Capstone Project & Interview Readiness
Bring together all 11 modules in a culminating assessment — scenario-based simulations, cross-module interview questions, certification guidance, and a quick-reference cheat sheet.
What's Covered
| Section | Format | Modules Tested |
|---|---|---|
| IAM Breach Simulation | 4-stage scenario with decisions | Mod 2 (IAM), 6 (Threat Detection), 10 (IR) |
| Compliance Mapping | 8 controls × 5 frameworks grid | Mod 8 (Compliance & Governance) |
| Mock Interview (30 Qs) | Accordion Q&A — all 11 modules | All modules 1–11 |
| Certification Roadmap | 6 cert cards with exam details | Preparation guidance |
| Quick Reference Cheat Sheet | 8 expandable cards | Key facts for all modules |
IAM Credential Breach — 4-Stage Incident
Work through a real-world IAM breach scenario, one stage at a time. Choose the correct response at each stage to unlock the next. The correct choice for each stage is revealed after selection.
🔴 Stage 1: Detection — Anomalous IAM Activity Detected
ci-deploy service account has performed 47 AssumeRole calls in the past 5 minutes — from an IP address in Ukraine, during off-hours. The account normally runs from GitHub Actions (US East). You have 10 minutes before you expect the attacker to escalate privileges.
What do you do first?
🔴 Stage 2: Containment — Scope of Compromise
backup-svc-2) and attached the AdministratorAccess policy. You need to prevent the backdoor from being used.
What is your immediate containment action?
🔴 Stage 3: Eradication — Root Cause Analysis
ci-deploy key was committed to a public GitHub repository 6 days ago and removed 4 days ago. Trufflesec scanner shows it's also in a Docker image pushed to DockerHub.
Which actions address the root cause? (Choose the most complete response)
🔴 Stage 4: Recovery & Hardening
Which hardening measure is most impactful for preventing this class of attack?
Multi-Cloud Compliance Mapping
For each cloud security control, check all frameworks that mandate or directly address it. Submit for your coverage score and gaps.
| Cloud Security Control | ISO 27001 | SOC 2 | PCI-DSS | GDPR | HIPAA |
|---|---|---|---|---|---|
| Encryption of data at rest | |||||
| MFA for privileged access | |||||
| Audit logging of all admin actions | |||||
| Data breach notification within 72 hours | |||||
| Penetration testing at least annually | |||||
| Data residency controls (store data in specific regions) | |||||
| Vulnerability management and patching SLA | |||||
| Business continuity and disaster recovery planning |
Mock Interview Questions
30 cross-module interview questions spanning the full multi-cloud security curriculum. Click each to reveal the model answer.
☁️ Cloud Foundations (Module 1)
- IaaS (e.g., EC2): CSP secures physical infra, hypervisor, network hardware. Customer secures OS, patches, apps, data, IAM, network config
- PaaS (e.g., App Service): CSP additionally manages OS and runtime. Customer secures application code, data, identity, and access
- SaaS (e.g., Microsoft 365): CSP manages almost everything. Customer responsible for data governance, user identity, and access controls
- IaaS: Max customer responsibility. Customer patches VMs, configures firewalls, manages everything above the hypervisor
- PaaS: Customer focuses on application security, identity, data — not infrastructure
- SaaS: Customer focuses on: who has access (IAM), what data is stored (DLP/classification), and how it's used (governance)
🔐 Cloud IAM (Module 2)
- Use IAM policies with explicit resource ARNs (not
*) and specific actions (not*) - Use IAM Access Analyzer to identify over-permissive policies and unused permissions
- Enable SCPs in AWS Organizations to set permission guardrails at the OU level
- Use permission boundaries to limit what developers can grant to their own created roles
- Rotate and review IAM Access Advisor reports: revoke permissions unused in 90+ days
- Use JIT (Just-in-Time) access via AWS IAM Identity Center for privileged access
- Service Principal: An identity (app registration) used by applications, services, or automation tools to authenticate to Azure. Requires managing credentials (client secret or certificate)
- Managed Identity: A type of service principal whose credentials are managed automatically by Azure. Eliminates the need to store secrets in code or config files. Two types: System-assigned (tied to resource lifecycle) and User-assigned (standalone, can be shared across resources)
🌐 Network Security (Module 3)
| Feature | Security Group | Network ACL |
|---|---|---|
| Scope | Instance/ENI level | Subnet level |
| State | Stateful (return traffic auto-allowed) | Stateless (both directions must be explicitly allowed) |
| Rules | Allow only | Allow and Deny |
| Evaluation | All rules evaluated | Rules evaluated in order (rule number) |
- VPC Peering: Direct, 1-to-1 encrypted connection between two VPCs. Non-transitive (A↔B, B↔C does NOT give A↔C). Scales poorly with many VPCs (n*(n-1)/2 peering connections needed)
- AWS Transit Gateway: Hub-and-spoke architecture. Acts as a regional network transit hub. Any VPC attached can reach any other (if routing allows). Supports thousands of VPCs, cross-region peering, VPN, Direct Connect attachments. Supports route table segmentation for isolation
🔒 Data Security & Encryption (Module 4)
- SSE-S3 (Server-Side Encryption with S3 Managed Keys): AWS manages keys entirely. No audit trail of individual object key usage. Simplest but least control
- SSE-KMS (with AWS KMS): Keys managed in KMS. Full audit trail in CloudTrail (every object decryption is logged). Key rotation, key policies, and cross-account access control possible. Preferred for sensitive/regulated data
- SSE-C (Customer-Provided Keys): Customer supplies and manages the encryption key with each API call. AWS never stores the key. Customer has full key sovereignty but must manage key lifecycle. Highest control, highest operational burden
- Account level: Enable S3 Block Public Access at the AWS account level (prevents any bucket in the account from being made public)
- Organization level: SCP to deny
s3:PutBucketPublicAccessBlockwithBlockPublicAcls: false— prevents disabling public access block - Detection: AWS Config rule
s3-bucket-public-read-prohibitedtriggers alerts if public access detected - CSPM: Wiz/Prisma Cloud continuously scans for public bucket exposure and flags attack paths (public bucket + sensitive data)
- Data classification: Amazon Macie scans S3 buckets for PII/sensitive data and alerts if found in potentially exposed buckets
🔍 CSPM & Cloud Posture (Module 5)
Problems it solves:
- Misconfiguration blindness: 90%+ of cloud breaches involve misconfiguration (Gartner); CSPM provides continuous scanning
- Compliance gap detection: Automatically maps cloud configuration to CIS benchmarks, NIST, SOC 2, PCI-DSS
- Drift detection: Alerts when configuration deviates from approved baseline (IaC drift)
- Multi-cloud visibility: Single view across AWS, Azure, and GCP
- CIS Benchmarks: CIS AWS Foundations Benchmark, CIS Azure Foundations, CIS GCP Foundations — highly specific, actionable control recommendations with scoring levels (L1 basic, L2 advanced)
- AWS Security Hub controls: Mapped to CIS, NIST, PCI-DSS, ISO 27001
- NIST CSF: Five functions framework: Identify, Protect, Detect, Respond, Recover
- Microsoft CAF (Cloud Adoption Framework): Azure security best practices and landing zone design
- Google SLSA: Supply chain levels for software artifacts
🚨 Threat Detection & SIEM (Module 6)
It uses ML models + threat intelligence feeds to detect:
- Reconnaissance: port scans, unusual API calls from Tor nodes
- Credential compromise: unusual IAM AssumeRole calls, API calls from unknown IP
- Cryptomining: connection to known mining pools
- Data exfiltration: unusual S3 object retrieval volumes
- Lateral movement: instance communicating with other accounts unexpectedly
- SIEM (Security Information and Event Management): Aggregates, correlates, and alerts on security events from multiple sources. Human analysts investigate alerts. Examples: Microsoft Sentinel, Splunk, IBM QRadar
- SOAR (Security Orchestration, Automation, and Response): Automates the response to security alerts using playbooks. Reduces MTTR (mean time to respond) by automating routine actions (block IP, disable account, create ticket). Examples: Palo Alto XSOAR, Splunk SOAR, Microsoft Sentinel Automation Rules
⚙️ DevSecOps & Containers (Module 7)
CI/CD pipeline security gates:
- IDE/commit: Pre-commit hooks (git-secrets, detect-secrets) catch secrets before push. SAST in IDE (Snyk, Semgrep plugins)
- Build: SAST scan (Semgrep, SonarQube), SCA (Snyk, OWASP Dependency-Check) for vulnerable libraries
- Container build: Container image scan (Trivy, Snyk Container, ECR/ACR native scanning)
- IaC scan: Checkov, tfsec, KICS for Terraform/CloudFormation/Bicep
- Pre-deploy: DAST (OWASP ZAP, Burp Suite Pro API mode) against staging
- Production: CWPP/CSPM continuous monitoring
- API server: Disable anonymous auth, enable audit logging, restrict API access with network policies
- RBAC: Least-privilege RBAC roles; avoid ClusterAdmin for workloads; use service accounts per workload
- Pod Security: Pod Security Admission (PSA) — enforce Restricted profile; no root containers, no privileged mode, read-only root filesystem
- Secrets: Use External Secrets Operator (ESO) + Vault/AWS Secrets Manager instead of Kubernetes Secrets (base64, not encrypted)
- Network: NetworkPolicies for pod-to-pod microsegmentation; Calico/Cilium for enforcement
- Image supply chain: Only allow signed images (Cosign/Sigstore); scan with Trivy in CI + Falco at runtime
- Runtime: Falco for anomaly detection (unexpected syscalls, file modifications)
📋 Compliance & Governance (Module 8)
- Art. 5 (Data minimization): Implement data classification and retention policies; delete data no longer needed
- Art. 25 (Data protection by design): Encryption by default (SSE-KMS), access controls enforced at design time, not bolted on
- Art. 32 (Security of processing): Encryption at rest and in transit, access controls, regular testing (penetration testing, CSPM)
- Art. 33 (Breach notification): SIEM + SOAR must enable breach detection and notification within 72 hours of becoming aware
- Art. 44 (Data transfers): Use SCCs or adequacy decisions for cross-border transfers; enforce data residency via cloud region policies
- Security (CC): Common Criteria — the only mandatory category. Covers access controls, monitoring, change management, risk assessment. Required for all SOC 2 reports
- Availability: System availability per SLA commitments
- Processing Integrity: Processing is complete, valid, accurate, timely
- Confidentiality: Confidential data is protected per agreements
- Privacy: Personal data collection, use, retention, disclosure
🔭 CASB, DLP & SaaS Security (Module 9)
- Visibility: Discover all cloud apps in use (Shadow IT discovery) — often reveals 10x more apps than IT knows about
- Compliance: Identify which cloud apps meet compliance requirements (ISO, SOC 2, GDPR, HIPAA)
- Data Security: DLP for cloud data — scan content uploaded to cloud apps, block sensitive data exfiltration
- Threat Protection: Detect compromised accounts, malware in cloud storage, insider threats via UEBA
How to address:
- Discover: Deploy CASB to discover all cloud app traffic. Typical organizations find 1,000+ shadow IT apps
- Assess: Evaluate each app's security posture (encryption, SOC 2, data centre location) using CASB app catalogue
- Control: Allow/block/monitor/coach — block high-risk apps (e.g., personal cloud storage), require authentication for medium-risk apps, monitor approved apps
- Govern: Publish an approved app catalogue; create a lightweight IT approval process so employees go to IT first
🛡️ Incident Response & Forensics (Module 10)
- 1. Preparation: IR runbooks for cloud scenarios, SIEM configured, alert thresholds tuned, tabletop exercises, IR team contacts documented
- 2. Detection & Analysis: SIEM alert fires; analyst triages finding; determine scope (which accounts, regions, resources affected); determine blast radius
- 3. Containment: Isolate affected resources (revoke credentials, isolate EC2 in quarantine security group, snapshot for forensics); short-term containment while preserving evidence
- 4. Eradication: Remove malware/backdoors, close attack vector, revoke attacker persistence mechanisms (created IAM users, Lambda functions, scheduled tasks)
- 5. Recovery: Restore from known-good snapshots/IaC, redeploy clean infrastructure, validate integrity
- 6. Lessons Learned / Post-Incident: Timeline reconstruction, root cause analysis, control gap identification, blameless post-mortem, control improvements
- 1. Preserve evidence: Take EBS/disk snapshot before any changes. Tag the snapshot with incident ID. Do NOT terminate the instance yet
- 2. Isolate: Move instance into quarantine security group (no inbound/outbound except forensics access). Revoke public IPs
- 3. Memory capture: For live analysis — use AWS Systems Manager Run Command or Azure RunCommand to dump memory (LiME for Linux, WinPmem for Windows) while instance is live
- 4. Log collection: Preserve CloudTrail/Activity Log/VPC Flow Logs for the incident window; pull OS logs from CloudWatch/Log Analytics
- 5. Forensic workstation: Attach EBS snapshot to a separate forensic EC2. Mount read-only. Analyse with Volatility (memory), Autopsy/TSK (disk), chkrootkit
- 6. Chain of custody: Hash all evidence (SHA-256), document every action with timestamp
🌍 Multi-Cloud & Zero Trust (Module 11)
- Identity (control plane): Azure Entra ID as single IdP → federate to AWS via IAM Identity Center (SAML/OIDC) → enforce Conditional Access (MFA + device compliance + risk score) → JIT privileged access via Entra PIM
- Device: All corporate devices enrolled in Intune → device compliance policy (patch level, disk encryption, AV) → non-compliant blocked by Conditional Access
- Network: Replace VPN with Zscaler ZPA (ZTNA) for all internal app access → Megaport for private AWS-Azure connectivity → microsegmentation within each cloud via Security Groups/NSGs + Kubernetes NetworkPolicies
- Application: Defender for Cloud Apps (CASB) for SaaS → WAF in front of all web apps → per-app access tokens; no shared secrets
- Data: Azure Purview for cross-cloud data classification → DLP policies → SSE-KMS (AWS) + Azure Key Vault (CMK) → Macie for S3 PII detection
- Visibility: Microsoft Sentinel with AWS connector + native Azure telemetry + Wiz for cloud posture → UEBA for insider threat detection
- Vault supports dynamic secrets for AWS (IAM credentials), Azure (service principal creds), GCP (service account keys) — credentials are short-lived, auto-rotated, unique per consumer
- All apps authenticate to Vault via cloud-native identity (AWS IAM role, Azure Managed Identity, GCP service account) — no static credentials
- Vault Enterprise supports DR replication, namespaces for multi-tenant isolation, and Sentinel policies for access governance
- Backup option: AWS Secrets Manager + Azure Key Vault + GCP Secret Manager used natively per cloud, with cross-cloud access via federated identity
🏗️ Architecture & Design (Cross-Module)
Security guardrails applied at landing zone:
- AWS Control Tower: Pre-configured SCPs (deny root login, require CloudTrail, require S3 public access block), audit account, log archive account, automated account vending
- Azure Landing Zone (ALZ): Management group hierarchy, Azure Policy initiatives (mandatory logging, allowed regions, SKU restrictions), Defender for Cloud enabled across all subscriptions
- GCP Landing Zone: Organisation policies (restrict resource locations, disable service account key creation), VPC Service Controls for data perimeter
| Dimension | Proactive (Shift-Left) | Reactive (Detect & Respond) |
|---|---|---|
| When | Before deployment | After deployment / at runtime |
| Tools | IaC scanning, SAST, SCA, pre-commit hooks | CSPM, SIEM, GuardDuty, CWPP |
| Goal | Prevent vulnerabilities from reaching production | Detect and respond to threats in production |
| Cost | Low — fix before deployment | High — breach response, legal, reputation |
| Examples | Checkov failing a Terraform plan in CI/CD | GuardDuty alerting on cryptomining |
- Data security: Training data often contains sensitive PII — classify, encrypt, apply strict access controls. Use data masking/anonymization before training where possible
- Model security: Protect model weights (IP) from exfiltration — encrypt at rest, restrict access to model artifacts in S3/Azure Blob/GCP GCS
- Supply chain: Malicious model weights via Hugging Face — scan with ModelScan; pin model version hashes; use private model registries
- Inference security: Prompt injection attacks, model inversion attacks, data poisoning — apply input/output filtering, rate limiting, audit all inference requests
- Compute isolation: Confidential computing (Azure Confidential VMs, AWS Nitro Enclaves) for sensitive ML workloads
- Compliance: EU AI Act, NIST AI RMF — document training data provenance, model risk assessments
- Phase 1 — Foundations (0-3 months): Asset inventory, cloud account inventory, enable logging (CloudTrail/Activity Log/Audit Logs), enable cloud-native security services (GuardDuty, Defender for Cloud, SCC), establish security baseline (CIS L1)
- Phase 2 — Visibility (3-6 months): Deploy CSPM, aggregate logs into central SIEM, establish alert triage process, document Shared Responsibility boundaries, conduct first threat model
- Phase 3 — Governance (6-12 months): Implement Policy-as-Code (OPA + Terraform), establish security review in SDLC, introduce IaC scanning in CI/CD, start compliance programme (SOC 2 or ISO 27001 if required)
- Phase 4 — Maturity (12+ months): ZTA implementation, Zero Trust network access, SOAR automation, red team exercises, advanced threat hunting
- Platform model: Build a security internal developer platform — developers "order" compliant infrastructure via Terraform modules with security built in. Security team is a platform provider, not a gatekeeper
- Paved paths: Make the secure way the easy way — pre-approved, pre-secured IaC templates, container base images, approved SaaS app catalogue
- Security champions: Embed security-trained engineers in each squad — first line of defence, bridge between security team and developers
- Automated guardrails: Security gates in CI/CD (SAST, SCA, IaC scan) catch issues automatically without human review for every PR
- Blameless culture: When security issues are found, focus on system/process improvement — not individual blame. Developers report security issues faster when not afraid of punishment
- JIT (Just-in-Time) access: Privileged roles not permanently assigned — requested on-demand, approved, granted for a time window, then automatically revoked. Azure PIM, AWS IAM Identity Center time-based access
- Session recording: Record privileged sessions (AWS Session Manager, Azure Bastion) for compliance and forensics. Eliminates the need for static SSH keys on VMs
- Credential vaulting: Privileged credentials stored in vault, checked out, rotated after use. HashiCorp Vault, CyberArk Privilege Cloud
- Ephemeral access: No persistent access — every access is temporary and audited
- PEDM: Privilege Elevation and Delegation Management for workstations — elevate specific commands, not full admin accounts
- Confidentiality in cloud: Misconfigured S3 buckets, over-permissive IAM, unencrypted data — mitigated by SSE-KMS, CSPM, DLP, CASB
- Integrity in cloud: Unauthorized changes to cloud configuration, container image tampering, IaC drift — mitigated by IaC (immutable infra), image signing (Cosign/Sigstore), CloudTrail immutability (S3 Object Lock), AWS Config change tracking
- Availability in cloud: DDoS attacks, misconfigured auto-scaling, AZ/region outages, accidental resource deletion — mitigated by AWS Shield/Azure DDoS Protection, multi-AZ/multi-region architectures, deletion protection, resource locks
- AI-native security operations: LLM-powered threat detection and response (Microsoft Copilot for Security, AWS Security Lake + Amazon Bedrock). Natural language queries replace complex SIEM search syntax. AI-generated playbooks and auto-triage.
- Post-quantum migration: NIST PQC algorithms (CRYSTALS-Kyber, Dilithium, SPHINCS+) being adopted by cloud providers. Organisations must inventory cryptographic usage and begin migration plans
- Platform engineering for security: Security as an internal API — developers provision security capabilities (secrets, certificates, WAF rules) via self-service platform APIs, enabling security at developer speed
- SASE consolidation: VPN fully replaced; network security and connectivity converged into single cloud-delivered service across most enterprise organisations
- AI security as its own discipline: Prompt injection, model poisoning, adversarial ML, LLM jailbreaking — a new attack surface requiring specialised skills and tooling
Cloud Security Certifications
The six most relevant certifications for a cloud security career, with exam details and study guidance.
Azure Security Technologies
Primary Azure security certification. Validates skills in securing identities, platforms, data, and applications in Azure.
- Manage identity & access (Entra ID, PIM, Conditional Access)
- Secure networking (NSG, Azure Firewall, Private Endpoints)
- Manage security operations (Sentinel, Defender for Cloud)
- Secure data and applications (Key Vault, encryption)
Format: ~65 MCQ + case studies · Passing: 700/1000 · Duration: 2 hours
Security Specialty (SCS-C02)
AWS's dedicated security certification. Validates advanced skills in securing AWS workloads.
- Threat detection and incident response (GuardDuty, IR automation)
- Security logging and monitoring (CloudTrail, Security Hub)
- Infrastructure security (VPC, WAF, Shield)
- Identity and access management (IAM, SCP, Organizations)
Format: 65 MCQ/multi-response · Passing: 750/1000 · Duration: 3 hours
Professional Cloud Security Engineer
GCP's professional-level security certification. Tests ability to design and implement secure GCP infrastructure.
- Configuring access within a cloud solution environment
- Securing network configuration (VPC, Private Google Access)
- Ensuring data protection (CMEK, DLP API, Secret Manager)
- Managing operations within a cloud solution environment
Format: ~50 MCQ · Passing: ~70% · Duration: 2 hours
Certificate of Cloud Security Knowledge
The original cloud security certification from the Cloud Security Alliance. Vendor-neutral, covers all clouds.
- CSA Cloud Controls Matrix (CCM) — 197 controls across 17 domains
- ENISA cloud risk framework
- Governance, risk, and compliance for cloud
- Required baseline for many cloud GRC roles
Format: 60 MCQ (open book) · Passing: 80% · Duration: 90 min
Certified Information Security Manager
Management-focused security certification. Valued for security management, governance, and leadership roles.
- Information security governance and strategy
- Information risk management
- Information security programme development
- Incident management and response
Format: 150 MCQ · Passing: 450/800 · Duration: 4 hours · Requires 5yr experience
Certified in Risk & Info Systems Control
IT risk management certification. Valued for cloud GRC, third-party risk, and security risk roles.
- IT risk identification and assessment
- IT risk response and mitigation
- Risk and control monitoring and reporting
- IT risk and third-party governance
Format: 150 MCQ · Passing: 450/800 · Duration: 4 hours · Requires 3yr experience
Quick Reference Cheat Sheet
Expandable topic cards for last-minute revision before interviews or exams.
| Who owns it? | IaaS | PaaS | SaaS |
|---|---|---|---|
| Physical security, hardware, hypervisor | CSP | CSP | CSP |
| OS, runtime, middleware | Customer | CSP | CSP |
| Application code | Customer | Customer | CSP |
| Data, classification, access | Customer | Customer | Customer |
| Identity (who can log in) | Customer | Customer | Customer |
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Access control model | IAM Policies (JSON) | RBAC Roles | IAM Policies + Roles |
| Service identity | IAM Role (for EC2, Lambda) | Managed Identity | Service Account |
| SSO / federation | IAM Identity Center | Entra ID | Workforce Identity Federation |
| Org-level guardrails | SCPs (Service Control Policies) | Azure Policy / Management Groups | Organisation Policies |
| Privileged access management | IAM Identity Center + JIT | Entra PIM | Privileged Access Manager |
| Term | Meaning |
|---|---|
| CMK (Customer Managed Key) | Key you create and manage in KMS/Key Vault — full lifecycle control |
| MMK (AWS Managed Key) | Key AWS manages on your behalf — less control, auto-rotation |
| SSE-KMS | S3 server-side encryption using AWS KMS — audit trail per object |
| BYOK (Bring Your Own Key) | Import your own key material into cloud KMS |
| HYOK (Hold Your Own Key) | Key never leaves your HSM — cloud provider encrypts/decrypts via API calls to your HSM |
| Envelope encryption | Data encrypted with DEK; DEK encrypted with KEK stored in KMS |
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Virtual network | VPC | VNet | VPC (global) |
| Instance-level firewall | Security Group (stateful) | NSG (stateless-ish) | Firewall Rules |
| Private connectivity to CSP | Direct Connect | ExpressRoute | Cloud Interconnect |
| Private endpoint to service | VPC Endpoint (PrivateLink) | Private Endpoint | Private Service Connect |
| WAF | AWS WAF + Shield | Azure WAF (AFD/AppGW) | Cloud Armor |
| Hub-spoke routing | Transit Gateway | Virtual WAN / Hub VNet | VPC Network Peering (no TGW equiv) |
| Service | Provider | What it Detects |
|---|---|---|
| GuardDuty | AWS | Anomalous IAM, crypto mining, port scan, DNS exfiltration |
| Defender for Cloud | Azure | VM threats, IAM anomalies, SQL injection, AKS attacks |
| Security Command Center | GCP | Misconfigurations, threats, vulnerabilities, data exposure |
| Macie | AWS | PII/sensitive data in S3 buckets |
| AWS Security Hub | AWS | Aggregates findings from GuardDuty, Inspector, Macie, partner tools |
| Microsoft Sentinel | Azure | Multi-cloud SIEM with native connectors for AWS, GCP |
| Framework | Focus | Who needs it | Key requirement |
|---|---|---|---|
| ISO 27001 | ISMS — comprehensive security management | Enterprise, global orgs | Risk assessment, ISMS, annual audit |
| SOC 2 Type II | SaaS security controls effectiveness | SaaS companies, cloud providers | 6-12 month operational audit of TSC |
| PCI-DSS v4.0 | Card data environment security | Anyone handling payment card data | Network seg, encryption, pen test, ASV scan |
| GDPR | EU personal data protection | Any org with EU citizen data | 72hr breach notification, data residency, DPIA |
| HIPAA | US healthcare data (PHI) | US healthcare orgs, BAs | BAA required, encryption, audit controls |
| FedRAMP | US federal cloud security | Cloud services for US government | NIST 800-53 controls, annual 3PAO audit |
| Stage | Tool Type | Example Tools |
|---|---|---|
| Pre-commit | Secret detection hook | git-secrets, detect-secrets, gitleaks |
| Build (SAST) | Static code analysis | Semgrep, SonarQube, CodeQL, Snyk SAST |
| Build (SCA) | Dependency vulnerability scan | Snyk, OWASP Dependency-Check, Grype |
| Container build | Image vulnerability scan | Trivy, Snyk Container, AWS ECR scanning |
| IaC pre-deploy | IaC security scan | Checkov, tfsec, KICS, Terrascan |
| Staging (DAST) | Dynamic app testing | OWASP ZAP, Burp Suite Pro API mode |
| Production | CSPM + CWPP | Wiz, Prisma Cloud, Lacework, Falco |
ZT Pillars: Identity → Device → Network → Application → Data
Key standard: NIST SP 800-207 (August 2020)
Origin: Google BeyondCorp (post-2009 Aurora attack)
SASE components: SD-WAN + ZTNA + CASB + SWG + FWaaS
SSE: SASE minus SD-WAN (security-only)
ZTNA vs VPN: ZTNA = per-app, identity-based; VPN = full network segment
Vendors: Zscaler (ZIA+ZPA), Netskope, Palo Alto Prisma Access, Microsoft Entra
Inter-cloud private connectivity: Megaport VXC · Equinix Fabric · Direct Connect + ExpressRoute at same colo
Federated IdP: Azure Entra ID / Okta → AWS IAM Identity Center + GCP Workforce Identity Federation