Cloud Security for Hong Kong SMEs: A Practical Guide

How to secure your cloud environment — Microsoft Azure, AWS, Google Cloud, and SaaS applications — with practical guidance for Hong Kong small and medium businesses without dedicated cloud security teams.

1. Shared Responsibility Model

The Cloud Shared Responsibility Model Explained

The most important concept for understanding cloud security is the shared responsibility model. Cloud providers (AWS, Microsoft Azure, Google Cloud) take responsibility for securing the underlying infrastructure — the physical hardware, the hypervisor layer, the network infrastructure, and the core platform services. The cloud customer — your business — is responsible for everything built on top of that infrastructure: your data, your access management, your application configuration, your network settings, and your compliance obligations. Misunderstanding this boundary is the root cause of many cloud security incidents.

For Software-as-a-Service (SaaS) applications — Microsoft 365, Google Workspace, Salesforce, Xero, and similar cloud-delivered applications — the provider manages more of the stack, but the customer still retains responsibility for identity and access management (who has access to what), data configuration (what data is shared and with whom), and security settings (whether MFA is required, what retention policies are configured). "It's in the cloud so the provider handles security" is a dangerous and incorrect assumption that has led to significant data breaches at Hong Kong businesses.

Identifying the specific security responsibilities your business holds for each cloud service you use is the starting point for cloud security. A cloud security inventory — listing each SaaS and IaaS service, the provider's responsibility, and your business's specific responsibilities — provides clarity that is prerequisite to effective cloud security management. The HKPC's cloud security guidelines provide a framework appropriate for HK SMEs, and each major cloud provider publishes detailed shared responsibility documentation that specifies exactly where provider responsibility ends and customer responsibility begins.

  • Provider secures infrastructure: Cloud providers are responsible for the physical infrastructure, hypervisor, and platform — not your data, configurations, or access management
  • Customer secures everything on top: Your business is responsible for data, identities, application configuration, network settings, and security controls in cloud environments
  • SaaS responsibility still exists: Even for fully managed SaaS, customers are responsible for access management, security settings, and data configuration
  • Cloud security inventory: List each cloud service with the provider's responsibilities and your business's specific responsibilities — clarity is prerequisite to action
  • No automatic PDPO compliance: Using a cloud provider does not automatically satisfy PDPO obligations — you remain the data user responsible for PDPO compliance
  • Data residency awareness: Understand where your cloud data is physically stored — providers offer Hong Kong or Asia-Pacific data residency options that may be relevant for regulatory compliance
2. Identity and Access Management

Cloud Identity and Access Management for HK Businesses

Identity is the new perimeter in cloud environments. Where traditional IT security relied on network firewalls to control access to resources, cloud resources are accessible from anywhere with valid credentials. This makes identity and access management (IAM) the most critical security domain in cloud environments. Strong IAM prevents unauthorised access even when attackers obtain valid credentials; weak IAM means any compromised account provides extensive access to cloud resources.

For Microsoft 365 and Azure environments — the most common cloud platform for Hong Kong businesses — Microsoft Entra ID (formerly Azure Active Directory) is the central identity service. Key Entra ID security configurations for HK SMEs: enable MFA for all users (not just administrators) using Microsoft Authenticator push notifications or FIDO2 keys; configure Conditional Access policies that require compliant devices or additional verification for access from unfamiliar locations; enable Entra ID Protection, which uses Microsoft's machine learning to detect and respond to suspicious sign-in activity; and disable legacy authentication protocols (SMTP AUTH, Basic Auth) that bypass modern authentication controls.
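Before legacy authentication is blocked, it helps to know which accounts still depend on it and which successful sign-ins completed without MFA. The following is an added example, not code from the original guide: it reviews sign-in records whose field names follow the Microsoft Graph signIn resource (clientAppUsed, authenticationRequirement, status.errorCode); the records themselves are constructed sample data.

```python
# Added example, not from the original guide: find accounts that still rely on
# legacy authentication or sign in without MFA, so they can be fixed before a
# Conditional Access policy blocks them. Field names follow the Microsoft Graph
# signIn resource (clientAppUsed, authenticationRequirement, status.errorCode);
# the records are constructed sample data, not real log output.
from collections import defaultdict

# clientAppUsed values Entra reports for legacy (non-modern) authentication.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3",
                      "Authenticated SMTP", "Other clients"}

SAMPLE_SIGNINS = [  # constructed sample records
    {"userPrincipalName": "alice@example.hk", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.hk", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@example.hk", "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.hk", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    # a failed attempt: not evidence that bob's mail client depends on IMAP
    {"userPrincipalName": "bob@example.hk", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
]


def review_signins(signins):
    """Map user -> {"legacy_protocols": set, "mfa_gap": bool} over successful sign-ins.

    A user appears only if at least one successful sign-in used a legacy protocol
    or completed without MFA being required (mfa_gap).
    """
    findings = defaultdict(lambda: {"legacy_protocols": set(), "mfa_gap": False})
    for rec in signins:
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # skip failed sign-ins
        user = rec["userPrincipalName"]
        if rec.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            findings[user]["legacy_protocols"].add(rec["clientAppUsed"])
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            findings[user]["mfa_gap"] = True
    return {u: f for u, f in findings.items() if f["legacy_protocols"] or f["mfa_gap"]}


if __name__ == "__main__":
    for user, f in sorted(review_signins(SAMPLE_SIGNINS).items()):
        print(f"{user}: legacy={sorted(f['legacy_protocols'])} mfa_gap={f['mfa_gap']}")
```

On the sample data, bob and the scanner account show up as legacy-protocol users, carol as an MFA gap, and alice not at all.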

Privilege minimisation in cloud environments addresses a common configuration error: over-permissioned accounts and service identities. Global Administrator accounts in Microsoft 365 should be limited to 2-3 named individuals for emergency use, not used for day-to-day administration. AWS root account access should be protected with hardware MFA keys and never used for routine operations. IAM roles with least-privilege permissions should be assigned to applications and services rather than using administrator credentials. Regular access reviews — auditing who has which permissions in cloud environments — catch permission creep that accumulates over time as roles change.

  • MFA for all cloud accounts: Enable MFA for every user account in Microsoft 365, Google Workspace, and any cloud platform — not just administrators
  • Conditional Access policies: Configure policies requiring additional verification from unfamiliar locations, unmanaged devices, or risky sign-in patterns
  • Disable legacy authentication: Block legacy authentication protocols (SMTP AUTH, Basic Auth) that bypass modern MFA controls — a common attack pathway
  • Limit global admin accounts: Restrict Global Administrator or equivalent super-admin accounts to 2-3 people for emergency use — use dedicated role accounts for day-to-day tasks
  • Least-privilege IAM roles: Assign applications and services minimum-required IAM permissions rather than administrator or owner roles
  • Quarterly access reviews: Conduct quarterly reviews of all user and service account permissions — remove access that is no longer needed
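A least-privilege review of AWS IAM roles can be partly automated by linting policy documents before they are attached. The following is an added example, not code from the original guide or from AWS: it flags wildcard actions, unrestricted resources and identity-management actions granted on every resource; both policy documents are constructed samples.

```python
# Added example, not from the original guide: flag over-permissioned AWS IAM
# policy documents before they are attached to an application or service role.
# Both policies below are constructed samples; the checks encode the least-
# privilege points from this section (no wildcard actions or resources, and
# no unrestricted identity-management actions for workload roles).

# Actions that let a role hand out or assume other principals' permissions.
IDENTITY_ACTIONS = {"iam:PassRole", "sts:AssumeRole", "iam:CreateAccessKey",
                    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:AttachUserPolicy"}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(policy_doc):
    """Return a list of findings; an empty list means no least-privilege concern."""
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue                      # Deny statements only narrow access
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        wildcard = [a for a in actions if a == "*" or a.endswith(":*")]
        for a in wildcard:
            findings.append(f"statement {i}: wildcard action {a!r}")
        for a in sorted(set(actions) & IDENTITY_ACTIONS):
            if "*" in resources:
                findings.append(f"statement {i}: {a!r} on every resource lets the role widen its own access")
        if "*" in resources and not wildcard:
            findings.append(f"statement {i}: Resource '*' - scope {sorted(actions)} to named ARNs")
    return findings

WEAK_POLICY = {  # constructed: a typical "just make it work" workload policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SCOPED_POLICY = {  # constructed: the same workload, limited to one bucket
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-invoices-bucket/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-invoices-bucket"},
    ],
}

if __name__ == "__main__":
    print("weak:", lint_policy(WEAK_POLICY))      # one wildcard finding
    print("scoped:", lint_policy(SCOPED_POLICY))  # []
```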
3. SaaS Security

Securing SaaS Applications Used by HK Businesses

Most Hong Kong SMEs rely on a growing portfolio of SaaS applications — Microsoft 365, Google Workspace, Xero or QuickBooks Online, Salesforce or HubSpot, Slack or Teams, project management tools, and HR systems. Each of these applications holds sensitive business data and requires specific security configuration. The challenge for SMEs is that each SaaS vendor presents a different security settings interface, at different levels of complexity, with different default configurations that may or may not represent good security practice.

A pragmatic approach to SaaS security for HK SMEs focuses on three configuration areas for each application: access control (who can log in, using what authentication method, from which devices), data sharing controls (what data can be shared externally, with whom, and under what conditions), and audit logging (whether security-relevant events are logged and monitored). Most enterprise-grade SaaS products have security configuration centres or trust portals that consolidate these settings. For Microsoft 365, Microsoft's Secure Score provides a specific security improvement roadmap with clear prioritised recommendations.

Third-party application integrations — OAuth connections between SaaS applications that allow one application to access data in another — create shadow IT risk in cloud environments. Employees routinely authorise third-party apps to access corporate Google Workspace or Microsoft 365 data without IT awareness. A rogue or poorly secured third-party application with access to your corporate email or files is a significant data exposure risk. Periodically reviewing and revoking unused third-party application authorisations in Google Workspace Admin Console or Microsoft 365 Admin Center prevents accumulation of these implicit permissions.

  • Microsoft Secure Score: Use Microsoft 365's built-in Secure Score to identify and prioritise security improvements in your Microsoft cloud environment
  • SaaS security configuration review: Review the security settings of each major SaaS application annually — use vendor security checklists as a guide
  • External sharing controls: Configure data sharing settings in each SaaS application to restrict external sharing to authorised domains only
  • Audit log retention: Enable and retain audit logs for all critical SaaS applications — Microsoft 365 audit logging must be explicitly enabled, and its default 90-day retention may be insufficient
  • Third-party app review: Quarterly review and revocation of unused third-party OAuth app authorisations in Microsoft 365 and Google Workspace
  • Data loss prevention: Enable DLP policies in Microsoft 365 or Google Workspace to detect and block transmission of sensitive data types (financial data, personal data) outside the organisation
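The quarterly third-party app review above can be driven from a list of consent grants plus each app's last sign-in date. The following is an added example, not code from the original guide or from Microsoft: the grant fields follow the Microsoft Graph oauth2PermissionGrant resource (clientId, consentType, principalId, a space-separated scope string), while displayName, the sample grants and the last-used dates are constructed.

```python
# Added example, not from the original guide: triage third-party OAuth consent
# grants for review or revocation. Record fields follow the Microsoft Graph
# oauth2PermissionGrant resource (clientId, consentType, principalId, scope);
# displayName, the grants and the last-used dates are constructed sample data.
from datetime import date, timedelta

# Permission prefixes that reach mailbox, file, site or directory data.
HIGH_IMPACT_PREFIXES = ("Mail.", "Files.", "Sites.", "Directory.", "User.ReadWrite")

SAMPLE_GRANTS = [  # constructed
    {"clientId": "app-001", "displayName": "Calendar Sync Helper", "consentType": "Principal",
     "principalId": "u-alice", "scope": "User.Read Calendars.Read offline_access"},
    {"clientId": "app-002", "displayName": "Free PDF Converter", "consentType": "Principal",
     "principalId": "u-bob", "scope": "Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"clientId": "app-003", "displayName": "HR Onboarding Suite", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Directory.Read.All"},
]
TODAY = date(2025, 1, 15)
SAMPLE_LAST_USED = {  # constructed: last sign-in by each app, taken from sign-in logs
    "app-001": TODAY - timedelta(days=3),
    "app-002": TODAY - timedelta(days=200),
    "app-003": TODAY - timedelta(days=1),
}

def high_impact_scopes(scope_string):
    """Return the permissions in a scope string that reach sensitive data broadly."""
    return {s for s in scope_string.split()
            if s.startswith(HIGH_IMPACT_PREFIXES) or s.endswith(".All")}

def triage_grants(grants, last_used, today, stale_days=90):
    """Return {clientId: (decision, reason)} with decision in revoke / review / ok.

    Unused grants are revoked whatever their scope; grants with broad access to
    mail, files or the directory are queued for review, tenant-wide consent first.
    """
    result = {}
    for g in grants:
        used = last_used.get(g["clientId"])
        idle = None if used is None else (today - used).days
        risky = high_impact_scopes(g["scope"])
        if idle is None or idle > stale_days:
            reason = "never used" if idle is None else f"unused for {idle} days"
            result[g["clientId"]] = ("revoke", reason)
        elif risky and g["consentType"] == "AllPrincipals":
            result[g["clientId"]] = ("review", f"tenant-wide consent to {sorted(risky)}")
        elif risky:
            result[g["clientId"]] = ("review", f"broad scopes {sorted(risky)} for one user")
        else:
            result[g["clientId"]] = ("ok", "narrow scopes, recently used")
    return result
```

On the sample data the idle PDF converter is marked for revocation even though it holds the broadest scopes, the tenant-wide HR app goes to review, and the calendar helper passes.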
4. Cloud Data Protection

Data Protection and Backup in Cloud Environments

A critical misunderstanding among many Hong Kong businesses is that cloud providers back up your data. Cloud providers protect their infrastructure from failure — they guarantee the availability and durability of their storage services — but they do not protect against user-initiated deletion, ransomware encryption of cloud-synced files, or accidental overwrites. Microsoft, Google, and AWS all explicitly state that data backup is the customer's responsibility. Many HK businesses have discovered this distinction too late, after an accidental deletion or after ransomware had encrypted their cloud-synced files.

Protecting Microsoft 365 data requires third-party backup because Microsoft's native retention policies are designed for compliance purposes (preventing premature deletion) rather than data recovery. Products including Veeam Backup for Microsoft 365, Datto SaaS Protection, and AvePoint Cloud Backup provide point-in-time recovery of Microsoft 365 mailboxes, SharePoint files, OneDrive, and Teams data independent of Microsoft's retention settings. Similarly, Google Workspace data should be backed up using third-party solutions that provide granular recovery at the item level.

Immutable backups — backup copies that cannot be modified or deleted, even by administrators — are the critical defence against ransomware variants that target backup systems. Ransomware operators increasingly identify and encrypt or delete backup copies before deploying their main ransomware payload, ensuring victims have no recovery option. Backup solutions that support immutable storage (Object Lock in AWS S3, Azure Blob immutability policies, or backup platforms that implement WORM storage) preserve recovery capability even when ransomware operators systematically target backup infrastructure.

  • Cloud providers don't back up your data: Microsoft, Google, and AWS protect infrastructure but not against user deletion, ransomware, or overwrite — backup is your responsibility
  • Microsoft 365 third-party backup: Implement Veeam, Datto, or AvePoint backup for Microsoft 365 mailboxes, SharePoint, OneDrive, and Teams data
  • Immutable backup storage: Use immutable backup configurations that prevent deletion or modification by ransomware operators — critical for recovery capability
  • Backup testing: Test restoration from cloud backups quarterly — many backup failures are only discovered during actual recovery attempts
  • Recycle bin retention settings: Configure Microsoft 365 and Google Workspace recycle bin retention to the maximum available period — provides a first-line recovery option for accidental deletion
  • Version history: Enable version history on SharePoint and OneDrive/Google Drive at sufficient depth to recover from ransomware encryption of cloud-synced files
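Whether a backup bucket is actually immutable comes down to a few settings. The following is an added example, not code from the original guide or from AWS: it checks an S3 bucket's Object Lock configuration, in the shape returned by the GetObjectLockConfiguration API, against the ransomware-resistance requirement described above, with a weak and a hardened configuration (both constructed) side by side.

```python
# Added example, not from the original guide: verify that an S3 bucket holding
# backups is configured for immutability. The input shape follows the
# ObjectLockConfiguration structure returned by S3's GetObjectLockConfiguration
# API; both configurations below are constructed. The same reasoning applies to
# Azure Blob time-based immutability policies (locked vs unlocked, retention days).

def check_object_lock(config, versioning_status, required_days):
    """Return findings for a backup bucket; an empty list means it meets the bar."""
    findings = []
    if versioning_status != "Enabled":
        findings.append("versioning is not Enabled (Object Lock depends on it)")
    if config.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is off: backup objects can be deleted or overwritten")
        return findings
    retention = config.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE retention can be lifted by any principal holding
        # s3:BypassGovernanceRetention; COMPLIANCE retention cannot be shortened
        # before it expires, not even by the account root user.
        findings.append(f"retention mode is {mode!r}; use COMPLIANCE for ransomware resistance")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < required_days:
        findings.append(f"default retention of {days} days is shorter than the "
                        f"{required_days}-day recovery window")
    return findings


WEAK_CONFIG = {  # constructed: lock enabled, but in the bypassable mode and too short
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
}
HARDENED_CONFIG = {  # constructed: objects cannot be removed before retention expires
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
}

if __name__ == "__main__":
    print("weak:", check_object_lock(WEAK_CONFIG, "Enabled", 30))          # two findings
    print("hardened:", check_object_lock(HARDENED_CONFIG, "Enabled", 30))  # []
```

The required_days value should match the backup platform's own retention window, so that a backup copy can never be aged out of the lock before a restore would need it.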