Security is often described as protecting three things: confidentiality (only the right people see data), integrity (data is not altered wrongly), and availability (systems are there when needed).

These three principles form the "CIA triad," a fundamental model for thinking about security. Every security measure addresses one or more of these concerns. Encryption protects confidentiality, checksums protect integrity, and redundancy protects availability.

Applications use authentication and authorization to control who can do what. They encrypt data in transit (e.g. HTTPS) and at rest (e.g. encrypted database fields). They log and monitor activity to detect misuse. They patch vulnerabilities and follow secure development practices.

These concepts apply whether the app runs on your own servers or in the cloud. In fact, cloud providers offer many managed security services that handle encryption, access control, and monitoring, making it easier to build secure applications.

Defense in depth means using multiple layers of security. If one layer fails, others still protect you. For example, you might use: network firewalls, application firewalls, authentication, authorization, encryption, and monitoring.

Each layer adds protection, but also complexity. The key is finding the right balance for your threat model. A public-facing web app needs more layers than an internal tool.

Cloud providers excel at defense in depth. They provide security at the network, compute, storage, and application layers, often with managed services that handle the complexity for you.

Multiple layers protect you—if one fails, others still defend your system.

Security isn't about being perfectly secure-that's impossible. It's about understanding your threats and risks, then applying appropriate controls. Threat modeling helps you identify what could go wrong and how to prevent it.

Common threats include: unauthorized access, data breaches, denial of service attacks, and insider threats. Each threat has different mitigations. Understanding threats helps you prioritize security work.

Risk assessment considers both the likelihood of a threat and its impact. High-impact, high-likelihood threats get the most attention. Low-impact, low-likelihood threats might not be worth mitigating.

Security from the start - not bolted on at the end. Code reviews, security testing, dependency scanning, and guidelines.

DevSecOps = security inside the pipeline. Checks run on every build: dependency scan, SAST, container scan, secrets detection. Catch issues early when they're cheap to fix.

Cloud providers offer scanning tools and compliance guides. Same idea everywhere: automate checks so humans fix real issues.

Security checks in CI/CD

Incident response = detect → contain → recover. Have a plan before something goes wrong so recovery is fast.

Monitoring and logging = know what "normal" looks like so you spot anomalies. Cloud providers offer logging and alerting; use them.

Plan + monitoring = you're ready when an incident happens.

Incident response = detect → contain → recover. Have a plan before something goes wrong.