Security Essentials, Compliance, Shared Responsibility, Migration & Risks
Thursday, 12th March 2026 | 10:00 AM - 12:00 PM IST
Microsoft Teams Meeting
IAM, network security, encryption, monitoring - defense in depth
ISO 27001, SOC 2, GDPR, HIPAA, PCI DSS - what you need to know
Who owns what - the critical model that defines cloud security
The 6 Rs, migration phases, tools, and best practices
Security, availability, compliance, vendor, financial risks
Discussion, key takeaways, and next steps
Defense in Depth - Layered Security Architecture
Security is not a single product - it's a layered approach where each layer adds protection
Key Insight: If one layer fails, other layers continue to protect your assets. Never rely on a single security control.
IAM is the foundation of cloud security - "Who are you, and what can you do?"
AWS identity services
| Service | Purpose | Use Case |
|---|---|---|
| IAM | Core identity service | Users, groups, roles, policies |
| Organizations | Multi-account management | Service control policies (SCPs) |
| IAM Identity Center | SSO for AWS | Single sign-on to multiple accounts |
| Cognito | Customer identity | User pools for web/mobile apps |
| Secrets Manager | Secrets management | Rotate database credentials |
Azure identity services
| Service | Purpose | Use Case |
|---|---|---|
| Microsoft Entra ID | Identity provider | SSO, MFA, conditional access |
| Azure RBAC | Role-based access | Assign roles to resources |
| PIM | Privileged Identity Mgmt | Just-in-time admin access |
| Managed Identities | Auto-managed identities | VMs, App Service to Azure services |
| Key Vault | Secrets management | Store keys, secrets, certificates |
GCP identity services
| Service | Purpose | Use Case |
|---|---|---|
| Cloud IAM | Identity & access | Roles, policies, bindings |
| Cloud Identity | Identity provider | Corporate directory |
| Workforce Identity | Employee SSO | Federation with corporate IdP |
| Service Accounts | Workload identity | GCE, GKE, Cloud Functions |
| Secret Manager | Secrets management | Store API keys, passwords |
Isolate and protect your cloud resources with network-level controls
Security Groups vs NACLs (AWS): Security Groups are stateful (return traffic is allowed automatically, so the reply to an allowed inbound request needs no outbound rule). NACLs are stateless (every packet is evaluated on its own, in rule-number order, so both directions must be allowed explicitly, including the client's ephemeral port range for return traffic). Use both for defense in depth!
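The stateful/stateless difference is easiest to see by running one request/reply pair through both kinds of filter. The following is an added example, not code from the original slides; the addresses, ports and the two filter classes are constructed to mimic security-group and NACL semantics, not an AWS API.

```python
"""Stateful vs stateless packet filtering, simulated in plain Python.

Added example (not from the original slides). Scenario, constructed: a web
server at 10.0.1.10 accepts HTTPS; a client at 203.0.113.7 (TEST-NET-3)
connects from an ephemeral port. Both filters allow inbound 443 from anywhere.
Only the stateful filter (security-group semantics) tracks the connection,
so the server's reply passes without a dedicated outbound rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" = toward the instance, "out" = leaving it


@dataclass(frozen=True)
class Rule:
    direction: str
    ports: tuple  # inclusive (low, high) destination-port range
    allow: bool = True

    def matches(self, pkt):
        low, high = self.ports
        return pkt.direction == self.direction and low <= pkt.dst_port <= high


class StatefulFilter:
    """Security-group semantics: allow a packet, remember the flow, and let the
    reverse flow through automatically. No outbound rule is needed for replies."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def permit(self, pkt):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return True  # return traffic of a tracked connection
        if any(r.allow and r.matches(pkt) for r in self.rules):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False


class StatelessFilter:
    """NACL semantics: each packet is judged on its own. Rules are evaluated in
    order, first match wins, and anything unmatched is implicitly denied."""

    def __init__(self, rules):
        self.rules = rules

    def permit(self, pkt):
        for r in self.rules:
            if r.matches(pkt):
                return r.allow
        return False


SERVER, CLIENT = "10.0.1.10", "203.0.113.7"
REQUEST = Packet(CLIENT, 51515, SERVER, 443, "in")   # client -> server
REPLY = Packet(SERVER, 443, CLIENT, 51515, "out")    # server -> client


def simulate(nacl_allows_ephemeral_out):
    """Run the request/reply pair through both filters. The NACL only passes
    the reply when it has an explicit outbound rule for ephemeral ports."""
    sg = StatefulFilter([Rule("in", (443, 443))])          # no outbound rule at all
    nacl_rules = [Rule("in", (443, 443))]
    if nacl_allows_ephemeral_out:
        nacl_rules.append(Rule("out", (1024, 65535)))       # the rule people forget
    nacl = StatelessFilter(nacl_rules)
    return {
        "sg_request": sg.permit(REQUEST), "sg_reply": sg.permit(REPLY),
        "nacl_request": nacl.permit(REQUEST), "nacl_reply": nacl.permit(REPLY),
    }


if __name__ == "__main__":
    print("NACL without ephemeral rule:", simulate(False))
    print("NACL with ephemeral rule:   ", simulate(True))
```

With no outbound NACL rule the request gets in but the reply is dropped, which is exactly the "site is unreachable even though port 443 is open" symptom people hit when they add a NACL for the first time; the security group passes both packets because it tracked the flow.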
Protect data throughout its lifecycle - at rest, in transit, and in use
"You can't protect what you can't see" - continuous monitoring is essential
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Audit Logs | CloudTrail | Activity Log | Cloud Audit Logs |
| Metrics | CloudWatch | Azure Monitor | Cloud Monitoring |
| Threat Detection | GuardDuty | Microsoft Defender for Cloud | Security Command Center (Event Threat Detection) |
| Posture & Findings Aggregation | Security Hub | Microsoft Defender for Cloud (formerly Security Center) | Security Command Center |
| Vulnerability Scanning | Inspector | Defender for Cloud (Defender Vulnerability Management) | Artifact Analysis (container image scanning, formerly Container Analysis) |
Pro Tip: Centralize logs in a single SIEM (Security Information & Event Management) for correlation and alerting, e.g. Microsoft Sentinel or Google Security Operations (formerly Chronicle). AWS Security Hub aggregates findings, not raw logs, so pair it with a SIEM of your choice for cross-source correlation.
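What "correlation" means in practice: a few simple rules over an audit log, then grouping the hits by actor. The block below is an added example, not code from the original slides. It runs over hand-written records that mimic the CloudTrail schema (the field names are real CloudTrail fields; the events, user names, IPs and rule names are constructed).

```python
"""Four detection rules run over a constructed batch of AWS CloudTrail records.

Added example, not from the original slides. The records are hand-written to
mimic CloudTrail's schema (eventName, eventSource, userIdentity,
additionalEventData, requestParameters); IPs are documentation ranges.
"""
import json

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2026-03-12T04:31:02Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2026-03-12T04:35:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2026-03-12T04:40:44Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2026-03-12T04:41:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2026-03-12T05:02:51Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "192.0.2.9",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"userName": "svc-backup"}},
]


def console_login_without_mfa(ev):
    """Successful console sign-in where MFA was not used."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def trail_tampering(ev):
    """Someone switching off or altering the audit trail (defense evasion)."""
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"})


def root_account_used(ev):
    """Any API call made with root credentials; root should stay dormant."""
    return ev.get("userIdentity", {}).get("type") == "Root"


def admin_port_open_to_world(ev):
    """Security-group change exposing SSH or RDP to 0.0.0.0/0."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for p in perms:
        ports = range(p.get("fromPort", 0), p.get("toPort", 65535) + 1)
        ranges = p.get("ipRanges", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in ranges) and (22 in ports or 3389 in ports):
            return True
    return False


RULES = {  # rule name -> (predicate, severity)
    "ConsoleLoginWithoutMFA": (console_login_without_mfa, "medium"),
    "CloudTrailTampering": (trail_tampering, "high"),
    "RootAccountActivity": (root_account_used, "high"),
    "AdminPortOpenToWorld": (admin_port_open_to_world, "high"),
}


def run_detections(records):
    """Apply every rule to every record; return one alert per hit."""
    alerts = []
    for ev in records:
        identity = ev.get("userIdentity", {})
        for name, (predicate, severity) in RULES.items():
            if predicate(ev):
                alerts.append({"rule": name, "severity": severity, "time": ev["eventTime"],
                               "actor": identity.get("userName", identity.get("type")),
                               "source_ip": ev["sourceIPAddress"]})
    return alerts


def correlate_by_actor(alerts):
    """Group alerts by (actor, source IP). Several hits from one principal in
    one batch are what a SIEM correlation rule escalates to an incident."""
    chains = {}
    for a in alerts:
        chains.setdefault((a["actor"], a["source_ip"]), []).append(a["rule"])
    return chains


if __name__ == "__main__":
    found = run_detections(SAMPLE_RECORDS)
    print(json.dumps(found, indent=2))
    for (actor, ip), rules in correlate_by_actor(found).items():
        print(f"{actor} from {ip}: {', '.join(rules)}")
```

On these records the individual alerts are a no-MFA login, a StopLogging call and a world-open port 22; seen separately each is a ticket, seen together from the same user and IP within ten minutes they read as one intrusion. That grouping step is what you lose when each provider's logs stay in their own console.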
Industry Certifications and Regulatory Requirements
What: International standard for Information Security Management System (ISMS)
Scope: ISO/IEC 27001:2022 Annex A lists 93 controls in 4 themes (organizational, people, physical, technological); the 2013 edition had 114 controls across 14 domains. Topics include access control, cryptography and operations security.
Who needs it: Any organization handling sensitive data, especially B2B services
Cloud providers: AWS, Azure, GCP all ISO 27001 certified
Validity: 3 years with annual surveillance audits
What: Auditing procedure for service organizations (US-focused)
Trust Service Criteria: Security, Availability, Confidentiality, Processing Integrity, Privacy
Type I vs Type II: Type I = point-in-time; Type II = period of time (usually 6-12 months)
Tip: Always ask for SOC 2 Type II reports from vendors - Type I is less meaningful
What: EU regulation for personal data protection
Applies to: Any organization processing EU residents' data, regardless of location
Key requirements: Data subject rights, a lawful basis for processing (consent is one of several), breach notification to the supervisory authority within 72 hours, a DPO for public authorities and for organizations whose core activities involve large-scale monitoring or special-category data
Penalties: Up to €20M or 4% of global annual turnover
Cloud consideration: Data residency and transfers - where is data stored, and from where is it accessed? Keeping EU personal data in EU regions avoids needing a transfer mechanism (adequacy decision, SCCs); remember that remote access from outside the EU (e.g. support staff) also counts as a transfer.
What: US regulation for protected health information (PHI)
Applies to: Healthcare providers, insurers, business associates
Key rules: Privacy Rule, Security Rule, Breach Notification Rule
Cloud consideration: Need BAA (Business Associate Agreement) with cloud provider - must be signed!
What: Security standard for organizations handling credit cards
Levels: 1-4 based on transaction volume (Level 1 = highest, 6M+ transactions/year)
12 Requirements: Network security, access control, encryption, monitoring, policies
Cloud tip: Use PCI-compliant services (PCI DSS Level 1 service providers). Tokenize card data when possible.
Important: Cloud provider compliance does NOT automatically make you compliant! You must implement controls in YOUR use of the cloud.
Where your data lives matters - different countries have different requirements
Who is Responsible for What?
Security is a shared responsibility - but what YOU are responsible for depends on the service model
Critical Understanding: Regardless of service model (IaaS, PaaS, SaaS), these are ALWAYS the customer's responsibility: identity and access (users, MFA, privilege levels), your data (classification, encryption keys, backups, retention) and the configuration of the services you use (sharing settings, network exposure, logging).
Common Failure: "We use SaaS, so security is handled" - WRONG! Customer-side misconfiguration and weak identity controls (public S3 buckets, weak passwords, no MFA) cause most cloud breaches, whatever the service model!
Case 1: Capital One (2019) - Attacker used an SSRF flaw behind a misconfigured WAF running on EC2 to reach the instance metadata service, obtained the instance role's credentials, and used that role's over-broad S3 permissions to copy 100M+ records. Customer configuration and IAM failure (the mitigations now considered standard: IMDSv2, least-privilege instance roles).
Case 2: Multiple S3 Bucket Leaks - Companies left S3 buckets public. Personal data, military files, voter records exposed. Customer configuration failure.
Case 3: TeamViewer (2016) - User accounts hijacked with credentials reused from other sites' breaches (credential stuffing), no two-factor authentication; TeamViewer stated its own infrastructure was not compromised. Customer identity failure.
Pattern: Most "cloud breaches" are actually customer configuration or identity failures, not provider infrastructure failures!
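The public-bucket failure above is simple to check for before it becomes a breach, and it is a good illustration of two layers working together (the bucket policy and Block Public Access). The block below is an added example, not code from the original slides or an AWS tool: the policies are constructed, the bucket name and org ID are placeholders, and the "public" test is a simplified version of the wildcard-principal-without-narrowing-condition logic AWS applies.

```python
"""Is this S3 bucket policy public? A static check in the style of a CSPM rule.

Added example, not from the original slides. The policies below are
constructed; bucket names and the org ID are placeholders. A statement is
treated as public when it Allows, names an anonymous principal ("*" or
{"AWS": "*"}) and carries no condition that narrows the grant to a specific
account, organization, VPC or source (a simplified version of the logic AWS
uses for its own "public" determination).
"""
import json

# Condition keys that pin a wildcard principal back to something specific.
NARROWING_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
    "aws:sourceip", "aws:userid",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def has_narrowing_condition(condition):
    for operator, keys in (condition or {}).items():
        # Negated operators widen rather than narrow: "everyone except X" is still public.
        if "Not" in operator or operator.endswith("IfExists"):
            continue
        if any(k.lower() in NARROWING_KEYS for k in keys):
            return True
    return False


def public_statements(policy_doc):
    """Return the statements that grant anonymous access."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal")):
            continue
        if has_narrowing_condition(st.get("Condition")):
            continue
        hits.append({"sid": st.get("Sid", "<no Sid>"), "actions": _as_list(st.get("Action"))})
    return hits


def assess_bucket(name, policy_doc, block_public_access):
    """Combine the policy check with the Block Public Access setting: with all
    four BPA settings on, a public policy is rejected when written
    (BlockPublicPolicy) and anonymous access is refused regardless
    (RestrictPublicBuckets), which is the second layer defense in depth asks for."""
    hits = public_statements(policy_doc)
    if not hits:
        return {"bucket": name, "public": False, "reason": "no anonymous grant"}
    if block_public_access:
        return {"bucket": name, "public": False,
                "reason": "anonymous grant present but Block Public Access overrides it",
                "statements": hits}
    return {"bucket": name, "public": True, "reason": "anonymous grant, no BPA", "statements": hits}


# Constructed policies. LEAKY is the classic mistake; DECOY looks restricted but
# only excludes one range; ORG_ONLY uses a wildcard principal safely.
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEveryone", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}]})
DECOY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllExceptOneRange", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})
ORG_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgWideRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]})


if __name__ == "__main__":
    for label, doc in [("leaky", LEAKY_POLICY), ("decoy", DECOY_POLICY), ("org-only", ORG_ONLY_POLICY)]:
        print(label, assess_bucket("example-backups", doc, block_public_access=False))
    print("leaky + BPA", assess_bucket("example-backups", LEAKY_POLICY, block_public_access=True))
```

The decoy policy is the case worth remembering: a Condition block is not the same as a restriction, and a negated operator such as NotIpAddress leaves the bucket open to everyone except one range. Treat Block Public Access as mandatory at the account level so that a bad policy is refused rather than merely reported.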
The 6 Rs, Phases, Tools & Best Practices
Every workload needs a migration strategy - choose the right one for each application
| Strategy | Effort | Speed | Cloud Optimization | Best For |
|---|---|---|---|---|
| Rehost | Low | Fast | Low | Legacy apps, tight deadlines |
| Replatform | Medium | Medium | Medium | Quick wins, managed services |
| Repurchase | Low | Fast | High | Commodity software (CRM, HR) |
| Refactor | High | Slow | High | Strategic apps, cloud-native |
| Retire | Low | Fast | N/A | Unused/redundant apps |
| Retain | None | N/A | N/A | Not ready, compliance, recent investment |
Tip: Start with assessment. 15-20% of applications can typically be retired. Don't migrate what you don't need!
AWS migration tools
| Tool | Purpose |
|---|---|
| Migration Hub | Central tracking of all migrations |
| Application Discovery Service | Discover on-premises inventory & dependencies |
| Database Migration Service (DMS) | Migrate databases with minimal downtime |
| Application Migration Service (MGN) | Replicate on-premises servers to AWS (successor to the discontinued Server Migration Service, SMS) |
| DataSync | Transfer files to S3/EFS/FSx |
| Snow Family | Physical data transfer (Snowball Edge; the Snowmobile truck service has been discontinued) |
Azure migration tools
| Tool | Purpose |
|---|---|
| Azure Migrate | Unified migration platform |
| Azure Database Migration Service | Migrate databases to Azure |
| Azure Data Box | Physical data transfer |
| Site Recovery | Disaster recovery & migration |
| App Service Migration Assistant | Migrate web apps to App Service |
GCP migration tools
| Tool | Purpose |
|---|---|
| Migration Center | Discovery and assessment |
| Database Migration Service | Migrate databases to Cloud SQL |
| Transfer Appliance | Physical data transfer |
| Migrate to Virtual Machines | VM migration to GCE |
| Storage Transfer Service | Transfer data to Cloud Storage |
Risk Identification, Assessment & Mitigation
AWS us-east-1 Outage (Dec 2021): Multi-hour outage affecting major services. Companies relying on single region went down. Mitigation: Multi-region architecture.
Capital One Breach (2019): 100M+ records exposed after SSRF through a misconfigured WAF on EC2 yielded over-privileged instance-role credentials. Mitigation: Security reviews, guardrails (IMDSv2, least-privilege roles, Block Public Access), CSPM tools.
Cost Surprise Examples: Crypto miners on compromised accounts, runaway ETL jobs, unmonitored test environments generating $50K+ bills. Mitigation: Budgets, alerts, least privilege.
Key Lesson: Most cloud incidents are preventable with proper controls. Implement guardrails BEFORE migrating workloads!
Defense in depth with multiple layers. IAM is foundational. Encrypt everything. Monitor continuously.
Know your requirements. Leverage provider certifications but implement YOUR controls. Data residency matters.
Identity, data, and configuration are ALWAYS your responsibility. Provider compliance ≠ your compliance.
Assess first. Choose the right strategy for each workload. Start small, learn, then scale. 15-20% can be retired!
Most "cloud breaches" are configuration failures. Implement guardrails early. Multi-region for critical workloads.
Questions & Discussion
Next Session: Advanced Topics & Hands-on Labs