
The 5 pillars of a secure cloud transformation

David Guest

Solution Architect & Technology Evangelist

Published: 19 July 2022

If you’re serious about cloud transformation, you also need to be serious about security. There are five areas of security that need to be baked into your cloud transformation for it to be both secure and successful.

Cloud transformation is rapidly changing how we work, how organisations operate, and what security looks like in a world beyond traditional firewalls.

COVID-19 accelerated the shift from office working to home working. It’s critical to recognise that as you move to cloud platforms, you need to transform your security posture and controls at the same time.

A secure cloud transformation will constantly evolve as migrations and modernisation take place during the build phase. However, you need to be clear about your goals.

Moving away from the traditional firewall security boundary to a more open cloud deployment, including Platform as a Service (PaaS) deployments, makes your organisation more agile – but it does come with risks.

Without a defined end state and approach to security and governance, your organisation will be more open to advanced security attacks as you go through the transformation journey.

Baking security into your cloud transformation

By April 2020, the Office of National Statistics reported that the number of remote workers had increased to 46% of the UK’s population.

And there’s no going back to business as usual. As of May 2021, 85% of working adults want hybrid office or home-working structures in place at their jobs.

Pandemic pressure has accelerated the cloud transformation revolution. To begin with, it was enough that work from home infrastructure simply worked.

However, that’s no longer the case. If you’re serious about cloud transformation, you also need to be serious about security.

Using our in-depth knowledge of cloud adoption frameworks, we can show you what a secure cloud transformation looks like.

The secure cloud adoption framework (S-CAF) is based on five key pillars, which we’ll discuss here.



Zero trust

When transforming to the Cloud, the concept of providing a secure boundary disappears.

Resources are no longer protected behind firewalls – the very nature of working in the Cloud disperses workloads across many platforms.

However, there is a solution to this potentially crippling business challenge.

That solution is the ‘zero trust’ mindset. Zero trust is a strategic approach to cyber security.

In a nutshell, this involves creating a framework that requires all users, however they are accessing corporate resources, to be authenticated and challenged for authorisation at each stage of their journey.

It also works on the idea of least privileged access, ensuring that any member of an organisation is given the bare minimum access to the resources and applications necessary for their role.

This framework will allow your organisation to modernise with secure remote working and hybrid cloud environments, and to keep your security posture protected at all times.

Threat detection and response

As you transform to the Cloud, business data that used to reside behind a corporate firewall comes to reside in cloud platforms, and the perimeter shifts with it.

The removal of these traditional barriers means it’s harder to protect against attackers by preventing access from outside locations – the line between ‘inside’ and ‘outside’ is blurred.

Tools are required to identify threats and correlate these threat indicators against the Cloud platforms where your business data resides.

This is needed to further analyse your environment and user behaviour to respond rapidly to abnormal behaviour or malicious activities.

With traditional barriers removed, your organisation’s attack surface has expanded massively and now includes the following:

  • Internet of Things (IoT) devices.
  • Remote working (including unsecured home routers).
  • Employee mobiles and tablets or Bring Your Own Devices (BYOD).
  • Multi-cloud platforms.
  • Platform as a Service (PaaS).
  • Software as a Service (SaaS).

All these cloud working solutions have given hackers new ways to infiltrate your company data. Your threat response must leverage the power of the Cloud itself to keep up – and it has to easily integrate with your threat detection software.

A great example of this would be Microsoft 365 Defender integrating easily with Microsoft Sentinel.

Using cutting-edge extended detection and response (XDR) solutions that combine threat visibility and response will be crucial in protecting you from continually evolving threats.

Asset protection

The key assets of your organisation are stored in fileservers, databases, and virtual machines.

During your cloud transformation journey, the security model and protection of these assets must be embedded into your cloud adoption framework.

This ensures that as you transform from fileservers to SharePoint sites or Azure files you maintain the security of that asset.

As you move to cloud-hosted and managed databases, known as Database-as-a-Service (DaaS), you keep the data secure by ensuring private endpoints are used.

A container is a standard unit of software that packages up code and everything it needs to run so the application runs quickly and reliably from one computing environment to another.

Moving virtual machines to containers, such as Docker containers, ensures the same level of governance and security is applied to the asset.

Furthermore, information protection policies need to be designed and deployed to ensure data is secure when leaving the organisation. Using labels and classifications can help protect that data.

Without robust data protection measures in place, you run the risk of falling foul of compliance regulations. There’s an increasing number of regulations that require your organisation to know exactly where your data is stored, who has access to it, how it’s processed, and how it’s protected.

Failing to meet (and prove you meet) these compliance obligations can be incredibly costly.

For example, infringing UK GDPR regulations can be met with a maximum fine of £17.5 million or 4% of annual global turnover. The EU sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater.

The ICO has also proven that they aren’t at all lax in the enforcement of penalties against any company that is in breach of data protection regulations.

Identity and governance

The natural shift from hosting applications on-premises to hosting applications in the Cloud means that identity needs to be verified and challenged by multiple factors.

Increasingly, business assets aren’t being accessed by employees within a corporate office.

With more and more applications offering the ability for single sign-on, your identity and access management (IDAM) must provide the security requirements for a modern workplace.

The IDAM solution must be flexible to allow security controls across a hybrid environment and multi-cloud platforms. A fantastic example of this is Azure AD.

Azure AD is a cloud-native identity and access management service that gives your employees access to external resources and applications. These include Microsoft 365, the Azure portal, and thousands of other Software-as-a-Service (SaaS) applications.

It can also be configured to work with an on-premises Active Directory. This helps employees access internal resources like apps on your intranet.

Multi-factor authentication (MFA) provides an extra layer of security and verification. You’ll know the answers to two questions:

  • Are users genuine?
  • Are they only accessing what they’re permitted to?

Innovation security

Your cloud transformation will be an ongoing process.

More workloads will be modernised over time. To ensure you’re protected against cyber attacks during these processes, innovation security through DevSecOps needs to be implemented and understood throughout the business.

DevSecOps stands for development, security, and operations. It’s an approach to culture, automation, and platform design, integrating security as a shared responsibility throughout the entire IT lifecycle.

This protects workloads and important data throughout the application modernisation journey, rather than only once application development is finished. Security needs to be woven into the development cycle.

How to bake these areas into a secure cloud transformation

The key to developing these areas is to focus on the security controls that need to be in place when moving from on-premises architecture to single or multi-cloud hybrid architecture.

We hear the same key questions all the time:

  • Where do you place these controls as you transform to the Cloud?
  • How do you protect your business assets, such as databases, fileservers, SaaS, and PaaS offerings?
  • When you move a database from an on-premises architecture and transform it to DaaS, how can you protect it?

The focus should be on the technical assets rather than on the concepts of zero trust, threat detection, identity, and governance.

The secure cloud adoption framework ensures:

  • Private endpoints are used by default
  • Encryption is configured
  • Cloud Defender is auto deployed
  • Correct backup and retention settings are applied

This is configured within the framework using policies and automation.
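The baseline listed above, expressed as policy-as-code that gates a deployment request. This is an added example, not Kocho's S-CAF implementation: the resource field names, the 30-day retention minimum, and the choice of which controls block a deployment and which are fixed automatically are all assumptions.

```python
# Added example; field names and thresholds are hypothetical, not a cloud provider's schema.
MIN_RETENTION_DAYS = 30  # assumed organisational minimum

# (control, resource kinds in scope, compliance predicate, effect when non-compliant)
# "deny" blocks the deployment; "remediate" allows it and queues an automatic fix.
BASELINE = [
    ("private-endpoint", {"database", "storage"},
     lambda r: r.get("public_network_access") == "Disabled" and bool(r.get("private_endpoints")),
     "deny"),
    ("encryption", {"database", "storage", "vm"},
     lambda r: r.get("encryption_at_rest") is True, "deny"),
    ("defender", {"database", "storage", "vm"},
     lambda r: r.get("defender_enabled") is True, "remediate"),
    ("backup-retention", {"database", "vm"},
     lambda r: ((r.get("backup") or {}).get("retention_days") or 0) >= MIN_RETENTION_DAYS,
     "remediate"),
]
KNOWN_KINDS = set().union(*(kinds for _, kinds, _, _ in BASELINE))

def evaluate(resource):
    """Return (allowed, denied_controls, remediations) for one deployment request.

    A missing field counts as non-compliant and an unrecognised resource kind is
    denied, so a self-service request that omits a setting fails closed.
    """
    if resource.get("kind") not in KNOWN_KINDS:
        return (False, ["unknown-kind"], [])
    denied, remediate = [], []
    for control, kinds, compliant, effect in BASELINE:
        if resource["kind"] not in kinds or compliant(resource):
            continue
        (denied if effect == "deny" else remediate).append(control)
    return (not denied, denied, remediate)

# Constructed sample requests.
REQUESTS = [
    {"name": "sql-orders", "kind": "database", "public_network_access": "Disabled",
     "private_endpoints": ["pe-orders"], "encryption_at_rest": True,
     "defender_enabled": True, "backup": {"retention_days": 35}},
    {"name": "sql-selfservice", "kind": "database", "public_network_access": "Enabled",
     "encryption_at_rest": True, "backup": {"retention_days": 7}},
    {"name": "files-hr", "kind": "storage", "public_network_access": "Disabled",
     "private_endpoints": ["pe-hr"], "encryption_at_rest": True},
]

if __name__ == "__main__":
    for req in REQUESTS:
        allowed, denied, fixes = evaluate(req)
        print(f'{req["name"]}: allowed={allowed} denied={denied} remediate={fixes}')
```

Running the same check in the deployment pipeline and on a schedule against existing resources catches both new misconfigurations and drift.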

The role of development, security, and operations (DevSecOps)

DevSecOps provides a key driver in the innovation security space. Developers are crucial to the success of a secure cloud transformation and they are ignored at your peril.

It’s also critical that security controls and measures are put into the S-CAF model.

Due to the nature of cloud platforms, applications and services can be provisioned quickly via self-service portals. It’s even more important that any misconfigurations are detected and mitigated against.

DevSecOps provides this foundation, along with the assurance that security is embedded throughout the cloud transformation journey.

Policies need to be set at the architecture level so they can evolve alongside the cloud transformation journey.

These policies need to be dynamic and the correct areas for your applications and data (also known as ‘landing zones’) need to be provisioned to ensure a secure infrastructure.


The S-CAF is built to trust AI and threat detection systems. Moving forward, your organisation needs to trust these systems and ensure they are deployed correctly. It’s simply not realistic to have humans monitoring all the security logs coming into the organisation.

Once you have developed the S-CAF to provide the correct security controls as you move into the Cloud, the tooling can be evaluated.

The purpose of the S-CAF is to make sure you have the correct security controls in place for a successful cloud transformation at every stage.

Insulating yourself from the dangers of an open internet is no longer just about putting up a border and stopping people from crossing it. Transforming to the Cloud demands a more agile, modern approach – and hopefully, we’ve shown you what that looks like here.

Key takeaways

  • The explosion in cloud transformation was accelerated by the pressures of the pandemic requiring employees to work remotely.

  • Work from home and hybrid offices are not a blip, they are here to stay. As a result, cloud transformation needs to be done with security in mind.

  • Security in the Cloud presents unique challenges compared to traditional on-premises security where everything sat behind a firewall.

  • There are five main pillars behind secure cloud transformation: adopting a zero trust mindset, threat detection and response, asset protection, identity and governance, and innovation security.

  • DevSecOps is a crucial component of cloud transformation, and implementing it properly will bake security into every level and stage.



David Guest

Solution Architect & Technology Evangelist

David is responsible for developing identity, Microsoft 365 security, and other cloud service solutions – and keeping our clients abreast of the latest technology trends.
