According to the 2025 State of Cloud Security Report, 55% of organizations are now multi-cloud by design, with some managing deployments across as many as five cloud providers. The rationale is clear: multi-cloud computing offers tangible benefits, including provider specialization, improved resiliency, performance optimization, and reduced dependency on a single vendor.

Yet with these advantages come increased complexity, especially when it comes to securing these environments. Multi-cloud security was a key focus of a recent Cloud Security Live session featuring Ben Godard, Head of Security at Spotnana, and Ashish Rajan, host of the Cloud Security Podcast and co-host of AI Security Podcast. 

Drawing on Ben’s experience leading security efforts at multiple organizations, including Microsoft and now Spotnana, the conversation offered pragmatic lessons for teams grappling with multi-cloud challenges. In this post, we examine five key takeaways from the session.

1. Multi-cloud isn’t always a choice—it’s a reality

While many organizations adopt multi-cloud for strategic reasons, such as avoiding vendor lock-in, for others it emerges organically. 

  • Different teams bring different cloud expertise. In an effort to accommodate the expertise of existing and new team members, organizations often adopt multiple cloud providers over time.  
  • Cloud specialization drives the need for diversification. For example, some organizations may use AWS for infrastructure, Azure for automation, and GCP for Workspace automation—each selected for specific strengths.
  • Even if your stack is “single-cloud,” your ecosystem probably isn’t. SaaS providers, CI/CD services, and identity platforms may use different cloud providers, requiring a multi-cloud approach to gain unified visibility.

Rather than an edge case, multi-cloud adoption is the new normal for organizations.

2. Identity is the cornerstone of multi-cloud security

In modern cloud security, identity is the new perimeter—and the most critical layer to secure.

  • The cloud “domain admin” is now a privileged identity. In a multi-cloud world, gaining access to a user or service account can grant lateral movement across environments.
  • SSO and strong identity mapping across clouds are foundational. Cloud identities (human and non-human) must ultimately trace back to individuals, ensuring attribution during investigations.
  • Service identities require the same scrutiny as human users. Just because they don’t go on vacation doesn’t mean they should be overlooked. Least privilege must apply to machine accounts too.

“Your biggest threat is identity,” Ben emphasized. “If you don’t know who did something and why, everything else is noise.”

3. Prioritize unified, cloud-agnostic visibility

Each cloud provider offers powerful native security tooling—e.g., AWS GuardDuty, Microsoft Defender, GCP Chronicle—but these don’t work well in isolation.

  • Incidents don’t care about cloud boundaries. Attackers will pivot from AWS to Azure if the opportunity presents itself. Security teams need the same flexibility in detection and response.
  • Switching between consoles is inefficient and error-prone. Especially during an incident, toggling between interfaces or correlating logs wastes critical time.
  • A single pane of glass, even if not perfect, is more actionable. While native security tools offer some advantages over cloud-agnostic tools, they don’t outweigh the benefits of gaining unified visibility across a multi-cloud estate.

The ability to correlate logs, identities, and events across environments—especially during an investigation—can mean the difference between containment and compromise.
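The attribution and correlation points in sections 2 and 3 come together in the following added example (not code from the session or from Spotnana): two constructed log records, one CloudTrail-like and one Azure-Activity-like, are normalized into a common schema and keyed on the human owner from an assumed SSO mapping, so that one person acting in two clouds within a short window shows up as a single correlated finding rather than two unrelated console entries.

```python
"""Cross-cloud event correlation keyed on a person, not on per-cloud principals."""
from datetime import datetime, timedelta, timezone

# Constructed SSO mapping (assumption): cloud principal -> human owner.
IDENTITY_MAP = {
    ("aws", "arn:aws:iam::111122223333:role/ci-deployer"): "jane@example.com",
    ("azure", "ci-deployer-sp"): "jane@example.com",
}

# Constructed sample records shaped like CloudTrail and Azure Activity Log entries.
AWS_EVENT = {"eventTime": "2025-06-01T10:00:05Z", "eventName": "AssumeRole",
             "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deployer"}}
AZURE_EVENT = {"eventTimestamp": "2025-06-01T10:03:40Z",
               "operationName": "Microsoft.Authorization/roleAssignments/write",
               "caller": "ci-deployer-sp"}

def normalize(cloud, raw):
    """Flatten a provider-specific record into one schema that carries the human owner."""
    if cloud == "aws":
        ts, action, principal = raw["eventTime"], raw["eventName"], raw["userIdentity"]["arn"]
    elif cloud == "azure":
        ts, action, principal = raw["eventTimestamp"], raw["operationName"], raw["caller"]
    else:
        raise ValueError(f"unsupported cloud: {cloud}")
    owner = IDENTITY_MAP.get((cloud, principal))  # None means the identity is unattributed
    return {"time": datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc),
            "cloud": cloud, "action": action, "principal": principal, "owner": owner}

def correlate(events, window=timedelta(minutes=10)):
    """Group by owner; report owners active in more than one cloud inside the window,
    plus any events whose principal could not be traced back to a person."""
    by_owner = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_owner.setdefault(ev["owner"], []).append(ev)
    findings = []
    for owner, evs in by_owner.items():
        clouds = {e["cloud"] for e in evs}
        if owner and len(clouds) > 1 and evs[-1]["time"] - evs[0]["time"] <= window:
            findings.append((owner, sorted(clouds)))
    unattributed = [e for e in events if e["owner"] is None]
    return findings, unattributed

if __name__ == "__main__":
    print(correlate([normalize("aws", AWS_EVENT), normalize("azure", AZURE_EVENT)]))
```

Unattributed events are returned separately on purpose: a principal missing from the identity map is itself a gap to close before an incident, not just noise to drop.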

4. Embrace exploitability in Vulnerability Management

Traditional vulnerability management often centers around CVE scores, patch SLAs, and compliance reporting. This doesn’t reflect the reality of severe security incidents such as data breaches.

  • Attackers don’t always need CVEs. More often than not, breaches stem from weak identities, over-permissioned roles, or misconfigurations.
  • Risk context matters more than raw counts. Vulnerabilities behind air-gapped firewalls or in dormant workloads are less urgent than those exposed to the public internet or accessible from lateral paths.
  • Prioritize vulnerabilities that are reachable and exploitable. The ability to tie a vulnerability to a critical asset—and see where it sits in the attack chain—is where multi-cloud vulnerability management must evolve.

Organizations should identify their crown jewels and focus remediation on what attackers are most likely to target.
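As an added illustration of the prioritization argument above (this is example code, not a tool from the session), the ranking below multiplies a finding’s CVSS base score by reachability, known-exploit availability and asset criticality, and deprioritizes dormant workloads. The findings and the weights are constructed assumptions chosen to show the ordering, not a published scoring standard.

```python
"""Rank findings by reachability and asset criticality instead of raw CVSS."""
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cvss: float              # base score, 0-10
    internet_exposed: bool   # reachable from the public internet
    lateral_reachable: bool  # reachable from an already-exposed host
    exploit_known: bool      # a public exploit exists
    running: bool            # dormant workloads are tracked but rarely urgent
    crown_jewel: bool        # holds or fronts sensitive data

def priority(f: Finding) -> float:
    """Higher means fix first. Exposure, exploitability and criticality scale the base score."""
    if not f.running:
        return round(f.cvss * 0.1, 2)  # dormant: nothing to reach until it is started
    reach = 1.0 if f.internet_exposed else 0.6 if f.lateral_reachable else 0.2
    exploit = 1.5 if f.exploit_known else 1.0
    asset = 2.0 if f.crown_jewel else 1.0
    return round(f.cvss * reach * exploit * asset, 2)

def rank(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority, reverse=True)

# Constructed sample estate: the highest CVSS is on a dormant batch host,
# while a medium CVSS sits on an internet-facing crown-jewel API.
FINDINGS = [
    Finding("batch-dormant", 9.8, False, False, True, False, False),
    Finding("internal-wiki", 9.1, False, False, False, True, False),
    Finding("payments-api", 6.5, True, False, True, True, True),
    Finding("bastion", 7.2, True, True, False, True, False),
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{priority(f):6.2f}  cvss={f.cvss}  {f.asset}")
```

With these weights the 6.5 on payments-api outranks the 9.8 on the dormant batch host, which is the point of section 4: a score alone does not say where the asset sits in an attack path.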

5. Bridge skill gaps with training and AI Security

No single person or team can be an expert in all cloud platforms. The learning curve between clouds is real.

  • Transitioning skills from one cloud to another is difficult. Going from AWS to Azure or another cloud is like driving on the opposite side of the road. It requires new skills, knowledge, and orientation.
  • Upskilling takes time and strategic timing. Organizations should understand that it takes time and capacity to learn new platforms properly.
  • AI tools can accelerate onboarding. AI security tools can speed up remediation workflows when they are used for guidance rather than treated as a source of perfect answers.

AI won’t eliminate the need for cloud fluency, but it can democratize access to knowledge and help teams operate across unfamiliar terrain with more confidence.

Mastering the multi-cloud mindset

The session underscored a key reality: multi-cloud security demands a unified approach.

From identity governance to risk prioritization, unified visibility to skills development, organizations must evolve from siloed cloud thinking to a holistic cloud strategy. Attackers won’t stop at cloud boundaries—and defenders can’t afford to either. As the multi-cloud landscape continues to expand, the principles shared by Ben and Ashish provide a clear and actionable blueprint for navigating this complexity with confidence. Catch their entire discussion and all the other sessions here.