Cloud Security Basics Every Filipino Business Owner Should Know
Diwa “Wawi” del Mundo
Founder & CEO · Apper Cloud Labs
Cloud security sounds intimidating. Phrases like "zero trust architecture," "identity federation," and "cryptographic key management" are enough to make any business owner's eyes glaze over.
But here's the thing: most cloud security breaches in the Philippines and globally don't happen because of sophisticated attacks that require deep technical defenses. They happen because of simple, preventable mistakes. Weak passwords. Public storage buckets. No MFA. Overly permissive access.
You don't need to be a security engineer to make your cloud environment meaningfully more secure. You need to understand five things — and make sure someone is actually doing them.
82% of breaches involve a human element — not a sophisticated hack
₱15M+ average cost of a data breach in Southeast Asia
280 days average time to identify a breach — by which point it's too late
The one concept you need to understand: shared responsibility
AWS and GCP are responsible for the security of the cloud — the physical data centers, the hardware, the underlying network infrastructure. You are responsible for security in the cloud — everything you put on top of that infrastructure.
This means: if you configure your storage bucket to be publicly accessible, that's on you. If you give every developer admin access to your production environment, that's on you. The cloud provider won't stop you from making insecure choices — that's your job.
Shared responsibility doesn't mean shared blame. When something goes wrong in your cloud environment, the question is always: who configured it that way?
The five basics every business owner should know
Turn on MFA for every account — no exceptions
Multi-Factor Authentication (MFA) means logging in requires something you know (password) AND something you have (your phone). Even if someone steals your password, they can't get in without your phone. This is the single most impactful security control you can implement, and it takes fifteen minutes to set up. The root account on your AWS or GCP organization should never be accessible without MFA.
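One way to verify this on AWS, added here as an example and not part of the original article: the script reads an IAM credential report (the per-account CSV that AWS generates) and lists every identity that can sign in to the console without MFA, plus a root account that still holds an access key. The sample rows, the account ID and the function name mfa_gaps are constructed for illustration.

```python
import csv
import io

# Constructed sample in the column layout of an AWS IAM credential report
# (only the columns this check reads; a real report carries more).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
ana,arn:aws:iam::111122223333:user/ana,true,true,false,false
ben,arn:aws:iam::111122223333:user/ben,true,false,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,false
"""

def mfa_gaps(report_csv):
    """Return (user, problem) pairs for identities reachable without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_mfa = row["mfa_active"] == "true"
        # Root always has a password; the report shows "not_supported" for it.
        can_sign_in = is_root or row["password_enabled"] == "true"
        if can_sign_in and not has_mfa:
            findings.append((user, "console sign-in without MFA"))
        # An access key is a way into the root account that MFA does not cover.
        keys = (row["access_key_1_active"], row["access_key_2_active"])
        if is_root and "true" in keys:
            findings.append((user, "root access key exists"))
    return findings

if __name__ == "__main__":
    for user, problem in mfa_gaps(SAMPLE_REPORT):
        print(f"{user}: {problem}")
```

The ci-deploy row is not flagged because it has no console password; it is a key-only identity and is governed by the least-privilege rule instead.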
Apply least-privilege access — give people only what they need
Every person and system in your cloud environment should have access to only the things they need to do their job — nothing more. Your developer doesn't need access to billing. Your application doesn't need read/write access to every database. IAM (Identity and Access Management) is where this is configured. Overly permissive IAM is one of the most common sources of accidental data exposure.
Never make storage public unless you mean to
S3 buckets on AWS and Cloud Storage on GCP can be configured as publicly accessible. Sometimes that's intentional — you're hosting a public website. But often it's accidental — someone ticked the wrong box and all your internal documents are now readable by anyone on the internet. Run a storage audit today. Make sure everything that's public is supposed to be public.
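A starting point for that audit, which also covers the least-privilege rule above, added here as an example and not part of the original article: the function reads an AWS policy document and flags Allow statements that are open to any principal (a public bucket) or that grant every action on every resource (an over-permissive IAM policy). The bucket names, role ARN and function names are constructed, and the check looks at policy JSON only, not at bucket ACLs or Block Public Access settings.

```python
import json

def as_list(value):
    """Policy JSON allows a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (statement index, finding) pairs for risky Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = as_list(principal.get("AWS", []))
        else:
            principals = as_list(principal) if principal else []
        # A Condition may narrow the grant, so those are left for manual review.
        if "*" in principals and "Condition" not in stmt:
            findings.append((i, "public: any principal allowed"))
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append((i, "admin: all actions on all resources"))
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            findings.append((i, "broad: whole service on all resources"))
    return findings

# Constructed bucket policy: statement 0 is readable by anyone.
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-internal-docs/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-internal-docs/*"}]})

# Constructed identity policy: statement 0 is full admin, statement 1 is scoped.
DEV_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-app-assets/*"}]})
```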
Encrypt data at rest and in transit
Data at rest means data sitting in your storage, databases, and backups. Data in transit means data moving between systems or between your cloud and users. Both should be encrypted. AWS and GCP make this easy — encryption at rest is often one checkbox, and HTTPS/TLS for transit is straightforward to enforce. If your cloud provider offers encryption, use it.
Enable logging and actually look at the logs
AWS CloudTrail and GCP Cloud Audit Logs track every API call, every login, every configuration change in your environment. This is how you know if someone is doing something they shouldn't. The logs are useless if nobody reads them. At minimum, set up alerts for: root account logins, failed login attempts, IAM policy changes, and new user creation.
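The four minimum alerts, written as detection rules over AWS CloudTrail records; this is an added example, not part of the original article. The sample records are constructed and reduced to the fields the rules read, and the list of IAM event names and the function names are choices made for this illustration.

```python
# IAM API calls that change who is allowed to do what.
IAM_POLICY_EVENTS = {
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "DetachUserPolicy", "DetachGroupPolicy", "DetachRolePolicy",
    "DeleteUserPolicy", "DeleteGroupPolicy", "DeleteRolePolicy",
    "CreatePolicy", "CreatePolicyVersion", "DeletePolicy",
}

def classify(event):
    """Map one CloudTrail record to the alert names from the list above."""
    alerts = []
    name = event.get("eventName")
    if name == "ConsoleLogin":
        outcome = (event.get("responseElements") or {}).get("ConsoleLogin")
        if outcome == "Failure":
            alerts.append("failed login attempt")
        elif event.get("userIdentity", {}).get("type") == "Root":
            alerts.append("root account login")
    # Calls that were denied carry an errorCode and changed nothing.
    elif event.get("eventSource") == "iam.amazonaws.com" and not event.get("errorCode"):
        if name == "CreateUser":
            alerts.append("new user creation")
        elif name in IAM_POLICY_EVENTS:
            alerts.append("IAM policy change")
    return alerts

def scan(events):
    """Return (record index, alert) pairs for every record that matches."""
    return [(i, a) for i, e in enumerate(events) for a in classify(e)]

# Constructed records; real ones carry many more fields.
SAMPLE_EVENTS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "ben"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "ben"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "ben"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ana"}},
]
```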
The mistakes I see most often in Philippine businesses
Root account credentials shared via chat
I have seen, more than once, AWS root credentials shared in a Viber or Telegram group. The root account is the most powerful credential in your cloud environment — it can do anything, including delete everything. It should have a unique, strong password, MFA enabled, and should almost never be used for day-to-day operations. Create individual IAM users for your team.
No one monitors costs — until the bill arrives
This is partly a security issue. Unusual cost spikes are often the first sign that something has gone wrong — a compromised account spinning up expensive compute instances, or someone running a crypto miner on your cloud. Set up billing alerts at thresholds that would surprise you. If you normally spend ₱50,000/month on cloud, you should get an alert if spending is on track to hit ₱100,000.
Using the same password across cloud and other services
If your cloud account password is the same one you use for your personal email, and your personal email gets compromised in a data breach, your cloud is now also compromised. Use a password manager, use unique passwords, use MFA. This sounds basic because it is — and yet.
Do this today
When to get professional help
The five basics above are things your team can handle. But there's a point where you need a professional security assessment:
- Before you handle customer financial data or sensitive personal information
- Before you pursue government or enterprise contracts that require compliance
- After a security incident — to understand what happened and close the gaps
- When your environment has grown significantly and you haven't done a review in over a year
A proper cloud security assessment goes deep: penetration testing, IAM audits, network configuration review, data classification. That's not a weekend DIY project. But the basics above? Those you can do right now.
Security isn't about being paranoid. It's about making sensible choices that significantly reduce your risk without adding unnecessary friction to your operations. Start with the basics. Build from there.
Diwa “Wawi” del Mundo
Founder & CEO, Apper Cloud Labs
Wawi holds all 13 AWS certifications alongside CISSP and CCSP — one of the most credentialed cloud architects in the Philippines. He founded Apper Cloud Labs in 2019 to make enterprise-grade cloud and AI expertise accessible to Philippine SMBs.