Cloud Security
Azure
Zero Trust
Microsoft Security Pro

Securing Apps and Data:
Fabrikam Inc.

Organization

Fabrikam Inc. — U.S. e-commerce · Azure + AWS

Status

Completed

01 // Environment Overview

Fabrikam runs a microservices architecture deployed across Azure Kubernetes Service (AKS) and Amazon EKS, authenticated via OpenID Connect and OAuth 2.0.

Customer data is stored in Azure SQL Database and Cosmos DB. CI/CD runs through GitHub Actions with automatic deployment on successful builds.

Architecture Flow

  • GitHub Actions
  • AKS + EKS
  • Azure Container Registry
  • Azure SQL + Cosmos DB
  • Sentinel + Defender for Cloud

02 // Threat Analysis

Credential Exposure

Static Kubernetes secrets and long-lived tokens with manual rotation create persistent credential theft risk.

Excessive Privileges

Overly permissive IaC templates deploy excessive RBAC roles that are discovered only after deployment.

CI/CD Supply Chain Attack

Malicious dependencies and compromised GitHub Actions workflows can bypass pre-deployment security checks.

Kubernetes Misconfiguration

Admission policy failures allow privileged containers, HostPath mounts, and missing network policies.

Public Database Exposure

Azure SQL and Cosmos DB on public endpoints remain exposed despite TLS encryption in transit.

Open Source Dependency Risk

Unmanaged community packages and the absence of centralized scanning create Log4Shell-class exposure.

03 // Security Controls

Preventive

  • Azure Policy
  • Managed Identities
  • Private Link
  • RBAC
  • IaC Scanning (Checkov/tfsec)
  • GitHub Advanced Security
  • Workload Identity Federation

Detective

  • Defender for Cloud
  • Microsoft Sentinel
  • Azure Monitor
  • Anomaly Detection
  • OAuth Abuse Detection
  • Defender for Cloud Apps

Corrective

  • Automated Remediation Playbooks
  • Incident Response Workflows
  • Continuous Compliance Monitoring
  • Defender XDR Correlation

04 // Zero Trust Mapping

Verify Explicitly
  • Entra MFA
  • Conditional Access
  • App Registrations
  • Enterprise Applications

Least Privilege
  • Azure RBAC
  • Managed Identities
  • Workload Identities
  • Azure Policy

Assume Breach
  • Microsoft Sentinel
  • Defender XDR
  • Continuous Monitoring
  • Threat Hunting

05 // Before vs After Architecture

BEFORE

Original Fabrikam architecture — pre-remediation

AFTER

Hardened solution architecture — post-remediation

Original Posture
  • Static Kubernetes secrets
  • Manual secret rotation
  • Public database endpoints
  • Team-specific, siloed monitoring
  • No IaC validation before deployment
  • Developer-dependent secret scanning
  • Inconsistent incident response
Hardened Architecture
  • Managed Identities + Workload Identity Federation
  • Azure Key Vault + automated rotation
  • Private Link for all databases
  • Centralized Microsoft Sentinel SIEM
  • Checkov/tfsec gates in CI/CD pipeline
  • GitHub Advanced Security secret scanning
  • Unified Defender XDR response playbooks
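As an added illustration (not Fabrikam's or the author's code) of the pre-deployment checks behind the "Kubernetes Misconfiguration" finding and the CI/CD gates in the hardened architecture: a small policy check, run over constructed sample manifests, that flags privileged containers, hostPath mounts, hostNetwork and namespaces that ship workloads without any NetworkPolicy. Manifest names and namespaces are made up for the example.

```python
"""Pre-deployment gate emulating the admission checks the hardened
pipeline enforces: privileged containers, hostPath mounts, hostNetwork and
namespaces with workloads but no NetworkPolicy.
All manifests below are constructed samples, not real Fabrikam workloads."""

def workload_findings(doc):
    """Return policy violations for one Pod-like manifest (a dict)."""
    findings = []
    meta = doc.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    spec = doc.get("spec", {})
    # Deployments/StatefulSets nest the pod spec under spec.template.spec;
    # a bare Pod keeps it at spec.
    pod = spec.get("template", {}).get("spec", spec)
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container '{c['name']}'")
    for v in pod.get("volumes", []):
        if "hostPath" in v:
            findings.append(f"{name}: hostPath mount '{v['hostPath'].get('path')}'")
    if pod.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork enabled")
    return findings

def gate(docs):
    """Evaluate a bundle of manifests; an empty result means the gate passes."""
    findings, ns_has_policy, ns_with_workloads = [], set(), set()
    for d in docs:
        ns = d.get("metadata", {}).get("namespace", "default")
        if d.get("kind") == "NetworkPolicy":
            ns_has_policy.add(ns)
        elif d.get("kind") in ("Pod", "Deployment", "StatefulSet", "DaemonSet"):
            ns_with_workloads.add(ns)
            findings.extend(workload_findings(d))
    for ns in sorted(ns_with_workloads - ns_has_policy):
        findings.append(f"namespace '{ns}' has workloads but no NetworkPolicy")
    return findings

# Constructed sample bundle: one non-compliant deployment, one compliant one.
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "checkout", "namespace": "shop"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "app", "image": "checkout:1.0",
                         "securityContext": {"privileged": True}}],
         "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}]}}}},
    {"kind": "Deployment", "metadata": {"name": "catalog", "namespace": "catalog"},
     "spec": {"template": {"spec": {"containers": [{"name": "app", "image": "catalog:1.0"}]}}}},
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "catalog"}},
]

if __name__ == "__main__":
    for f in gate(SAMPLE):
        print("FAIL:", f)
```

Wired into a GitHub Actions job, a non-empty result fails the build before anything reaches AKS or EKS, which is the shift from post-deployment discovery to pre-deployment enforcement the page describes.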

06 // Key Takeaway

"The biggest security improvement was not a specific tool — it was the transition from static credentials and manual reviews to federated identity, centralized governance, and continuous automated enforcement across the entire deployment pipeline."

© 2026 Anagha Shyama Prakash • Cloud Security & Zero Trust Research Archive