Cloud and Hybrid Security Models
What the Exam Is Really Testing
Organizations move to the cloud expecting to hand off security along with the infrastructure. Then a misconfigured S3 bucket leaks customer data, and they learn the hard way: the cloud provider was never responsible for that access policy.
The cloud does not eliminate risk. It redistributes it.
Every question about cloud security ultimately asks: who is responsible for this control, and what happens when that boundary is misunderstood?
The Shared Responsibility Model
This is the single most tested cloud concept on the exam. The shared responsibility model defines who secures what in a cloud environment.
The division depends on the service model:
Infrastructure as a Service (IaaS)
The provider manages: physical data center, networking hardware, hypervisors.
The customer manages: guest operating systems (including patching), applications, data, identity and access controls, encryption, and the virtual network rules (security groups, firewall rules) around the instance.
Example: AWS EC2, Azure Virtual Machines. You get a virtual machine. Everything from the OS up is your problem.
Platform as a Service (PaaS)
The provider manages: everything in IaaS plus the operating system, runtime, and middleware.
The customer manages: applications, data, and user access.
Example: Azure App Service, Google App Engine. You deploy code. The provider handles the platform underneath.
Software as a Service (SaaS)
The provider manages: the entire stack including the application.
The customer manages: data, user access, and configuration settings.
Example: Microsoft 365, Salesforce. You configure and use the application. The provider runs everything.
The pattern to internalize:
As you move from IaaS to SaaS, the provider assumes more responsibility — but the customer always retains responsibility for data and access.
No matter the model, you never hand off data classification, user permissions, or identity governance to the provider.
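The opening S3 anecdote is the shared responsibility model in practice: the provider stores the objects, the customer owns the access policy that exposes them. As an added example (not code from this guide or from AWS), here is a simplified version of the customer-side check that catches the classic leak, a bucket policy statement that grants the anonymous principal access. The policy documents, bucket name, role ARN and VPC endpoint ID are constructed for the example; the account ID is the one AWS uses in its documentation.

```python
"""Flag bucket-policy statements that grant anonymous (public) access.

Added example for this study guide, not code from the guide or from AWS.
Assumption: a statement is public when it allows, names the anonymous
principal, and has no Condition block (AWS's own "public" determination
also inspects which condition keys are present; here any Condition is
taken as narrowing the grant). Policies below are constructed samples.
"""
import json


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True for the wildcard principal forms: "*" or {"AWS": "*"} (or ["*"])."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy_json):
    """Return (Sid, actions) for each statement granting unconditioned anonymous access."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):          # assumed to narrow the grant; see docstring
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return findings


# Constructed: the classic leak, anonymous read of every object in the bucket.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-data/*",
    }],
})

# Constructed: the same bucket scoped to one role, plus an anonymous statement
# restricted to a VPC endpoint, which this check does not treat as public.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-customer-data/*",
        },
        {
            "Sid": "VpcEndpointOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-customer-data/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
})


if __name__ == "__main__":
    for name, doc in (("leaky", LEAKY_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, public_statements(doc))
```

A check like this is a customer control, not a provider one: the provider will happily serve whatever the policy says. In a real account you would pair it with the provider's guardrails (S3 Block Public Access at the account level) so a single bad statement cannot take effect at all.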
Cloud Deployment Models
The exam tests four deployment models:
- Public cloud — Resources shared across multiple tenants. Cost-effective, scalable. Security depends on provider controls and customer configuration. Examples: AWS, Azure, GCP.
- Private cloud — Dedicated infrastructure for a single organization. Greater control, higher cost. Can be on-premises or hosted by a third party.
- Hybrid cloud — Combines public and private cloud. Data and workloads move between environments. Requires consistent security policies across both.
- Community cloud — Shared infrastructure among organizations with common concerns (compliance requirements, industry regulations). Cost shared among members.
Exam scenarios often present hybrid environments where the challenge is maintaining consistent controls across boundaries.
Third-Party Vendors and MSPs
Cloud adoption introduces third-party risk. When your data sits on someone else's infrastructure, you need governance beyond technical controls.
Key considerations:
- Managed Service Providers (MSPs) — Organizations that manage IT infrastructure on your behalf. They introduce supply chain risk. You must assess their security posture.
- Managed Security Service Providers (MSSPs) — Specialized MSPs focused on security operations: SIEM monitoring, incident response, vulnerability management.
- Vendor assessment — Due diligence before onboarding. Review SOC 2 reports, penetration test results, compliance certifications.
- Right to audit — Contract clauses that allow you to audit the vendor's controls. Critical for regulated industries.
The exam tests whether you understand that outsourcing operations does not outsource accountability.
Cloud Security Controls
Four controls appear frequently on the exam:
Cloud Access Security Broker (CASB)
A CASB sits between users and cloud services. It enforces security policies on cloud usage.
Functions:
- Visibility into cloud application usage (shadow IT detection)
- Data loss prevention for cloud-stored data
- Threat protection and anomaly detection
- Compliance enforcement across cloud services
Deployment modes: inline (forward or reverse proxy) or API-based. Inline sits in the traffic path, so it can block in real time and can see unsanctioned apps, but it only covers traffic routed through it (managed devices, agents, or network path). API-based connects to the management APIs of sanctioned apps, so it covers data already at rest and access from unmanaged devices, but it acts after the fact and cannot see apps it is not connected to.
Secure Web Gateway (SWG)
An SWG filters and monitors outbound web traffic. It prevents users from accessing malicious or policy-violating websites.
Functions:
- URL filtering and categorization
- Malware inspection of web downloads
- SSL/TLS inspection for encrypted traffic (requires the gateway's CA certificate to be trusted on endpoints, and breaks applications that pin certificates)
- Policy enforcement for acceptable use
Cloud-Native Firewalls
Provider-managed firewalls that operate within the cloud environment. They filter traffic between cloud resources and between the cloud and the internet.
Examples: AWS Security Groups and Network ACLs, Azure Network Security Groups. These operate at the virtual network layer, not the physical perimeter. The two AWS mechanisms differ in ways the exam likes: Security Groups are attached to instances, contain allow rules only, and are stateful (a reply to allowed traffic is allowed automatically); Network ACLs sit at the subnet boundary, contain numbered allow and deny rules evaluated lowest number first with first match winning, and are stateless (the reply direction needs its own rule).
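The stateful-versus-stateless distinction is easiest to see by evaluating the same connection against both rule types. The following is an added example, not code from this guide or from AWS; it models the documented semantics (Security Groups: allow-only, any match admits; Network ACLs: ordered by rule number, first match wins, implicit deny) with constructed rule sets and addresses.

```python
"""Evaluate a connection against AWS-style Security Group and Network ACL rules.

Added example, not from the study guide. Rules and addresses are constructed.
Port semantics follow AWS: an inbound rule's port range is the destination
port on the instance, an outbound rule's port range is the destination port
on the remote host, so a reply to a client's ephemeral port is matched against
the outbound rules using that ephemeral port.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACL rules may also be "deny"; SG rules are always allow
    number: int = 0        # NACL rule number; ignored for security groups


def _matches(rule, proto, dst_port, remote_ip):
    if rule.proto not in ("-1", proto):
        return False
    if rule.proto != "-1" and not (rule.port_from <= dst_port <= rule.port_to):
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


def security_group_allows(rules, proto, dst_port, remote_ip):
    """Allow-only and unordered: traffic passes if any rule matches, else denied.
    Stateful: the reply needs no rule, so only the request direction is checked."""
    return any(_matches(r, proto, dst_port, remote_ip) for r in rules)


def nacl_decision(rules, proto, dst_port, remote_ip):
    """Ordered by rule number; the first matching rule decides.
    No match falls through to the implicit '*' deny rule."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, proto, dst_port, remote_ip):
            return r.action
    return "deny"


def nacl_session_allowed(inbound, outbound, proto, service_port, client_ip, client_port):
    """Stateless: the request and the reply must each pass their own direction's rules."""
    request_ok = nacl_decision(inbound, proto, service_port, client_ip) == "allow"
    reply_ok = nacl_decision(outbound, proto, client_port, client_ip) == "allow"
    return request_ok and reply_ok


# Constructed rule sets for a web server accepting HTTPS from the internet.
SG_INBOUND = [Rule("tcp", 443, 443, "0.0.0.0/0")]

NACL_INBOUND = [
    Rule("tcp", 0, 65535, "198.51.100.0/24", "deny", 50),   # blocklisted range, evaluated first
    Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100),
]
NACL_OUTBOUND = [Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)]  # replies to ephemeral ports
NACL_OUTBOUND_MISSING = []   # the common mistake: no return-traffic rule on a stateless ACL


if __name__ == "__main__":
    print("SG admits 443:", security_group_allows(SG_INBOUND, "tcp", 443, "203.0.113.10"))
    print("NACL blocklisted client:", nacl_decision(NACL_INBOUND, "tcp", 443, "198.51.100.7"))
    print("NACL session ok:", nacl_session_allowed(NACL_INBOUND, NACL_OUTBOUND, "tcp", 443, "203.0.113.10", 50000))
    print("NACL session, no outbound rule:",
          nacl_session_allowed(NACL_INBOUND, NACL_OUTBOUND_MISSING, "tcp", 443, "203.0.113.10", 50000))
```

Two points to take from it: swapping the NACL rule numbers (allow at 50, deny at 100) would let the blocklisted range through, because first match wins; and dropping the outbound ephemeral-port rule silently breaks every connection even though the inbound rule is correct, which is the stateless trap that a security group never has.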
Next-Generation Secure Web Gateway
Combines SWG, CASB, and DLP into a single solution. Often part of a Secure Access Service Edge (SASE) architecture. This convergence reflects how modern organizations consolidate cloud security controls.
Pattern Recognition
When you see cloud scenarios on the exam, look for these patterns:
- Responsibility confusion — The scenario describes a breach where the customer assumed the provider handled a control. The answer clarifies the shared responsibility boundary.
- Shadow IT — Employees using unapproved cloud services. The answer involves CASB deployment or acceptable use policies.
- Data sovereignty — Data stored in regions with different legal requirements. The answer involves selecting appropriate cloud regions or deployment models.
- Hybrid inconsistency — Different security policies in on-premises vs cloud environments. The answer involves policy unification.
Trap Patterns
Watch for these common traps:
- "The cloud provider handles security" — Never fully true. The customer always retains some responsibility. Any answer suggesting total provider ownership is wrong.
- Confusing deployment models with service models — Public/private/hybrid describes where. IaaS/PaaS/SaaS describes how much is managed. These are independent axes.
- Assuming private cloud eliminates risk — Private cloud increases control but introduces cost, complexity, and operational burden. It does not eliminate threats.
- Ignoring data in the shared model — Responsibility for the data (how it is classified, who may access it, and whether it is adequately protected) stays with the customer, regardless of the service model.
Scenario Practice
Question 1
A company migrates its web application to a PaaS environment. After the migration, customer data is exposed due to misconfigured access permissions on the database.
Who is responsible for this security failure?
A. The cloud provider, because they manage the platform
B. The customer, because data access configuration is their responsibility
C. Both parties equally under the shared responsibility model
D. The application developer who wrote the original code
Answer & reasoning
Correct: B
In PaaS, the provider manages the platform (OS, runtime, middleware), but the customer retains responsibility for data, access controls, and application configuration.
Misconfigured database permissions fall squarely on the customer.
Question 2
An organization discovers that employees are using an unapproved file-sharing cloud service to exchange sensitive documents.
What is the BEST control to address this?
A. Block all cloud services at the firewall
B. Deploy a CASB to gain visibility and enforce policies on cloud usage
C. Send an email reminding employees of acceptable use policies
D. Migrate all data to a private cloud environment
Answer & reasoning
Correct: B
A CASB provides visibility into shadow IT and allows you to enforce security policies on cloud application usage without blocking all cloud access.
Blocking all cloud services disrupts business operations. An email reminder lacks enforcement.
Question 3
A healthcare organization needs to store patient records in the cloud but must comply with data residency requirements that restrict data to domestic servers.
Which cloud deployment model BEST addresses this requirement?
A. Public cloud with no restrictions on region
B. Community cloud shared with international partners
C. Private cloud or public cloud with region-locked deployment
D. Hybrid cloud with unrestricted data replication
Answer & reasoning
Correct: C
Data residency requirements demand control over where data is physically stored. A private cloud or a public cloud configured to restrict data to specific geographic regions satisfies this requirement.
Unrestricted public cloud or unrestricted replication violates residency rules.
Key Takeaway
Cloud security is about understanding boundaries — who controls what, where data lives, and what happens when assumptions are wrong.
Before answering any cloud question, ask: What service model is in use? Where does provider responsibility end? Who owns the data? What visibility does the organization have?
The cloud shifts infrastructure. It never shifts accountability.