How to Secure Your Cloud Environment

The migration to cloud computing has transformed how UK businesses operate, delivering unprecedented flexibility, scalability, and cost efficiency. Yet this transformation has also created a vast and complex attack surface that many organisations are not adequately protecting. Cloud environments — whether built on Microsoft Azure, Amazon Web Services, Google Cloud, or a combination of platforms — require a fundamentally different security approach from traditional on-premises infrastructure, and too many UK businesses are applying outdated security models to modern cloud architectures.

The shared responsibility model that underpins all major cloud platforms means that while the cloud provider secures the underlying infrastructure, the customer is responsible for securing everything they deploy within it — their data, their identities, their configurations, their applications, and their access controls. Misunderstanding this division of responsibility is one of the most common causes of cloud security breaches, with misconfiguration consistently ranking as the number one cloud vulnerability worldwide.

This guide provides a comprehensive framework for securing your cloud environment, covering identity and access management, network security, data protection, monitoring, compliance, and incident response. Whether you are running a single Microsoft 365 tenant or managing a complex multi-cloud infrastructure across Azure and AWS, these principles and practices will help you build a security posture that protects your business while enabling the agility that cloud computing promises.

  • 82% of cloud breaches involve misconfiguration or human error
  • £3.6m average cost of a cloud data breach in the UK
  • 45% of UK organisations experienced a cloud security incident in 2025
  • 277 days average time to identify and contain a cloud breach

The Shared Responsibility Model

Understanding the shared responsibility model is the starting point for cloud security. Every major cloud provider — Microsoft, Amazon, and Google — operates on the same principle: the provider is responsible for the security of the cloud (the physical data centres, the hypervisors, the network fabric, and the storage infrastructure), while the customer is responsible for security in the cloud (their data, their identities, their configurations, and their applications).

The exact division of responsibility varies depending on the service model. In Infrastructure as a Service (IaaS) — such as Azure Virtual Machines or AWS EC2 — the customer is responsible for the operating system, middleware, applications, and data. In Platform as a Service (PaaS) — such as Azure App Service or AWS Lambda — the provider manages the operating system and runtime, and the customer is responsible for the application code and data. In Software as a Service (SaaS) — such as Microsoft 365 or Salesforce — the provider manages almost everything, and the customer is primarily responsible for identity management, access controls, and data classification.

The Most Common Cloud Security Mistake

The single most common cloud security mistake made by UK businesses is assuming that the cloud provider handles all security. This assumption leads to misconfigured storage buckets that expose sensitive data to the internet, overly permissive access controls that grant unnecessary privileges, unmonitored admin accounts that become attack vectors, and unencrypted data stores that violate GDPR requirements. The cloud provider secures the infrastructure — your responsibility is to secure how you use it. Ignoring this distinction is the root cause of the majority of cloud security incidents.

Identity and Access Management

Identity is the new perimeter. In a cloud environment, where there are no physical firewalls between your users and your data, controlling who can access what — and under what conditions — is the most critical security control. A compromised identity with excessive privileges is the fastest path to a devastating breach.

Multi-Factor Authentication (MFA). MFA should be mandatory for every user account without exception. This is not optional — it is the single most effective control against credential-based attacks, which account for over 80% of cloud breaches. For Microsoft 365 and Azure, enable MFA through Conditional Access policies. Use phishing-resistant MFA methods (such as FIDO2 security keys or Microsoft Authenticator number matching) rather than SMS-based verification, which is vulnerable to SIM swapping attacks.

Least Privilege Access. Every user, service account, and application should have the minimum permissions required to perform their function — nothing more. Audit your Azure role assignments, AWS IAM policies, and Microsoft 365 admin roles regularly. Remove any standing admin access that is not actively needed. Use just-in-time (JIT) access through Azure AD Privileged Identity Management (PIM) to grant temporary elevated access only when needed and only with approval.
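The two mistakes described above, a storage resource opened to anonymous access and a role granted wildcard permissions, are both visible in the policy document itself before anything is deployed. The following Python script is an added example (not Cloudswitched's tooling and not a cloud provider's API) that audits AWS-style JSON policy statements for exactly those patterns. The policy documents and the names in them are constructed for the example; in practice you would feed it the policies exported from your account.

```python
import json

# Constructed sample policies (not taken from any real account): a role policy
# with an over-broad second statement, and a bucket policy granting anonymous read.
SAMPLE_POLICIES = {
    "ops-role-policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-reports/*"},
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
        ],
    }),
    "example-reports-bucket-policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::example-reports/*"},
        ],
    }),
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(value):
    """True for '*' or a service-wide wildcard such as 's3:*'."""
    return any(v == "*" or v.endswith(":*") for v in _as_list(value))


def _is_public_principal(principal):
    """Principal may be '*' or a map such as {'AWS': '*'} (values may be lists)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_policy(name, document):
    """Return (policy_name, statement_index, finding) for each risky Allow statement."""
    findings = []
    policy = json.loads(document)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not flagged here
        if _is_wildcard(stmt.get("Action")) and _is_wildcard(stmt.get("Resource")):
            findings.append((name, idx, "allows all actions on all resources"))
        elif _is_wildcard(stmt.get("Action")):
            findings.append((name, idx, "wildcard Action"))
        # An Allow to an anonymous principal with no Condition is public exposure.
        if _is_public_principal(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((name, idx, "unconditional Allow to anonymous principal"))
    return findings


def audit_all(policies=SAMPLE_POLICIES):
    """Audit every policy in the mapping and return the combined findings."""
    findings = []
    for name, doc in policies.items():
        findings.extend(audit_policy(name, doc))
    return findings


if __name__ == "__main__":
    for policy_name, stmt_idx, text in audit_all():
        print(f"{policy_name}: statement {stmt_idx}: {text}")
```

Run against the sample data it reports the wildcard statement in the role policy and the anonymous grant in the bucket policy; the `s3:GetObject` statement scoped to one bucket is left alone, which is the least-privilege shape the text asks for. Azure role assignments use a different format, but the same review (wildcard scope, wildcard actions, anonymous principals) applies.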

Conditional Access. Conditional Access policies add context-aware controls to every authentication attempt. You can require MFA when accessing from unfamiliar locations, block access from non-compliant devices, restrict access to specific applications based on user risk level, and enforce stricter controls for sensitive operations. For UK businesses, configuring Conditional Access to flag sign-ins from outside the UK (or from known high-risk countries) provides an additional layer of protection against international credential abuse.

| Security Control | Priority | Complexity | Impact |
|---|---|---|---|
| Multi-Factor Authentication | Critical — implement first | Low | Blocks 99.9% of credential attacks |
| Conditional Access Policies | Critical | Medium | Context-aware access decisions |
| Least Privilege / JIT Access | High | Medium | Limits blast radius of compromise |
| Data Encryption (at rest and in transit) | High | Low | Protects data if accessed |
| Security Monitoring and Alerting | High | Medium-High | Detects breaches faster |
| Network Segmentation | Medium-High | High | Contains lateral movement |
| Vulnerability Scanning | Medium | Low-Medium | Identifies weaknesses proactively |

Network Security in the Cloud

Cloud network security requires a different mindset from traditional perimeter-based security. In a cloud environment, you must assume that the network is hostile and design your security controls accordingly. This zero-trust approach means that every connection is authenticated, every request is authorised, and every transaction is encrypted.

For Azure environments, use Network Security Groups (NSGs) to control traffic flow between subnets and resources. Deny all inbound traffic by default and explicitly allow only the traffic that is required. Use Azure Firewall or a third-party network virtual appliance for centralised traffic inspection and policy enforcement. For resources that do not need public internet access, use Private Endpoints to eliminate their exposure to the public internet entirely.

For AWS environments, use Security Groups and Network ACLs to control traffic at the instance and subnet level. Implement AWS WAF (Web Application Firewall) to protect web-facing applications from common attacks. Use VPC Flow Logs to monitor and analyse network traffic patterns for anomalies.
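Default-deny is easy to state and easy to get wrong in practice, because a single broad allow rule left over from initial setup sits ahead of everything else. The Python model below is an added example (not the page's code and not Azure's own evaluation engine) that simulates how an Azure NSG decides an inbound flow: rules are evaluated in ascending priority order, the first match wins, and the platform's built-in rules (AllowVnetInBound at 65000, DenyAllInBound at 65500) sit at the end. The virtual network range, the rule sets and the source address are constructed for the example; the two rule sets show the "default allow-all unchanged" misconfiguration beside a hardened version.

```python
import ipaddress

# Constructed virtual network range for the example.
VNET = ipaddress.ip_network("10.0.0.0/16")

# Azure's built-in inbound rules (simplified: AllowAzureLoadBalancerInBound omitted).
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "source": "VirtualNetwork", "dest_port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "source": "*", "dest_port": "*"},
]

# Constructed "before" rule set: the allow-all rule nobody removed after setup.
PERMISSIVE_RULES = [
    {"name": "allow-any-inbound", "priority": 100, "access": "Allow",
     "source": "*", "dest_port": "*"},
]

# Constructed "after" rule set: HTTPS from the Internet, SSH only from inside the VNet,
# and an explicit deny-all so nothing falls through to a later allow by accident.
HARDENED_RULES = [
    {"name": "allow-https-internet", "priority": 100, "access": "Allow",
     "source": "Internet", "dest_port": "443"},
    {"name": "allow-ssh-vnet", "priority": 110, "access": "Allow",
     "source": "VirtualNetwork", "dest_port": "22"},
    {"name": "deny-all-inbound", "priority": 4096, "access": "Deny",
     "source": "*", "dest_port": "*"},
]


def _source_matches(rule_source, src_ip):
    """Match the rule's source ('*', a service tag, or a CIDR) against an address."""
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return src_ip in VNET
    if rule_source == "Internet":
        return src_ip not in VNET  # simplification: anything outside the VNet
    return src_ip in ipaddress.ip_network(rule_source)


def _port_matches(rule_port, port):
    """Match '*', a single port, or a 'low-high' range."""
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def evaluate_inbound(rules, src_ip, port):
    """Return (rule name, access) of the first rule, by priority, matching the flow."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if _source_matches(rule["source"], src) and _port_matches(rule["dest_port"], port):
            return rule["name"], rule["access"]
    raise RuntimeError("no rule matched; DenyAllInBound should always match")


def internet_exposed_ports(rules, ports=(22, 443, 3389)):
    """Ports reachable from an arbitrary Internet source (203.0.113.10, a documentation address)."""
    return [p for p in ports if evaluate_inbound(rules, "203.0.113.10", p)[1] == "Allow"]


if __name__ == "__main__":
    print("permissive:", internet_exposed_ports(PERMISSIVE_RULES))  # SSH and RDP reachable
    print("hardened:", internet_exposed_ports(HARDENED_RULES))      # only HTTPS reachable
```

The useful check is `internet_exposed_ports`: run it against each NSG (or, with the matching semantics swapped in, each AWS Security Group) and anything other than the ports you deliberately publish is a finding. AWS Security Groups differ in one way worth remembering: they are allow-only and stateful, so "deny" there means the absence of an allow rule rather than an explicit deny entry.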

Regardless of the cloud platform, ensure that all data in transit is encrypted using TLS 1.2 or later. Disable the older protocols (TLS 1.0, TLS 1.1, and all versions of SSL), which have known vulnerabilities. For sensitive workloads, consider implementing mutual TLS (mTLS) for service-to-service communication within your cloud environment, so that both ends of every connection present a certificate rather than only the server.

Secure Cloud Configuration

  • MFA enforced on all accounts without exception
  • Least privilege access with JIT elevation
  • Conditional Access based on risk signals
  • Default-deny network security rules
  • Private endpoints for internal services
  • Encryption at rest and in transit (TLS 1.2+)
  • Centralised logging and real-time alerting
  • Regular configuration audits and reviews

Common Cloud Misconfigurations

  • No MFA on admin or privileged accounts
  • Standing global admin access for multiple users
  • No Conditional Access policies configured
  • Default allow-all network rules unchanged
  • Storage accounts exposed to public internet
  • Data transmitted without encryption
  • No logging enabled or logs never reviewed
  • Configuration never audited after initial setup

Data Protection and Encryption

Protecting data in the cloud requires a layered approach that covers data at rest, data in transit, and data in use. For UK businesses subject to GDPR, these protections are not optional — the regulation requires "appropriate technical and organisational measures" to protect personal data, and encryption is explicitly mentioned as an example of such a measure.

All major cloud platforms provide encryption at rest by default for most services, but you should verify this for every service you use and understand the key management options available. For highest security, use customer-managed encryption keys stored in a dedicated key vault (Azure Key Vault or AWS KMS). This ensures that you — not the cloud provider — control the encryption keys that protect your data.

Implement data classification to identify which data requires the highest levels of protection. Not all data is equally sensitive — a public marketing brochure and a database of customer personal data require very different security treatments. Microsoft Purview Information Protection, Azure Information Protection, and AWS Macie provide automated data classification and labelling capabilities that help you identify and protect sensitive data at scale.

  • UK businesses with encryption at rest for all cloud data: 78%
  • Organisations using customer-managed encryption keys: 34%
  • Businesses with automated data classification: 22%
  • Organisations with comprehensive DLP policies: 29%

Monitoring and Incident Response

Cloud environments generate enormous volumes of security-relevant data — authentication logs, resource access logs, configuration change logs, network flow logs, and API call logs. Without centralised monitoring and automated alerting, security incidents can go undetected for weeks or months, giving attackers ample time to exfiltrate data, establish persistence, and escalate their access.

Enable logging for every cloud service you use. In Azure, this means enabling Azure Activity Log, Azure AD Sign-in and Audit Logs, Azure Monitor, and Microsoft Defender for Cloud. In AWS, enable CloudTrail, GuardDuty, Security Hub, and VPC Flow Logs. Centralise these logs in a Security Information and Event Management (SIEM) platform — Microsoft Sentinel for Azure environments, or a third-party SIEM for multi-cloud deployments.

Configure automated alerts for high-risk events: impossible travel (a user signs in from London and then from Tokyo within an hour), bulk file downloads, changes to admin roles, creation of new admin accounts, modifications to security policies, and access from blacklisted IP addresses. These alerts should trigger immediate investigation by your security team or managed security provider.

Develop a cloud-specific incident response plan that defines how you will investigate, contain, eradicate, and recover from a cloud security incident. This plan should account for the unique characteristics of cloud environments — such as the ability to snapshot compromised resources for forensic analysis, the need to coordinate with the cloud provider's security team, and the regulatory obligations under GDPR to report breaches to the ICO within 72 hours.

Time to detect a cloud security breach, by monitoring level:

  • SIEM + SOC: 12 hours
  • Basic alerts: 30 days
  • Logs only: 120 days
  • No monitoring: 277 days

Compliance and Governance

UK businesses operating in the cloud must navigate a complex regulatory landscape that includes GDPR, the Data Protection Act 2018, industry-specific regulations (FCA for financial services, NHS Digital for healthcare), and voluntary frameworks such as Cyber Essentials and ISO 27001. Your cloud security strategy must address all applicable requirements and provide auditable evidence of compliance.

GDPR requires that personal data processed in the cloud is protected by appropriate technical and organisational measures, that you have a lawful basis for any international data transfers (relevant when using non-UK cloud regions), and that you can demonstrate accountability through documented policies, impact assessments, and records of processing activities. Ensure your cloud configuration supports these requirements — for example, by restricting data residency to UK and EU regions, implementing access controls that limit who can view personal data, and maintaining audit logs that demonstrate compliance.

Use the compliance tools provided by your cloud platform. Microsoft Compliance Manager, AWS Audit Manager, and Google Cloud's compliance reporting tools provide frameworks for assessing your compliance posture, identifying gaps, and tracking remediation efforts. These tools are particularly valuable when preparing for audits or responding to ICO enquiries, as they provide pre-built assessment templates for common UK and international regulatory frameworks.

Cyber Essentials and Cloud Security

Cyber Essentials and Cyber Essentials Plus — the UK government-backed cyber security certification schemes — now explicitly cover cloud services within their scope. If your organisation processes data in the cloud, your Cyber Essentials assessment must include the security controls applied to those cloud services. This includes access control, secure configuration, malware protection (for IaaS instances), security update management, and firewall/boundary controls. Achieving Cyber Essentials Plus with cloud services in scope demonstrates to clients, partners, and regulators that your cloud environment meets a recognised security standard.

Building a Cloud Security Roadmap

Securing a cloud environment is not a one-time project — it is an ongoing programme that evolves alongside your cloud usage and the threat landscape. Build a phased roadmap that prioritises the highest-impact controls first and gradually builds towards a mature, comprehensive security posture.

Phase 1 (Immediate): Enable MFA for all users. Implement Conditional Access policies. Enable default encryption. Turn on logging and basic alerting. Review and remediate the most critical misconfigurations identified by your cloud platform's security assessment tool (Microsoft Secure Score, AWS Security Hub).

Phase 2 (30-60 days): Implement least privilege access and JIT elevation. Deploy network segmentation. Configure data loss prevention policies. Establish a regular patching and update cadence for IaaS resources. Begin security awareness training for all staff.

Phase 3 (60-90 days): Deploy a SIEM for centralised monitoring. Implement automated incident response playbooks. Conduct a penetration test of your cloud environment. Develop a cloud-specific incident response plan. Begin working towards Cyber Essentials certification if not already certified.

Phase 4 (Ongoing): Conduct regular security reviews and configuration audits. Run tabletop exercises to test incident response. Stay current with cloud provider security updates and new features. Review and update policies as your cloud usage evolves. Consider advanced protections such as Cloud Access Security Brokers (CASB) and Zero Trust Network Access (ZTNA).

Secure Your Cloud Environment with Expert Help

Cloudswitched provides cloud security assessment, implementation, and ongoing management for UK businesses using Microsoft Azure, Microsoft 365, and multi-cloud environments. From initial security audits and Cyber Essentials preparation to SIEM deployment and 24/7 monitoring, we help you build a cloud security posture that protects your data, satisfies regulators, and lets you focus on growing your business.
