Cloud Security Questions
1. Why is MFA considered more secure than Single Factor
Authentication?
MFA (Multi-Factor Authentication) is considered more secure than
Single Factor Authentication (SFA) because it requires multiple
independent factors to verify a user's identity, such as something
they know, something they have, and something they are. This
layered approach significantly reduces the risk of unauthorized
access, as compromising multiple factors is much harder than
breaching a single factor. For instance, if a password is stolen, an
attacker would still need access to the user's phone or biometric
data to gain entry.
Imagine a hacker steals your email password (Single Factor
Authentication). With just the password, they can easily access
your account. However, with MFA, even if the hacker has your
password, they also need your phone to receive a one-time code
or your fingerprint to log in. Without access to the second factor,
the hacker is blocked, making MFA much more secure.
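The difference described above, as an added example that is not part of the original notes: a login that checks only the password next to one that also requires a time-based one-time code (TOTP, RFC 6238) from the enrolled device. The account record, password and function names are constructed for illustration; the TOTP secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code an authenticator app displays."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account record (sample values, not from the page).
SALT = b"constructed-salt"
USER = {
    "pw_hash": hash_password("correct horse battery", SALT),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
    "last_step": -1,  # last time step whose code was accepted
}

def login_sfa(password: str) -> bool:
    """Single factor: knowing the password is enough."""
    return hmac.compare_digest(hash_password(password, SALT), USER["pw_hash"])

def login_mfa(password: str, code: str, now: int, window: int = 1) -> bool:
    """Two factors: the password AND a fresh code from the enrolled device."""
    if not login_sfa(password):
        return False
    current = now // STEP
    for step in range(current - window, current + window + 1):  # clock drift
        if step <= USER["last_step"]:
            continue  # code already used or older: reject replay
        if hmac.compare_digest(totp(USER["totp_secret"], step * STEP), code):
            USER["last_step"] = step
            return True
    return False

if __name__ == "__main__":
    stolen = "correct horse battery"  # attacker holds the password only
    print("SFA, stolen password:", login_sfa(stolen))
    print("MFA, stolen password + guessed code:", login_mfa(stolen, "000000", 59))
    device_code = totp(USER["totp_secret"], 59)
    print("MFA, password + device code:", login_mfa(stolen, device_code, 59))
```

The replay check matters in practice: a code observed once (for example on a phishing page) is rejected if it is submitted again for the same or an earlier time step.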
2. How do Cloud Deployment Models influence the
organization’s security strategy?
Cloud Deployment Models influence security strategies by
defining responsibilities and unique security requirements for
each model:
Private Cloud:
Responsibility: The organization is fully responsible for
securing the infrastructure, data, applications, and network.
Security strategies focus on robust access control,
encryption, firewalls, and regular audits since there is no
external support. It’s ideal for organizations handling
sensitive data, like financial or healthcare records.
Public Cloud:
Responsibility: Security is a shared responsibility
between the organization and the cloud provider. The
provider secures the infrastructure (hardware, storage,
networking), while the organization secures its data,
applications, and user access.
Strategies must include strong identity and access
management, data encryption, and compliance monitoring
with the provider's tools. Organizations should
assess the provider's security certifications and tools.
Hybrid Cloud:
Responsibility: Both the organization and cloud provider
share security responsibilities, but the organization is
responsible for ensuring secure integration between private
and public clouds.
Strategies focus on securing data transfer (e.g., encryption,
VPNs), maintaining consistent policies across environments,
and managing risks of data exposure when interacting with
the public cloud.
Community Cloud:
Responsibility: Security is shared among the participating
organizations and the cloud provider.
Strategies emphasize mutual agreement on policies, access
control, and compliance standards. Data segregation and
joint audits are critical to avoid conflicts or breaches across
organizations.
3. Why do companies that want to incorporate work
choose hybrid cloud?
Companies that want to incorporate work often choose hybrid
cloud because it allows seamless integration of different work
environments, such as on-premises systems with cloud-based
tools.
Example: A healthcare company that wants to incorporate work
—integrating secure patient data management with modern,
collaborative workflows—chooses a hybrid cloud solution to meet
its needs.
The company uses a private cloud to securely store sensitive
patient records, ensuring compliance with regulations like HIPAA
and protecting critical data from unauthorized access.
Simultaneously, they leverage a public cloud for tasks like
analyzing anonymized health trends or enabling collaboration
among remote teams using shared tools. This hybrid approach
allows the company to seamlessly combine secure data
management with scalable and efficient operational workflows.
By incorporating both private and public cloud systems, the
company achieves secure integration of sensitive tasks and
flexible workloads, ensuring it can modernize operations without
sacrificing privacy, compliance, or performance.
4. What are the potential risks of not using MFA in today’s
digital world? Explain by giving at least 2 real-life
examples related to Azerbaijan. (I could not find an
Azerbaijan example ☹)
Not using MFA in today’s digital world significantly increases the
risk of unauthorized access to sensitive accounts and data. A
compromised password alone can allow attackers to breach
systems, leading to data theft, financial losses, and reputational
damage. Organizations are particularly vulnerable to phishing and
credential-stuffing attacks, as single-factor authentication cannot
mitigate these risks. Additionally, the lack of MFA exposes
personal and business accounts to brute-force attacks and
automated hacking tools. In a world with increasing cyber threats,
failing to implement MFA leaves systems defenseless against
many common attack vectors.
Twitter Hack of 2020: High-profile Twitter accounts, including
those of Barack Obama and Elon Musk, were hacked through a
social engineering attack. Employees’ accounts without MFA were
compromised, allowing attackers to post fraudulent tweets. This
breach caused reputational damage and financial scams,
highlighting how MFA could have prevented unauthorized access.
Colonial Pipeline Ransomware Attack (2021): Hackers
accessed the systems of the Colonial Pipeline using a
compromised password from an inactive account that did not
have MFA. This breach led to fuel shortages across the U.S.,
significant financial losses, and disruption of critical infrastructure.
MFA could have added an extra layer of security to block
unauthorized entry.
5. How do IaaS, SaaS, PaaS enable scalability for
businesses?
IaaS, SaaS, and PaaS enable scalability for businesses by
providing flexible, on-demand resources that can grow with a
company’s needs, without the need for substantial upfront capital
investment in physical infrastructure.
IaaS enables scalability by allowing businesses to adjust
computing resources like virtual machines, storage, and
networking based on demand. A business can start with a small
virtual server and scale up to thousands of servers as its needs
grow. For instance, an e-commerce site can automatically
increase server capacity during peak shopping seasons (like Black
Friday) and scale back during quieter times. Businesses can
rapidly increase or decrease computing power, storage, or
network bandwidth as required, without purchasing or
maintaining physical servers.
PaaS allows businesses to scale their application environment
without worrying about managing underlying hardware or
software layers. For example, a startup can quickly deploy its app
on Google Cloud, and as traffic to the app increases, the platform
will automatically scale to meet demand. Developers don’t need
to worry about managing the servers or load balancing.
SaaS enables scalability by providing businesses with software
that can be adjusted for increased usage, whether in terms of
users, features, or storage. For example, a company can start
with a small number of users on Salesforce for customer
relationship management (CRM) and scale up as the business
grows. As the company expands, they can add more user licenses
or use additional features without worrying about infrastructure or
software updates.
6. What are the key differences between physical and
virtual servers?
Differences | Physical server | Virtual server
Hardware | Dedicated, fixed hardware for one workload | Shared hardware running multiple VMs
Cost | High upfront and maintenance costs | Lower initial and operational costs
Space | Requires dedicated server room or data center | No need for dedicated space for each virtual server
Cooling and Power | Consume more power and require specialized cooling for each machine | More energy-efficient due to shared resources
Scalability | Slow and costly, requires physical upgrades | Rapid and flexible scaling
Management | Manual, hardware-specific management | Centralized, automated management
Disaster Recovery | More complex and time-consuming | Simplified with snapshots and VM migration
Security | Easier to secure physically isolated system | Potential risks exist in shared environment

Physical servers are dedicated machines with exclusive resources,
offering predictable performance but requiring significant space,
power, and cooling. They have high upfront costs and need
manual management, scaling, and hardware upgrades, which can
be time-consuming. Virtual servers run on shared physical
hardware, allowing multiple virtual machines to coexist, reducing
hardware costs and improving space efficiency. Virtualization
provides easier scaling and centralized management, enabling
quicker provisioning and resource allocation without the need for
new physical hardware. While physical servers offer better
performance isolation, virtual servers are more flexible and cost-
efficient, with improved disaster recovery and uptime through
features like VM migration. Virtual servers also benefit from
reduced power consumption and cooling requirements compared
to physical servers. However, physical servers are preferred for
workloads requiring dedicated resources and high security.
7. Example of Data Ecosystem actors and Trust, Legal,
Cultural aspects
Example: Digital Vaccination Passports
Scenario:
During a public health crisis, a government collaborates with
private companies to implement digital vaccination passports.
These passports store citizens’ vaccination data and are required
for accessing public spaces, traveling, or attending large events.
Actors and Aspects:
1. Citizens (Trust):
Citizens are required to share sensitive health data, such as
vaccination status, through a mobile app or platform. Trust is
critical, as citizens may fear their data being misused,
leaked, or accessed by unauthorized parties. Transparent
policies and clear communication about data use can help
build trust.
2. Companies (Cultural Aspects):
Private companies, such as app developers and airlines,
implement the system and enforce compliance by requiring
vaccination proof. They must consider cultural sensitivities,
such as skepticism about data sharing or privacy concerns in
certain regions, and design systems that respect these
norms. For example, some users may expect local data
storage instead of cloud solutions.
3. Authorities (Legal Aspects):
Governments mandate the use of vaccination passports and
enforce laws to ensure data protection, such as limiting the
scope of data collected and requiring secure storage. Legal
frameworks must address issues like data ownership and
citizen rights to revoke consent or delete data. Forcing
compliance without proper safeguards could lead to public
backlash or legal challenges.
Outcome:
The system works effectively when:
- Citizens trust that their data is secure and only used for
  public health purposes.
- Companies align their implementations with cultural
  expectations, minimizing resistance.
- Governments enforce laws that protect citizens' privacy
  while ensuring public compliance.
This example highlights how governments and companies can
impose expected actions while balancing trust, cultural norms,
and legal responsibilities.
Non-compliance example: Data Exploitation in Social
Credit Systems
Scenario:
A government implements a social credit system in partnership
with private companies to monitor and evaluate citizens’
behavior. This system collects vast amounts of personal data,
including financial transactions, social media activity, and even
GPS locations, to assign individuals a "credit score."
Actors and Aspects:
Citizens (Trust Violated):
Citizens are required to share their data, often without consent or
transparency about how it is used. Trust is eroded as they realize
the system monitors their behavior and restricts opportunities
(e.g., travel bans or job denials) based on opaque criteria.
Companies (Cultural Exploitation):
Private companies participate by sharing customer data with the
government and benefiting financially through exclusive contracts
or reduced regulatory scrutiny. For example, a tech company
might develop surveillance tools or algorithms used in the
system, ignoring cultural values like privacy or ethical data
handling to maximize profits.
Authorities (Legal Failures):
Governments justify the system as a tool for maintaining social
order but fail to establish adequate legal protections for citizens.
Instead, laws are crafted to legitimize pervasive surveillance,
effectively silencing dissent and enabling authorities to control
citizens through fear.
Harm to Citizens:
- Citizens are denied fundamental rights, such as freedom of
  expression or movement, based on their social credit scores.
- Their personal data is exploited without their benefit, and
  they have no control over how it is used or stored.
Example Outcome:
This mirrors real-world examples like the Chinese Social Credit
System, where companies and governments collaborate for
mutual gain—enforcing compliance and increasing profits—while
citizens bear the cost of lost privacy, autonomy, and
opportunities. This system showcases how the misuse of a data
ecosystem can exploit citizens instead of serving them.
Scenario Questions
Scenario 1: A cloud provider accidentally leaks personal
data of millions of users. Who is responsible for the
damage?
In this scenario, the primary responsibility for the leaked personal
data lies with the cloud provider. However, responsibility can also
be shared depending on the specific circumstances.
The cloud provider is mainly responsible for securing the
infrastructure and ensuring proper data protection practices. If
the breach happens due to a failure in their systems, such as
misconfigurations or vulnerabilities in their services, they hold
primary liability.
The customer is also responsible for securing their own data
within the cloud environment. If the breach occurs due to poor
security practices by the customer (e.g., failing to configure
access controls or encryption), they share liability.
Authorities also have responsibility to enforce data protection
laws and ensure that organizations comply with security
standards. If they fail to implement or enforce regulations
effectively, they can be held accountable for not providing
adequate oversight to prevent breaches like the one described.
Scenario 2: A company uses cloud data analytics to track
employee productivity without their consent. Is this
ethical?
No, it is not ethical for a company to use cloud data analytics to
track employee productivity without their consent. Employees
have a right to privacy, and monitoring them without consent
violates this fundamental right. Transparency is crucial, and
employees should be informed about how their data is being
used, particularly when it involves productivity tracking. Ethical
principles of fairness and autonomy require that employees have
control over their personal data and consent to its collection.
Without consent, the company risks creating distrust and
negatively impacting employee morale, violating ethical standards
of fairness and respect for individual rights. Additionally,
unauthorized tracking could violate data protection laws like
GDPR, which demand transparency and consent. Therefore,
companies must obtain explicit consent before monitoring
employee productivity.
Scenario 3: A user deletes their data from the cloud, but
the provider keeps backups indefinitely. Is this
acceptable?
No, it is not acceptable for a cloud provider to keep backups of a
user's deleted data indefinitely. When data is deleted, users
expect it to be permanently removed, and retaining backups
without consent violates their right to control their data.
Additionally, it may result in legal issues under data protection
laws like GDPR, which mandate data deletion upon request. The
provider could face penalties, damage to reputation, and loss of
user trust.
For example, the Central Bank of Azerbaijan’s March 28, 2024
requirements state that when refusing the service, sensitive data,
including configuration files and backups, must be returned and
deleted from the cloud provider without recovery options.
Scenario 4: A government requests access to cloud data
for national security reasons. Should the provider comply?
A cloud provider should comply with a government request if it
involves national security and is backed by a legal mandate, such
as a court order or an emergency declaration. For example, in
cases of terrorism investigations, law enforcement may request
access to cloud data for intelligence purposes. Compliance should
only occur if the request is legally valid, proportionate, and follows
proper procedures, ensuring transparency and minimizing impact
on users’ privacy. The provider should also inform users, where
possible, unless prohibited by law, to maintain trust and
accountability.
Scenario 5: A cloud service offers "free" storage but
heavily tracks user activities for targeted ads. Is this fair?
No, it is not fair for a cloud service to offer "free" storage while
heavily tracking user activities for targeted ads without clear,
informed consent. Users should be fully aware of how their data is
being used and have the option to opt out or choose a different
service. Ethical practices require transparency and respect for
user privacy, especially when personal data is involved. Offering
free services while exploiting user data for commercial gain
without proper consent can erode trust and violate privacy
expectations. It is important for the service provider to clearly
disclose data usage policies and allow users to make informed
choices. If the service tracks user activities for ads without clear
consent, it could face penalties, including fines or sanctions from
regulatory bodies. For example, in 2019, Google was fined €50
million by the French data protection authority for failing to obtain
proper consent for personalized ads, highlighting the legal
consequences of not complying with data privacy laws.