Strategies and techniques for securely migrating data to the cloud.

Practical strategies and security‑first techniques for migrating data to the cloud, enabling compliant, resilient, and scalable transformation while minimizing risks during cloud adoption.

Over the past decade, cloud computing has evolved from a purely technological advantage into a core foundation for the survival and growth of modern enterprises. This transition goes far beyond a simple shift in cost structure—from capital expenditure (CapEx) to operational expenditure (OpEx)—and has become a powerful enabler of innovation, elastic scalability, and faster time‑to‑market.

However, as data—the most valuable asset of any organization—moves out of the physical “safe zone” of on‑premises data centers and into virtualized cloud infrastructures, enterprises face a fundamental security paradox. While cloud platforms provide more advanced and mature security capabilities, the migration phase itself is the moment when data is most vulnerable to risks such as loss, leakage, and cyberattacks.

In the Vietnamese market, this trend is accelerating rapidly, particularly among mid‑market enterprises and within the financial and banking sectors, where competitive pressure is forcing organizations to accelerate digital transformation initiatives. Nevertheless, empirical evidence shows that many enterprises still approach security with a “fix‑after‑the‑fact” mindset (“better late than never”) rather than adopting a “secure by design” philosophy.

Multiple studies indicate that security considerations are often deprioritized during the early stages of cloud migration projects, only receiving attention after regulatory intervention or following a security incident. This practice leads to the accumulation of significant security technical debt, posing long‑term threats to system stability, operational resilience, and regulatory compliance.

This report delivers a comprehensive and in‑depth analysis of secure cloud data migration, focusing on both strategic and technical dimensions. It addresses:

  • Critical technical challenges associated with cloud data migration
  • Vietnam‑specific regulatory and compliance requirements (notably Decree No. 53 on cybersecurity and Decree No. 13 on personal data protection)
  • Security architecture optimization across leading cloud platforms, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)

The objective is to provide enterprises with a structured, security‑first framework for migrating data to the cloud—one that balances agility, compliance, and risk management while enabling sustainable digital transformation.

1. Legal and Compliance Framework: Data Localization and Protection Strategy in Vietnam

The complexity of data migration is not limited to technical execution alone—it is heavily shaped by legal requirements around data sovereignty and privacy. In Vietnam, any cloud migration strategy must be designed in strict alignment with two critical regulatory instruments: Decree No. 53/2022/NĐ‑CP and Decree No. 13/2023/NĐ‑CP.

1.1. Decree No. 53/2022/NĐ‑CP: Data Localization and Commercial Presence Requirements

Effective since October 1, 2022, Decree 53 provides detailed guidance on the implementation of the Cybersecurity Law, introducing clear data localization requirements. This is typically the first regulatory barrier that solution architects need to consider when designing cloud data flows.

Scope of Applicability and Responsibilities

The Decree does not apply uniformly to all enterprises; instead, it draws a clear distinction between domestic enterprises and foreign service providers.

Domestic enterprises
This group includes companies established under Vietnamese law, including FDI enterprises. These organizations are subject to the strictest requirements and must store regulated data locally within Vietnam.
Practically, this means that when migrating to the cloud, enterprises must:

  • Prioritize cloud regions or availability zones located within Vietnam, or
  • Adopt Hybrid Cloud architectures to keep sensitive datasets on‑premises or in local private clouds.

Foreign enterprises providing cross‑border services
Entities offering services such as telecommunications, e‑commerce, or online payments are only required to localize data and establish a branch or representative office in Vietnam when all three triggering conditions are met:

1. Their services are used to violate Vietnam’s cybersecurity regulations
2. A formal request has been issued by the Department of Cybersecurity (A05)
3. The enterprise fails to comply fully with the request

This conditional framework significantly affects how global cloud providers and SaaS platforms structure their Vietnam market entry strategies.

Mandatory Data Categories

Article 26 of Decree 53 clearly defines three categories of data that must be stored domestically, forming the basis for data classification prior to migration:

1. Personal data – Identifiable information of users accessing services in Vietnam
2. User‑generated data – Including account names, session timestamps, credit card details, email addresses, IP login/logout records, and registered phone numbers
3. Relationship data – Information about user relationships, group memberships, and interactions in digital environments

Retention Periods and Implementation Timelines

  • Minimum data retention period: 24 months
  • System logs required for investigations: minimum 12 months
  • Foreign enterprises have 12 months from receiving a formal request from the Ministry of Public Security to complete infrastructure setup and establish commercial presence in Vietnam

1.2. Decree No. 13/2023/NĐ‑CP: Personal Data Protection and Cross‑Border Transfers

Decree 13 represents a major milestone in personal data protection in Vietnam. While it aligns broadly with GDPR‑style principles, it introduces country‑specific compliance mechanisms that organizations must carefully navigate.

Cross‑Border Data Transfer Impact Assessment (TIES)

One of the most significant challenges in adopting public cloud platforms with overseas data centers—such as AWS Singapore or Azure Hong Kong—is compliance with cross‑border data transfer regulations.

Data Controllers and Data Processors are required to prepare a Cross‑Border Personal Data Transfer Impact Assessment dossier, which must include:

  • A detailed description of data types, processing purposes, and transfer scope
  • A risk assessment of potential impacts on data subject rights
  • Security and protection measures implemented by the overseas data recipient
  • Contractual agreements that clearly allocate compliance responsibilities between transferring and receiving parties

This dossier must be available on demand for audits by the Ministry of Public Security, and a notification must be submitted within 60 days from the start of data processing activities. As a result, compliance checkpoints must be embedded directly into the migration planning phase, not treated as an afterthought.

Implications for Cloud Service Provider (CSP) Selection

Enterprises must prioritize CSPs that can demonstrably support compliance with these regulations.

  • Domestic CSPs such as VNG Cloud, Viettel IDC, and CyHome have rapidly achieved certifications like ISO 27018 and adapted their infrastructure to fully support in‑country data storage.
  • For global CSPs (AWS, Azure, GCP), Hybrid Cloud and Multi‑Cloud architectures have become the dominant approach:
    • Sensitive data (PII) remains on local infrastructure or private cloud
    • Non‑identifiable or low‑risk workloads leverage the scalability and compute power of international public clouds

This architectural pattern balances regulatory compliance with performance and innovation.

2. Migration Strategy and Risk Management: The 6‑R Model

Choosing the right migration strategy affects not only cost and performance, but also the organization’s security risk exposure. The “6 Rs” framework—Rehost, Replatform, Refactor, Repurchase, Retire, Retain—is widely recognized as the gold standard for structuring migration decisions.

Each approach carries a distinct risk profile, and effective cloud migration depends on matching the right strategy with appropriate security controls, governance models, and compliance safeguards. The following sections provide a detailed analysis of security risks and mitigation strategies associated with each migration path.

Table 2: Cloud Migration Strategies: Security Risks and Mitigation Overview

| Strategy | Definition & Mechanism | Business Value | Primary Security Risks | Mitigation Strategies |
|---|---|---|---|---|
| Rehost (Lift & Shift) | Move applications and workloads from on‑premises to IaaS cloud without changing source code. | Fastest migration speed; immediate CapEx reduction; suitable for short‑term modernization initiatives. | Inherited vulnerabilities from legacy systems; oversized resources; limited inherent cloud security controls; increased attack surface in public cloud environments. | Perform system hardening immediately after migration; leverage AWS Systems Manager or Azure Automation for baseline configuration; enforce Network Security Groups and micro‑segmentation. |
| Replatform (Lift, Tinker & Shift) | Partial optimization—e.g., migrating databases to AWS RDS / Azure SQL while retaining application logic. | Reduced operational burden (patching, backups); leverages basic cloud‑native capabilities without major refactoring. | Misconfiguration risks; incompatibilities between application and managed services; insecure connectivity between application and database layers. | Review SSL/TLS configurations end‑to‑end; enforce IAM‑based authentication; enable managed database security features. |
| Refactor (Re‑architect) | Redesign applications using cloud‑native architectures (serverless, microservices, containers). | Maximum scalability, resilience, and innovation velocity; deep integration with DevSecOps pipelines. | High complexity; increased exposure to new vulnerabilities (code injection, broken access control) if security is not embedded early. | Integrate SAST/DAST into CI/CD pipelines; deploy WAF and RASP (Runtime Application Self‑Protection); train development teams on DevSecOps practices. |
| Repurchase (Drop & Shop) | Replace legacy systems with SaaS platforms (e.g., Salesforce, Microsoft 365). | Always up‑to‑date functionality; rapid deployment; shifts infrastructure security responsibility to the vendor. | Loss of direct control; vendor dependence; risk of Shadow IT and data fragmentation. | Integrate SSO/MFA via centralized Identity Providers (IdP); assess vendor security posture (SOC 2, ISO 27001); use CASB solutions for data visibility and control. |
| Retire | Decommission applications that are obsolete or redundant. | Reduced attack surface; lower operating and maintenance costs. | Data loss risk; accidental deletion of data required for audits or future regulatory compliance. | Implement data archiving policies; move legacy data to cold storage (e.g., AWS Glacier, Azure Archive) prior to system shutdown. |
| Retain | Keep applications on‑premises due to technical constraints, regulatory requirements, or data localization mandates. | Maintains system stability; ensures compliance at low transformation cost. | Becoming a security bottleneck; limited scalability; exposure if legacy systems are not regularly patched. | Maintain incident response procedures; apply network segmentation between on‑prem and cloud environments; schedule frequent security assessments. |

In‑Depth Analysis: Security Technical Debt in Rehost (Lift‑and‑Shift) Migrations

Although Rehost remains the most commonly used strategy for large‑scale cloud migrations, it carries a hidden but material risk often referred to as Security Technical Debt.

When an organization migrates a legacy Windows Server 2008 R2 instance or an outdated Linux kernel to the cloud, it is not merely moving data and workloads—it is also transferring unpatched vulnerabilities into a new environment. In traditional on‑premises environments, these legacy systems are frequently protected by multiple layers of physical firewalls, internal network segmentation, and sometimes even air‑gapped architectures.

Once deployed in a public cloud environment, however, the security assumptions change fundamentally. If Security Groups or Network Access Control Lists (virtual firewalls) are misconfigured, these legacy servers may be directly exposed to the public internet. In this context, vulnerabilities that were previously mitigated by physical and network isolation can suddenly become exploitable.

For this reason, any Rehost strategy must be explicitly paired with a post‑migration modernization plan. This typically includes:

  • Operating system upgrades or in‑place patching
  • Network segmentation and zero‑trust controls
  • Gradual refactoring of high‑risk workloads

Without this follow‑up modernization, Rehost simply defers risk rather than reducing it, embedding security debt into the cloud environment and increasing long‑term exposure.

3. Technical Architecture: Network Connectivity and Data‑Path Security

In any cloud data migration model, network connectivity is the lifeline. The choice of connectivity method affects not only performance—latency, throughput, and reliability—but also the security posture of data in transit.

3.1. Internet VPN (Site‑to‑Site VPN): Flexible but Limited

Mechanism
A site‑to‑site VPN establishes an encrypted tunnel using IPsec over the public internet, securely connecting on‑premises infrastructure to cloud environments.

Strengths

  • Rapid deployment
  • Low upfront cost
  • No complex physical installations
  • Flexible scalability across multiple locations

Security and Performance Limitations

  • Traffic traverses the public internet, resulting in variable performance (jitter, packet loss)
  • Bandwidth is typically capped (often around 1.25 Gbps per tunnel)
  • While payloads are encrypted, VPN endpoints themselves can become targets of DDoS attacks, potentially disrupting availability

Recommended Use Cases

Internet VPNs are well‑suited for:

  • Small and medium‑sized enterprises (SMBs)
  • Proof‑of‑Concept (PoC) initiatives
  • Migration of low‑volume or non‑sensitive datasets

3.2. Dedicated Connectivity (Direct Connect / ExpressRoute / Interconnect): The Enterprise Standard

For large organizations—particularly banks and financial institutions—dedicated private connectivity is not optional; it is a prerequisite for meeting SLA, regulatory, and security requirements.

AWS Direct Connect & Azure ExpressRoute
These services provide private physical connections from customer data centers to cloud service provider (CSP) infrastructure, completely bypassing the public internet.

Key Advantages

  • High bandwidth capacity (up to 100 Gbps)
  • Low and predictable latency
  • Stronger security through physical network isolation

Encryption Considerations and the Role of MACsec

A common misconception is that dedicated connections are inherently secure by default. In reality, traditional Direct Connect or ExpressRoute traffic is not encrypted at the application or transport layer, unless applications explicitly implement SSL/TLS.

To achieve maximum security, particularly to protect against traffic eavesdropping at physical interconnection or colocation facilities, organizations should deploy MACsec (IEEE 802.1AE).

Why MACsec Matters

  • Provides Layer 2 (Data Link Layer) encryption
  • Secures data point‑to‑point between customer edge routers and CSP routers
  • Operates at wire speed, significantly outperforming IPsec on high‑bandwidth links (10 Gbps and above)
  • Ideal for regulated industries handling sensitive or mission‑critical data

When properly implemented, MACsec transforms dedicated connectivity from a performance‑focused solution into a defense‑in‑depth component of the enterprise security architecture.

Table 3: Comparison of Connectivity Options for Cloud Data Migration

| Criteria | Site‑to‑Site VPN | AWS Direct Connect / Azure ExpressRoute | Google Cloud Interconnect |
|---|---|---|---|
| Transmission Environment | Public internet (shared) | Dedicated private physical network | Dedicated private physical network |
| Default Security Model | IPsec encryption (Layer 3) | No built‑in encryption (private line) | No built‑in encryption (private line) |
| Advanced Encryption Options | Not applicable (encryption already via IPsec) | Supports MACsec (Layer 2) on 10/100 Gbps ports | Supports IPsec over Interconnect and MACsec for Dedicated Interconnect |
| Maximum Bandwidth | ~1.25 Gbps per tunnel | Up to 100 Gbps | Up to 100 Gbps |
| Latency | Variable, unpredictable | Low and consistent | Low and consistent |
| Cost Profile | Low (VPN service + data transfer charges) | High (port fees, cross‑connect charges, data transfer fees) | High |

4. Technical Migration Process: Tools and Methodologies

Selecting the right migration tooling is a critical success factor in any cloud transition. The choice of tools directly impacts data integrity, security posture, operational risk, and regulatory compliance throughout the migration lifecycle.

Leading cloud platforms provide purpose‑built migration toolsets, each designed around distinct architectural assumptions. As a result, these tools differ meaningfully in the way they handle data encryption, network isolation, access controls, validation mechanisms, and operational governance. A clear understanding of these differences is essential to making informed, risk‑aware decisions—particularly in regulated or data‑sensitive environments.

4.1. Comparing the Security Architectures of Migration Tools

From a consulting perspective, migration tools should not be evaluated solely on speed or automation. Instead, they must be assessed through a security‑by‑design lens, focusing on several core dimensions:

Operational Architecture
How replication agents, appliances, or APIs interact with source systems and target cloud environments—and how attack surfaces are exposed or minimized.

Data Protection Models
Encryption in transit and at rest, key‑management options (provider‑managed vs. customer‑managed keys), and resistance to interception or tampering.

Network Isolation and Access Control
Support for private connectivity (e.g., PrivateLink, VPC endpoints, service controls), firewall segmentation, and IP‑level restrictions to prevent unnecessary internet exposure.

Validation and Integrity Assurance
Built‑in checksum verification, reconciliation mechanisms, and auditability to ensure data accuracy and defensibility during compliance reviews.

Operational Oversight and Governance
Logging, monitoring, role separation, and compatibility with enterprise IAM and SecOps platforms.

In practice, no single tool is universally better than the others. The optimal choice depends on the organization’s migration strategy (Rehost, Replatform, Refactor), data classification, regulatory obligations, and operational maturity. Mature enterprises often adopt a hybrid tooling strategy, pairing different migration services to address distinct workload profiles.

When evaluated holistically, migration tools are not just execution utilities—they are a foundational security and governance layer within the broader digital transformation journey.

| Feature | AWS Application Migration Service (MGN) / AWS DataSync | Azure Migrate | Google Cloud Storage Transfer Service |
|---|---|---|---|
| Operational Architecture | DataSync: Source‑side agent establishes outbound TLS 1.2 connections to AWS. MGN: Uses a dedicated Replication Server in the target VPC to receive data over TCP port 1500. | Azure Migrate Appliance: An on‑premises intermediary virtual appliance that collects metadata and orchestrates replication workflows. Supports both agentless and agent‑based models. | Storage Transfer Service leverages containerized agents to move data into Google Cloud Storage (GCS). |
| Data Encryption | In transit: TLS 1.2. At rest: Encrypted EBS volumes by default on the Replication Server. | In transit: HTTPS (TLS 1.2+). At rest: Data encrypted using Microsoft‑managed keys or Customer‑Managed Keys (CMK). | In transit: HTTPS/TLS. At rest: Encryption with Google‑managed keys by default; supports Customer‑Managed Encryption Keys (CMEK). |
| Validation & Integrity Controls | DataSync supports three validation modes: Verify only transferred data, Verify all data, or None. Checksums are calculated at both source and destination. | Provides basic integrity validation during transfer; relies on destination storage checksums for verification. | Uses CRC32C checksums, calculated on‑the‑fly and compared against Cloud Storage metadata to ensure data consistency. |
| Network Access Controls | Supports VPC Endpoints (PrivateLink) to avoid public internet exposure. MGN allows Security Groups restricted to source IP ranges only. | Supports Private Endpoint connectivity for Discovery and Assessment phases. Outbound URL access can be tightly restricted via on‑premises firewalls. | Supports VPC Service Controls for perimeter security. Private data transfer via Interconnect or VPN; agents are shielded from public access. |

4.2. Agent‑Based vs. Agentless Migration Models: Which Is More Secure?

The debate between agent-based and agentless migration approaches has long been a central topic in discussions of secure cloud migration.

Agent‑Based Model (e.g., AWS Application Migration Service – MGN Agent)

Mechanism
A lightweight software agent is installed on each source server. This agent captures block‑level data changes directly from disks and transmits them to the target cloud environment.

Security Strengths

  • Enables encryption at source before data is transmitted
  • Provides granular control over replication behavior
  • Strong support for physical (bare‑metal) servers and real‑time change data capture (CDC)

Security Risks

  • Requires administrator/root privileges for installation, introducing a new attack surface on production systems
  • Increases operational overhead, as hundreds or thousands of agents must be patched, monitored, and maintained

Agentless Model (e.g., Azure Migrate with VMware)

Mechanism
Uses an intermediary appliance that connects to VMware vCenter or Hyper‑V to take snapshots and replicate data via hypervisor‑level APIs.

Security Strengths

  • No third‑party software installed on production servers
  • Reduces the risk of software conflicts or malware propagation via agents
  • Allows rapid, large‑scale deployment across environments

Security Risks

  • Security depends heavily on hypervisor controls
  • Reduced visibility into the guest operating system compared to agent‑based methods

Recommendation

For highly sensitive or mission‑critical systems, the agentless model is often preferred to minimize direct intervention on production workloads—unless real‑time replication is mandatory, in which case agent‑based CDC may be unavoidable.

5. Data Integrity Assurance: The Mathematics of Trust

When migrating terabytes or petabytes of data, bit corruption, packet loss, or silent data inconsistencies are statistically inevitable. Simply relying on a “Success” status from migration tools is insufficient to guarantee data safety. Enterprises must implement multi‑layered data validation mechanisms.

5.1. Technical Validation Methods

Checksum & Hash Verification (Unstructured Data)

The gold standard for validating files and object storage.

  • Mechanism: Generate checksums or cryptographic hashes (MD5, SHA‑256, or CRC32C) at both source and destination and compare them. CRC32C and MD5 detect accidental corruption only; SHA‑256 is the choice where tampering is also a concern
  • Implementation:
    • AWS DataSync’s `VerifyMode: POINT_IN_TIME_CONSISTENT` performs full post‑migration scans to validate every bit
    • Google Cloud favors CRC32C due to performance optimization in object storage systems

Row Counts and Aggregation (Structured Data / Databases)

  • Basic validation: Compare row counts between source and target tables
  • Advanced validation: Compute aggregates on key fields (e.g., transaction totals or customer ID hashes). Matching results dramatically reduce the probability of undetected discrepancies
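
The following added example (not from the original report) shows why row counts alone are not enough and what the aggregate checks catch. It uses in-memory SQLite databases as stand-ins for source and target; the table `transactions`, its columns, and all rows are constructed assumptions.

```python
import hashlib
import sqlite3


def table_fingerprint(conn, table, key_col, amount_col):
    """Return (row_count, amount_total, order-independent row digest)."""
    # Identifiers come from the migration plan, never from user input.
    count, total = conn.execute(
        f"SELECT COUNT(*), COALESCE(SUM({amount_col}), 0) FROM {table}"
    ).fetchone()
    combined = 0
    # Stream rows from the cursor so large tables are never held in memory.
    for key, amount in conn.execute(f"SELECT {key_col}, {amount_col} FROM {table}"):
        digest = hashlib.sha256(f"{key}|{amount}".encode("utf-8")).digest()
        # Adding digests modulo 2**256 ignores row order but not row content.
        combined = (combined + int.from_bytes(digest, "big")) % (1 << 256)
    return count, total, f"{combined:064x}"


def compare_tables(source, target, table, key_col, amount_col):
    """Run the three checks and report which ones match."""
    src = table_fingerprint(source, table, key_col, amount_col)
    dst = table_fingerprint(target, table, key_col, amount_col)
    return {
        "row_count": src[0] == dst[0],
        "amount_total": src[1] == dst[1],
        "row_digest": src[2] == dst[2],
    }


def load_sample(rows):
    """Build a constructed in-memory table standing in for a real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (customer_id TEXT, amount_cents INTEGER)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?)", rows)
    return conn


def demo():
    """Compare one source against three constructed migration outcomes."""
    source = load_sample([("C001", 105075), ("C002", 20000), ("C003", 9925)])
    targets = {
        # Same rows in a different physical order: every check passes.
        "clean_copy": [("C003", 9925), ("C001", 105075), ("C002", 20000)],
        # Cents dropped by a schema mismatch: count passes, total fails.
        "truncated_amounts": [("C001", 105000), ("C002", 20000), ("C003", 9900)],
        # Amounts attached to the wrong customers: count and total both pass.
        "swapped_customers": [("C001", 105075), ("C002", 9925), ("C003", 20000)],
    }
    return {
        name: compare_tables(source, load_sample(rows),
                             "transactions", "customer_id", "amount_cents")
        for name, rows in targets.items()
    }


if __name__ == "__main__":
    for name, checks in demo().items():
        print(name, checks)
```
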

Visual and Sample Testing

Random spot checks on datasets to detect:

  • Character encoding and font issues
  • Schema mismatch causing data truncation
  • Date and format conversion errors

5.2. Post‑Migration Audit Process

A migration is not considered complete until it passes a formal audit sign‑off.

  • Reconciliation Reports: Automated comparison of files or tables between source and target systems
  • Audit Trails: Full retention of migration logs—who executed the migration, timestamps, and checksum results—serving as critical evidence during future compliance audits
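
The checksum verification of section 5.1 and the reconciliation report and audit trail described above can be combined in one step, as in this added example (not part of the original report or of any vendor tool). It hashes two directory trees with SHA‑256 and emits an audit record; the file names, contents, and the operator name `migration-svc` are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256 so large objects never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each relative path under root to (size, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


def reconcile(source, target, operator):
    """Compare two manifests and return a record suitable for the audit trail."""
    missing = sorted(set(source) - set(target))
    unexpected = sorted(set(target) - set(source))
    mismatched = sorted(p for p in set(source) & set(target) if source[p] != target[p])
    return {
        "operator": operator,
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "source_objects": len(source),
        "target_objects": len(target),
        "missing_on_target": missing,
        "unexpected_on_target": unexpected,
        "checksum_mismatch": mismatched,
        "passed": not (missing or unexpected or mismatched),
    }


def demo():
    """Constructed sample: one silently corrupted file and one file never copied."""
    files = {
        "ledger/2024.csv": b"id,amount\n1,100\n2,250\n",
        "ledger/2025.csv": b"id,amount\n3,75\n",
        "kyc/customer-001.json": b'{"name": "constructed"}',
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in files.items():
            for root in (src, dst):
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as handle:
                    handle.write(data)
        # Same length, one byte changed: a size-only comparison would miss it.
        with open(os.path.join(dst, "ledger/2024.csv"), "wb") as handle:
            handle.write(b"id,amount\n1,100\n2,251\n")
        os.remove(os.path.join(dst, "kyc/customer-001.json"))
        return reconcile(build_manifest(src), build_manifest(dst), "migration-svc")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```
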

6. Identity and Access Management (IAM): Lessons from the Snowflake Breach

IAM is the most critical control plane in cloud security. The large‑scale data breaches affecting Snowflake customers in 2024 provided a stark reminder: even the most secure platforms fail if credentials are compromised.

6.1. Least‑Privilege Principles During Migration

Migration tools often require elevated permissions to read entire databases and write to target environments.

  • Granular permissions: Avoid broad policies such as `AdministratorAccess` or `S3FullAccess`. Instead, define fine‑grained IAM policies (e.g., allow `s3:PutObject` but deny `s3:DeleteObject`) to reduce ransomware and accidental deletion risks.
  • Service accounts: Use IAM roles (AWS) or service accounts (GCP) for automation. These identities must not allow interactive console login.
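
A pre-deployment check for the granular-permissions rule above, as an added example that is not from the original report and is not AWS's policy engine. It is a simplified evaluator (explicit Deny beats Allow, default deny) that ignores `Condition`, `NotAction`, `NotResource`, and other policy types; the bucket name `example-migration-target` and both policies are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample: write-only policy for a migration role.
MIGRATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WriteOnly", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
         "Resource": "arn:aws:s3:::example-migration-target/*"},
        {"Sid": "NeverDelete", "Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
         "Resource": "arn:aws:s3:::example-migration-target/*"},
    ],
}

# Constructed sample: the kind of broad grant the text warns against.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Everything", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

SAMPLE_OBJECT = "arn:aws:s3:::example-migration-target/ledger/2024.csv"


def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def matches(patterns, candidate, ignore_case=False):
    """Wildcard match; action names are case-insensitive, ARNs are not."""
    for pattern in as_list(patterns):
        if ignore_case:
            pattern, probe = pattern.lower(), candidate.lower()
        else:
            probe = candidate
        if fnmatchcase(probe, pattern):
            return True
    return False


def is_allowed(policy, action, resource):
    """Simplified evaluation: any matching Deny wins, otherwise need an Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not matches(stmt["Action"], action, ignore_case=True):
            continue
        if not matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def broad_grants(policy):
    """List Allow statements that use a wildcard action or resource."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        sid = stmt.get("Sid", index)
        for action in as_list(stmt["Action"]):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        for resource in as_list(stmt["Resource"]):
            if resource == "*":
                findings.append((sid, f"wildcard resource {resource}"))
    return findings


if __name__ == "__main__":
    for name, policy in (("migration", MIGRATION_POLICY), ("broad", BROAD_POLICY)):
        print(name, "delete allowed:",
              is_allowed(policy, "s3:DeleteObject", SAMPLE_OBJECT),
              "findings:", broad_grants(policy))
```
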

6.2. Credential Management Best Practices

  • Temporary credentials: Never embed long‑term access keys in code or scripts. Use AWS STS or equivalent mechanisms to issue short‑lived tokens (1–12 hours).
  • Mandatory MFA: All human and privileged accounts involved in migration must enforce multi‑factor authentication. Where service accounts cannot support MFA, apply strict IP whitelisting.

7. Encryption Strategy: Defense in Depth

Encryption must follow a defense‑in‑depth approach, protecting data at every stage.

7.1. Data in Transit

  • TLS 1.2+ is the minimum mandatory standard for all HTTP and API communications
  • Deprecated protocols (SSL, TLS 1.0/1.1) must be fully disabled
  • MACsec should be used for dedicated connections (e.g., Direct Connect) to provide Layer‑2 encryption at wire speed

7.2. Data at Rest

  • Server‑Side Encryption (SSE): CSP‑managed keys (e.g., SSE‑S3, Azure Storage Encryption) for general workloads
  • Customer‑Managed Keys (CMK): Sensitive data such as PII and financial records should be protected using KMS‑managed keys controlled by the enterprise
  • Key lifecycle control: Organizations can immediately revoke keys in the event of a breach, rendering stored data unreadable—even to CSP personnel
  • Separation of duties: Encryption keys should be managed by security teams, independent from storage or operations teams

8. Post‑Migration Monitoring and Real‑World Case Studies

Migration does not end at cutover. Day‑2 operations often introduce the highest security risks if not properly monitored.

8.1. Security Operations (SecOps) and CSPM

Cloud Security Posture Management (CSPM) tools automate continuous security monitoring.

  • Leading tools (2025): Wiz, Orca Security, AWS Security Hub, Microsoft Defender for Cloud
  • Drift detection: Automatically identifies deviations from established security baselines (e.g., a previously private S3 bucket becoming public)
  • Security logging: Integrate AWS CloudTrail or Azure Activity Logs with SIEM platforms such as Microsoft Sentinel to detect anomalous behaviors

8.2. Lessons from Practice: Successes and Failures

Successful Transformations

  • VPBank (Vietnam)
    • Migrated 28 critical applications to AWS within 11 months
    • Used AWS Elastic Disaster Recovery to ensure data resilience
    • Invested heavily in cloud training for 2,000 staff, significantly reducing configuration errors
  • SeABank (Vietnam)
    • Adopted a Hybrid Cloud architecture with Google Cloud (Anthos / GKE Enterprise)
    • Ensured compliance with domestic data residency requirements while leveraging cloud scalability
    • Used Security Command Center for centralized risk visibility

Common Failures: MFA Gaps

Major cloud data breaches rarely stem from broken encryption. Instead, they are overwhelmingly caused by weak identity controls, particularly missing MFA on administrative and service accounts during migration.

Conclusion

Secure data migration to the cloud is not a destination—it is a continuous journey that demands a tight interplay between governance strategy, regulatory compliance, and technical excellence. For enterprises in Vietnam, compliance with Decree No. 53 and Decree No. 13 is not merely a legal obligation—it is an opportunity to standardize and mature data governance practices. By carefully applying the 6 Rs migration model, designing multi‑layer security architectures—from physical connectivity (MACsec) to application‑layer controls (IAM, encryption)—and maintaining continuous oversight through CSPM, organizations can transform the cloud into a resilient digital fortress, enabling secure and sustainable growth for the future.

Keywords

  • migrating data to the cloud
  • benefits of migrating data to the cloud
  • migrating data center to cloud
  • migrating mysql data to cloud sql using database migration service
  • data cloud migration
  • migrating from on prem to cloud
  • migrate data to cloud
  • Digital transformation strategy
  • What is cloud data?
  • Data strategy
  • Common digital transformation strategies
  • FPT’s digital transformation strategy
  • What is cloud data?
  • Cloud computing documentation
  • Cloud computing and big data
  • Migrating data to the cloud
  • How to store data in the cloud

Sources

  1. The Ultimate Guide to a Successful Cloud Migration Strategy – TierPoint, truy cập vào tháng 1 17, 2026, https://www.tierpoint.com/blog/cloud-migration-strategy/
  2. 4 key considerations for a secure cloud migration – RSM US, truy cập vào tháng 1 17, 2026, https://rsmus.com/insights/services/risk-fraud-cybersecurity/4-key-considerations-for-a-secure-cloud-migration.html
  3. Data Migration Risks And The Checklist You Need To Avoid Them – Monte Carlo, truy cập vào tháng 1 17, 2026, https://www.montecarlodata.com/blog-data-migration-risks-checklist/
  4. VPBank Fuels Digital Transformation and Enhances Cloud Skills with AWS, truy cập vào tháng 1 17, 2026, https://aws.amazon.com/solutions/case-studies/vpbank-migration-case-study/
  5. Vietnam: Cybersecurity Data Localization Requirements – International Trade Administration, truy cập vào tháng 1 17, 2026, https://www.trade.gov/market-intelligence/vietnam-cybersecurity-data-localization-requirements
  6. Decree 53 guiding Cybersecurity Law – PwC, truy cập vào tháng 1 17, 2026, https://www.pwc.com/vn/en/publications/2022/220908-pwc-vietnam-legal-newsbrief-decree-53.pdf
  7. vietnam-cybersecurity-regulations-data-storage | DLA Piper, truy cập vào tháng 1 17, 2026, https://www.dlapiper.com/insights/publications/2022/10/vietnam-cybersecurity-regulations-data-storage
  8. What Are The Data Localisation Implications Of Viet Nam’s Decree No. 53/2022 Relating To Cybersecurity? – International Economics Consulting, truy cập vào tháng 1 17, 2026, https://tradeeconomics.com/what-are-the-data-localisation-implications-of-viet-nams-decree-no-53-2022-relating-to-cybersecurity/
  9. Thông tin cá nhân của người dùng tại Việt Nam phải được lưu trữ trong nước [Personal information of users in Vietnam must be stored domestically], accessed January 17, 2026, https://mst.gov.vn/thong-tin-ca-nhan-cua-nguoi-dung-tai-viet-nam-phai-duoc-luu-tru-trong-nuoc-197154626.htm
  10. Data protection laws in Vietnam, accessed January 17, 2026, https://www.dlapiperdataprotection.com/?t=law&c=VN
  11. Những loại dữ liệu nào phải được lưu trữ tại Việt Nam? [Which types of data must be stored in Vietnam?], accessed January 17, 2026, https://lsvn.vn/nhung-loai-du-lieu-nao-phai-duoc-luu-tru-tai-viet-nam1660725896-a122651.html
  12. Nghị định số 13/2023/NĐ-CP của Chính phủ: Bảo vệ dữ liệu cá nhân [Government Decree No. 13/2023/NĐ-CP: Personal data protection] – Hệ thống văn bản, accessed January 17, 2026, https://vanban.chinhphu.vn/?pageid=27160&docid=207759
  13. TOÀN VĂN: Nghị định 13/2023/NĐ-CP bảo vệ dữ liệu cá nhân [Full text: Decree 13/2023/NĐ-CP on personal data protection] – Xây Dựng Chính Sách, Pháp Luật, accessed January 17, 2026, https://xaydungchinhsach.chinhphu.vn/toan-van-nghi-dinh-13-2023-nd-cp-bao-ve-du-lieu-ca-nhan-119230516104357809.htm
  14. Hướng Dẫn Lập Hồ Sơ Đánh Giá Tác Động Chuyển Dữ Liệu Cá Nhân Ra Nước Ngoài [Guide to preparing the impact assessment dossier for transferring personal data abroad], accessed January 17, 2026, https://dpo.vn/huong-dan-lap-ho-so-danh-gia-tac-dong-chuyen-du-lieu-ca-nhan-ra-nuoc-ngoai/
  15. Thông báo nội dung Hồ sơ đánh giá tác động chuyển dữ liệu cá nhân ra nước ngoài [Notice on the contents of the impact assessment dossier for transferring personal data abroad], accessed January 17, 2026, https://baovedlcn.gov.vn/thu-tuc-hanh-chinh/ho-so-danh-gia-tac-dong-chuyen-du-lieu-ca-nhan-ra-nuoc-ngoai
  16. Những điều doanh nghiệp cần lưu ý với Nghị định 13/2023/NĐ-CP về Bảo vệ dữ liệu cá nhân [Key notes for businesses under Decree 13/2023/NĐ-CP on Personal Data Protection] | VNG Cloud, accessed January 17, 2026, https://vngcloud.vn/vi/blog/key-notes-for-businesses-under-decree-13-2023-nd-cp-on-personal-data-protection
  17. CYHOME đáp ứng Nghị định 13/2023/NĐ-CP về Bảo vệ dữ liệu cá nhân [CYHOME complies with Decree 13/2023/NĐ-CP on Personal Data Protection], accessed January 17, 2026, https://www.cyhome.vn/cyhome-dap-ung-nghi-dinh-13-2023-nd-cp-ve-bao-ve-du-lieu-ca-nhan/
  18. 13 cloud migration best practices: 2025 guide – Cortex, accessed January 17, 2026, https://www.cortex.io/post/cloud-migration-best-practices
  19. Cloud Migration Security Guide: Challenges and Best Practices – TierPoint, accessed January 17, 2026, https://www.tierpoint.com/blog/cloud-migration-security/
  20. About the migration strategies – AWS Prescriptive Guidance, accessed January 17, 2026, https://docs.aws.amazon.com/prescriptive-guidance/latest/large-migration-guide/migration-strategies.html
  21. Lift & Shift, Replatform or Refactor? Cloud migration strategies – Luce IT, accessed January 17, 2026, https://luceit.com/en/blog/cloud/lift-shift-replatform-or-refactor-cloud-migration-strategies/
  22. Cloud Migration Approach: Rehost, Refactor or Replatform? – NetApp, accessed January 17, 2026, https://www.netapp.com/blog/cvo-blg-cloud-migration-approach-rehost-refactor-or-replatform/
  23. Cloud migration security: Risks, strategies, and best practices – Cortex, accessed January 17, 2026, https://www.cortex.io/post/cloud-migration-security-risks-strategies-and-best-practices
  24. How to Mitigate the Risks and Challenges in Data Migration – Ankura.com, accessed January 17, 2026, https://ankura.com/insights/how-to-mitigate-the-risks-and-challenges-in-data-migration
  25. Azure ExpressRoute vs AWS Direct Connect: Key Differences – CloudOptimo, accessed January 17, 2026, https://www.cloudoptimo.com/blog/azure-expressroute-vs-aws-direct-connect-key-differences/
  26. Site-To-Site VPNs vs. Direct Connect: Which One To Choose? – Check Point, accessed January 17, 2026, https://sase.checkpoint.com/blog/cloud/site-to-site-vpn-vs-direct-connect
  27. AWS Direct Connect vs. VPN: Performance, Security & Cost – StormIT, accessed January 17, 2026, https://www.stormit.cloud/blog/comparison-aws-direct-connect-vs-vpn/
  28. Connectivity to other cloud providers – Cloud Adoption Framework – Microsoft Learn, accessed January 17, 2026, https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/connectivity-to-other-providers
  29. AWS vs Azure vs Google Cloud: A Comparison of Private Connectivity Options – Megaport, accessed January 17, 2026, https://www.megaport.com/blog/comparing-cloud-providers-private-connectivity/
  30. Comparing The Private Connectivity Offerings Of AWS, Google Cloud & Microsoft Azure, accessed January 17, 2026, https://blog.consoleconnect.com/comparing-the-private-connectivity-offerings-of-aws-google-cloud-microsoft-azure
  31. AWS VPN Pricing – Cloud VPN – Amazon Web Services, accessed January 17, 2026, https://aws.amazon.com/vpn/pricing/
  32. Replication related – Application Migration Service – AWS Documentation, accessed January 17, 2026, https://docs.aws.amazon.com/mgn/latest/ug/Replication-Related-FAQ.html
  33. Azure Migrate Appliance FAQ – Microsoft Learn, accessed January 17, 2026, https://learn.microsoft.com/en-us/azure/migrate/common-questions-appliance?view=migrate
  34. Data integrity | Storage Transfer Service – Google Cloud Documentation, accessed January 17, 2026, https://docs.cloud.google.com/storage-transfer/docs/data-integrity
  35. AWS Application Migration Service FAQs, accessed January 17, 2026, https://aws.amazon.com/application-migration-service/faqs/
  36. Azure security baseline for Azure Migrate | Microsoft Learn, accessed January 17, 2026, https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-migrate-security-baseline
  37. Storage Transfer Service | Google Cloud, accessed January 17, 2026, https://cloud.google.com/storage-transfer-service
  38. Configuring how AWS DataSync verifies data integrity, accessed January 17, 2026, https://docs.aws.amazon.com/datasync/latest/userguide/configure-data-verification-options.html
  39. Verifying end-to-end data integrity | Cloud Key Management Service, accessed January 17, 2026, https://docs.cloud.google.com/kms/docs/data-integrity-guidelines
  40. Infrastructure security in AWS Application Migration Service, accessed January 17, 2026, https://docs.aws.amazon.com/mgn/latest/ug/infrastructure-security.html
  41. AWS Application Migration Service best practices | AWS Cloud Operations Blog, accessed January 17, 2026, https://aws.amazon.com/blogs/mt/aws-application-migration-service-best-practices/
  42. Security Best Practices for Deploying an Appliance – Azure Migrate | Microsoft Learn, accessed January 17, 2026, https://learn.microsoft.com/en-us/azure/migrate/best-practices-security?view=migrate
  43. Protect file system data | Storage Transfer Service – Google Cloud Documentation, accessed January 17, 2026, https://docs.cloud.google.com/storage-transfer/docs/on-prem-security
  44. Agent-Based vs Agentless Security: Pros, Cons, and Cloud Comparison | Fortinet, accessed January 17, 2026, https://www.fortinet.com/resources/cyberglossary/agent-vs-agentless-security
  45. Agentless vs. Agent-Based Cloud Migration: Which Is Better for Your Business?, accessed January 17, 2026, https://www.datamotive.io/blog/agentless-vs-agent-based-cloud-migration-which-is-better-for-your-business
  46. Agentless vs. Agent-Based Security, accessed January 17, 2026, https://orca.security/resources/blog/agentless-vs-agent-based-security/
  47. How to Validate Data Integrity After Migration: Expert Guide – Airbyte, accessed January 17, 2026, https://airbyte.com/data-engineering-resources/validate-data-integrity-after-migration
  48. What methods are used to maintain data integrity during the migration phase?, accessed January 17, 2026, https://www.tencentcloud.com/techpedia/131665
  49. How do you test db consistency after a server migration? : r/dataengineering – Reddit, accessed January 17, 2026, https://www.reddit.com/r/dataengineering/comments/1qdp2sl/how_do_you_test_db_consistency_after_a_server/
  50. Data Migration Validation Best Practices for 2025 – Quinnox, accessed January 17, 2026, https://www.quinnox.com/blogs/data-migration-validation-best-practices/
  51. How to Ensure Data Integrity During Cloud Migration: 8 Key Steps – FirstEigen, accessed January 17, 2026, https://firsteigen.com/blog/how-to-ensure-data-integrity-during-cloud-migrations/
  52. Unpacking the 2024 Snowflake Data Breach – Cloud Security Alliance (CSA), accessed January 17, 2026, https://cloudsecurityalliance.org/blog/2025/05/07/unpacking-the-2024-snowflake-data-breach
  53. Security best practices in IAM – AWS Identity and Access Management, accessed January 17, 2026, https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  54. Best practices for using service accounts securely | Identity and Access Management (IAM) | Google Cloud Documentation, accessed January 17, 2026, https://docs.cloud.google.com/iam/docs/best-practices-service-accounts
  55. Best practices for identity and access management in cloud-native infrastructure – Datadog, accessed January 17, 2026, https://www.datadoghq.com/blog/identity-and-access-management-in-cloud-native-infrastructure/
  56. Temporary security credentials in IAM – AWS Identity and Access Management, accessed January 17, 2026, https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
  57. Top Cloud CSPM Vendors in 2025: The Ultimate Guide – SecPod Technologies, accessed January 17, 2026, https://www.secpod.com/blog/top-cloud-cspm-vendors-2025/
  58. Top 16 CSPM Tools & Software for 2025 – Scrut, accessed January 17, 2026, https://www.scrut.io/post/top-cspm-tools
  59. Top CSPM Solutions: Which Should You Try? – Wiz, accessed January 17, 2026, https://www.wiz.io/academy/cloud-security/cspm-solutions-landscape
  60. Ingest and analyze AWS security logs in Microsoft Sentinel – AWS Prescriptive Guidance, accessed January 17, 2026, https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/ingest-analyze-aws-security-logs-sentinel.html
  61. Security in AWS Database Migration Service, accessed January 17, 2026, https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html
  62. SeABank Case Study | Google Cloud, accessed January 17, 2026, https://cloud.google.com/customers/seabank