
Module 15: Cloud Data Storage Architectures

CCSP Domain 2 — Cloud Data Security, Section A
Storage architecture questions test whether you can match the right storage type to the right use case while understanding the security implications of each choice. The exam expects you to think about storage as a security decision, not just a capacity decision.

Cloud Storage Types

Object Storage

Data is stored as discrete objects, each with a unique identifier, metadata, and the data itself. There is no hierarchy — objects exist in flat namespaces (buckets). Object storage is designed for scalability and accessibility, making it ideal for unstructured data: images, videos, backups, logs.

Security considerations the exam tests: bucket policies and ACLs (misconfigured public access is a top breach cause), versioning for integrity protection, server-side encryption options, and cross-region replication implications.

Exam trap: Public cloud storage buckets (S3, Azure Blob, GCS) have been the source of countless data breaches due to misconfigured access policies. If a question describes exposed data in cloud storage, the answer is almost certainly misconfigured bucket permissions.

Block Storage

Data is stored in fixed-size blocks on volumes that attach to compute instances like virtual hard drives. Block storage provides the lowest latency and highest I/O performance. It is used for databases, operating system volumes, and performance-sensitive applications.

Security considerations: volume encryption (should be enabled by default), snapshot security (snapshots inherit the volume's encryption but may be shared insecurely), and orphaned volumes (detached volumes containing sensitive data that are not deleted).

File Storage

Network-accessible file systems using protocols like NFS or SMB/CIFS. File storage provides a familiar hierarchical structure for applications that require shared file access across multiple instances.

Security considerations: network exposure (file shares accessible from the wrong subnets), protocol security (SMBv1 is deprecated and vulnerable), and access control granularity (file-level permissions).

Database Storage

Managed database services (relational and NoSQL) that abstract underlying storage. The exam tests security considerations specific to managed databases: encryption at rest and in transit, access control (IAM vs. database-level authentication), backup encryption, and audit logging.

Content Delivery Networks (CDNs)

CDNs cache content at edge locations globally. While not traditional storage, CDNs create additional copies of data that must be accounted for in security assessments. The exam tests awareness that CDN-cached data exists outside your primary security boundary.

Storage Security Fundamentals

Encryption at Rest

All cloud storage should be encrypted at rest. The exam differentiates between provider-managed keys (default encryption), customer-managed keys (customer controls key lifecycle), and customer-provided keys (customer brings their own keys). The tradeoff is always control versus convenience.

Access Controls

Cloud storage access controls operate at multiple levels: IAM policies (who can access the storage service), resource policies (rules attached to the storage resource itself), and network controls (which networks can reach the storage endpoint). The exam expects you to understand that all three layers must be correctly configured.
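As an added illustration of the resource-policy layer (and of the "exposed bucket" exam trap above), not part of the original module: a small read-only check that flags statements in an S3-style bucket policy which grant access to an anonymous principal, run against a constructed public policy and a constructed corrected one. The policy format, account id, role name and VPC endpoint id are assumptions or placeholders.

```python
import json

# Constructed S3-style bucket policy (assumed format, not from the module): anonymous read,
# the "misconfigured bucket permissions" case the module warns about.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed corrected policy: the same grant limited to one role (resource-policy layer)
# and to requests arriving through a VPC endpoint (network layer). Identifiers are placeholders.
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]})


def is_anonymous(principal) -> bool:
    """True when the Principal element matches everyone: "*" or {"AWS": "*"} (also in list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def find_public_statements(policy_json: str) -> list:
    """Return Sids of Allow statements that grant an anonymous principal access with no Condition.
    Simplification: any Condition is treated as narrowing the grant, so conditioned anonymous
    statements still deserve a manual look. Read-only check; nothing on the bucket is changed."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without the list wrapper
        statements = [statements]
    findings = []
    for stmt in statements:
        if (stmt.get("Effect") == "Allow"
                and is_anonymous(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "->", find_public_statements(doc))  # public -> ['PublicRead'], restricted -> []
```

The same three-layer point applies to the IAM policy and the network controls: a clean bucket policy does not help if an over-broad identity policy or an open network path reaches the endpoint.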

Data Integrity

Cloud storage should provide integrity verification through checksums, versioning, and immutable storage options. The exam may present scenarios where data integrity is compromised due to unauthorized modification, and test whether you recognize the controls that would have prevented it.

Key Takeaways

Choose storage types based on use case and security requirements. Object storage is for unstructured data at scale — watch for misconfigured access. Block storage provides performance for databases — encrypt volumes and manage snapshots. File storage enables shared access — secure the network and protocol. Always encrypt at rest, control access at multiple layers, and verify data integrity.
