Cloud, Container, and Virtualization Operations
Key Takeaways
- Cloud security operations require understanding shared responsibility for IaaS, PaaS, and SaaS.
- Misconfiguration is a common cloud risk, especially public storage, excessive IAM permissions, and exposed management interfaces.
- Container security includes trusted images, minimal base images, scanning, secrets management, and runtime controls.
- Virtualization security depends on hypervisor patching, VM isolation, templates, snapshots, and administrative access control.
- Infrastructure as code helps consistency but can also rapidly deploy insecure settings if not reviewed.
Cloud, Container, and Virtualization Operations
Cloud and virtualization do not remove security operations. They change who manages each layer and how quickly mistakes can scale.
Shared Responsibility
| Model | Provider usually manages | Customer usually manages |
|---|---|---|
| IaaS | Facilities, hardware, core virtualization | OS, applications, data, IAM, network rules |
| PaaS | Platform runtime and more infrastructure | Application code, data, IAM, configuration |
| SaaS | Application platform and infrastructure | Users, data, sharing, identity integration, settings |
The exam often asks which party is responsible. In SaaS, the provider patches the service, but the customer still manages accounts, access, data, and sharing settings.
Cloud Operations Controls
| Control | Purpose |
|---|---|
| IAM least privilege | Limits cloud API and resource access |
| MFA for administrators | Protects management plane access |
| Security groups and network ACLs | Restrict network paths |
| Cloud logging | Records API calls, authentication, and resource activity |
| CSPM | Finds risky cloud configurations |
| Secrets manager | Stores credentials outside code and images |
| Tagging | Supports ownership, cost, data classification, and response |
| IaC review | Prevents insecure templates from being repeatedly deployed |
Container Security
| Area | Good practice |
|---|---|
| Image source | Use trusted registries and signed images where available |
| Base image | Use minimal, maintained images |
| Vulnerability scanning | Scan images before deployment and during runtime lifecycle |
| Secrets | Do not bake secrets into images or environment files in source control |
| Privileges | Avoid privileged containers and unnecessary root execution |
| Runtime | Limit capabilities, monitor behavior, and segment workloads |
Virtualization Security
| Risk | Control |
|---|---|
| Hypervisor compromise | Patch hypervisor and restrict admin access |
| VM sprawl | Inventory, ownership, and lifecycle management |
| Insecure templates | Harden golden images before cloning |
| Snapshot exposure | Protect and expire snapshots containing sensitive data |
| Escape or lateral movement | Isolation, segmentation, and least privilege |
Practical Scenario
A team deploys a containerized API into a cloud environment. Strong operations would include least-privilege service roles, private network placement where possible, TLS at ingress, image scanning in CI, no hardcoded secrets, runtime logging, resource limits, patched worker nodes, and a reviewed infrastructure-as-code template.
Common Exam Traps
| Trap | Better exam reasoning |
|---|---|
| "The cloud provider secures everything." | Shared responsibility leaves identity, data, and configuration with the customer. |
| "A container is a full VM." | Containers share the host kernel and need image and runtime controls. |
| "Snapshots are harmless temporary files." | Snapshots can contain sensitive data and must be protected. |
| "IaC is automatically secure." | IaC needs review, scanning, and change control. |
Quick Drill
Pick the likely control:
- Find public storage buckets: CSPM or cloud security posture rule.
- Prevent secrets in images: secrets manager and CI scanning.
- Harden many identical VMs: secure golden image template.
- Track who changed a cloud firewall rule: cloud audit logs.
- Reduce container privilege: run as non-root and drop capabilities.
In a SaaS application, who is usually responsible for disabling a former employee account?
Which actions improve container security? Choose two.
Select all that apply
A cloud team repeatedly deploys the same overly permissive security group from a template. What should be reviewed first?