What should be the primary focus area during a cloud security assessment?

In cloud security assessments, controlling identities and access is the central concern because the biggest risk often comes from who can reach what and with what permissions. IAM configuration and governance determine whether users and services have just enough access to do their jobs, whether multi-factor authentication is enforced, how credentials and API keys are managed, and how external identities are handled. A strong IAM posture reduces the chances of credential theft, privilege escalation, and data exfiltration, and it helps prevent lateral movement within the cloud environment. In practice, an assessment focuses on checking roles and permissions, identifying overly permissive access, removing stale or unused accounts, ensuring proper secret management, and validating access reviews and policy enforcement. The other options—network latency, physical data center security, and VM CPU performance—relate more to performance or physical/operational concerns and do not address the primary security risk in cloud deployments.