Glossary/Detection Engineering/Multi-Cloud Security

What Is Multi-Cloud Security? Securing AWS, Azure, GCP

A SOC analyst gets an alert: an IAM role in an AWS account assumed credentials it had never used, then called s3:GetObject on a bucket of customer data. Routine triage. Except the same identity, federated through the company's single sign-on provider, also holds a Contributor role in three Azure subscriptions and an Editor binding on two Google Cloud projects. The analyst has CloudTrail open in one tab. The Azure Activity Log lives in a different portal with a different schema. The Google Cloud Audit Logs sit in a third console with a third query language. Three providers, three telemetry models, one identity, and no single screen that shows where it has been. That gap is the whole problem with multi-cloud security.

Multi-cloud security is the practice of protecting data, applications, and infrastructure spread across two or more public cloud providers at once. It is not three separate cloud security programs running in parallel. It is the discipline of imposing one consistent set of controls, identities, and visibility over environments that each define access, configuration, and logging differently. The hard part is not any single cloud. It is the seams between them.

What Is Multi-Cloud Security?

Most organizations did not choose multi-cloud on purpose. They acquired a company that ran on Azure, inherited a data team standardized on Google BigQuery, and built everything else on AWS. The Flexera 2026 State of the Cloud Report found that hybrid and multi-cloud are now the default posture for large enterprises, frequently arising from mergers, siloed teams, and inherited architecture rather than deliberate strategy. The result is a defender who has to secure clouds they never designed.

Each provider gives you a competent security toolkit for its own estate. AWS has IAM, GuardDuty, and Security Hub. Azure has Entra ID, Defender for Cloud, and the responsibility matrix. Google Cloud has Cloud IAM, Security Command Center, and its "shared fate" model. The trouble is that none of these tools see across the boundary. An over-privileged role in AWS is invisible to Azure's tooling. A misconfigured storage bucket in Google Cloud does not show up in Security Hub. Multi-cloud security is the work of closing those blind spots.

Three forces make it genuinely harder than single-cloud security:

  • Divergent identity models. AWS uses IAM roles and policies. Azure uses role assignments and Entra ID. Google Cloud uses IAM bindings and service accounts. The same human or workload often holds entitlements in all three, and no native tool reconciles them into one effective-permission view.
  • Divergent configuration baselines. What counts as a public, exposed resource is expressed differently in each provider's API. A control that hardens an S3 bucket has no equivalent that automatically hardens an Azure Blob container or a GCS bucket.
  • Divergent telemetry. CloudTrail, Azure Activity Log, and Google Cloud Audit Logs each use a different event schema, field naming, and retention default. Correlating an identity's actions across all three is a data-normalization project before it is a detection problem.

The Shared Responsibility Model Across Providers

Every public cloud splits security duties between the provider and the customer. The provider secures the infrastructure the cloud runs on. The customer secures what they put into it. AWS states this literally: it is responsible for "security of the cloud," and the customer is responsible for "security in the cloud." Azure and Google Cloud express the same split with their own language, but the principle holds across all three.

The boundary is not fixed. It slides with the service model. For infrastructure as a service (IaaS), such as a raw compute instance, the customer owns the guest operating system, patching, network configuration, and everything above it. For platform and software services (PaaS and SaaS), the provider absorbs more of the stack, and the customer's job shrinks toward data and access management. One thing never shifts to the provider: your data, your identities, and your access policies are always yours to secure.

The divergence is what bites in multi-cloud. The line between provider and customer sits in a slightly different place in each cloud, and the wording differs:

AspectAWSMicrosoft AzureGoogle Cloud
Framing"Security of the cloud" vs "security in the cloud"Responsibility matrix across On-prem, IaaS, PaaS, SaaSShared responsibility plus a "shared fate" partnership
Always the customer's jobData, IAM, OS and network config on IaaSData, identities, endpoints, accounts, access managementData, access controls, and identity configuration
Identity serviceAWS IAMMicrosoft Entra IDGoogle Cloud IAM
What the provider addsCompliance attestations, infrastructure controlsDocumented matrix per service tierSecure blueprints, landing zones, risk protection

The practical takeaway: a control that satisfies your responsibility in one cloud does not satisfy it in another. You have to map the boundary three times and then prove you covered the customer side in each.

Identity Is the Cross-Provider Seam

Multi-Cloud Identity Attack Path
One identity. Three clouds. No single alarm.
A federated identity holds standing permissions in every provider. Each cloud treats the activity as legitimate.
INITIAL ACCESS
Federated SSO user
Developer identity phished. One credential, valid everywhere.
AWS
iam:PassRole
Attaches an over-privileged role to a new instance. Quiet escalation.
AZURE
Contributor role
Same identity pivots to enumerate subscriptions and read storage.
GOOGLE CLOUD
Editor binding
Third estate opened. Data access across all three providers.
MITRE T1078
Defense · follow the identity Correlate on the acting principal across CloudTrail, Azure Activity Log, and Google Cloud Audit Logs. Enforce least privilege so one credential cannot open three clouds.

In a single cloud, identity is contained. In multi-cloud, identity is the connective tissue, and that makes it the most dangerous seam. A federated user or workload often holds standing permissions in every provider at once. An attacker who compromises that identity does not breach one cloud. They inherit access to all of them.

Walk the attack path. An adversary phishes a developer whose identity is federated through the corporate identity provider. In AWS, that identity can assume a role with broad s3 and iam:PassRole permissions. The attacker uses PassRole to attach an over-privileged role to a new compute instance, escalating quietly. The same federated identity has a Contributor assignment in Azure, so the attacker pivots to enumerate subscriptions and read storage. It also has an Editor binding on a Google Cloud project, opening a third estate. None of the three native consoles raises an alarm, because in each cloud the identity is using permissions it legitimately holds.

This is why entitlement hygiene matters more in multi-cloud than anywhere else. Two disciplines address it directly. Identity Access Management (IAM) governs who can authenticate and what they are allowed to do, and it is the layer where federation and single sign-on either contain or amplify a compromise. Cloud Infrastructure Entitlement Management (CIEM) goes further: it discovers every identity across all providers, calculates effective permissions, and flags the excessive, unused, and over-privileged entitlements that the attack path above depends on. CIEM exists precisely because no human can hold three providers' permission models in their head and spot the dangerous combination.

The defensive principle is least privilege, enforced identically across clouds. Standing access should be rare. A role that is never used is a role that should not exist. An identity with write access in three clouds is three times the blast radius of one with read access in one.

Posture and Configuration Across Clouds

Misconfiguration is the most common way cloud data ends up exposed, and it is almost always a customer-side mistake: a storage bucket set to public, a security group open to the internet, an unencrypted database, an over-broad firewall rule. In a single cloud, you scan for these against one set of rules. In multi-cloud, the same logical mistake takes a different shape in each provider, and config drift happens three times as fast.

Cloud Security Posture Management (CSPM) is the control that closes this gap. It continuously assesses the configuration state of resources across AWS, Azure, and Google Cloud against a single set of best-practice and compliance baselines, then surfaces the resources that fail. Instead of three separate config audits in three consoles, CSPM gives one prioritized list of misconfigurations regardless of which cloud they live in. It is how a small team holds the customer side of the shared responsibility model across an estate they could not manually inspect.

Posture management and entitlement management are complementary, not interchangeable:

CSPMCIEM
Question it answersHow are resources configured?Who can do what?
Primary targetMisconfigurations, compliance driftIdentities and entitlements
Example findingPublic S3 bucket, open security groupUnused admin role, cross-account PassRole
Failure it preventsExposed data, weak defaultsPrivilege escalation, lateral movement

Both increasingly ship together inside a cloud-native application protection platform (CNAPP), which folds posture, entitlements, and workload protection into one console so the findings share context instead of living in separate tools.

Detecting and Investigating Multi-Cloud Threats

Prevention reduces the attack surface. It does not eliminate it. The SOC still has to detect and investigate what gets through, and this is where multi-cloud hurts most, because the telemetry is fragmented by design.

The three providers emit their audit trails in incompatible formats. AWS CloudTrail logs API calls in one JSON schema. The Azure Activity Log uses another. Google Cloud Audit Logs use a third. The field that names the acting identity, the field that names the source IP, and the field that names the action are all called something different in each. Before an analyst can ask "what did this identity do everywhere in the last hour," someone has to normalize three schemas into one. That normalization is the foundational work of multi-cloud detection, and it is usually done by shipping all three log sources into a single SIEM or a cloud detection and response platform where they can be queried together.

A workable detection program across providers rests on a few practices:

  • Centralize the logs. Ship CloudTrail, Azure Activity Log, and Google Cloud Audit Logs to one place. An incident that crosses providers cannot be reconstructed from three separate consoles.
  • Correlate on identity. Normalize the acting-principal field across all three schemas so one query follows an identity across every cloud it touched. Identity is the join key in a multi-cloud investigation.
  • Alert on the seams. The highest-value detections are cross-provider: an identity active in two clouds within minutes, a federated principal assuming a role it has never used, entitlement changes immediately followed by data access.
  • Baseline per identity, not per cloud. Normal behavior for a workload identity in AWS tells you nothing about whether its Azure activity is normal. Build the baseline around the identity and watch for deviation in any cloud.

The investigation principle is the same one the introduction opened with: in multi-cloud, you follow the identity, not the cloud. The attacker moves between providers by reusing one set of credentials, so the defender has to be able to pivot the same way.

Frequently Asked Questions

What is multi-cloud security?

Multi-cloud security is the practice of protecting data, applications, and infrastructure that run across two or more public cloud providers, such as AWS, Azure, and Google Cloud, at the same time. It focuses on imposing consistent identity, configuration, and monitoring controls over environments that each define security differently, so the gaps between providers do not become attack paths.

How is multi-cloud security different from single-cloud security?

Single-cloud security uses one provider's native tools against one identity model, one configuration baseline, and one log format. Multi-cloud security has to reconcile three of each. The same human or workload identity may hold permissions in every provider, configuration mistakes take a different shape in each, and audit logs use incompatible schemas, so the core challenge is consistency and correlation across the seams.

Who is responsible for security in a multi-cloud environment?

Responsibility is shared, and it shifts with the service model. The provider always secures the underlying infrastructure. The customer always secures their own data, identities, and access policies, and takes on more of the stack for infrastructure services than for software services. In multi-cloud, the customer has to apply that responsibility separately in each provider, because the boundary sits in a slightly different place and is worded differently in each.

What is the difference between CSPM and CIEM?

CSPM (Cloud Security Posture Management) answers "how are my resources configured" by continuously checking cloud configurations against best-practice baselines and flagging misconfigurations like public buckets and open firewall rules. CIEM (Cloud Infrastructure Entitlement Management) answers "who can do what" by discovering identities, calculating their effective permissions, and flagging over-privileged or unused entitlements. Posture management prevents exposed data; entitlement management prevents privilege escalation.

Why is identity the biggest risk in multi-cloud?

Because a federated identity often holds standing permissions in every cloud at once. An attacker who compromises one identity inherits access to all of them and can move between providers by reusing the same credentials, with each cloud treating the activity as legitimate. That makes least-privilege enforcement and entitlement visibility across providers the single highest-leverage control in a multi-cloud program.

What tools help secure a multi-cloud environment?

CSPM tools standardize configuration and compliance checks across providers. CIEM tools manage identities and entitlements across clouds. A cloud-native application protection platform (CNAPP) combines posture, entitlement, and workload protection in one console. For detection, a SIEM or cloud detection and response platform centralizes and normalizes the audit logs from each provider so a SOC can correlate activity across all of them.

Frequently asked questions

What is multi-cloud security?

Multi-cloud security is the practice of protecting data, applications, and infrastructure that run across two or more public cloud providers, such as AWS, Azure, and Google Cloud, at the same time. It focuses on imposing consistent identity, configuration, and monitoring controls over environments that each define security differently, so the gaps between providers do not become attack paths.

How is multi-cloud security different from single-cloud security?

Single-cloud security uses one provider's native tools against one identity model, one configuration baseline, and one log format. Multi-cloud security has to reconcile three of each. The same human or workload identity may hold permissions in every provider, configuration mistakes take a different shape in each, and audit logs use incompatible schemas, so the core challenge is consistency and correlation across the seams.

Who is responsible for security in a multi-cloud environment?

Responsibility is shared, and it shifts with the service model. The provider always secures the underlying infrastructure. The customer always secures their own data, identities, and access policies, and takes on more of the stack for infrastructure services than for software services. In multi-cloud, the customer has to apply that responsibility separately in each provider, because the boundary sits in a slightly different place and is worded differently in each.

What is the difference between CSPM and CIEM?

CSPM (Cloud Security Posture Management) answers "how are my resources configured" by continuously checking cloud configurations against best-practice baselines and flagging misconfigurations like public buckets and open firewall rules. CIEM (Cloud Infrastructure Entitlement Management) answers "who can do what" by discovering identities, calculating their effective permissions, and flagging over-privileged or unused entitlements. Posture management prevents exposed data; entitlement management prevents privilege escalation.

Why is identity the biggest risk in multi-cloud?

Because a federated identity often holds standing permissions in every cloud at once. An attacker who compromises one identity inherits access to all of them and can move between providers by reusing the same credentials, with each cloud treating the activity as legitimate. That makes least-privilege enforcement and entitlement visibility across providers the single highest-leverage control in a multi-cloud program.

What tools help secure a multi-cloud environment?

CSPM tools standardize configuration and compliance checks across providers. CIEM tools manage identities and entitlements across clouds. A cloud-native application protection platform (CNAPP) combines posture, entitlement, and workload protection in one console. For detection, a SIEM or cloud detection and response platform centralizes and normalizes the audit logs from each provider so a SOC can correlate activity across all of them.

Practice track
SOC Analyst Tier 2
Advance your expertise with hands-on labs focusing on threat detection, in-depth log analysis, and the effective use of SIEM tools for investigating and triaging incidents.
Browse SOC Analyst Tier 2 Labs โ†’