> For the complete documentation index, see [llms.txt](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/google-cybersecurity-professional-cert/3.-connect-and-protect-networks-and-network-security/module-4/cloud-hardening/cryptography-and-cloud-security.md).

# Cryptography and Cloud Security

#### 🔒 Fun and ADHD-Friendly Notes on Cryptography and Cloud Security ☁️🔐

***

#### **1. Cloud Security: What’s the Deal?**

* Just like traditional networks, **cloud networks** need to be secured using a mix of **hardening practices** and **cryptography**.
* As more stuff moves into the **cloud**, you’ve got to know how to **lock it down**!

***

#### **2. Cloud Security Hardening Techniques** 🛡️

Here are some **tools and techniques** to help secure your cloud fortress:

**1. Identity Access Management (IAM)**

* **IAM** is like a gatekeeper for your cloud. It manages **who** gets in and **what** they can access.
* Keep it tight—don’t let unauthorized users run wild! 🎮

**2. Hypervisors**

* Hypervisors help cloud providers **run virtual machines**. They separate the hardware from the software.
  * **Type 1**: Runs on hardware (e.g., VMware ESXi).
  * **Type 2**: Runs on software (e.g., VirtualBox).
* Here’s the completion of that thought:

**Watch out!** Misconfigurations can lead to **VM escapes**, where attackers break into the **host system** and potentially access other virtual machines (VMs) running on the same host. This could compromise the entire cloud environment.

**CSPs (Cloud Service Providers)** handle the **hypervisors** for you and are responsible for applying **security patches** and **updates** to prevent these types of attacks. However, as the customer, it’s important to ensure your **virtual machines** are properly configured, and you use **best practices** to minimize the risk of misconfigurations or vulnerabilities that could lead to a VM escape.

So, while CSPs manage the hypervisors, you’re still responsible for securing your own **VMs and configurations**!

No worries! Let’s continue where we left off:

**2. Hypervisors (continued)**

* **VM escapes** are like someone escaping from a room in your cloud house and taking over the whole building.
* **Good news**: Your cloud service provider (**CSP**) manages hypervisors and applies regular patches. You don’t usually deal with hypervisors directly, but it’s good to know what they are!

**3. Baselining 🏷️**

* A **baseline** is like a **snapshot** of your cloud setup when it’s properly configured. It helps you compare changes and see if anything weird is happening.
  * **Example**: Make sure only admins can get into the cloud portal, set strong passwords, encrypt files, and turn on threat detection.
* Baseline = reference point for a **healthy cloud environment**. If things drift from the baseline, it’s a sign something might be off!

***

#### **3. Cryptography in the Cloud** 🔑💻

Let’s talk about how **cryptography** keeps your cloud data safe!

**Encryption**

* **Encryption** is like turning your data into a **secret code** that no one can read unless they have the key.
  * Data gets scrambled into **ciphertext** and only decrypted with a secret key.
* The cloud loves encryption because it’s a key way to keep **data safe and confidential**.

**Cryptographic Erasure (Crypto-Shredding) ✂️🗝️**

* Imagine if you could **shred** the key to your secret code. That’s **cryptographic erasure**.
  * When you want to destroy data in the cloud, instead of trying to delete everything, you just **destroy the encryption key**. Now, no one can decrypt the data!
* Crypto-shredding is super useful because even if someone finds your data, it’s **useless** without the key.

***

#### **4. Key Management** 🔐

**Managing encryption keys** is critical for keeping your data secure. Here are some key tools:

**Trusted Platform Module (TPM)**

* A **TPM** is like a **vault** that stores passwords, certificates, and encryption keys safely on your computer.

**Cloud Hardware Security Module (CloudHSM)**

* **CloudHSM** is a cloud-based **lockbox** that stores and manages your encryption keys for you. It also handles things like encryption and decryption operations.
* You can keep your encryption keys, or let the **CSP** handle it—just be careful! If you lose your keys, the **CSP** can’t help you get them back.

***

#### **5. The Shared Responsibility Model** 🤝

* **CSPs** handle the security of the **cloud infrastructure** (data centers, hypervisors, physical stuff), while **you** (the user) are responsible for securing your **data and configurations**.
* Always know where your responsibilities start and stop—don’t assume the CSP has it covered!

***

#### **6. Key Takeaways** 📝

* **Cloud security hardening** is crucial! Make sure you use tools like **IAM**, **hypervisor protection**, **baselining**, and **cryptography** to secure your cloud environment.
* Always know what’s **your responsibility** vs. the **CSP’s responsibility**—this is what the **shared responsibility model** is all about!

Now you’re ready to keep your cloud fortress safe and secure! ☁️🔒
