What is security?
Protecting systems and data: concepts that apply in every environment.
Confidentiality, integrity, availability
Security is often described as protecting three things: confidentiality (only the right people see data), integrity (data is not altered wrongly), and availability (systems are there when needed).
These three principles form the "CIA triad," a fundamental model for thinking about security. Every security measure addresses one or more of these concerns. Encryption protects confidentiality, checksums protect integrity, and redundancy protects availability.
How it's done in applications
Applications use authentication and authorization to control who can do what. They encrypt data in transit (e.g. HTTPS) and at rest (e.g. encrypted database fields). They log and monitor activity to detect misuse. They patch vulnerabilities and follow secure development practices.
These concepts apply whether the app runs on your own servers or in the cloud. In fact, cloud providers offer many managed security services that handle encryption, access control, and monitoring, making it easier to build secure applications.
Defense in depth
Defense in depth means using multiple layers of security. If one layer fails, others still protect you. For example, you might use: network firewalls, application firewalls, authentication, authorization, encryption, and monitoring.
Each layer adds protection, but also complexity. The key is finding the right balance for your threat model. A public-facing web app needs more layers than an internal tool.
Cloud providers excel at defense in depth. They provide security at the network, compute, storage, and application layers, often with managed services that handle the complexity for you.
- Network Firewall: Allow or deny traffic by IP, port, and protocol. First line of defense at the network edge.
- App Firewall: Protects the application from attacks (e.g. SQL injection, XSS). Inspects requests before they reach your code.
- Authentication: Verifies who the user is (login, password, MFA). No identity, no access.
- Authorization: Decides what the user can do (roles, permissions). Same person, different access levels.
- Encryption: Scrambles data in transit (HTTPS) and at rest so only authorized parties can read it.
- Monitoring: Logs and alerts so you spot anomalies and respond. You can't defend what you can't see.
Multiple layers protect you—if one fails, others still defend your system.
Threat modeling and risk assessment
Security isn't about being perfectly secure; that's impossible. It's about understanding your threats and risks, then applying appropriate controls. Threat modeling helps you identify what could go wrong and how to prevent it.
Common threats include: unauthorized access, data breaches, denial of service attacks, and insider threats. Each threat has different mitigations. Understanding threats helps you prioritize security work.
Risk assessment considers both the likelihood of a threat and its impact. High-impact, high-likelihood threats get the most attention. Low-impact, low-likelihood threats might not be worth mitigating.
High Risk Threats
- Unauthorized access (data breach)
- Ransomware attacks
- Insider threats
- DDoS attacks
Mitigation Strategies
- Strong authentication (MFA)
- Regular backups
- Access logging & monitoring
- Rate limiting & CDN
Risk Assessment Matrix
Prioritize threats by likelihood × impact. High-impact, high-likelihood threats get immediate attention. Low-impact, low-likelihood threats might not be worth mitigating.
Security in the development lifecycle
Security belongs at the start of development, not bolted on at the end. In practice that means code reviews, security testing, dependency scanning, and guidelines.
DevSecOps = security inside the pipeline. Checks run on every build: dependency scan, SAST, container scan, secrets detection. Catch issues early when they're cheap to fix.
Cloud providers offer scanning tools and compliance guides. Same idea everywhere: automate checks so humans fix real issues.
Security checks in CI/CD
- Dependency scan: Find vulnerable libraries
- SAST: Static code analysis
- Container scan: Image vulnerabilities
- Secrets detection: Prevent credential leaks
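The secrets-detection check above, sketched as a build gate. This is an added example, not part of the original lesson or of any particular scanner; the rule names, the entropy cut-off and the sample file are assumptions made for illustration.

```python
import math
import re
import sys
from collections import Counter

# Credential shapes that should never reach a repository.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
ASSIGNMENT = re.compile(  # a secret-looking name assigned a quoted literal of 8+ chars
    r"(?:password|passwd|secret|token|api_?key)\w*['\"]?\s*[:=]\s*['\"]([^'\"]{8,})['\"]",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.0  # assumed cut-off in bits per character; tune per codebase


def shannon_entropy(value):
    """Bits per character: random tokens score higher than words or placeholders."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan_text(path, text):
    """Return (path, line_no, rule) for every suspected secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((path, line_no, rule))
        match = ASSIGNMENT.search(line)
        if match and shannon_entropy(match.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((path, line_no, "high-entropy-assignment"))
    return findings


# Constructed sample file content; none of these values is a real credential.
SAMPLE = '''\
db_host = "db.internal.example"
password = "changeme"
api_key = "q7Zp2LxV9tRb4KsWm1Ye8Hc3"
aws_id = "AKIAIOSFODNN7EXAMPLE"
'''

if __name__ == "__main__":
    results = scan_text("config/settings.py", SAMPLE)
    for path, line_no, rule in results:
        print(f"{path}:{line_no}: {rule}")
    sys.exit(1 if results else 0)  # a non-zero exit fails the build
```

The low-entropy placeholder on line 2 of the sample is deliberately not reported: the entropy cut-off trades missed weak passwords for fewer false positives, so people only review findings that are likely to be real.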
Incident response and monitoring
Incident response = detect → contain → recover. Have a plan before something goes wrong so recovery is fast.
Monitoring and logging = know what "normal" looks like so you spot anomalies. Cloud providers offer logging and alerting; use them.
Plan + monitoring = you're ready when an incident happens.
- Detect: Spot the incident
- Contain: Stop it spreading
- Recover: Fix and restore
Monitoring & logging
Know what "normal" looks like so you spot anomalies. Use logs and alerts—cloud providers offer both.
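One way to turn "know what normal looks like" into a detection rule, shown as an added example rather than anything from the original lesson. The log format, the threshold factor `k`, the `floor` and all sample lines are assumptions constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Assumed log format: "<ISO timestamp>Z auth result=OK|FAIL user=<name>"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z auth result=(OK|FAIL) user=\S+$")


def failures_per_hour(lines):
    """Count failed logins per hour bucket, e.g. '2024-05-01T09'."""
    counts = Counter()
    for line in lines:
        match = LINE.match(line.strip())
        if match:  # unparseable lines are skipped, not counted
            # Adding 0 for OK keeps quiet hours in the data as a zero count.
            counts[match.group(1)] += 1 if match.group(2) == "FAIL" else 0
    return counts


def build_baseline(counts):
    """Describe 'normal' as the mean and standard deviation of hourly failures."""
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomalous_hours(counts, baseline, k=3.0, floor=5):
    """Hours whose failures exceed mean + k * stdev (and a minimum floor)."""
    mean, stdev = baseline
    threshold = max(mean + k * stdev, floor)
    return sorted(hour for hour, n in counts.items() if n > threshold)


def constructed_hour(hour, fails, oks=20):
    """Build constructed log lines for one hour (sample data, not real logs)."""
    results = ["FAIL"] * fails + ["OK"] * oks
    return [f"{hour}:{i % 60:02d}:00Z auth result={r} user=user{i}"
            for i, r in enumerate(results)]


# Constructed history: six ordinary hours, then a day with one burst of failures.
BASELINE_LOG = [line for h, f in zip(range(9, 15), [2, 3, 1, 4, 2, 3])
                for line in constructed_hour(f"2024-05-01T{h:02d}", f)]
TODAY_LOG = [line for h, f in zip(range(9, 12), [3, 2, 48])
             for line in constructed_hour(f"2024-05-02T{h:02d}", f)]

if __name__ == "__main__":
    baseline = build_baseline(failures_per_hour(BASELINE_LOG))
    for hour in anomalous_hours(failures_per_hour(TODAY_LOG), baseline):
        print(f"ALERT: failed logins in {hour} are outside the baseline")
```

The `floor` keeps a very quiet baseline from alerting on two or three failures, which is the usual source of alert fatigue with purely statistical thresholds.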