Skip to main content
โšก Calmops
๐Ÿค– AI ๐Ÿ—๏ธ Architecture ๐ŸŒ Web ๐Ÿ—ƒ๏ธ Database โš™๏ธ DevOps ๐ŸŒ Network ๐Ÿ’ป Programming ๐Ÿงฎ Algorithms ๐Ÿ“ Software Eng. โ˜๏ธ Cloud ๐Ÿ”’ Security ๐Ÿ“ˆ Finance More โ†’

Cloud Security Best Practices: Protecting Your Infrastructure 2026

Created: March 9, 2026 CalmOps 4 min read

Introduction

Cloud computing has transformed how we build and deploy applications, but it also introduces new security challenges. This guide covers essential cloud security practices for protecting your infrastructure.

Cloud Security Fundamentals

Shared Responsibility

You Manage Cloud Provider Manages
Data Physical infrastructure
Applications Network infrastructure
Identity (partially) Hypervisor
OS (PaaS/SaaS) Hardware

Security Principles

  • Least privilege: Minimum permissions
  • Defense in depth: Multiple layers
  • Assume breach: Plan for incidents
  • Automate: Reduce human error
  • Zero trust: Never trust, always verify

Zero Trust Architecture

# Zero Trust principles
zero_trust:
  identity:
    - "Verify identity continuously"
    - "Use strong authentication"
    - "Grant least privilege access"
  
  network:
    - "Micro-segmentation"
    - "Encrypt all traffic"
    - "Implement SASE"
  
  devices:
    - "Endpoint detection"
    - "Device compliance"
    - "Mobile device management"
  
  data:
    - "Classify data"
    - "Encrypt at rest and in transit"
    - "Prevent data loss"

Zero Trust Implementation

# Zero trust policy evaluation
class ZeroTrustPolicy:
    def __init__(self, user, resource, context):
        self.user = user
        self.resource = resource
        self.context = context
    
    def evaluate(self):
        # Identity verification
        if not self.verify_identity():
            return False
        
        # Device posture
        if not self.verify_device():
            return False
        
        # Access level
        if not self.verify_access():
            return False
        
        # Context analysis
        if not self.analyze_context():
            return False
        
        # Continuous validation
        return self.continuous_monitor()
    
    def verify_identity(self):
        """Verify user identity with MFA"""
        return self.context.mfa_verified
    
    def verify_device(self):
        """Check device compliance"""
        return self.context.device.encrypted and self.context.device.managed
    
    def verify_access(self):
        """Verify least privilege access"""
        return self.user.has_permission(self.resource, self.context.action)
    
    def analyze_context(self):
        """Analyze request context"""
        return not self.context.anomalous and self.context.risk_score < 50
    
    def continuous_monitor(self):
        """Monitor session continuously"""
        return self.context.session_valid

## Identity and Access Management

### IAM Best Practices

#### Principle of Least Privilege

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::bucket/*",
    "Condition": {
      "IpAddress": {"aws:SourceIp": "10.0.0.0/8"}
    }
  }]
}

Identity Best Practices

  • Use IAM roles, not access keys
  • Enable MFA for all users
  • Regular access reviews
  • Rotate credentials
  • Use identity providers

Service Accounts

  • Dedicated service accounts
  • No root account usage
  • Regular key rotation
  • Limited permissions

Network Security

VPC Design

Internet Gateway
    โ†“
Load Balancer (public subnet)
    โ†“
Application Servers (private subnet)
    โ†“
Database (isolated subnet)

Security Groups

# Inbound rules - web server
- Type: HTTP (80)
  Source: 0.0.0.0/0
- Type: HTTPS (443)
  Source: 0.0.0.0/0

# Outbound rules
- Type: ALL
  Dest: 10.0.0.0/8

Network Access Control

  • Private subnets for sensitive workloads
  • NAT gateways for outbound
  • VPN for admin access
  • Web Application Firewall (WAF)

Data Protection

Encryption

  • At rest: EBS volumes, S3, databases
  • In transit: TLS/SSL everywhere
  • Key management: KMS, cloud HSM

Data Classification

Level Examples Controls
Public Marketing Minimal
Internal Docs Auth required
Confidential Customer data Encryption, audit
Restricted PII, keys Strict access

Secrets Management

  • Use secrets managers (AWS Secrets Manager, HashiCorp Vault)
  • Never commit secrets
  • Rotate regularly
  • Audit access

Container Security

Image Scanning

  • Scan in CI/CD pipeline
  • Block high vulnerabilities
  • Use minimal base images
  • Keep updated

Runtime Security

securityContext:
  runAsNonRoot: true
  runAsUser: 10000
  readOnlyRootFilesystem: true
  capabilities:
    drop:
    - ALL

Kubernetes Security

  • RBAC for access
  • Network policies
  • Pod security policies
  • Secrets encryption

Monitoring and Incident Response

Logging

  • Enable CloudTrail
  • Centralize logs
  • Retention policies
  • Real-time alerting

Monitoring

  • GuardDuty (threats)
  • Config (compliance)
  • Security Hub (centralized)
  • Custom metrics

Incident Response

  1. Detect: Alerts, monitoring
  2. Contain: Isolate affected
  3. Eradicate: Remove threat
  4. Recover: Restore services
  5. Post-mortem: Learn and improve

Cloud Provider Services

AWS

  • IAM: Identity management
  • Security Hub: Centralized
  • GuardDuty: Threat detection
  • WAF: Web application firewall
  • KMS: Key management
  • Detective: Investigation
  • Inspector: Vulnerability management

GCP

  • IAM: Identity management
  • Security Command Center
  • VPC Service Controls
  • Cloud Armor
  • Chronicle: SIEM

Azure

  • Azure AD
  • Security Center
  • Key Vault
  • Firewall
  • Microsoft Defender for Cloud

AI Security in Cloud (2026)

Securing ML Models

# Model access control
class MLSecurity:
    def __init__(self, model):
        self.model = model
    
    def validate_input(self, user_input):
        # Input validation
        sanitized = sanitize(user_input)
        
        # Prompt injection detection
        if detect_prompt_injection(sanitized):
            raise SecurityException("Potential injection detected")
        
        # Rate limiting
        if rate_limit_exceeded(user_input):
            raise RateLimitException("Too many requests")
        
        return sanitized
    
    def protect_output(self, output):
        # PII detection
        if contains_pii(output):
            output = redact_pii(output)
        
        return output

Guardrails for AI

# AI safety guardrails
ai_guardrails:
  input_filtering:
    - block_prompt_injection
    - block_jailbreak_attempts
    - validate_schema
  
  output_filtering:
    - detect_pii
    - filter_sensitive_content
    - validate_format
  
  rate_limiting:
    - requests_per_minute: 60
    - tokens_per_minute: 100000
  
  logging:
    - log_all_requests
    - log_anomalies
    - audit_trail

Model Security

  • Model theft prevention: Access controls, watermarking
  • Adversarial protection: Input validation, output filtering
  • Data poisoning prevention: Data validation, anomaly detection
  • Privacy: Differential privacy, federated learning

Compliance

Common Frameworks

  • SOC 2
  • GDPR
  • HIPAA
  • PCI DSS

Automation

  • Infrastructure as Code
  • Policy as Code (OPA)
  • Automated compliance checks
  • Continuous monitoring

Conclusion

Cloud security requires attention at every layer. Implement identity controls, encrypt data, monitor continuously, and plan for incidents. Security is an ongoing process.

Resources

Comments