Course Navigation
6 min read·Lesson 10 of 10

Multi-Cloud Security: CSPM, CNAPP, and Beyond

When workloads span AWS, Azure, GCP, and SaaS. The tools and patterns that keep multi-cloud manageable without doubling your security team.

Pure single-cloud organisations are now rare. Acquisitions, SaaS sprawl, AI services, and regulator-mandated diversity push everyone toward at least two clouds. Multi-cloud security is not about treating clouds identically — it is about giving your team one operating model across them.

Why Multi-Cloud Security Is Hard

  • Each cloud has its own IAM, log format, KMS, network primitives.
  • Detection rules must be re-implemented per cloud or unified at a higher layer.
  • Skills shortage — engineers fluent in all three are uncommon.
  • Compliance evidence has to be collected three different ways.
  • Each cloud's "best practice" subtly differs.

The trap is "lowest common denominator" — using only features all three share — which leaves a lot of value on the table. Better: use each cloud's native strengths, then pick a small unification layer for the things you must do consistently.

The Unification Stack

LayerUnify with
IdentitySingle IdP (Entra ID, Okta, Google) federated to every cloud + SSO for SaaS
SecretsHashiCorp Vault or Akeyless across clouds; or Cloud-native + sync
LoggingSIEM or security data lake — Sentinel, Splunk, Chronicle, Panther
PostureCSPM / CNAPP — Wiz, Prisma Cloud, Lacework, Orca, Sysdig, Microsoft Defender for Cloud (multi-cloud)
PolicyOpen Policy Agent / Sentinel / Kyverno across Terraform, Kubernetes, runtime
TelemetryOpenTelemetry for metrics, traces, logs
IaCTerraform / OpenTofu, Pulumi, or per-cloud-native with shared modules

CSPM (Cloud Security Posture Management)

CSPM tools answer: "what is misconfigured across all my clouds, ranked by risk?"

  • Connect via read-only role to each account/subscription/project.
  • Run continuous checks against benchmarks (CIS, PCI, internal policy).
  • Build a graph of resources, identities, and network paths to surface attack chains.
  • Report findings with severity, remediation steps, ownership.

Examples: Wiz, Prisma Cloud, Lacework, Orca, Defender for Cloud (Foundational CSPM is free, Defender CSPM paid), Aqua, Tenable Cloud Security.

CWPP (Cloud Workload Protection Platform)

CWPP focuses on the workload itself — VMs, containers, serverless — at runtime.

  • Vulnerability scanning (agent or agentless).
  • Runtime threat detection (Falco-style).
  • Image and registry scanning.
  • Kubernetes admission policies.

Examples: Sysdig Secure, Aqua, Defender for Containers/Servers, Wiz Runtime, Trend Micro Cloud One.

CNAPP (Cloud-Native Application Protection Platform)

CNAPP = CSPM + CWPP + IaC scanning + supply-chain + runtime — unified from "code to cloud." A single dashboard ties a CVE in a container image to the production deployment to the IAM role to the data it can reach.

Strengths:

  • Prioritises findings by reachability and blast radius — not just CVE severity.
  • One agent / one onboarding instead of many tools.
  • Unified inventory across clouds.

Trade-offs:

  • Pricey — typically a per-workload subscription.
  • Vendor lock-in to the platform's data model.
  • Onboarding takes effort to integrate IaC pipelines, registries, identity systems.

For organisations of any meaningful scale, a CNAPP usually pays for itself in operational consistency and reduced point-tool sprawl.

SaaS Security Posture Management (SSPM)

The modern enterprise also runs many SaaS tools: Microsoft 365, Google Workspace, Salesforce, GitHub, Slack, Zoom, Jira. SSPM tools (AppOmni, Adaptive Shield, Obsidian Security) extend posture management into them — checking sharing settings, IAM, integrations, OAuth grants.

OAuth-grant abuse is one of the fastest-growing attack vectors. Audit grants in your IdP and SaaS apps regularly.

Multi-Cloud Identity

The single highest-leverage unification:

  • One IdP for all human access (engineers, ops, business).
  • Federation: AWS IAM Identity Center, Azure AD as IdP for Azure (native), GCP Workforce Identity Federation.
  • SSO + MFA + conditional access (block from anonymising proxies, require compliant device).
  • Just-in-time elevation for sensitive roles.
  • Periodic access reviews from a single source of truth.

If a person leaves the company, disabling their IdP account should remove access to every cloud and SaaS app within minutes.

Multi-Cloud Networking

  • Hub-and-spoke per cloud (Transit Gateway / Virtual WAN / Network Connectivity Center).
  • Cross-cloud connectivity via VPN or transit providers (Megaport, Aviatrix, Equinix Fabric).
  • Segment by environment (prod / non-prod) and trust zone, not by cloud.
  • Egress filtering and DNS centralised through a security VPC where possible.

Standardised Telemetry

OpenTelemetry produces the same metric/log/trace shape regardless of cloud. The OTel Collector forwards to your unified backend (Datadog, Honeycomb, New Relic, your SIEM). Standardising telemetry makes investigation across clouds practical.

Common Anti-Patterns

  • "We will treat all clouds identically." Rarely works — let each cloud be itself; unify the layer above.
  • Per-cloud security teams with their own tools — duplication and gaps.
  • No unified inventory — you cannot protect what you do not know exists.
  • Rebuilding GuardDuty / Defender / SCC functionality with custom rules instead of using the managed services and consolidating findings.
  • Multi-cloud with one team's worth of headcount — staffing matters.

The Buy-vs-Build Reality

For multi-cloud, the operational cost of rolling your own is steep. Most organisations land on:

  • Native services within each cloud (free / inexpensive, deeply integrated).
  • One CNAPP for cross-cloud posture, runtime, and IaC scanning.
  • One SIEM for centralised detection and case management.
  • One IdP for identity.
  • Minimal custom glue to tie them together.

That stack covers most of the value with a manageable team. Resist the temptation to add another tool unless it solves a problem the current ones cannot.

Course Conclusion

You now have the conceptual foundation for cloud security: shared responsibility, identity, network, encryption, workloads, data, detection, response, compliance, and multi-cloud. Each is the topic of entire books and certifications, but the patterns repeat. AWS SCS-C02, Azure AZ-500, and GCP PCSE all test the same fundamentals — only the service names differ.

From here, the path is hands-on: stand up a landing zone, audit one of your existing accounts against CIS, run a tabletop, automate one detection. Each of those exercises will teach you more than another book chapter could.

Key Takeaways

  • Most organisations are multi-cloud, even unintentionally. Plan for it.
  • CSPM finds misconfigurations; CWPP protects workloads; CNAPP combines both with code-to-cloud context.
  • A single identity provider (Entra ID, Okta, Google Workspace) federated to every cloud beats per-cloud users.
  • Centralise logs, secrets, and policy where possible; standardise on OpenTelemetry and OPA where not.
  • Avoid lowest-common-denominator design — use the strengths of each cloud, but unify the controls that matter.
🎉

Course Complete!

You've finished Cloud Security Fundamentals. Now put your knowledge to the test with real exam-style practice questions.

Practice AWS SCS C02 QuestionsPractice AZ 500 QuestionsPractice GCP PCSE QuestionsExplore More Courses