8 April 2025

Cloud security has to be native to the cloud

Manual processes can't keep pace with cloud-speed change. Experts are in short supply. Security has to be baked into the infrastructure itself — and into the pipelines that ship it.

Shamsher
  • Security
  • DevSecOps
  • Cloud

It’s no doubt cloud adoption has hit a tipping point, yet the security needed to protect it has stagnated. Security can no longer rely on experts, who are in short supply, or on manual processes, which are unable to keep pace. It needs to be native to the cloud.

What “native” actually means

When we say cloud-native security, we mean three things:

  1. Policy as code. Every guardrail — naming, tagging, region restrictions, allowed SKUs, network controls — expressed in Azure Policy, Defender for Cloud recommendations, or Bicep validation. Reviewable, versioned, auditable.
  2. Pipeline-gated changes. Infrastructure-as-Code goes through the same PR review and automated checks as application code. bicep build, what-if, Checkov, Defender for Cloud GitHub Action — all running on every PR.
  3. Continuous posture management. Defender for Cloud, Microsoft Sentinel, and Azure Monitor producing signal that a small team can actually act on, not a 1,000-finding inbox no-one reads.

The DevSecOps shift

Traditional DevSecOps focuses on shifting application security left into CI. That’s necessary but no longer sufficient. The cloud infrastructure itself is now the dominant attack surface — misconfigured storage, public databases, over-permissive identities, exposed management endpoints.

We change this by addressing cloud infrastructure security inside the same CI/CD pipelines that ship the IaC. Findings come back as PR comments, not after-the-fact tickets. Fixes go in at the source, not as one-off remediations.

Where we start

For most engagements we start with three deliverables:

  • A landing zone baseline that locks down identity, networking, and logging.
  • Pipeline templates that scan IaC, validate against policy, and require approvals before production.
  • A 30-day posture review that turns Defender for Cloud and Sentinel signal into a prioritised remediation backlog.

From there we can extend into Zero Trust Network Access, Fortinet integration, and Essential Eight maturity uplift — whatever the next risk on your map is.