The programThe Cloud Security ProgramProgram overview
  1. Foundation — accounts, identity & guardrailsPublished
  2. Network & Perimeter — segmentation & private connectivityComing Aug 2026
  3. Data & Secrets — encryption, KMS & storageComing Sep 2026
  4. Detection & Response — logging, CSPM & threat detectionComing Oct 2026
  5. Govern & Comply — policy-as-code & continuous complianceComing Nov 2026
Frameworks14 Jul 20268 min read

The Cloud Security Program: A Multi-Cloud Security Playbook for AWS, GCP & Azure

A phased, monthly program to build real security into AWS, GCP and Azure — this overview maps the five phases; each month a deep, technical part ships.

Securing a cloud estate is not a checklist you run once — it is a program. The default posture of every cloud account is optimised for getting started fast, not for staying secure, and the gap between the two is where nearly every cloud breach lives: a public storage bucket, an over-permissive role, a long-lived access key in a repo, a region nobody was supposed to deploy into. Closing that gap across AWS, GCP and Azure all at once — accounts, identity, network, data, detection and governance — is how teams end up with a sprawl of half-configured services and no real security. So we are running it the way it actually works: as a phased program, released one deep, technical part per month. This overview is the map. It frames the five phases, shows where you are heading, and links each installment as it ships — so you can adopt the program at a pace a lean team can sustain, one phase at a time, each building on the last.

The guiding principle underneath every part is the same: make the secure configuration the default, enforced by the platform — not a rule people are asked to remember. In the cloud, a guardrail that a team can click past is not a control. A guardrail the platform refuses to let them cross is.

Why multi-cloud security is its own discipline

Cloud security is not "server security with a web console." The threat model is different. There is no network perimeter to hide behind; the control plane — the APIs that create, configure and destroy every resource — is the perimeter, and it is reachable from the internet by anyone with a credential. That inverts the priorities: identity, configuration and the API audit trail matter more than patching a host, because a single leaked key or an over-broad role can expose an entire environment in one call.

It gets sharper when you run more than one cloud. Most startups and SMEs do — GCP for the data platform, AWS for the product, Azure because of Entra ID and Microsoft 365, or some inheritance from an acquisition. Each cloud has its own identity model, its own policy engine, its own logging pipeline and its own set of ways to accidentally make something public. Securing three clouds by learning three unrelated products is exhausting and error-prone. Securing them by applying one method expressed three ways is tractable — and that is what this program teaches.

Underneath all of it sits the shared-responsibility model. The provider secures the cloud — the hardware, the hypervisor, the managed-service backplane. You secure what you put in it — your identities, your configurations, your data, your network rules, your code. Every provider publishes this line, and every serious cloud incident happens on the customer's side of it. This program is the customer's side, done properly.

Why a phased, monthly program

Three reasons this beats a single mega-guide you skim once and forget:

  • It matches how a team absorbs change. Each phase is a few weeks of focused work layered on top of normal delivery. A month is enough to adopt one phase properly across all three clouds before the next lands.
  • Each phase de-risks the next. You cannot meaningfully control your network before the account structure and identity that own it exist. You cannot detect threats before logging is turned on and centralised. The order is deliberate.
  • It compounds into compliance. Done in sequence, the program turns frameworks like ISO 27001, SOC 2, ENS, NIS2 and DORA — and the CIS cloud benchmarks — from a future crisis into a natural output of how you already run, because the controls and their evidence are produced along the way.

The program map

The program moves through five phases. The overview you are reading is Part 0; Parts 1–5 each ship as a standalone, technical deep-dive with real configuration, code and a scope-bounded "definition of done" — and every part covers AWS, GCP and Azure side by side.

The five-phase program

  1. 01

    Foundation

    Accounts, identity & guardrails

  2. 02

    Network & Perimeter

    Segmentation & private connectivity

  3. 03

    Data & Secrets

    Encryption, KMS & storage hardening

  4. 04

    Detection & Response

    Logging, CSPM & threat detection

  5. 05

    Govern & Comply

    Policy-as-code & continuous compliance

Here is the arc of the five monthly parts:

  • Part 1 — Foundation. Account and organization structure, centralised identity, and preventative guardrails that individual teams cannot override — the ground everything else stands on. (Available now.)
  • Part 2 — Network & Perimeter. Segmentation, private connectivity, controlled egress, and edge protection (WAF/DDoS) across the three clouds.
  • Part 3 — Data & Secrets. Encryption everywhere, KMS and key management, a secrets baseline, storage hardening, and data-residency controls.
  • Part 4 — Detection & Response. Centralised cloud logging, CSPM, threat detection, a SIEM pipeline, and an incident-response plan you have rehearsed.
  • Part 5 — Govern & Comply. Policy-as-code guardrails, continuous compliance against the CIS benchmarks, drift detection, and framework mapping.

Each part is deliberately scope-bounded: it tells you exactly what is in scope, what is explicitly not (yet), the concrete configuration for each cloud, and how to know the phase is done before you move on.

The three clouds, one method

The single most useful thing to internalise before Part 1: the concepts are the same across AWS, GCP and Azure — only the service names differ. Every cloud gives you a way to group workloads into an isolating hierarchy, a way to centralise human identity, a way to grant machines credentials without long-lived keys, a way to enforce org-wide rules a team cannot override, and a way to record every API call. Learn the concept — a preventative, org-wide guardrail; a centralised audit log; workload identity without static keys — and the three implementations become translations of one idea rather than three things to memorise.

That is why every part of this program is structured as a three-column comparison. When you see that an AWS Service Control Policy, a GCP Organization Policy and an Azure Policy are the same control wearing three different badges, a multi-cloud estate stops being three times the work and becomes one method applied three times.

How to use this program

  • Start with Part 1 and go in order. The sequence is load-bearing; skipping ahead leaves gaps the later phases assume are closed.
  • Adopt one phase per month. Read the part, implement it against your own accounts, reach its "definition of done", then move on. A phase half-done is worse than a phase not started, because it creates a false sense of coverage.
  • Do all three clouds, even the small one. The forgotten Azure subscription or the one-project GCP org is exactly where an incident starts. If you only run one cloud today, read only that column — the method still holds.
  • Keep the evidence. From Part 1 onward, every guardrail and log pipeline you stand up should emit evidence as it runs. By Part 5 that evidence is your compliance story — no pre-audit scramble.

Conclusion

Cloud security is built the same way you build the product: iteratively, pragmatically, and close to the platform you already run on. This program gives you the sequence and the depth — a phase a month, each shippable, each building on the last, each covering AWS, GCP and Azure together — so security compounds quietly in the background instead of arriving as a fire drill after a finding. Begin with Part 1 — Foundation, and the rest follows.

The program is exactly the outcome ISMShed is built to support: it connects to the cloud accounts and guardrails you stand up across these phases and turns their posture into continuous, framework-mapped audit evidence across ISO 27001, ENS, NIS2, DORA, SOC 2 and GDPR — with an AI Compliance Copilot to keep the control-to-configuration mapping current. And when you want experienced hands to sequence the rollout across your clouds, Axelia's cloud-security and GRC consultants can run the program alongside you. Start with Part 1 — the rest compounds from there.

Up next
Foundation — accounts, identity & guardrails

Talk to an expert

Don't wait for the guide. Book a call with our AI-CISO team and get a tailored roadmap to ISO 27001, NIS2, ENS or DORA compliance.