Cloud infrastructure powers the majority of San Diego businesses, from SaaS startups on AWS to healthcare organizations on Azure to defense contractors using GovCloud. The shared responsibility model means that while cloud providers secure the infrastructure, you are responsible for securing everything you build and deploy on it.
This guide covers the four pillars of cloud security, the most common misconfigurations that lead to breaches, and practical steps to secure your cloud environment regardless of which provider you use.
Four Pillars of Cloud Security
Identity and access management is the foundation of cloud security. Implement least-privilege access, enforce MFA on all accounts, use role-based access control, and eliminate long-lived credentials.
- Enforce MFA on all user and admin accounts
- Implement least-privilege access policies
- Use temporary credentials and role assumption
- Conduct quarterly access reviews
- Disable root/owner accounts for daily use
- Implement just-in-time access for privileged operations
Protect data at rest, in transit, and in use across all cloud services. Encryption, key management, and data classification are essential.
- Encrypt all data at rest (AES-256 or equivalent)
- Enforce TLS 1.2+ for all data in transit
- Implement customer-managed encryption keys (CMEK)
- Classify data and apply appropriate controls
- Enable versioning and soft delete on storage
- Implement DLP policies for sensitive data
Segment and protect your cloud network architecture. Defense in depth prevents lateral movement when perimeter controls fail.
- Implement VPC/VNet segmentation and isolation
- Use private endpoints for service-to-service communication
- Deploy WAF for internet-facing applications
- Enable DDoS protection on public endpoints
- Restrict security group and NSG rules to minimum needed
- Implement network flow logging and monitoring
Maintain continuous monitoring across all cloud services and accounts. You cannot protect what you cannot see.
- Enable cloud-native logging (CloudTrail, Activity Log, Audit Log)
- Centralize logs in SIEM or log management platform
- Configure alerts for high-risk actions and anomalies
- Monitor for configuration drift and compliance violations
- Implement threat detection (GuardDuty, Defender, SCC)
- Establish 24/7 monitoring with MDR or internal SOC
Top Cloud Misconfigurations
Cloud misconfigurations cause the majority of cloud breaches. These are the most common issues we find during cloud security assessments for San Diego businesses.
Public S3 Buckets / Storage Blobs
Risk: Data exposure of sensitive files to the entire internet
Fix: Enable block public access at the account level. Audit all buckets for public ACLs and policies.
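To make the audit step concrete, here is an added example (not code from this guide or its authors) that flags buckets as public from the two places exposure hides: ACL grants to the AllUsers/AuthenticatedUsers groups, and bucket policies with an unconditional Allow for Principal "*". The input shape mirrors GetBucketAcl and a parsed bucket policy; the bucket names, ARNs and account ID are constructed placeholders.

```python
# AWS predefined groups whose presence in an ACL grant makes a bucket public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_is_public(acl):
    """True if any grant (GetBucketAcl shape) goes to AllUsers or AuthenticatedUsers."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            return True
    return False

def principal_is_anyone(principal):
    """A Principal of "*" or {"AWS": "*"} (or a list containing "*") means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_is_public(policy):
    """True if the parsed bucket policy has an unconditional Allow for anyone.
    Simplification: any Condition (e.g. aws:SourceVpce) is treated as narrowing the grant."""
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow" and principal_is_anyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            return True
    return False

def audit_buckets(buckets):
    """Return names of buckets that are public via ACL or policy.
    `buckets` maps name -> {"acl": GetBucketAcl output, "policy": parsed bucket policy}."""
    return sorted(name for name, b in buckets.items()
                  if acl_is_public(b.get("acl", {})) or policy_is_public(b.get("policy", {})))

# Constructed sample inventory (not real buckets) exercising each path.
SAMPLE_BUCKETS = {
    "public-logs": {"acl": {"Grants": [{"Grantee": {"Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}},
    "website-assets": {"policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::website-assets/*"}]}},
    "private-backups": {"policy": {"Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
        "Action": "s3:*", "Resource": "arn:aws:s3:::private-backups/*"}]}},
}
```

Account-level Block Public Access is still the control that matters; this check is the audit that tells you which buckets were already open before you turn it on.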
Overly Permissive IAM Policies
Risk: Users and services with more access than needed, increasing blast radius
Fix: Implement least-privilege policies. Use IAM Access Analyzer to identify unused permissions.
Unencrypted Data Stores
Risk: Data exposed if storage is accessed through misconfiguration or breach
Fix: Enable default encryption on all storage services. Use KMS-managed keys for sensitive data.
Open Security Groups / Firewalls
Risk: Services exposed to the internet (SSH, RDP, databases)
Fix: Restrict inbound rules to specific IPs and ports. Never allow 0.0.0.0/0 on management ports.
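The "never 0.0.0.0/0 on management ports" rule is easy to state and easy to violate one rule at a time, so here is an added example (not the guide's own tooling) that walks security group rules in the shape of EC2 DescribeSecurityGroups output and reports every management port reachable from 0.0.0.0/0 or ::/0, including rules that use the all-protocols wildcard. The group IDs and rules are constructed; the port list is an assumption you should extend to your own environment.

```python
import ipaddress

# Management and database listeners that must never be reachable from the whole internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                    1433: "MSSQL", 27017: "MongoDB"}

def is_world_open(cidr):
    """0.0.0.0/0 and ::/0 both mean "anyone"; a prefix length of 0 catches either form."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def management_ports_in_rule(perm):
    """List the (port, name) pairs from MANAGEMENT_PORTS that one IpPermission covers."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # all protocols and all ports
        return list(MANAGEMENT_PORTS.items())
    if proto not in ("tcp", "6"):           # UDP/ICMP rules do not expose these listeners
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return [(p, n) for p, n in MANAGEMENT_PORTS.items() if lo <= p <= hi]

def find_open_management_ports(security_groups):
    """Return (group_id, port, service, source) for each inbound rule that exposes
    a management port to the world. Input mirrors EC2 DescribeSecurityGroups output."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [s for s in sources if is_world_open(s)]
            if not world:
                continue
            for port, name in management_ports_in_rule(perm):
                findings.append((sg["GroupId"], port, name, world[0]))
    return findings

# Constructed sample groups (IDs are placeholders, not real resources).
SAMPLE_SGS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

Note that sg-web is correctly silent (443 to the world is expected for a public site) while sg-db's IPv6 all-protocols rule is reported once per management port.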
Missing MFA on Root/Admin Accounts
Risk: Single credential compromise leads to full account takeover
Fix: Enable MFA on all root, admin, and privileged accounts. Use hardware security keys for critical accounts.
Disabled Logging and Monitoring
Risk: No visibility into malicious activity or configuration changes
Fix: Enable CloudTrail/Activity Logs in all regions. Configure alerts for high-risk API calls.
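"Configure alerts for high-risk API calls" is where most teams stall, so here is an added example (not the guide's own detection content) of the classification logic run over CloudTrail records: it flags logging tampering, exposure-widening changes and identity changes by event name, plus any root activity and console logins without MFA. The event list is an assumption to tune for your account; the records and account ID are constructed.

```python
import json

# API calls worth an immediate alert: logging tampering, widening exposure, identity changes.
HIGH_RISK_EVENTS = {
    "StopLogging": "CloudTrail logging disabled",
    "DeleteTrail": "CloudTrail trail deleted",
    "UpdateTrail": "CloudTrail trail modified",
    "PutBucketPolicy": "S3 bucket policy changed",
    "DeleteBucketPublicAccessBlock": "S3 Block Public Access removed",
    "AuthorizeSecurityGroupIngress": "Security group inbound rule added",
    "CreateAccessKey": "New IAM access key created",
    "AttachUserPolicy": "IAM policy attached directly to a user",
    "DeactivateMFADevice": "MFA device deactivated",
}

def classify_event(event):
    """Return the alert reasons for one CloudTrail record (empty list if routine)."""
    name = event.get("eventName")
    identity = event.get("userIdentity", {})
    actor = identity.get("arn") or identity.get("type", "unknown")
    reasons = []
    if name in HIGH_RISK_EVENTS:
        reasons.append(f"{HIGH_RISK_EVENTS[name]} by {actor}")
    if identity.get("type") == "Root":          # daily root use is itself a finding
        reasons.append(f"Root account used for {name}")
    if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") == "No":
        reasons.append(f"Console login without MFA by {actor}")
    return reasons

def alerts_from_log(log_text):
    """Parse one CloudTrail log file body ({"Records": [...]}) into (eventName, reason) alerts."""
    records = json.loads(log_text).get("Records", [])
    return [(r.get("eventName"), reason) for r in records for reason in classify_event(r)]

# Constructed sample records (placeholder account ID, not a real log).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev"}},
    {"eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev"}},
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
]})
```

The same rules translate directly into SIEM correlation searches or EventBridge patterns once they are agreed on; the point of the table is that the list is short, explicit and reviewable.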
Unused or Stale Credentials
Risk: Old API keys and service accounts become attack vectors
Fix: Rotate credentials regularly. Disable accounts and keys not used in 90+ days.
No Backup or DR Strategy
Risk: Data loss from accidental deletion, ransomware, or service outages
Fix: Implement automated backups with cross-region replication. Test restore procedures quarterly.
Cloud Security Checklist
- MFA enabled on all accounts (root, admin, developer, service)
- Least-privilege IAM policies with no wildcard permissions
- All data encrypted at rest and in transit
- Cloud logging enabled in all regions and accounts
- No public-facing storage buckets or database instances
- Security groups restricted to minimum required access
- Automated backups with cross-region replication
- Vulnerability scanning on all compute instances and containers
- Infrastructure-as-code with security review in CI/CD pipeline
- Cloud security posture management (CSPM) tool deployed
- Incident response plan covering cloud-specific scenarios
- Regular access reviews and credential rotation
Cloud Compliance Requirements
- Continuous monitoring, access controls, encryption, change management, and incident response across cloud infrastructure.
- ePHI encryption at rest and in transit, access logging, BAAs with cloud providers, backup and disaster recovery.
- Network segmentation, encryption, access controls, vulnerability management, and logging for cardholder data environments.
- CUI protection in cloud environments, FedRAMP-authorized services, access controls, audit logging, and incident response.
Cloud Security for San Diego Businesses
San Diego’s tech ecosystem spans SaaS startups deploying on AWS, healthcare organizations migrating to Azure, defense contractors operating in GovCloud, and biotech firms using multi-cloud architectures for research workloads. Each requires cloud security tailored to its industry, compliance requirements, and risk profile.
Our team provides cloud security assessments, architecture reviews, and ongoing monitoring for San Diego businesses across all major cloud platforms. We identify misconfigurations, implement security controls, and help maintain compliance in dynamic cloud environments.