Cloud Security Essentials — Module 2 (Premium)

Premium Theory + Real Example + 18-Question Quiz
Focus: Microsoft 365 & Google Workspace

1) Theory — What makes SaaS secure (or not)

Most breaches in Microsoft 365 and Google Workspace aren’t “hacks” of Microsoft or Google — they’re misconfigurations, weak identity, and risky sharing. Attackers exploit permissive external sharing, stolen credentials, insecure legacy protocols, and over-privileged service accounts/OAuth apps. Good cloud security is identity-first: strong authentication, least privilege, governed sharing, and continuous monitoring.

Key points (at a glance):
  • Identity is the perimeter: enforce MFA (prefer phishing-resistant), conditional access/context-aware access.
  • Least privilege: minimize global admins; time-bound and scoped roles; review app consents regularly.
  • Secure sharing: default to “internal,” require expiration and audit for external links/guests.
  • Device posture: require compliant/managed devices for sensitive apps; block legacy protocols.
  • Observe & respond: centralize logs, DLP on sensitive data, alert on anomalous sign-ins and mass sharing.

1.1 Common failure points

  • “Anyone with the link” sharing: links get forwarded/embedded; sensitive files leak without detection.
  • Too many global admins: broad standing privileges = high blast radius if phished.
  • Legacy/weak auth: basic auth/IMAP/POP enabled; MFA exceptions; SMS-only factors.
  • Unvetted OAuth apps: employees grant risky scopes (read mail/drive) to third-party apps via consent phishing.
  • Unmanaged devices: downloads to personal laptops/phones; data exits corporate control.

1.2 Control set that actually moves risk

  • MFA & Conditional Access (M365) / Context-Aware Access (GW): block risky sign-ins; require compliant devices for sensitive apps.
  • Privileged Access Management: reduce global admins; use just-in-time elevation and approval workflows.
  • External sharing guardrails: internal-only by default; guest accounts over open links; expiring links; domain allowlists.
  • DLP & labels: classify sensitive data (PII/financial); block external sharing or require encryption.
  • OAuth governance: restrict user consent; only allow verified apps; review tokens/scopes periodically.
  • Disable legacy protocols: turn off basic auth/IMAP/POP where possible; enforce modern auth.
  • Logging & SIEM: send audit/sign-in/share logs to a central platform; alert on mass access or unusual egress.

1.3 Practical baseline (M365 & Google Workspace)

  1. Enforce MFA for all; prefer authenticator app or passkeys over SMS-only factors, and guard against MFA push fatigue.
  2. Conditional/Context rules: block from unknown countries/ISPs; require managed device for Drive/SharePoint.
  3. Trim roles: max 2–3 permanent global admins; use role-based, temporary elevation for tasks.
  4. External sharing: default internal; guests must sign in; require link expiry and owner review.
  5. Lock legacy: disable basic auth; IMAP/POP off unless exception with compensating controls.
  6. App control: restrict user consent; approve only vetted OAuth apps; rotate API keys/secrets.
  7. DLP: detect PII/financial data; block public shares; alert owners; auto-expire risky links.
  8. Audit & response: stream logs to SIEM; build alerts for mass downloads/shares and impossible travel.
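The alert rules step 8 asks for, as an added example that is not part of the module: impossible-travel and mass-download detection over a constructed sign-in/download event list (a simplified stand-in format, not the real M365 or Workspace audit schema; the user, coordinates and thresholds are hypothetical).

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (hypothetical user, cities, times); not a real audit schema.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "ana@example.com", "op": "SignIn", "lat": 52.52, "lon": 13.40},
    {"ts": "2024-03-01T09:05:00", "user": "ana@example.com", "op": "FileDownloaded"},
    {"ts": "2024-03-01T09:40:00", "user": "ana@example.com", "op": "SignIn", "lat": 37.77, "lon": -122.42},
] + [{"ts": f"2024-03-01T09:41:{s:02d}", "user": "ana@example.com", "op": "FileDownloaded"} for s in range(60)]

# km/h above airliner speed; downloads per window; window length in seconds (all assumed thresholds)
MAX_KMH, DOWNLOAD_LIMIT, WINDOW_S = 900, 50, 600

def km_between(a, b):
    """Great-circle (haversine) distance in km between two events carrying lat/lon."""
    la1, lo1, la2, lo2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events):
    """Flag a sign-in whose implied speed from the user's previous sign-in exceeds MAX_KMH."""
    last, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] != "SignIn":
            continue
        t = datetime.fromisoformat(e["ts"])
        prev = last.get(e["user"])
        if prev:
            hours = (t - prev[0]).total_seconds() / 3600
            speed = km_between(prev[1], e) / hours if hours > 0 else float("inf")
            if speed > MAX_KMH:
                alerts.append((e["user"], e["ts"], round(speed)))
        last[e["user"]] = (t, e)
    return alerts

def mass_downloads(events):
    """Flag the first moment a user's downloads in a sliding WINDOW_S window exceed DOWNLOAD_LIMIT."""
    per_user = defaultdict(list)
    for e in events:
        if e["op"] == "FileDownloaded":
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > WINDOW_S:
                start += 1  # slide the window forward until it spans at most WINDOW_S
            if end - start + 1 > DOWNLOAD_LIMIT:
                alerts.append((user, times[end].isoformat()))
                break
    return alerts
```

The sliding window keeps the check linear in the number of events per user, so it runs unchanged over a full day of SIEM exports.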

1.4 Incident playbook (consent grant / account takeover)

  1. Contain: revoke tokens/sessions; disable suspicious OAuth app; force password reset & MFA re-registration.
  2. Scope: review audit logs (app activity, Drive/SharePoint access, mailbox rules, forwarding).
  3. Eradicate: remove malicious inbox rules/filters; delete persistence (app passwords, legacy protocols).
  4. Recover: restore permissions; rotate secrets; re-share with least privilege.
  5. Notify: if sensitive data accessed, follow legal/compliance guidance for breach handling.
  6. Improve: restrict future consent; tighten sharing defaults; add device requirements.

2) Real-world example

OAuth consent phishing in a sales org: staff received a “CRM enhancer” prompt asking for permission to read mail and Drive files. Several users clicked “Allow.” The app quietly exfiltrated proposals and client lists for weeks. No password was stolen — the attacker lived off the granted API access. The breach ended only after security revoked the app’s tokens, blocked user consent, and tightened the external app policy.
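A scoping pass of the kind step 2 of the playbook in 1.4 calls for, applied to the consent-phishing case above. This is an added example, not the module's own material: the event format, app name, scope names, users and domains are constructed stand-ins, not the real M365 or Workspace audit schema.

```python
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"  # hypothetical tenant domain
# Scopes whose grant to a third-party app warrants review (illustrative names, not vendor scope strings).
RISKY_SCOPES = {"mail.read", "mail.readwrite", "drive.read", "drive.readwrite", "offline_access"}

AUDIT = [  # constructed sample audit events
    {"op": "ConsentGrant", "user": "ana@example.com", "app": "CRM Enhancer", "scopes": ["mail.read", "drive.read", "offline_access"]},
    {"op": "ConsentGrant", "user": "bo@example.com", "app": "CRM Enhancer", "scopes": ["mail.read"]},
    {"op": "ConsentGrant", "user": "cy@example.com", "app": "Calendar Sync", "scopes": ["calendar.read"]},
    {"op": "ForwardingRuleSet", "user": "ana@example.com", "target": "a.n.a.backup@gmail.example"},
    {"op": "ShareLinkCreated", "user": "bo@example.com", "item": "Q3 proposals.xlsx", "scope": "anyone", "label": "Confidential"},
    {"op": "ShareLinkCreated", "user": "cy@example.com", "item": "lunch menu.docx", "scope": "internal", "label": "General"},
]

def domain(address):
    return address.rsplit("@", 1)[-1].lower()

def scope_incident(events, suspect_app):
    """Collect what a responder needs before containment: who consented to the suspect app
    (and which risky scopes), forwarding rules to external mailboxes, open links on labelled data."""
    findings = {"consented_users": {}, "external_forwards": [], "open_sensitive_links": []}
    for e in events:
        if e["op"] == "ConsentGrant" and e["app"] == suspect_app:
            risky = sorted(s for s in e["scopes"] if s.lower() in RISKY_SCOPES)
            findings["consented_users"][e["user"]] = risky
        elif e["op"] == "ForwardingRuleSet" and domain(e["target"]) != INTERNAL_DOMAIN:
            findings["external_forwards"].append((e["user"], e["target"]))
        elif e["op"] == "ShareLinkCreated" and e["scope"] == "anyone" and e["label"] != "General":
            findings["open_sensitive_links"].append((e["user"], e["item"]))
    return findings

def containment_actions(findings):
    """Turn the findings into the Contain/Eradicate steps of the playbook, one line per item."""
    actions = ["revoke all tokens issued to the suspect app", "disable the app and block further user consent"]
    for user in findings["consented_users"]:
        actions.append(f"{user}: revoke sessions, reset password, re-register MFA")
    for user, target in findings["external_forwards"]:
        actions.append(f"{user}: remove forwarding rule to {target}")
    for user, item in findings["open_sensitive_links"]:
        actions.append(f"{user}: remove open link on '{item}', re-share to named guests only")
    return actions
```

Note that the user who granted only a calendar scope to an unrelated app is deliberately left out of the blast radius, which keeps the reset list to accounts the attacker could actually use.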

3) Assessment — 18 Professional Questions

Choose the best answer for each question. Answers and feedback appear after you submit.

1) Biggest risk with “Anyone with the link” sharing?

2) Fastest control to reduce successful password reuse attacks across M365/GW?

3) Which policy best prevents risky consent to unknown OAuth apps?

4) Best default stance for external sharing in Drive/SharePoint?

5) Which control reduces risk from unmanaged personal devices accessing cloud data?

6) You find five standing global admins. Best improvement?

7) Which is the clearest sign of consent-phishing success?

8) What should replace open links for external collaboration?

9) Strongest stance on legacy protocols (IMAP/POP/basic auth)?

10) Best way to stop data leaving via mass downloads to personal laptops?

11) You discover a mailbox auto-forward to a personal Gmail. First response?

12) Which DLP policy helps most for PII in cloud docs?

13) After consent-phishing, which action removes the attacker’s access most directly?

14) Best monitoring signal for suspicious exfiltration via Drive/SharePoint?

15) Strongest setting for new links to sensitive docs?

16) Which control reduces MFA fatigue attacks the most?

17) Best way to scope privileges for IT staff administering a single app?

18) A contractor needs temporary access to a folder with PII. Best approach?
