
Cloud Security Pitfalls

Explore the risks companies face when migrating to the cloud, and learn how to address them in a SOC.


Task 1: Introduction

Many companies migrate their on-premises resources to the cloud to gain benefits such as cost savings, greater stability, and improved security. However, not all recognize the new risks that come with this transition, often leaving their assets even less protected than before. This beginner-friendly room outlines the risks and common pitfalls companies face when migrating to the cloud, and helps you understand how to protect them as a SOC analyst.

Learning Objectives

  • Learn the main cloud models: IaaS, PaaS, and SaaS
  • Explore security risks coming from the cloud providers
  • Understand the core concepts of security in the cloud
  • Identify the challenges of monitoring clouds as a SOC

Prerequisites

  • Know how the web and web applications work
  • Preferably, complete the SOC Level 1 path

Answer the questions below

Continue to the next task!

What Is Cloud

The cloud is a paradigm in which computing resources are hosted and managed by third-party providers and delivered on demand via the Internet. Users can access, configure, and pay for these services as needed, without owning or maintaining the underlying hardware. AWS, Google Drive, and even TryHackMe are all "clouds" of some sort. There are three main cloud service models you should know about: IaaS, PaaS, and SaaS. Let's explore them one by one!

IaaS

Managing a server room or data center can be challenging: you are fully responsible for its physical security, hardware stability, software updates, network routing, and many other tasks. Every IT company needs some computing power to run its business, but not every company has the expertise or resources to maintain and properly secure its own servers.

That's the problem Infrastructure as a Service (IaaS) tries to solve. IaaS is a cloud service model where computing infrastructure is provided online on demand. For example, with an IaaS provider like Amazon AWS, Google Cloud, or Microsoft Azure, you can launch any virtual machine in the cloud just by clicking a button in a web GUI, without worrying about power outages and hardware failures.

IaaS, using Amazon AWS as an example: you manage the operating systems and everything on top of them, and the cloud provider manages virtualisation and physical servers.

PaaS

For some companies, IaaS is not enough. For example, software developers don't want to bother with launching virtual machines - all they want is to write the source code, click a button, and see their application up and running, without caring much how and where it actually runs. Such needs are covered by Platform as a Service (PaaS), a cloud service model for easily developing and hosting web applications.

Interestingly, TryHackMe also offers PaaS features, as you can create your own private or public rooms and then host them in the cloud, without knowing how it works internally. In turn, TryHackMe uses IaaS (Amazon AWS) to host its infrastructure, including in-room virtual machines. Other PaaS offerings include Vercel, Heroku, and Google App Engine.

PaaS, using Vercel as an example: you develop applications, and everything needed to build and run the apps is managed by the vendor.

SaaS

Software as a Service (SaaS) allows users and companies to launch complex applications in the cloud without installing any software on their computers. Slack, Zoom, Gmail, Dropbox, and Google Docs are among the thousands of SaaS offerings. Unlike the previous models, SaaS is always a final product that can be used by a non-technical audience. The comparison below makes the distinction clearer:

SaaS offering vs. not-SaaS alternative:

  • Google Docs (SaaS: web application, saves docs in the cloud) vs. Microsoft Word (not SaaS: desktop program, controllable updates, saves docs locally)
  • Dropbox (SaaS: web application, saves files in the cloud) vs. Synology NAS (not SaaS: hardware device, can work offline, saves files locally)
  • MS Intune (SaaS: cloud MDM, where endpoints connect to the Microsoft servers in the cloud) vs. ME Endpoint Central (not SaaS: on-premises MDM, where endpoints connect to the local Endpoint Central server you control)

It's fun to think about how you can combine the models. For example, if you develop a cat image generator, make it a public web service, and host it in AWS, you'll get SaaS on IaaS (or CataaS). What you should remember is that the "as a service" approach always implies some form of abstraction, where a maintenance burden is taken from you and delegated to a cloud service provider.

Answer the questions below

Which cloud model allows you to migrate a big on-premises network to the cloud?

Which cloud model do Elastic Cloud and CrowdStrike Falcon fit into?
Note: You may need to perform external research to answer this question.

Security of the Cloud

Cloud computing is a complex topic, but it is built on top of the same core technologies as traditional on-premises infrastructure. For instance, AWS often shares insights into its internal architecture (video 1, video 2), where familiar concepts like TCP/IP and Linux play a key role. There is even a saying that "the cloud is just someone else's computer". This is why you must understand that clouds are not invulnerable and, just like your computer, are at risk of attack. The security of the cloud provider's internal infrastructure is often called Security of the cloud:

A natural cloud with a city floating on it (in the cloud). One of the buildings is your cloud account (cloud tenant).

Risk of Cloud Vulnerabilities

The biggest clouds are built with security in mind, and it's extremely rare to see them breached. However, it's still possible, and when breaches do occur, attackers often target the provider's largest customers. Treat this as a form of supply chain risk - don't blindly trust the cloud provider, but apply the same defensive principles: segment the network, analyze login activity, and monitor endpoint behavior.

For less popular cloud services, the chance of compromise is much higher. There were many cases where a breach of a local IaaS provider resulted in the deployment of malware on all hosted VMs, or where a breach of SaaS led to the exposure of sensitive data. This is why you should carefully choose your cloud vendor and decide what to entrust them with.

A natural cloud painted in red and with a big crack, damaging the city that floats on top of it. If the cloud is breached, all its tenants are in danger.

Risk of Poor Cloud Visibility

The risks associated with cloud breaches are amplified by the fact that, as an end user, you have no visibility into the cloud provider's internal environment. For example, between August 8 and August 18, 2025, adversaries used stolen Salesloft (SaaS) OAuth tokens to exfiltrate data from certain SaaS customers' tenants. As an end user, you can't detect it, as the malicious activity occurred entirely within SaaS infrastructure - essentially, "someone else's computer".

No matter how mature your SOC is, using cloud services means entrusting your data to third-party vendors, who will never provide their internal security logs upon request. This makes it especially critical to maintain control over SaaS usage. Other departments may unknowingly upload sensitive data to untrusted SaaS applications, creating shadow IT risks that can later lead to unexpected breaches.

A natural cloud painted in red and with a worm inside, spying on the city that floats on top of the cloud. If the cloud is backdoored, all its tenants are backdoored as well.

Incidents of the Cloud

Cloud provider, security incident, and potential impact:

  • Okta (SaaS) - Security incident: in 2023, threat actors gained access to the Okta support case management system, which contained customers' HAR files with Okta session tokens. Potential impact: the attackers stealthily log in to the Okta tenants of the impacted customers.
  • BeyondTrust (SaaS) - Security incident: in 2024, threat actors compromised some of its Remote Support SaaS instances that were used to provide remote access services to 17 customers. Potential impact: the attackers gain stealthy Remote Support access to the impacted BeyondTrust customers.
  • Google Cloud (IaaS) - Security incident: in 2025, a minor vulnerability in GCP Cloud Run allowed unauthorized access to the victims' container images. Potential impact: the attacker accesses restricted container images or injects malicious code there.

Answer the questions below

Is the cloud provider responsible for securing and monitoring its own infrastructure (Yea/Nay)?

But should you trust the cloud provider without watching for supply chain threats? (Yea/Nay)

Security in the Cloud

The previous task was about the security of the cloud - something that the cloud provider takes care of. However, it's still your responsibility to protect resources in the cloud: VMs you host in IaaS, applications you build with PaaS, or credentials to your SaaS accounts. Everything you have in the cloud requires the same level of monitoring and hardening as on-premises systems. Check out the Shared Responsibility Model for more details.

A natural cloud with a city floating on it (in the cloud). One of the buildings is your cloud account (cloud tenant).

Cloud Migration Pitfalls

There is a misconception that migrating an old, unpatched virtual machine to the cloud somehow makes it new and secure, or that moving files to Google Drive guarantees protection from ransomware. Neither is true. While cloud environments can reduce exposure to certain traditional attack vectors, they also introduce new, cloud-specific threats that are often overlooked by IT teams.

Another issue is that people tend to apply their on-premises security practices to cloud environments. For instance, it is acceptable to use 12-character passwords without MFA in an isolated Active Directory network, but it is critically dangerous in public clouds accessible from anywhere. Cloud security requires a unique approach, which you will learn about in the following rooms.

A natural cloud with a city floating on it. One of the buildings on top of the cloud is painted red and has broken windows, indicating that insecure servers in the cloud remain vulnerable.

Logging in Clouds

Since you can't install a SIEM agent in the cloud and collect logs from there the same way as on-premises, you have to rely on the cloud provider's solution. Some vendors provide comprehensive logging services, such as AWS CloudTrail, which you will learn about in the next room. However, in the majority of cases, cloud logging is limited, especially in SaaS, where:

  • Paid Logs: Logging to SIEM may require an additional payment or license
  • Poor Format: Log fields may be incomplete, unstructured, or not documented
  • Lack of Integration: In some cases, solutions don't support logging to SIEM at all

Incidents in the Cloud

Victim, security incident, and caused impact:

  • Capital One Bank - Security incident: a misconfiguration in the bank's AWS resources allowed the attackers to access all data within the bank's S3 cloud storage. Caused impact: adversaries stole 1 million Social Insurance Numbers and 140 thousand Social Security numbers of the bank's credit card customers.
  • Various companies - Security incident: hundreds of SaaS customers are breached every year due to simple mistakes, such as weak passwords, leaked API keys, or stolen cookies. Caused impact: adversaries leverage SaaS access to mine valuable information like passwords, contracts, or network maps (MITRE Examples).

Answer the questions below

Does moving an unpatched server to the cloud make it secure again? (Yea/Nay)

What is the first mentioned blocker to integrate most cloud products with SIEM?

What to Protect and Monitor

The effort required to build monitoring in the cloud differs depending on the cloud service model. For example, SaaS is the simplest, as all you have to do is ingest the logs in SIEM via the provider's API and monitor for risky actions, such as when a confidential Google Drive document is made public, an internal GitHub repository is downloaded, or when someone logs in to Notion from a suspicious IP and exports all corporate pages. On the other hand, covering IaaS is a more challenging task, as you need to cover all three of the following:

  • Workloads: Monitor virtual machines or containers, same as in on-premises
  • Cloud Services: Monitor database queries, storage access, and many more
  • Control Plane: Monitor logins and actions within the cloud admin console

Data Sources for Monitoring

On-premises endpoint monitoring typically relies on EDR, SIEM, and forensic tools. But in the cloud, the tools change drastically. EDRs are often unsupported due to containerized workloads and auto-scaling; SIEM integration with the provider's logging APIs may be difficult; and forensic investigation is constrained by a lack of accessible memory or disk artifacts. The image below illustrates the differences in cloud and on-premises logging:

Three piles of books demonstrating the amount of logs you can get from different cloud models. The first, biggest pile is for on-premises networks. The second, smaller pile is for IaaS. The third, smallest pile is for SaaS.

Common Cloud Security Tools

Many specialized solutions have begun to pop up to cover what traditional tools can't in the clouds. Cloud Access Security Brokers (CASB) enforce security policies, Cloud Workload Protection Platforms (CWPP) protect against malware, Cloud Security Posture Management (CSPM) alerts on misconfigurations, and so on. While we encourage you to read more about them, you can still set up monitoring with just a SIEM and achieve decent SOC coverage:

Recommended actions:

1. List your clouds: Identify all cloud platforms where your organization stores or processes critical data
2. Know the risks: Prepare a plan for a potential cloud vendor's breach, even if the likelihood is low
3. Enable cloud logs: Turn on vendor-provided cloud audit logs in all identified clouds, including SaaS
4. Enable workload logs: For IaaS, don't forget that your VMs require the same logging as in on-premises
5. Collect the logs: Forward the logs to your SIEM, as they aren't kept in the cloud for a long time
6. Monitor for anomalies: Build SIEM detection rules by alerting on suspicious logins and administrative actions
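As an added example (not part of this room or of any vendor's product), the script below shows what step 6 and the SaaS risky actions listed under "What to Protect and Monitor" look like as simple SIEM-style rules: it walks over normalised SaaS audit events and alerts on a document made public, an internal repository download, and an export shortly after a login from outside the corporate ranges. The event shape, field names, the trusted network 10.0.0.0/8, and all sample events are constructed for illustration.

```python
# Added example: minimal SIEM-style correlation over normalised SaaS audit
# events. Event fields, sample data and the trusted ranges are all constructed.
from ipaddress import ip_address, ip_network

TRUSTED_NETS = [ip_network("10.0.0.0/8")]   # assumed corporate egress ranges
EXPORT_WINDOW = 600                          # seconds after an untrusted login

# Constructed sample events (ts = epoch seconds, already sorted by time).
SAMPLE_EVENTS = [
    {"ts": 100, "app": "drive",  "user": "alice", "action": "share",    "target": "q3-forecast.xlsx",     "visibility": "public", "ip": "10.1.2.3"},
    {"ts": 120, "app": "drive",  "user": "bob",   "action": "share",    "target": "lunch-menu.docx",      "visibility": "domain", "ip": "10.1.2.4"},
    {"ts": 200, "app": "github", "user": "carol", "action": "download", "target": "internal/payments-api", "ip": "10.1.2.5"},
    {"ts": 300, "app": "notion", "user": "dave",  "action": "login",    "ip": "198.51.100.7"},
    {"ts": 420, "app": "notion", "user": "dave",  "action": "export",   "target": "all-pages", "ip": "198.51.100.7"},
    {"ts": 500, "app": "notion", "user": "erin",  "action": "login",    "ip": "10.1.2.6"},
    {"ts": 530, "app": "notion", "user": "erin",  "action": "export",   "target": "my-notes",  "ip": "10.1.2.6"},
]

def is_trusted(ip):
    """True if the source address falls inside one of the corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def detect(events):
    """Return (rule, user, detail) alert tuples for a time-ordered event list."""
    alerts = []
    last_untrusted_login = {}   # user -> ts of the latest login from outside TRUSTED_NETS
    for e in events:
        if e["action"] == "share" and e.get("visibility") == "public":
            alerts.append(("public_share", e["user"], e["target"]))
        elif e["action"] == "download" and e["target"].startswith("internal/"):
            alerts.append(("internal_repo_download", e["user"], e["target"]))
        elif e["action"] == "login":
            if is_trusted(e["ip"]):
                last_untrusted_login.pop(e["user"], None)   # trusted login clears state
            else:
                last_untrusted_login[e["user"]] = e["ts"]
        elif e["action"] == "export":
            t = last_untrusted_login.get(e["user"])
            if t is not None and e["ts"] - t <= EXPORT_WINDOW:
                alerts.append(("export_after_untrusted_login", e["user"], e["ip"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real SOC the same three rules would be expressed in the SIEM's query language over the vendor's audit log feed; the point here is that each risky action named in the text maps to a small, testable condition on the event stream.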
Answer the questions below

What term describes cloud compute resources like VMs or containers?

Which of the mentioned cloud security tools do Falco and Tetragon fit into?
Note: You may need to perform external research to answer this question.

Cloud Security Challenge

In this task, you will explore the differences between cloud service models and review the Shared Responsibility Model - what you manage versus what the vendor manages. Visit the static site below, complete the exercises, and get the flags!

URL: Static Site

Answer the questions below

What is the flag you get after completing the first exercise?

What is the flag you get after completing the second exercise?

In this room, you explored the differences between IaaS, PaaS, and SaaS cloud service models, uncovered often-overlooked risks, and examined common pitfalls organizations face when migrating to the cloud. You also learned that protecting clouds is not easy, and that there are many challenges in log collection and SOC coverage to ensure proper security monitoring. In the upcoming rooms, you will dive deeper into the technical details using AWS (IaaS) and Entra ID (SaaS) as examples. Hope you enjoyed the room!

Answer the questions below

Complete the room!
