Lesson 3 · Cloud security fundamentals

Identity is the new perimeter

9-minute read · beginner

HorizonShield lesson workspace with guided course material and analyst notes
Lesson content is rendered from the Academy CMS and keeps its previous/next course flow.
HS AcademyCloud security fundamentalsLesson 3beginner

In the cloud, the firewall is replaced by identity. If an attacker has a valid token with the right scope, the network controls do not save you. This is why identity hygiene now sits where firewall rules used to.

The three things you need to get right

  • Strong authentication for every human. Multi-factor by default, no exceptions for "convenience" accounts.
  • Short-lived credentials for every workload. No long-lived static keys living in environment variables, ever.
  • Least-privilege roles, reviewed regularly. "Read-only" is not a role you assign once and forget — entitlements drift.

Common findings in cloud assessments

  • Service accounts with administrator-equivalent permissions because nobody knew what was actually needed
  • Long-lived keys committed to source control years ago, still active
  • Multi-factor enrolled for the people who remember to set it up, but not enforced for everyone
  • A handful of "break glass" accounts that turn out to be how 80% of the team logs in day-to-day

A practical playbook

  1. Inventory every identity, both human and machine
  2. Score each by privilege blast radius
  3. Force MFA for the top tier first, work down
  4. Replace long-lived keys with short-lived credential exchanges
  5. Schedule a quarterly access review and actually do it

Takeaway

If you only have time to harden one thing in your cloud, harden identity. Everything else is downstream.

HS Academy

All HS Academy lessons are free to read. Create a free HorizonShield account to explore the platform itself.

Sign up free →
← All lessons in Cloud security fundamentals