Solution Atlas
EverydayUser storyConsultative playbook

We're across multiple clouds and have no single view of our security position

The platform team runs production workloads in Azure, AWS, and a small Google Cloud footprint. Each cloud has its own security tooling, the security operations team works from three sets of dashboards, and the CISO can't answer "are we exposed?" without a week of cross-team work.

Trigger
Multi-cloud sprawl; the CISO needs a single security view.
Good outcome
One dashboard shows the security score across all three clouds and which exposed paths an attacker could take. The CISO can answer "are we exposed?" in a meeting, not a week.
Discovery — signals and questions

Signals validating this story

  • ·Production workloads on Azure plus AWS plus a small GCP footprint
  • ·Each cloud has its own posture tooling and dashboard
  • ·SOC works from multiple consoles to triage a single incident
  • ·CISO unable to produce a single secure-score across the estate
  • ·Compliance reporting per cloud, not unified

Discovery questions

  1. 1.What's your production workload distribution across Azure, AWS, and GCP?

    WhySizes the multi-cloud surface area.

  2. 2.Which posture tools are live in each cloud today — native (Azure Defender, AWS Security Hub, GCP SCC) or third-party?

    WhyDetermines integration points and replacement scope.

  3. 3.When a cross-cloud incident occurs, who triages it and how?

    WhyCross-cloud incidents are where the gap shows.

  4. 4.What compliance frameworks must you attest to — SOC 2, PCI, ISO, FedRAMP?

    WhyDefender for Cloud has built-in frameworks; surfaces which apply.

  5. 5.Where do security alerts route today — one SIEM, many, or per-cloud consoles?

    WhyTests whether Sentinel federation is needed.

Baseline architectureTarget architecture
Baseline architecture

Each cloud has its own posture tooling (Azure Defender for Cloud, AWS Security Hub, GCP Security Command Center). SOC works from three dashboards. Alerts route to different SIEMs or per-cloud queues. Compliance reporting produced per cloud and manually reconciled.

Typical concerns

  • ·Cross-cloud blind spots
  • ·Triage time inflated by console-switching
  • ·Inconsistent compliance reporting
  • ·Different control frameworks applied per cloud
  • ·CISO cannot produce a single posture answer

Capability gaps

  • ·Single multi-cloud posture dashboard
  • ·Unified secure-score across hyperscalers
  • ·Attack-path analysis spanning clouds
  • ·Unified compliance attestation
  • ·Single SIEM for all clouds
Target architecture

Defender for Cloud as the multi-cloud CSPM + CWPP plane, with AWS and GCP connectors live. Sentinel as the unified SIEM pulling alerts from all three Defender connectors and non-Microsoft sources. Entra ID P2 + Identity Protection signals cross-cloud. Compliance frameworks mapped once, reported across.

Key capabilities

  • Single multi-cloud secure-score
  • Attack-path analysis spanning clouds
  • Unified SIEM via Sentinel
  • Cross-cloud identity signals
  • Unified compliance attestation
Architecture decisions
  1. 1.CSPM tier — free baseline vs paid CSPM tenant-wide

    Free baseline only

    Fits whenEarly multi-cloud rollout; cost-sensitive.

    Trade-offsNo attack-path analysis, no agentless scanning, no DevOps posture.

    Paid CSPM tenant-wide

    Fits whenProduction estates with meaningful multi-cloud surface.

    Trade-offsPer-resource cost — model carefully for AWS/GCP connectors.

    Default recommendationFree baseline tenant-wide on day one; paid CSPM where workload risk justifies.

  2. 2.AWS/GCP connector scope — full vs selective

    Full estate

    Fits whenUnified posture across all multi-cloud workloads.

    Trade-offsPer-resource billing scales with estate.

    Selective (production-critical only)

    Fits whenCost-sensitive; phased rollout.

    Trade-offsPosture gaps in non-critical workloads.

    Default recommendationSelective by production tier; expand as the secure-score baseline stabilises.

  3. 3.SIEM stance — Sentinel as primary vs federation with existing SIEM

    Sentinel as primary

    Fits whenExisting legacy SIEM up for renewal; consolidate alerting.

    Trade-offsMigration cost; existing detection content to translate.

    Federation with existing SIEM

    Fits whenLegacy SIEM contract has years left.

    Trade-offsTwo SIEMs to operate; not cheaper.

    Default recommendationSentinel primary at next legacy renewal; federate during transition.

Low-risk trial — proof of value

60-day Defender for Cloud rollout across AWS + GCP + Sentinel integration

~8 weeks

Defender for Cloud free CSPM enabled tenant-wide. AWS and GCP connectors deployed. Paid CSPM on the most-critical workloads. Sentinel receives Defender alerts from all three clouds. Identity Protection wired. Single secure-score dashboard published to CISO.

Success criteria

  • Single multi-cloud secure-score baseline published
  • Cross-cloud attack-path analysis available for at least one scenario
  • SOC triages a cross-cloud incident from a single Sentinel queue
  • Compliance reporting produced for one shared framework across all clouds

InvestmentDefender CSPM per-resource billing (Azure free, AWS/GCP ~1% of monitored spend). Sentinel consumption. No legacy SIEM contract changes during trial.

Proof metrics

  • ·Single secure-score reported to CISO
  • ·Cross-cloud MTTR reduced versus baseline
  • ·Compliance reporting time reduced by 50%+
  • ·Attack-path scenarios surfaced and remediated

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

Back to Cloud security posture