Cloud adoption · Governance · DevSecOps

Cloud adoption, governance
& DevSecOps — end to end.

Cloud adoption strategy, cloud governance frameworks and DevSecOps pipelines — from landing zone design to policy-as-code, from classified NATO environments to commercial multi-cloud. Resilience, security and operational maturity built in at the architecture stage, not bolted on after go-live.

Adoption without governance is technical debt at scale

Cloud migrations that skip governance create the same problems on-premises did — but faster and at higher cost. I anchor every adoption engagement on three pillars: a landing zone that enforces security and cost controls from day one, a governance model that scales with the organisation, and a DevSecOps pipeline that makes compliance a side effect of delivery rather than a separate phase.

Patterns: Landing zone · CAF · Well-Architected · Policy-as-code · DevSecOps · FinOps · Zero Trust · SRE

What I offer

Cloud adoption · governance · DevSecOps services

🗺️
Cloud adoption strategy

Cloud readiness assessment, migration roadmap, CAF / Well-Architected alignment — phased adoption with security and cost controls from day one.

Adoption roadmap delivered
🏗️
Landing zone design

Multi-account landing zone — guardrails, identity federation, network topology, logging and FinOps baselines. AWS Control Tower · Azure Landing Zone · GCP Foundation.

Governed from day one
📋
Cloud governance framework

Policy-as-code, tagging standards, cost allocation, compliance dashboards — governance that scales without manual overhead. Delivered in NATO Secret and commercial environments.

Policy-as-code in production
⚙️
DevSecOps pipeline

CI/CD with integrated security gates — SAST, DAST, container scanning, secrets management (HashiCorp Vault), compliance-as-code. Jenkins · GitLab CI · GitHub Actions.

Security in every build
🐳
Container & platform engineering

Kubernetes, OpenShift, Docker — hardened container platforms with RBAC, network policy, image signing and CIS Benchmark compliance.

CIS-compliant clusters
📈
Resilience & FinOps

Active-active HA, DR orchestration, SRE practices — combined with cost governance. 99.999% availability and -35% infrastructure cost in the same programme.

99.999% · -35% cost

Selected engagements

Cloud mandates — institutional track record

NATO / NCIA — CS-NDW Cloud Adoption · DevSecOps · 2023–2024 · The Hague
Defined and operationalised the cloud governance framework for the NATO Digital Workplace (CS-NDW) programme — cloud adoption roadmap, security cloud architecture, DevSecOps integration across classified NATO environment. Policy-as-code, Zero Trust alignment, classification-aware access controls. Stakeholder governance across 32 NATO nations.
Classified · NDANATO SecretCloud governance · DevSecOpsZero Trust · Policy-as-code32 NATO nations
NATO / NCIA — Hybrid-cloud migration · 2023–2024 · The Hague
Migrated all NATO content-collaboration systems to hybrid cloud. PAM/IAM, SIEM/SOAR and GRC integrated with satellite and terrestrial networks. Immutable / audit-ready versioning. NIST 800-53, ISO 27001, NCA ECC alignment. 3rd-line operational support across classified estates.
NATO SecretHybrid cloud · PAM/IAMSIEM/SOAR · GRCNIST 800-53 · NCA ECC
EEAS — Cloud migration · DR · DevSecOps · 2022–2023 · Brussels
Cloud-security and architecture across AWS, Azure and GCP — containerisation, serverless and hybrid-cloud patterns for operational resilience. Disaster Recovery Centre design and implementation for EEAS critical mission systems: RTO/RPO definition, failover testing, continuity evidence. AWS Well-Architected, Azure CAF, ISO 22301 / 27031 / NIST CSF aligned.
EU classifiedAWS · Azure · GCPDR · ISO 22301DevSecOps · ContainersAzure CAF
U.S. DoD — JEDI / JWCC · Multi-cloud CAM · 2019–2022 · via Innovation Center
Advisory architect for Cloud Access Management (CAM) — zero-trust multi-cloud access layer across AWS GovCloud, Azure Gov, GCP GovCloud and OCI. ITAR, FedRAMP High and DoD IL5 compliant. JADC2 interoperability integration. Subcontract via Innovation Center — no direct DoD contract.
Multi-cloud · Zero TrustFedRAMP · ITAR · DoD IL5AWS · Azure · GCP · OCIJADC2
Innovation Center — DevSecOps · Containers · 2019–2024 · Worldwide / Bucharest
Containerised workloads (Docker, Kubernetes, OpenShift) with DevSecOps pipelines (Jenkins, GitLab CI/CD, HashiCorp Vault) enforcing security-as-code across delivery. CIS Kubernetes Benchmark, OWASP, NIST 800-53, ISO 27001 aligned.
Kubernetes · OpenShiftDevSecOps · GitLab CI/CDHashiCorp VaultNIST 800-53 · CIS Benchmark
UN OICT / UN HQ — Hybrid cloud · Active-active DC · 2016–2019 · New York
Active-active data-centre architecture with automated failover (VMware SRM + Azure Site Recovery) — 99.98% availability, RTO < 4h, RPO 15 min (tested). Drove cloud requirements, security controls and implementation (Azure and AWS) alongside IoT, DLT, big data, DevSecOps and Office 365 adoption. Significant cost savings via Microsoft / Oracle / Cisco renegotiation.
Active-active DCAzure · AWS99.98% availability · RTO < 4hISO 22301 · NIST CSF
NATO HQ — DR · Server virtualization · 2015–2016 · Brussels
Designed and executed NATO HQ's first disaster-recovery centre failover. Successful DR and business continuity plan. Led server virtualization — 90% of systems infrastructure virtualised. AIS audits and system accreditation for classified systems.
DR · BCP90% virtualisationClassified systemsAIS accreditation
European Central Bank — Cloud & Digital Architecture · 2014–2015 · Frankfurt
Led Solution Design team for ECB cloud / digital architecture and cryptocurrency infrastructure. Identified and documented business flows, data exchanges, identity authorisation and security levels. Integrations with European and governmental agencies. Updated Business Continuity Plan.
Cloud architectureDigital · CryptocurrencyBCP · IdentityEU governmental integrations

Visual reference

Cloud platform infographic

Cloud Resilience & Digital Backbone — Marius Russo-Got

Building a resilient digital backbone?

99.999% availability architecture, DR design, backbone consolidation — available for retained mandates.