Mapping of On-Premises Security Controls vs. Major Cloud Providers Services

By Adrian Grigorof, CISSP, CRISC, CISM, CCSK and Marius Mocanu, CISSP, CISM, C|EH, SCF
Last update: July 9, 2019

The migration of on-premises applications to the cloud invariably are followed by the replication of the functionality of security controls to cloud-based equivalents. However, the demarcation of these controls tend to blur in the cloud, with functionality overlapping, becoming more granular and offered at different tiers.

This chart should be used as a high level view of cloud security controls that could be used to replicate the on-prem functionality.

Firewall & ACLs Security Groups

AWS Network ACLs
Network Security Groups

Azure Firewall
Cloud Armor

VPC Firewall
VCN Security Lists Cloud Security Groups NAT Gateway
IPS/IDS 3rd Party Only Azure Firewall 3rd Party Only 3rd Party Only 3rd Party Only Anti-Bot Service

Website Threat Inspector
Web Application Firewall

AWS Firewall Manager
Application Gateway Cloud Armor Oracle Dyn WAF Cloud Internet Services Web Application Firewall
Log Analytics
AWS Security Hub

Amazon GuardDuty
Azure Sentinel

Azure Monitor
Chronicle Backstory

Event Threat Detection
Oracle Security Monitoring and Analytics IBM Log Analysis

Cloud Activity Tracker
Antimalware 3rd Party Only Microsoft Antimalware

Azure Security Center
3rd Party Only 3rd Party Only 3rd Party Only Server Guard
Data Loss Prevention
Amazon Macie Information Protection
Cloud Data Loss Prevention API 3rd Party Only 3rd Party Only Web Application Firewall
File Integrity Monitoring
3rd Party Only Azure Security Center 3rd Party Only 3rd Party Only 3rd Party Only 3rd Party Only
Key Management Key Management Service KMS) Key Vault Cloud Key Management Service Cloud Infrastructure Key Management Key Protect

Cloud Security
Key Management Service
Encryption At Rest EBS/EFS Volume Encryption

Storage Encryption for Data at Rest Part of Google Cloud Platform Cloud Infrastructure Block Volume Hyper Protect Crypto Services Object Storage Service
DDoS Protection AWS Shield Built-in DDoS defense Cloud Armor Built-in DDoS defense Cloud Internet Services Anti-DDoS
Email Protection 3rd Party Only Office Advanced Threat Protection Various controls embeded in G-Suite 3rd Party Only 3rd Party Only 3rd Party Only
SSL Decryption
Reverse Proxy
Application Load Balancer Application Gateway HTTPS Load Balancing 3rd Party Only Cloud Load Balancer Server Load Balancer (SLB)
Endpoint Protection 3rd Party Only Microsoft Defender ATP 3rd Party Only 3rd Party Only 3rd Party Only Server Guard
Certificate Management AWS Certificate Manager Key Vault 3rd Party Only 3rd Party Only Certificate Manager Cloud SSL Certificates Service
Container Security Amazon EC2 Container Service (ECS) Azure Container Service (ACS) Kubernetes Engine Oracle Container Services Containers - Trusted Compute Container Registry
Identity and Access Management Identity and Access Management (IAM) Azure Active Directory Cloud Identity

Cloud IAM
Oracle Cloud Infrastructure IAM Cloud IAM

App ID
Resource Access Management
Privileged Access Management (PAM) 3rd Party Only Azure AD Privileged Identity Management 3rd Party Only 3rd Party Only 3rd Party Only 3rd Party Only
Multi-Factor Authentication AWS MFA (part of AWS IAM) Azure Active Directory Security Key Enforcement Oracle Cloud Infrastructure IAM App ID Resource Access Management
Centralized Logging


S3 Bucket Logging
Azure Audit Logs Stackdriver Logging

Access Transparency
Oracle Cloud Infrastructure Audit Log Analysis with LogDNA Log Service
Load Balancer Application Load Balancer

Classic Load Balancer
Azure Load Balancer Cloud Load Balancing

HTTPS Load Balancing
Cloud Infrastructure Load Balancing Cloud Load Balancer Server Load Balancer
LAN Virtual Private Cloud (VPC) Virtual Network Virtual Private Cloud Network Virtual Cloud Network (VCN) VLANs Virtual Private Cloud (VPC)
WAN Direct Connect ExpressRoute Dedicated Interconnect FastConnect Direct Link VPN Gateway

Express Connect
VPN VPC Customer Gateway

AWS Transit Gateway
Virtual Network

Google VPN Dynamic Routing

Gateway (DRG)

Secure Gateway
VPN Gateway
Governance Risk and Compliance Monitoring AWS Security Hub

AWS Compliance Center
Azure Security Center

Azure Policy
Cloud Security Command Center 3rd Party Only 3rd Party Only ActionTrail
Backup and Recovery AWS Backup

Amazon S3 Glacier
Azure Backup

Azure Site Recovery
Object Versioning

Cloud Storage Nearline
Archive Storage IBM Cloud Backup Hybrid Backup Recovery
Vulnerability Assessment Amazon Inspector

AWS Trusted Advisor
Azure Security Center Cloud Security Scanner Security Vulnerability Assessment Service Cloud Security Advisor

Vulnerability Advisor
Server Guard

Website Threat Inspector
Patch Management AWS Systems Manager Azure Security Center

Update Management
3rd Party Only IBM Cloud Orchestrator 3rd Party Only 3rd Party Only
Change Management AWS Config Azure Automation (Change Tracking) 3rd Party Only 3rd Party Only 3rd Party Only Application Configuration Management (ACM)

High-definition PDF:
Vector image format (SVG):