, broken visibility.

(19:00):
Solution, centralized identity, unified SIEM, SASE, and
cross-platform CSPM tools.
The human factor, how most cloud breaches actually start.
Nearly all major cloud breaches begin with phishing, MFA

(19:21):
fatigue attacks, reused passwords, social engineering,
and admin overprivileging.
The cloud doesn't fail first.
People do.
The future cloud security battlefield.
In the next decade, it will focus on AI driven attacks,

(19:42):
automated defense, quantum resistant encryption,
confidential computing, sovereign clouds, encrypted
memory processing.
And the war won't be fought with firewalls alone.
It will be fought with automation, behavior analysis,
machine-speed defense and trustless design.

(20:06):
Alright, that'll do it for this chapter.
Now on to the four CompTIA Security Plus questions.
You know how we do it.
I read the question, then I read the four multiple choices, then
I read it again.
I give you five seconds.
And you try to see if you can get the right answer.

(20:27):
Question number one An organization stores customer
backups in encrypted cloud storage, but attacker steals the
encrypted keys from a compromised administrator
account.
Which security failure occurred?
A weak cipher selection, B broken access control, C lack of

(20:47):
tokenization, or D missing data masking.
Read it again.
An organization stores backups in an encrypted cloud storage,
but attackers steal the encryption keys from a
compromised administrative account.
Which security failure occurred?
A weak cipher selection?
B broken access control.

(21:09):
C lack of tokenization or D missing data masking.
I'll give you five seconds to think about it.
Five, four, three, two, one.
And the answer is B broken access control.
Encryption is useless if attackers can access the keys.
The real failure is improper identity access management

(21:31):
protection of encrypted keys.
The protection of encrypted keys.
Question two.
Which technology acts assecurity enforcement point
between the users and the SaaSapplication?
A VPN B firewall compliancefirewall appliance.
C Cloud Access Security Brokeror D packet shaper.

(21:55):
I'll read it again.
Which technology acts assecurity enforcement point
between users and SaaS?
CAAS applications.
A VPN B firewall appliance CCloud Access Security Broker or
D packet shaper.

(22:15):
I'll give you five seconds.
Think about it.
Five, four, three, two, one.
The answer is C.
Cloud Access Security Broker.
A CASB enforces policies, DLP,encryption, and access control
between users and cloudservices.
Alright, we're halfway there.

(22:35):
Hopefully you are two for two.
Alright, question number three.
An attacker successfully compromises one virtual machine,
then gains access to the hypervisor, allowing control of
other guest systems.
What type of attack occurred?
A container break, B lateral movement, C VM escape, or D API

(22:58):
injection.
I read it again.
An attacker successfully compromised one virtual machine
and then gains access to the hypervisor, allowing control of
other guest systems.
What type of attack occurred?
A container break.
B lateral movement C VM escape or D API injections.

(23:19):
I'll give you five seconds.
Think about it.
The answer, this is an easy one, right?
You should have gotten this one right.
The answer is C VM escape.
VM escape occurs when an attacker breaks out of a guest
VM and compromises the host hypervisor.
Alright, last one.

(23:42):
Which security model requires verification of every request
regardless of network location?
A defense in depth.
B trusted perimeter.
C role based access or D zero trust.
Read it again.
Which security model requires verification of every request
regardless of network location?

(24:04):
A defense in depth.
B trusted perimeter.
C role based access or D zero trust.
I give you five seconds.
Think about it.
Five, four, three, two, one.
And of course, the answer is D zero trust.
Zero trust assumes no device, user, or location is

(24:26):
automatically trusted, even inside the network.
Alright, hopefully you went four for four and you got them all
right.
Listen, these questions, of course, we we touch upon the
topic right before I give you the questions, right?
The key is is try to listen to the questions, you know, a week
later when you already listened to everything and just listen to

(24:47):
the questions, see if you get it right.
That's the real knowledge if you if you're ready to take the
exam.
Alright, let's close this up.
The cloud is no longer the future, it is the present
foundation of business, healthcare, government,
education, entertainment, and global communication.
But every advantage brings responsibility.

(25:10):
Cloud security is not about castles and moats anymore.
It's about identity, visibility, automation, verification.
This concludes our podcast on cloud and virtual security for
the CompTIA Security Plus exam.
I'm Professor J-Rod, and remember stay vigilant, stay
adaptive, and as always, keep tapping into technology.

(26:04):
You can follow me at TikTok at Professor Jrod at J R O D, or
you can email me at professorjrodjrod at gmail.com.