Multi-cloud was sold as “avoid vendor lock-in.” In practice, multi-cloud means carrying the attack surface of every cloud you use. Each cloud has its own IAM, its own security tools, its own event schema, its own corner cases. Security teams manage complexity N times instead of once. This module closes the Cloud Mindset track by addressing the tax of multi-cloud.

Why this happens

Acquisitions inherit workloads on different clouds
Different teams choose based on skill or preference
Specific services only on specific clouds (AWS for breadth, GCP for BigQuery, Azure for M365 integration)
Region availability / pricing / compliance drives splits
Vendor-negotiation leverage (whether achieved or not)

Reality: most “multi-cloud” organizations are single-cloud-primary with 10-20% in secondary clouds. The 10-20% carries disproportionate operational cost.

Security costs of multi-cloud

Per-cloud skillset

AWS IAM ≠ Azure RBAC ≠ GCP IAM. Each has syntactic and semantic differences. Security engineers need depth in each. One organization’s AWS expertise may be weak on Azure.

Divergent defaults

AWS: S3 public-block now strong default; legacy accounts weaker
Azure: Security Defaults applies some baselines; custom Conditional Access often disables them
GCP: Organization Policies required for tight defaults

You can’t copy-paste hardening guidance.

N × CSPM

Either one CSPM covering all clouds (commercial tools like Wiz, Orca, Prisma) or native CSPM per cloud (Defender for Cloud + AWS Security Hub + GCP SCC). Either approach is expensive and requires team familiarity.

Identity federation complexity

Entra ID as corporate directory
Federated to AWS via SAML
Federated to GCP via Cloud Identity SAML
Per-cloud roles mapped from SAML claims
Group changes in Entra must propagate
Service accounts per cloud separate

Inter-cloud connectivity

Cloud-to-cloud trust paths (AWS role trusting GCP workload identity, etc.) add new attack vectors. Each federation is a potential compromise path.

🔐 Advanced Module · Pro Tier

Continue reading with Pro tier (₹4,999/year)

You've read 25% of this module. Unlock the remaining deep-dive, quiz, and every other Advanced/Expert module.

136+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

6 more sections locked below

Module 10 · Multi-Cloud — The Complexity Tax 🔒

Why this happens

Security costs of multi-cloud

Per-cloud skillset

Divergent defaults

N × CSPM

Identity federation complexity

Inter-cloud connectivity

Continue reading with Pro tier (₹4,999/year)

Other modules in this track

Module 2 · Cloud IAM — Where Most Breaches Live <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 3 · Metadata Endpoints — Still the Killer Chain <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 7 · Cloud Supply Chain — CI to Production <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>