Solution Atlas
Everyday · User story · Consultative playbook

We are multi-cloud and have no single picture of our security posture

A platform team runs production workloads in Azure, AWS, and a small GCP footprint. Each cloud has its own posture tools, the SOC has three sets of dashboards, and the CISO cannot answer "are we exposed?" without a week of cross-team work.

Trigger
Multi-cloud sprawl; CISO needs a single posture dashboard.
Good outcome
Defender for Cloud across all three hyperscalers, single secure-score view, attack-path analysis enabled.
Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

  • Production workloads on Azure plus AWS plus a small GCP footprint
  • Each cloud has its own posture tooling and dashboard
  • SOC works from multiple consoles to triage a single incident
  • CISO unable to produce a single secure-score across the estate
  • Compliance reporting per cloud, not unified

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

  1. What's your production workload distribution across Azure, AWS, and GCP?

    Why: Sizes the multi-cloud surface area.

  2. Which posture tools are live in each cloud today — native (Azure Defender, AWS Security Hub, GCP SCC) or third-party?

    Why: Determines integration points and replacement scope.

  3. When a cross-cloud incident occurs, who triages it and how?

    Why: Cross-cloud incidents are where the gap shows.

  4. What compliance frameworks must you attest to — SOC 2, PCI, ISO, FedRAMP?

    Why: Defender for Cloud has built-in frameworks; surfaces which apply.

  5. Where do security alerts route today — one SIEM, many, or per-cloud consoles?

    Why: Tests whether Sentinel federation is needed.

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

Each cloud has its own posture tooling (Azure Defender for Cloud, AWS Security Hub, GCP Security Command Center). SOC works from three dashboards. Alerts route to different SIEMs or per-cloud queues. Compliance reporting produced per cloud and manually reconciled.

Typical concerns

  • Cross-cloud blind spots
  • Triage time inflated by console-switching
  • Inconsistent compliance reporting
  • Different control frameworks applied per cloud
  • CISO cannot produce a single posture answer

Capability gaps

  • Single multi-cloud posture dashboard
  • Unified secure-score across hyperscalers
  • Attack-path analysis spanning clouds
  • Unified compliance attestation
  • Single SIEM for all clouds

Target architecture

Defender for Cloud as the multi-cloud CSPM + CWPP plane, with AWS and GCP connectors live. Sentinel as the unified SIEM pulling alerts from all three Defender connectors and non-Microsoft sources. Entra ID P2 + Identity Protection signals cross-cloud. Compliance frameworks mapped once, reported across.

Key capabilities

  • Single multi-cloud secure-score
  • Attack-path analysis spanning clouds
  • Unified SIEM via Sentinel
  • Cross-cloud identity signals
  • Unified compliance attestation
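The "single multi-cloud secure-score" above is only meaningful if the per-environment scores are combined by weight, not averaged. The following is an added example (not code from the Solution Atlas playbook or from Defender for Cloud) that aggregates a constructed sample of rows shaped like the Resource Graph `securityresources` records of type `microsoft.security/securescores`; the `environment` label on each row is an assumption used to attribute rows to a cloud.

```python
"""Unified secure score across onboarded cloud environments (added example).

Rows are a constructed sample shaped like the ``securityresources`` records of type
``microsoft.security/securescores`` that Azure Resource Graph returns for Defender for
Cloud (``properties.score.current`` / ``properties.score.max``). The ``environment``
label on each row is an assumption added here to attribute rows to a cloud.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample: two Azure subscriptions, one AWS account, one GCP project,
# plus a freshly connected GCP project with nothing assessed yet (max == 0).
SAMPLE_ROWS: List[dict] = [
    {"name": "ascScore", "environment": "Azure", "properties": {"score": {"current": 41, "max": 58}}},
    {"name": "ascScore", "environment": "Azure", "properties": {"score": {"current": 9, "max": 10}}},
    {"name": "ascScore", "environment": "AWS", "properties": {"score": {"current": 12, "max": 40}}},
    {"name": "ascScore", "environment": "GCP", "properties": {"score": {"current": 5, "max": 6}}},
    {"name": "ascScore", "environment": "GCP-sandbox", "properties": {"score": {"current": 0, "max": 0}}},
]


def unified_secure_score(rows: List[dict]) -> Dict[str, object]:
    """Aggregate per-environment scores into one estate-wide percentage.

    The unified figure is sum(current) / sum(max), so a large, weak AWS estate
    pulls the number down in proportion to its size. The naive mean of the
    per-environment percentages is returned too, to show how far it drifts.
    Environments with max == 0 are skipped rather than reported as 0% or NaN.
    """
    current = defaultdict(float)
    maximum = defaultdict(float)
    for row in rows:
        score = row["properties"]["score"]
        current[row["environment"]] += float(score["current"])
        maximum[row["environment"]] += float(score["max"])

    # Per-environment percentage, dropping environments with nothing assessed yet.
    per_env = {env: round(100.0 * current[env] / maximum[env], 1) for env in maximum if maximum[env] > 0}
    total_current = sum(current[env] for env in per_env)
    total_max = sum(maximum[env] for env in per_env)
    unified = round(100.0 * total_current / total_max, 1) if total_max else None
    naive = round(sum(100.0 * current[e] / maximum[e] for e in per_env) / len(per_env), 1) if per_env else None
    return {"per_environment": per_env, "unified_pct": unified, "naive_mean_pct": naive}


if __name__ == "__main__":
    print(unified_secure_score(SAMPLE_ROWS))
```

On the sample the weighted estate-wide score is 58.8% while the naive mean of the three environments is 62.3%, which is the kind of gap a CISO-facing dashboard must not hide.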

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

  1. Decision 1: CSPM tier — free baseline vs paid CSPM tenant-wide

    Free baseline only

    When it fits: Early multi-cloud rollout; cost-sensitive.

    Trade-offs: No attack-path analysis, no agentless scanning, no DevOps posture.

    Paid CSPM tenant-wide

    When it fits: Production estates with meaningful multi-cloud surface.

    Trade-offs: Per-resource cost — model carefully for AWS/GCP connectors.

    Default recommendation: Free baseline tenant-wide on day one; paid CSPM where workload risk justifies.

  2. Decision 2: AWS/GCP connector scope — full vs selective

    Full estate

    When it fits: Unified posture across all multi-cloud workloads.

    Trade-offs: Per-resource billing scales with estate.

    Selective (production-critical only)

    When it fits: Cost-sensitive; phased rollout.

    Trade-offs: Posture gaps in non-critical workloads.

    Default recommendation: Selective by production tier; expand as the secure-score baseline stabilises.

  3. Decision 3: SIEM stance — Sentinel as primary vs federation with existing SIEM

    Sentinel as primary

    When it fits: Existing legacy SIEM up for renewal; consolidate alerting.

    Trade-offs: Migration cost; existing detection content to translate.

    Federation with existing SIEM

    When it fits: Legacy SIEM contract has years left.

    Trade-offs: Two SIEMs to operate; not cheaper.

    Default recommendation: Sentinel primary at next legacy renewal; federate during transition.

Low-risk trial — proof of value

60-day Defender for Cloud rollout across AWS + GCP + Sentinel integration

8 weeks

Defender for Cloud free CSPM enabled tenant-wide. AWS and GCP connectors deployed. Paid CSPM on the most-critical workloads. Sentinel receives Defender alerts from all three clouds. Identity Protection wired. Single secure-score dashboard published to CISO.

Success criteria

  • Single multi-cloud secure-score baseline published
  • Cross-cloud attack-path analysis available for at least one scenario
  • SOC triages a cross-cloud incident from a single Sentinel queue
  • Compliance reporting produced for one shared framework across all clouds

Investment: Defender CSPM per-resource billing (Azure free, AWS/GCP ~1% of monitored spend). Sentinel consumption. No legacy SIEM contract changes during trial.

Proof metrics

  • Single secure-score reported to CISO
  • Cross-cloud MTTR reduced versus baseline
  • Compliance reporting time reduced by 50%+
  • Attack-path scenarios surfaced and remediated

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.
