Cloud Security for Indian Businesses: The Complete Guide (2026)

Almost every cloud breach in the last five years traced to configuration — not code. Attackers did not break encryption, exploit novel vulnerabilities in AWS, or compromise Microsoft’s infrastructure. They found an S3 bucket with public access, an IAM role with *, a forgotten database with no password, a security group open to 0.0.0.0/0, or a Kubernetes dashboard exposed to the internet. Every one of those was a configuration choice — usually made quickly, often made years ago by an engineer who has since left — that left a door unlocked.

Cloud security in 2026 is about the discipline of closing those doors and keeping them closed as your environment evolves. This is the pillar guide to cloud security for Indian businesses running on AWS, Azure, GCP, or Kubernetes — what actually matters, what the attack surface looks like, what a credible security posture requires, and how the landscape differs from traditional network security.

What cloud security actually is

Cloud security is the practice of securing the cloud resources, data, and workloads your organization runs on public cloud platforms. It covers:

• Identity and access management — who can do what, with what privileges, verified by what authentication
• Network security — what traffic flows where, through what controls, with what logging
• Data protection — encryption, access controls, retention, backup, and sanitization
• Workload security — the security of the compute instances, containers, functions, and managed services you run
• Posture management — continuous assessment of configuration against benchmarks (CIS, NIST, provider well-architected frameworks)
• Incident detection and response — logging, monitoring, alerting, and response capability for security events
• Compliance — demonstrating that the environment meets regulatory and contractual requirements

The shared responsibility model — understood correctly

Every cloud-security conversation starts here because organizations routinely misunderstand it. The shared responsibility model divides security between the cloud provider (AWS, Azure, GCP) and the customer. The provider secures the cloud itself — the physical infrastructure, the hypervisor, the managed-service internals. The customer secures everything in the cloud — their data, their configurations, their IAM, their networks, their applications.

The boundary shifts depending on the service. For IaaS (EC2, VMs), the customer is responsible for OS patching, host firewalls, and almost all security. For PaaS (RDS, Cloud SQL), the provider handles patching but the customer owns IAM, network access, and data encryption. For SaaS (S3, Cognito, Cloud Storage), the provider handles most of the infrastructure but the customer owns access policies, encryption keys, and data classification.

The most commonly mis-assumed responsibility: IAM. Every cloud provider makes IAM the customer’s responsibility. Overpermissioned roles, shared credentials, missing MFA, long-lived access keys — all are customer failures, all are findings in 90% of engagements.

The attack surface — in the order it matters

Identity

IAM is the control plane of cloud security. Compromise identity and you own the environment. The most common weaknesses:

• IAM policies with wildcards ("Action": "*", "Resource": "*") attached to service accounts, CI/CD runners, or individual users
• Long-lived access keys for services that should be using short-lived credentials via role assumption
• Cross-account trust policies with overly permissive Principal configurations
• Missing MFA on privileged users, particularly root accounts
• Orphaned IAM users from departed employees, still active with old credentials
• Missing least-privilege: IAM roles granted at policy creation time and never trimmed as actual permissions requirements became clearer

Data storage

S3 on AWS, Cloud Storage on GCP, Blob Storage on Azure. The default posture on most providers is now private, but the attack surface persists because:

• Bucket-level public access via legacy configuration
• ACLs that allow public read on specific objects within otherwise-private buckets
• Signed URLs with excessive validity windows leaking in logs or chat histories
• Cross-account access granted to vendors that no longer need it
• Encryption keys managed by the provider rather than customer-managed, with implications for legal/regulatory requirements

Network

Security groups, NACLs, VPC peering, ingress rules. The common failures:

• Security groups open to 0.0.0.0/0 on administrative ports (SSH 22, RDP 3389, MongoDB 27017, ElasticSearch 9200)
• Databases reachable from the internet because the customer didn’t realize the managed service defaults to public
• VPC peering to untrusted accounts from acquisitions or legacy contracts
• Missing egress filtering — compromised workloads can reach any destination

Compute workloads

EC2 instances, GKE/EKS pods, Lambda functions, Cloud Run services. Security considerations:

• Outdated OS and runtime with known CVEs
• IMDS v1 allowing SSRF-driven credential theft (AWS IMDSv2 is the fix)
• Overprovisioned container privileges (running as root, privileged containers, host namespace sharing)
• Secrets in environment variables, in container images, or in code repositories

Logging and detection

CloudTrail, Cloud Audit Logs, Azure Activity Log. The failures:

• Logging not enabled across all regions
• Log integrity not protected (logs can be altered by the same accounts being logged)
• Logs retained for 30 days or less, insufficient for typical breach-forensics windows
• No monitoring or alerting built on the logs — logs exist but no one reads them

What a credible cloud security programme looks like

For an Indian SaaS or mid-market organization on any major cloud in 2026, the baseline:

1. IAM discipline — least-privilege roles, no long-lived credentials for humans or services where workload identity is available, MFA enforced, quarterly review of all IAM users and roles
2. Network defaults — private by default, security groups narrowly scoped, databases not internet-accessible, admin access through bastion hosts or SSM/VM-Serial-Access
3. Data protection — encryption at rest on all data stores using customer-managed keys where sensitivity requires, encryption in transit via TLS 1.2+, documented retention and deletion
4. Logging — all regions, centralized to a separate logging account, log integrity via S3 Object Lock or equivalent, minimum 12-month retention, automated alerting on high-signal events
5. Workload hardening — immutable images or automated patching, no secrets in env vars or repos (use Secrets Manager/Parameter Store/Key Vault), container security baseline for K8s workloads
6. Posture management — continuous scanning against CIS Benchmarks, alerts on drift, automated remediation for known-good remediation paths
7. Incident response — documented playbook, runbooks for common scenarios (credential compromise, bucket exposure, suspicious API calls), tabletop exercise at least annually

Organizations meeting all seven are in the top quintile. Most Indian SMEs we audit are at two to four.

Cloud security in Indian regulatory context

India-specific regulatory overlay:

• DPDP Act — “reasonable security safeguards” for personal data; cloud environments holding personal data are directly in scope
• RBI Cybersecurity Framework — regulated entities must maintain specific controls in their cloud environments, including data-localization requirements for payment-system data
• SEBI cybersecurity circulars — apply to market intermediaries using cloud infrastructure
• MeitY data-localization advisories — sector-specific requirements for certain data categories
• DPDP §16 cross-border transfer rules — as country restrictions come into force, some cloud regions may become restricted for Indian data

Deep dives — the cluster

• AWS Security Audit: The 47-Point Checklist
• S3 Bucket Misconfigurations That Still Cause Breaches
• AWS IAM Best Practices for Indian SaaS
• Kubernetes Security: Hardening Guide for Production
• SOC 2 Readiness Assessment for Indian Cloud Startups
• Hardening a New AWS Account in 2 Hours (Runbook) — coming soon
• Cloud Security Posture Management (CSPM) Tools Compared — coming soon
• Azure Security Center: What to Actually Configure — coming soon

Start with a cloud security review

If you need to know where your cloud environment stands against current best practice — and what the 30-day hardening roadmap looks like — book a scoping call. Typical engagement: 1-week configuration audit for a single account, ₹75,000–₹1,75,000. Multi-account and K8s engagements scoped separately. See Cloud Security services for offerings.