This curriculum spans the technical, operational, and governance dimensions of cloud migration with a scope and granularity comparable to a multi-phase internal capability program delivered across a large organisation’s infrastructure and security teams.
Module 1: Strategic Assessment and Cloud Readiness
- Evaluate existing on-premises workloads for cloud suitability based on performance dependencies, data gravity, and compliance constraints.
- Conduct application portfolio analysis to classify systems by migration complexity (e.g., lift-and-shift, refactor, retire).
- Define business KPIs for migration success, including TCO reduction targets and system availability benchmarks.
- Assess organizational readiness by auditing internal skill gaps in cloud operations and security.
- Select migration scope by prioritizing non-customer-facing systems for initial pilot migrations.
- Negotiate data egress cost implications with cloud providers during contract scoping.
- Establish a cross-functional migration governance board with representation from IT, security, and finance.
- Document legacy system interdependencies using network flow analysis and configuration management databases.
Module 2: Cloud Provider Selection and Contract Negotiation
- Compare SLA terms across AWS, Azure, and GCP for mission-critical workloads, focusing on uptime guarantees and penalty structures.
- Negotiate enterprise discount agreements based on committed spend, factoring in reserved instance utilization forecasts.
- Validate regional compliance alignment (e.g., GDPR, HIPAA) before selecting cloud regions for data residency.
- Assess multi-cloud management tooling compatibility with existing monitoring and identity systems.
- Define exit strategies and data portability requirements in provider contracts to avoid lock-in.
- Compare managed service capabilities across providers for databases, Kubernetes, and AI/ML workloads.
- Evaluate provider-specific integration with existing enterprise identity providers (e.g., Active Directory).
- Quantify network latency differences between provider edge locations and user populations.
Module 3: Network Architecture and Connectivity Design
- Design hybrid DNS strategies to resolve on-premises and cloud resources during phased migration.
- Implement AWS Direct Connect or Azure ExpressRoute with redundant circuits and BGP failover.
- Size transit gateways or cloud routers based on peak inter-VPC and on-premises traffic patterns.
- Configure DNS forwarding rules to support split-horizon resolution during cutover.
- Segment cloud workloads using VPC peering or shared services hubs with strict routing policies.
- Enforce encryption for data in transit using TLS 1.3 and IPsec for site-to-site tunnels.
- Plan for asymmetric routing scenarios in multi-region active-passive deployments.
- Implement bandwidth throttling for non-critical data transfers to preserve production performance.
Module 4: Identity, Access, and Privilege Management
- Integrate cloud IAM with on-premises identity providers using SAML or SCIM for just-in-time provisioning.
- Enforce least-privilege access by mapping existing AD groups to cloud roles with boundary conditions.
- Implement cross-account IAM roles with trust policies to limit lateral movement.
- Rotate long-lived access keys using automated credential rotation workflows.
- Define service account governance policies for non-human identities in containerized environments.
- Enable detailed CloudTrail or Azure Activity Log integration with SIEM for privilege escalation detection.
- Configure conditional access policies based on IP location, device compliance, and MFA status.
- Establish break-glass account procedures with time-limited access and mandatory dual approval.
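
One way to audit the cross-account trust policies this module calls for, as an added example that is not part of the curriculum: the policy documents and account id below are constructed, and the set of scoping condition keys is an assumption about what the organisation requires before a foreign principal may assume a role.

```python
# Added example, not from the page: audit AWS IAM role trust policies for statements
# that let other accounts assume the role more broadly than intended. The policy
# documents are constructed sample data and THIS_ACCOUNT is an assumed account id.
THIS_ACCOUNT = "111111111111"
SCOPING_KEYS = {"sts:ExternalId", "aws:PrincipalOrgID", "aws:PrincipalArn"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Flatten the Principal element ("*" or {"AWS": ...}) into a list of strings."""
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else [p for v in principal.values() for p in _as_list(v)]

def _account_of(principal):
    """Account id for an ARN or bare 12-digit account principal, else ''."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else ""

def audit_trust_policy(doc):
    """Return (severity, message) findings for one trust policy document."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        # A foreign principal is acceptable only when the statement also pins who may
        # assume the role (ExternalId, organisation membership, or an explicit caller ARN).
        keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        scoped = bool(keys & SCOPING_KEYS)
        for principal in _principals(stmt):
            account = _account_of(principal)
            if principal == "*":
                findings.append(("HIGH", f"statement {i}: wildcard principal"))
            elif account and account != THIS_ACCOUNT and not scoped:
                findings.append(("MEDIUM", f"statement {i}: cross-account principal "
                                           f"{principal} assumable without a scoping condition"))
    return findings

RISKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:role/Migrator"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "constructed-example-id"}}}]}
```

Service principals and same-account federated principals (for example a SAML provider) produce no finding, since they are not cross-account assumptions.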
Module 5: Data Migration and Storage Strategies
- Select between online and offline data transfer methods (e.g., Snowball, Azure Data Box) based on data volume and RTO.
- Validate data integrity post-migration using cryptographic checksum comparisons.
- Implement tiered storage policies using lifecycle rules to move data from hot to cold storage.
- Encrypt data at rest using customer-managed keys (CMKs) with key rotation schedules.
- Design cross-region replication for critical databases with conflict resolution protocols.
- Assess performance impact of storage backend choices (e.g., EBS gp3 vs. io2) on application latency.
- Plan for schema migration when moving from on-premises RDBMS to managed cloud database services.
- Establish data retention and deletion workflows aligned with legal hold requirements.
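
The post-migration integrity check this module describes, as an added example that is not part of the curriculum: a SHA-256 manifest is taken on the source side before transfer and compared against the destination, with the sample files in `demo()` constructed to show each failure class (lost, altered, unexpected).

```python
# Added example, not from the page: verify a migrated dataset against a SHA-256
# manifest taken on the source side, reporting files that are missing, unexpected,
# or whose content changed in transit. The files in demo() are constructed.
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large objects are hashed without loading them whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each relative path under root (posix separators) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def compare_manifests(source, destination):
    """Sorted lists of paths missing at, unexpected at, or corrupted at the destination."""
    return {
        "missing": sorted(set(source) - set(destination)),
        "extra": sorted(set(destination) - set(source)),
        "mismatch": sorted(p for p in source if p in destination and source[p] != destination[p]),
    }

def demo():
    """Constructed scenario: one file lost, one altered and one stray file at the target."""
    files = {"db/dump.sql": b"CREATE TABLE t (id INT);\n" * 100,
             "logs/app.log": b"2024-01-01 INFO started\n" * 50,
             "config/app.ini": b"[app]\nmode=prod\n"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for root in (src, dst):
            for rel, data in files.items():
                os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
                with open(os.path.join(root, rel), "wb") as fh:
                    fh.write(data)
        source_manifest = build_manifest(src)           # taken before transfer
        os.remove(os.path.join(dst, "logs/app.log"))    # lost in transfer
        with open(os.path.join(dst, "config/app.ini"), "ab") as fh:
            fh.write(b"debug=true\n")                   # altered in transfer
        with open(os.path.join(dst, "stray.tmp"), "wb") as fh:
            fh.write(b"scratch")                        # unexpected leftover
        return compare_manifests(source_manifest, build_manifest(dst))
```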
Module 6: Application Refactoring and Modernization
- Decompose monolithic applications into microservices using domain-driven design principles.
- Migrate stateful applications by externalizing session storage to managed Redis or database services.
- Containerize legacy applications using Docker with minimal configuration changes for lift-and-shift.
- Implement API gateways to manage versioning and rate limiting for refactored services.
- Adapt configuration management to cloud-native patterns using parameter stores or secrets managers.
- Refactor batch jobs to use serverless functions with event-driven triggers and timeout handling.
- Integrate health checks and readiness probes for Kubernetes orchestration compatibility.
- Modify logging pipelines to forward structured logs to cloud-native observability platforms.
Module 7: Security, Compliance, and Audit Controls
- Deploy cloud security posture management (CSPM) tools to detect misconfigurations in real time.
- Implement network security groups and firewall rules with least-permissive inbound/outbound rules.
- Conduct penetration testing under provider-approved scopes and disclosure policies.
- Map cloud controls to compliance frameworks (e.g., SOC 2, ISO 27001) using automated compliance dashboards.
- Enforce encryption standards through policy-as-code using AWS Config or Azure Policy.
- Isolate PCI-DSS workloads in dedicated accounts or subscriptions with restricted access paths.
- Conduct forensic readiness planning by preserving disk snapshots and logging artifacts.
- Implement DDoS protection at the edge using cloud provider CDN and WAF services.
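
A small posture check of the kind the CSPM and least-permissive-rule items in this module call for, as an added example that is not part of the curriculum: the security-group records are constructed sample data in the shape of AWS `IpPermissions`, and the two port sets encode an assumed policy that only the edge tier listens on the internet.

```python
# Added example, not from the page: a posture check over security-group inbound
# rules, in the spirit of Module 7's CSPM and least-permissive items. Rule records
# are constructed sample data shaped like AWS IpPermissions; the port sets are assumptions.
import ipaddress

PUBLIC_PORTS_ALLOWED = {443}   # assumed: only the edge tier may listen to the internet
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 6379, 27017}

def _cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def _ports(perm):
    """Port set covered by the rule, or None when it covers every protocol/port."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))

def check_security_group(group):
    """Return (severity, message) findings for one group's inbound permissions."""
    findings, name = [], group["GroupName"]
    for perm in group.get("IpPermissions", []):
        ports = _ports(perm)
        for cidr in _cidrs(perm):
            world = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
            if ports is None:
                findings.append(("HIGH" if world else "LOW",
                                 f"{name}: all protocols open to {cidr}; scope to needed ports"))
            elif world and ports & SENSITIVE_PORTS:
                findings.append(("HIGH", f"{name}: {sorted(ports & SENSITIVE_PORTS)} "
                                         f"exposed to {cidr}"))
            elif world and not ports <= PUBLIC_PORTS_ALLOWED:
                findings.append(("MEDIUM", f"{name}: non-edge ports open to {cidr}"))
    return findings

SAMPLE_GROUPS = [
    {"GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "edge-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]

if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        print(group["GroupName"], check_security_group(group))
```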
Module 8: Monitoring, Observability, and Incident Response
- Configure centralized logging with deduplication and retention policies across hybrid environments.
- Define SLOs and error budgets for cloud services using Prometheus or Cloud Monitoring metrics.
- Instrument applications with distributed tracing to diagnose latency across microservices.
- Set up alerting thresholds based on historical baselines to reduce false positives.
- Integrate incident response runbooks with cloud-native event triggers and paging systems.
- Validate backup and restore procedures for cloud-native databases and file systems.
- Conduct chaos engineering experiments to test failover mechanisms in staging environments.
- Optimize monitoring costs by filtering low-value telemetry at the source.
Module 9: Cost Management and Optimization
- Implement tagging strategies for cost allocation across departments, projects, and environments.
- Use reserved instance and savings plan recommendations based on 30-day utilization patterns.
- Right-size overprovisioned VMs using performance telemetry and autoscaling baselines.
- Enforce budget alerts with automated actions (e.g., stop non-production instances) at threshold breaches.
- Compare spot instance risk profiles across providers for fault-tolerant batch workloads.
- Optimize data transfer costs by caching content at the edge and minimizing cross-region replication.
- Decommission orphaned resources (e.g., unattached disks, idle load balancers) using automated cleanup jobs.
- Conduct monthly cost review meetings with stakeholders using chargeback reports.