As organisations continue modernising and scaling their cloud estate, one principle must remain constant: the shared responsibility model. Cloud Service Providers (CSPs) secure the infrastructure, hypervisors and core managed services, and organisations must secure the configurations, identities, data and workloads they deploy.
But what does this mean?
CSPs such as AWS, Microsoft Azure, and Google Cloud design their platforms with a security-first philosophy. Clients, however, retain significant control over how services are configured and deployed, and that is where the risk sits: misconfigurations, overly permissive access policies, and unmanaged assets remain leading causes of cloud security incidents. This dynamic has led the cloud providers to create and maintain a clear Shared Responsibility Model, which defines where provider and client obligations diverge.
Under this model, the provider is responsible for security of the cloud: securing the infrastructure, hypervisors, and managed services that form the platform foundation. Clients, on the other hand, own security in the cloud: the proper configuration, access control, and monitoring of the workloads, data, and services they deploy. In AWS terminology, this distinction separates the provider's infrastructure protection from the client's responsibility for application and data layer security.
As enterprise cloud adoption scales, managing exposure within dynamic, multi-cloud environments has become a critical element of security governance and operational risk management. Technical assurance now extends beyond perimeter defence to continuous visibility, configuration hygiene, and compliance enforcement across distributed workloads.
From CSPM to CNAPP: how the ecosystem evolved
Cloud Security Posture Management (CSPM) tools were designed to solve exactly this by continuously scanning cloud configurations, detecting drift, and enforcing good practice across services.
Cloud-Native Application Protection Platforms (CNAPPs) then followed, offering broader ecosystems that combine CSPM with Cloud Workload Protection Platforms (CWPP), Cloud Infrastructure Entitlement Management (CIEM), and Data Security Posture Management (DSPM). Together, they give a single, panoramic view of cloud risk.
Still, a “single pane of glass” rarely means a single definition: each vendor interprets these categories differently. For many security teams, even comparing tools becomes an exercise in translation.
Where the challenges lie
In principle, CSPM and CNAPP sound clean; in real life, they’re messy.
Our research and testing showed consistent friction points:
- Skills and resources: effective deployment demands expertise across cloud architecture, security, and engineering. Tools often fail when teams lack the time or technical depth to operationalise them.
- No standard vocabulary: “critical”, “high”, and “contextual risk” mean different things in every platform. This lack of severity alignment complicates reporting and governance.
- Cost unpredictability: usage-based pricing linked to data ingestion or asset count makes cost forecasting difficult at scale.
- Noise and false positives: the volume of findings can overwhelm even mature teams unless tuning and triage are embedded early.
- Complex onboarding: deploying integrations and remediation pipelines across dozens of accounts or subscriptions usually needs dedicated engineering effort and vendor support.
The reality is that technology alone isn’t the barrier; operating it consistently is.
An effective test framework provides proof, not theory
For CGI, that meant building a bespoke cloud security regression testing framework capable of creating temporary AWS and Azure environments, running controlled misconfiguration tests, collecting data, and tearing everything down automatically, ready for the next scenario.
The aim wasn’t to compare marketing claims but to see how the CNAPP and CSPM ecosystems and tools behave in identical, real-world conditions. Each product faced the same scenarios:
- Infrastructure drift
- Policy violations
- Identity misuse
- Vulnerabilities injected into compute resources and containers
- Data exposure
- Threat intelligence
- Observability during incidents
- User experience and setup challenges
A good framework measures consistency, not perfection, highlighting where a tool delivers repeatable results and where it doesn’t.
Testing times for cloud security
We set out to evaluate today’s leading CSPM and CNAPP platforms in real enterprise conditions, not in isolated labs. Using our AWS and Azure Landing Zone Accelerators, we built full-scale cloud environments complete with guardrails, policies, logging, and automated IaC/PaC pipelines. This meant every scenario reflected how large organisations actually operate.
Across thousands of test runs, some lasting minutes and others days, each cycle followed the same pattern: deploy resources into clean accounts, trigger real-world risks such as misconfigurations or privilege escalations, capture each tool’s findings, validate detection and remediation, then tear everything down for repeatability. This approach revealed not just technical accuracy but also operational maturity and usability.
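One concrete form of the “capture each tool’s findings, validate detection” step, as an added example rather than CGI’s own framework: score a tool’s exported findings against the risks a run deliberately injected, fold each vendor’s severity words and rule names onto one common vocabulary, and flag scenarios that are missed in only some repeats of an identical run. The resource names, rule names, severity labels and findings are all constructed sample data.

```python
"""Score a tool's findings against the risks a regression run injected, then check repeatability.
Added illustration, not CGI's framework: control ids, vendor labels and findings are constructed."""
from dataclasses import dataclass
# Vendors disagree on severity words ("critical" vs "P1"); fold them onto one 0-4 scale.
SEVERITY_MAP = {"critical": 4, "p1": 4, "high": 3, "p2": 3,
                "medium": 2, "p3": 2, "low": 1, "p4": 1, "informational": 0}

@dataclass(frozen=True)
class Finding:
    resource: str   # cloud resource the tool reported on
    control: str    # control id in the common vocabulary
    severity: int   # normalised severity, 0-4

def normalise(raw: dict, rule_aliases: dict[str, str]) -> Finding:
    """Map one vendor-specific finding onto the common schema."""
    return Finding(raw["resource"], rule_aliases.get(raw["rule"], raw["rule"]),
                   SEVERITY_MAP.get(str(raw["severity"]).lower(), 0))

def score_run(injected: dict[tuple[str, str], int], reported: list[Finding]) -> dict:
    """injected maps (resource, control) -> severity the scenario warrants."""
    seen = {(f.resource, f.control): f for f in reported}
    detected = [k for k in injected if k in seen]
    return {
        "detection_rate": len(detected) / len(injected) if injected else 1.0,
        "missed": sorted(k for k in injected if k not in seen),
        # findings on the test resources that were never injected: noise to triage
        "noise": sorted(k for k in seen if k not in injected),
        # detected, but graded below the severity the scenario warrants
        "under_rated": sorted(k for k in detected if seen[k].severity < injected[k]),
    }

def flaky_controls(runs: list[dict]) -> set[tuple[str, str]]:
    """Scenarios missed in some repeats of an identical run but not in all of them."""
    missed = [set(r["missed"]) for r in runs]
    return set().union(*missed) - set.intersection(*missed) if runs else set()

# Constructed scenario: three risks injected into one throwaway test account.
INJECTED = {
    ("s3://regression-data-01", "storage-public-access"): 4,   # data exposure
    ("role/test-ci-runner", "iam-admin-policy-attached"): 3,   # identity misuse
    ("sg-0test000", "network-ssh-open-world"): 3,              # infrastructure drift
}
# Constructed export from a hypothetical vendor with its own rule names and P-levels.
VENDOR_A = [
    {"resource": "s3://regression-data-01", "rule": "S3.PublicBucket", "severity": "P1"},
    {"resource": "sg-0test000", "rule": "EC2.SshOpen", "severity": "Medium"},
    {"resource": "role/test-ci-runner", "rule": "IAM.StaleKey", "severity": "Low"},
]
ALIASES_A = {"S3.PublicBucket": "storage-public-access", "EC2.SshOpen": "network-ssh-open-world"}
RESULT_A = score_run(INJECTED, [normalise(f, ALIASES_A) for f in VENDOR_A])
```

For the constructed export, the run scores two of three scenarios detected, one identity scenario missed, one unrelated finding as noise, and the open-SSH scenario under-rated; feeding several repeats of the same run to flaky_controls separates stable gaps from intermittent ones.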
What we evaluated
Our assessments covered onboarding, resource discovery, misconfiguration detection, automated remediation, identity governance, data protection, threat detection, scalability, and overall UX.
What strong tools have in common
Top performers consistently delivered:
- Complete cross-cloud inventory visibility
- Context-rich risk and attack-path mapping
- Automated remediation workflows
- Strong CIEM capabilities
- Data-aware posture through DSPM integration
- Easy, agentless deployment with IaC support
- A natural fit with existing team workflows
Challenges every industry faces
Whether in finance, healthcare, or the public sector, similar themes emerge: tool sprawl, governance drift, inconsistent metrics, limited automation, and tension between security and developer velocity. The takeaway? CSPM and CNAPP platforms are necessary, but success ultimately relies on the people and processes around them.
How CGI helps close the loop
CSPM and CNAPP technologies provide the instruments, but their real power comes from disciplined operation and continuous assurance.
Cloud security is less about perimeter defence and more about knowing what you have, how it behaves, and who can touch it. CGI approaches cloud security posture as a living discipline, not a static audit.
Through our regression-testing framework and consulting experience, we can help you:
- Validate coverage and blind spots early.
- Integrate posture checks into DevSecOps pipelines.
- Rationalise overlapping toolsets and cost models.
- Embed continuous validation instead of point-in-time audits.
- Implement cloud security programmes and security operations.
This evidence-led approach turns visibility into control and control into measurable resilience.
Can you say, right now, that you know what’s running in your cloud, who has access, and how it’s being protected?
If the answer is yes, posture management stops being theory and becomes resilience in action. If it’s no, it’s time to take a look. Either way, we can help ensure your cloud security delivers the resilience you need.
Get in touch with us to find out how we can support your cloud security posture.