Cloud security follows the shared responsibility model: the provider protects the infrastructure and the customer protects identities and data.

The migration to the cloud is unstoppable: more than 85% of Spanish SMEs use at least one cloud service (email, storage, management software, CRM). But the cloud is not secure by default. The security of your data in the cloud is a shared responsibility between you and your cloud provider, and the part that falls to you is the one that most frequently fails. This guide explains what you should do to protect your data, your reputation and your regulatory compliance in cloud environments. If you are looking for the real-world case, jump to the ICT SME case in Las Palmas.

The shared responsibility model

The most important concept to understand about cloud security is that your cloud provider protects the infrastructure (data centers, servers, network, virtualization), but you are responsible for protecting everything you put on top of it: data, configurations, access, applications and users.

In an IaaS (Infrastructure as a Service) model such as AWS, Azure or Google Cloud, you are responsible for the operating system, the applications, the data, the access and the network configuration. In a SaaS (Software as a Service) model such as Microsoft 365, Google Workspace, Salesforce or HubSpot, the provider manages the application and the infrastructure, but you remain responsible for the data, the access, the security configuration and user training.

The most frequent mistake is to assume that if the data is in the cloud, the provider protects it. That is not the case. If an employee shares a public link to a confidential document in Google Drive, the responsibility is yours as the customer, not Google's.

AWS vs Azure vs GCP for SME security

The three major hyperscalers share a similar security architecture but differ in native tooling, cost model and learning curve. A practical summary for a Spanish SME:

| Aspect | AWS | Microsoft Azure | Google Cloud (GCP) |
|---|---|---|---|
| IAM | IAM + IAM Identity Center | Entra ID + RBAC | Cloud IAM |
| Encryption by default | S3, EBS, RDS (AES-256) | Storage, Disks, SQL DB | Storage, Persistent Disk, BigQuery |
| Secrets management | Secrets Manager · KMS | Key Vault | Secret Manager · Cloud KMS |
| Logging and auditing | CloudTrail + GuardDuty | Activity Log + Defender for Cloud | Cloud Audit Logs + SCC |
| Native SIEM | Security Hub + Detective | Microsoft Sentinel | Chronicle (Mandiant) |
| DLP | Macie | Purview DLP | Sensitive Data Protection |
| EU regions with data sovereignty | eu-west-1 (Dublin), eu-west-3 (Paris), eu-south-2 (Aragón) | West Europe, North Europe, Spain Central | europe-west1, europe-west4, europe-southwest1 (Madrid) |
| Certifications | ISO 27001/27017/27018, SOC 2, ENS High | ISO 27001/27017/27018, SOC 2, ENS High | ISO 27001/27017/27018, SOC 2, ENS High |
| SME fit | The broadest ecosystem, a steeper curve | Best Microsoft 365 / AD integration | BigQuery + AI for intensive analytics |

The ten essential cloud security measures

1. Identity and access management (IAM)

Implement the principle of least privilege: each user should have access only to what they need for their job, and nothing more. Use multi-factor authentication (MFA) on all accounts without exception. Review permissions at least quarterly and revoke the access of employees who have changed roles or left the company. Use named accounts (never shared) and disable default or test accounts.

2. Data encryption

Enable encryption in transit (TLS/SSL for all communications) and encryption at rest (encryption of the data stored in the cloud). Most business cloud services offer both by default, but you should verify they are enabled. For especially sensitive data, consider client-side encryption, where you manage the keys and the cloud provider only stores encrypted data that it cannot decrypt.

3. Secure configuration (CIS Benchmarks)

Misconfigurations are the main cause of cloud security breaches. The most frequent are public storage buckets (S3 in AWS, Blob in Azure, GCS in GCP), management ports exposed to the internet (RDP, SSH), weak password policies, the absence of audit logs and overly permissive firewall rules. Use the CIS Benchmarks guides to verify the secure configuration of your cloud services (there are specific benchmarks for AWS Foundations, Azure Foundations, GCP, Microsoft 365 and Kubernetes, among others).
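As an added example (not code from the article or from any provider's tooling), the following Python script runs CIS-style checks over a constructed, AWS-shaped inventory of security groups and storage buckets: it flags SSH/RDP open to the whole internet and buckets made public by an ACL or by a policy whose Principal is `*`. The resource names, rules and policies are invented for illustration; a real audit would read them from the provider's API instead.

```python
# Added example, not code from the article: CIS-style checks over a constructed,
# AWS-shaped inventory of security groups and storage buckets. All names are invented.
import ipaddress

MGMT_PORTS = {22, 3389}  # SSH and RDP, the management ports the text names as exposed

def is_world_open(cidr):
    """True when a CIDR admits the whole internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def check_security_groups(groups):
    """Flag ingress rules that expose SSH or RDP to any source address."""
    findings = []
    for sg in groups:
        for r in sg["ingress"]:
            ports = set(range(r["from_port"], r["to_port"] + 1))
            if is_world_open(r["cidr"]) and MGMT_PORTS & ports:
                findings.append(f"{sg['name']}: management port open to {r['cidr']}")
    return findings

def check_buckets(buckets):
    """Flag buckets made public by an ACL or by a policy whose Principal is '*'."""
    findings = []
    for b in buckets:
        if b.get("public_acl"):
            findings.append(f"{b['name']}: public ACL")
        for st in b.get("policy", {}).get("Statement", []):
            if st.get("Effect") == "Allow" and st.get("Principal") in ("*", {"AWS": "*"}):
                findings.append(f"{b['name']}: policy allows Principal '*'")
    return findings

# Constructed inventory: misconfigured and acceptable items side by side.
SECURITY_GROUPS = [
    {"name": "web-sg", "ingress": [{"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
    {"name": "admin-sg", "ingress": [{"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
    {"name": "vpn-sg", "ingress": [{"from_port": 22, "to_port": 22, "cidr": "10.20.0.0/16"}]},
]
BUCKETS = [
    {"name": "backups", "public_acl": False, "policy": {"Statement": []}},
    {"name": "assets", "public_acl": False,
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
]

def audit():
    """Run every check; an empty list means the inventory passes."""
    return check_security_groups(SECURITY_GROUPS) + check_buckets(BUCKETS)
```

Only `admin-sg` and `assets` should appear in the findings; `vpn-sg` restricts SSH to a private range and `web-sg` only exposes HTTPS.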

4. A backup independent of the cloud provider

Do not rely exclusively on the cloud provider's redundancy for your backups. A configuration error, ransomware whose encrypted files are synchronized to the cloud, or a malicious action by an employee can delete your data even in the cloud. Keep an independent backup following the 3-2-1 rule described in my cybersecurity plan.

5. Monitoring and logging

Enable audit logs on all cloud services and configure them to record access, data modifications, configuration changes and administrative actions. Review the logs periodically (or set up automated alerts) to detect suspicious activity such as access from unusual locations or mass data modifications.
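The two detections named above, as an added example that is not taken from the article: it runs over a handful of constructed audit-log lines (users, countries, timestamps and actions are invented) and flags access from outside an allowlist of countries and a burst of modifying actions by one principal inside a time window.

```python
# Added example, not code from the article: two detections run over constructed audit-log
# entries. Users, countries, timestamps and actions are invented for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"ES"}          # where this constructed SME's staff normally sign in from
MASS_CHANGE_THRESHOLD = 3           # modifying actions per principal tolerated inside one window
WINDOW = timedelta(minutes=10)
MODIFYING_ACTIONS = {"PutObject", "DeleteObject", "DeleteBucket"}

# Constructed log lines: ISO timestamp, principal, action, source country.
LOG_LINES = [
    "2024-05-02T08:05:42Z bob GetObject ES",
    "2024-05-02T08:07:03Z bob GetObject RU",
    "2024-05-02T09:00:00Z carol DeleteObject ES",
    "2024-05-02T09:00:20Z carol DeleteObject ES",
    "2024-05-02T09:00:40Z carol DeleteObject ES",
    "2024-05-02T09:01:00Z carol DeleteObject ES",
]

def parse(line):
    ts, principal, action, country = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "principal": principal, "action": action, "country": country}

def unusual_locations(events):
    """Any access from a country outside the allowlist raises an alert."""
    return [f"{e['principal']} accessed from {e['country']} at {e['ts']:%H:%M:%S}"
            for e in events if e["country"] not in ALLOWED_COUNTRIES]

def mass_modifications(events):
    """Sliding window: alert once a principal exceeds the threshold of modifying actions."""
    by_principal, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] in MODIFYING_ACTIONS:
            by_principal[e["principal"]].append(e["ts"])
    for principal, times in by_principal.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1            # drop events that fell out of the window
            if end - start + 1 > MASS_CHANGE_THRESHOLD:
                alerts.append(f"{principal}: {end - start + 1} modifications within {WINDOW}")
                break                 # one alert per principal is enough
    return alerts

def run_detections(lines=LOG_LINES):
    events = [parse(line) for line in lines]
    return unusual_locations(events) + mass_modifications(events)
```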

6. DLP (Data Loss Prevention)

DLP tools monitor and control the flow of sensitive data to prevent leaks. Microsoft 365 and Google Workspace include basic DLP features you can configure to detect and block the sending of sensitive data (card numbers, health data, financial information) by email or file sharing.

7. Secrets and key management

API keys, tokens and service credentials should never be in code, in Git repositories or in environment variables in plain text. Use the provider's secrets manager (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) and rotate keys automatically. Implement GitHub Secret Scanning or equivalent tools in your CI/CD to detect leaks early.
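As an added example of the kind of check a CI/CD pipeline runs (not the article's code and not GitHub Secret Scanning itself), this Python scanner inspects constructed added lines from a diff for two well-known key-ID formats and for high-entropy hardcoded assignments. The diff lines and the entropy threshold are invented for illustration, and the AWS key ID shown is AWS's documented example value, not a real credential.

```python
# Added example, not code from the article: a minimal pre-commit secret scan over
# constructed diff lines, the kind of check a CI/CD pipeline runs before code is pushed.
import math
import re
from collections import Counter

# Two well-known public key-ID formats plus a generic "name = value" assignment pattern.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gcp_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "hardcoded_assignment": re.compile(
        r"(?i)(secret|password|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
}
ENTROPY_FLOOR = 3.5   # bits per character; random secrets score high, placeholders score low

def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def scan_line(line):
    """Return the names of the patterns one added line matches."""
    hits = []
    for name, rx in PATTERNS.items():
        m = rx.search(line)
        if not m:
            continue
        if name == "hardcoded_assignment" and shannon_entropy(m.group(2)) < ENTROPY_FLOOR:
            continue   # low-entropy value: a placeholder or a lookup name, not a real secret
        hits.append(name)
    return hits

def scan_diff(added_lines):
    """Scan only the added lines of a diff; return (line number, finding) pairs."""
    return [(n, h) for n, line in enumerate(added_lines, 1) for h in scan_line(line)]

# Constructed diff: one leaked AWS key ID (AWS's documented example value), one leaked
# password, one safe call to a secrets manager and one low-entropy placeholder.
ADDED_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'DB_PASSWORD = "x9Lq2!vR8zT4wN1eKp0s"',
    'secret = client.get_secret_value(SecretId="prod/db")',
    'password = "changeme_changeme"',
]
```

The third line passes because it fetches the value from a secrets manager at runtime rather than embedding it, which is the pattern the text recommends.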

8. Network segmentation

Divide the infrastructure into isolated VPCs/VNets with public and private subnets clearly separated, apply restrictive security groups or NSGs (deny by default) and limit East-West traffic with micro-segmentation where necessary.

9. Patching and vulnerability management

Although the cloud provider patches the underlying infrastructure, in IaaS the customer remains responsible for patching the operating system and the applications it runs. Implement automated patching (Azure Update Manager, AWS Systems Manager Patch Manager, GCP OS Config) and weekly vulnerability scanning.

10. Quarterly security posture review

Carry out formal quarterly reviews with the provider's dashboards (AWS Security Hub, Microsoft Defender Secure Score, GCP Security Command Center) to identify configuration drift, new risks and improvement opportunities.

Regulatory compliance in the cloud

GDPR and data localization

The GDPR requires the personal data of European citizens to be processed with adequate safeguards. If you use cloud services with data centers outside the EU, you must verify that valid transfer mechanisms exist (Standard Contractual Clauses, adequacy decisions). The simplest option for SMEs is to choose providers that offer storage in data centers within the EU (Microsoft 365 EU Data Boundary, AWS eu-south-2 Aragón, GCP europe-southwest1 Madrid).

ENS and cloud services

If your organization is subject to Spain's National Security Framework (ENS), the cloud services you use must comply with the security requirements corresponding to your system's category. The CCN (National Cryptologic Centre) has published specific guides on the use of cloud services in the context of the ENS, and the CPSTIC catalog includes qualified cloud services. For ENS Medium or High, check that the provider has specific ENS certification for the services you are going to contract.

Cloud provider assessment

Before migrating sensitive data to a cloud service, assess the provider in terms of security certifications (ISO 27001/27017/27018, SOC 2, ENS), the location of the data centers, the contractual security and privacy clauses, the encryption capabilities, the data retention and deletion policies, and the incident response mechanisms.

Real-world case: an ICT SME in Las Palmas migrates to Azure with full hardening

A 25-employee ICT SME based in Las Palmas de Gran Canaria, dedicated to the development and operation of a SaaS for tourism management, decided in 2024 to migrate its on-premises infrastructure to Microsoft Azure given the growth of its client base (from 40 to 180 hotels in the Canary Islands and on the mainland in 18 months) and the need to comply with ENS Basic Category as a supplier to the Cabildo of Gran Canaria.

The project ran over 5 months with a total cost of 12,000 € (initial audit 1,800 € + migration plan 1,500 € + hardening per the CIS Azure Foundations Benchmark 4,200 € + deployment of Defender for Cloud + Sentinel 3,000 € + DLP and GDPR policies 1,500 €). Key actions:

Results measured over the 18 months after the migration: zero security breaches, MTTD (mean time to detect) down from 96h (pre-Sentinel) to 6h, and the company signed 4 new public-sector contracts with a combined value of 95,000 euros thanks to the ENS seal. Incremental monthly cloud cost: 1,800 euros/month (Azure + Sentinel + Defender), lower than the savings in on-premises maintenance.

Mini glossary of cloud security

Do you need to assess the security of your cloud services or migrate securely? Let's talk about an assessment of your cloud environment and a security plan tailored to your services and regulations.

Authored by Ángel Ortega Castro · independent consultant in strategy, quality and digitalization for SMEs, based in Aranda de Duero (Burgos).