Multi-Cloud Architecture & Zero Trust
6 hours of structured interview prep covering multi-cloud security design, Zero Trust Architecture, SASE, and inter-cloud connectivity.
Topics Covered
| Topic | Key Areas |
|---|---|
| Multi-Cloud Architecture | Drivers, challenges, security design patterns, unified tooling |
| Zero Trust Architecture | NIST 800-207, BeyondCorp, 5 pillars, principles |
| Secure Inter-Cloud Connectivity | Direct Connect, ExpressRoute, Megaport, SD-WAN |
| Identity-Centric Security | Federated IdP, JIT access, continuous authentication |
| SASE & SSE | ZTNA, CASB, SWG, FWaaS, SD-WAN convergence |
| Future Trends | Confidential computing, quantum-safe crypto, AI SecOps |
Multi-Cloud & Zero Trust Fundamentals
Multi-Cloud vs Hybrid Cloud
| Model | Definition | Example | Key Security Challenge |
|---|---|---|---|
| Multi-Cloud | Services from 2+ public cloud providers | AWS + Azure + GCP | Fragmented visibility, inconsistent IAM |
| Hybrid Cloud | Public cloud + private cloud/on-prem | Azure + on-prem datacenter | Secure connectivity, data sovereignty |
| Poly-cloud | Different clouds for different workloads (best-of-breed) | AWS for AI/ML, Azure for identity | Skills gap, governance complexity |
Zero Trust Architecture — Core Principles
Always authenticate and authorize based on all available data points
Limit user access with JIT and JEA, risk-based adaptive policies
Minimize blast radius, segment access, encrypt end-to-end, use analytics
| ZT Pillar | Focus | Tools/Technologies |
|---|---|---|
| Identity | Strong auth, continuous verification | MFA, Conditional Access, UEBA, Entra ID |
| Device | Device health and compliance | MDM, Intune, device compliance policies |
| Network | Microsegmentation, ZTNA | ZTNA brokers, SD-WAN, network policies |
| Application | Per-session app access | CASB, app proxy, WAF, API gateway |
| Data | Classify, label, protect data | DLP, Azure Purview, CASB, encryption |
SASE Architecture
SASE (Secure Access Service Edge) converges networking (SD-WAN) and security (SSE) into a single cloud-delivered service.
| Component | Type | Function |
|---|---|---|
| SD-WAN | Networking | Intelligent traffic routing across WAN |
| ZTNA | SSE / Security | Zero Trust application access (replaces VPN) |
| CASB | SSE / Security | Cloud app visibility and control |
| SWG | SSE / Security | Secure Web Gateway — web traffic inspection |
| FWaaS | SSE / Security | Firewall-as-a-Service — L7 inspection |
Multi-Cloud Security Design Patterns
| Challenge | Solution Pattern | Tools |
|---|---|---|
| Fragmented identity | Federated IdP as single source of truth | Okta, Azure Entra ID, Ping Identity |
| No single pane of glass | Multi-cloud CNAPP | Wiz, Prisma Cloud, Lacework, Orca |
| Inconsistent policy | Policy-as-Code across all clouds | OPA/Rego, Checkov, Sentinel |
| IaC drift | Immutable infrastructure + IaC scanning | Terraform + Checkov, tfsec |
| Log fragmentation | Central SIEM aggregation | Splunk, Microsoft Sentinel |
| Inconsistent secrets | Multi-cloud secrets manager | HashiCorp Vault, AWS Secrets Manager |
| Inter-cloud connectivity | Private backbone or SD-WAN | Megaport, Equinix, Cisco SD-WAN |
Inter-Cloud Connectivity Options
| Option | Speed | Cost | Use Case |
|---|---|---|---|
| Public internet + TLS | Variable | Low | Non-sensitive, latency-tolerant workloads |
| IPSec VPN tunnel | Up to 1.25 Gbps | Low | SMB/dev environments |
| SD-WAN overlay | High | Med | Branch offices, multi-cloud routing |
| Megaport / Equinix (NaaS) | Up to 100 Gbps | High | Enterprise, low latency cross-cloud |
| AWS Direct Connect + Azure ExpressRoute (same colo) | Dedicated | High | Regulated industries, large data transfers |
Interview Questions & Model Answers
Click to expand each question. Difficulty: Easy Medium Hard
- Multi-cloud: all workloads in public clouds, different providers for different services
- Hybrid: integrates on-prem data centres with cloud for data sovereignty, legacy app support
- Key multi-cloud drivers: avoid vendor lock-in, best-of-breed services, geographic reach, regulatory compliance, M&A
- Fragmented visibility: each cloud has different dashboards, logs, and security tools — no single pane of glass
- Inconsistent IAM: AWS IAM policies, Azure RBAC, and GCP IAM all work differently; policy drift
- Skills gap: need expertise across multiple platforms simultaneously
- Network complexity: connecting VPCs, VNets, and GCP VPCs privately requires complex routing
- Compliance mapping: must demonstrate controls across all environments to auditors
- Data residency: data may land in unexpected regions depending on provider defaults
Three core principles (Microsoft model):
- Verify Explicitly: authenticate and authorize based on all available data points (identity, location, device health, service/workload, data classification, anomalies)
- Use Least Privileged Access: limit user access with JIT/JEA, risk-based adaptive policies, data protection
- Assume Breach: minimize blast radius, segment access, encrypt end-to-end, use analytics to get visibility, drive threat detection
Key innovations:
- Access decisions based on device inventory + user identity + context — not network location
- All corporate resources accessed over the internet with strong authentication (no VPN required)
- Device trust certificate issued to compliant managed devices
- Access proxy (Identity-Aware Proxy) enforces authorization per request
Key components:
- Defines ZTA tenets: all data/services are resources; all communication is secured regardless of network location; access is granted per-session; access policy is dynamic and context-aware
- Identifies ZTA logical components: Policy Engine, Policy Administrator, Policy Enforcement Point (PEP)
- Describes three ZTA approaches: identity-based, network-based, and software-defined perimeter
- Covers ZTA deployment scenarios and migration strategies
- Step 1: Choose a central IdP — Azure Entra ID, Okta, Ping Identity, or Google Workspace
- Step 2: Federate to AWS via SAML 2.0 / OIDC (AWS IAM Identity Center), assign roles via SCIM provisioning
- Step 3: Federate to GCP via Workforce Identity Federation (OIDC/SAML)
- Step 4: Enforce consistent MFA and Conditional Access policies from the central IdP
- Step 5: Use SCIM to automatically provision/deprovision users across all clouds
OPA (Open Policy Agent) is a general-purpose policy engine using the Rego language:
- Write policies once in Rego → enforce across Kubernetes, Terraform, APIs, Envoy, cloud configurations
- Decouples policy decisions from application code
- Enables pre-deployment policy checks in CI/CD (Conftest)
- Cloud-agnostic: works with AWS, Azure, and GCP resources
Components:
- SD-WAN: intelligent WAN routing, traffic optimization
- ZTNA: Zero Trust Network Access — replaces VPN, app-level access
- CASB: Cloud Access Security Broker — SaaS visibility and control
- SWG: Secure Web Gateway — web proxy, malware inspection
- FWaaS: Firewall-as-a-Service — L7 inspection, threat prevention
| Feature | Traditional VPN | ZTNA |
|---|---|---|
| Trust model | Network-based: once connected, trusted | Identity + context: per-request verification |
| Access scope | Full network segment access | Per-application access only |
| Lateral movement | High risk — can reach any internal host | Minimized — no network-level access |
| User experience | Slow, client software required | Seamless, browser-based options |
| Scalability | VPN concentrator bottleneck | Cloud-delivered, elastic |
| Visibility | Limited — IP-level only | Full app-level audit trail |
- AWS: Enable CloudTrail in all regions → send to S3 → stream to SIEM via Kinesis Firehose or direct connector
- Azure: Enable Diagnostic Settings on all resources → send to Log Analytics Workspace → Microsoft Sentinel
- GCP: Enable Cloud Audit Logs → export via Log Sink → Pub/Sub → SIEM connector
- Central SIEM: Microsoft Sentinel (has native AWS + GCP connectors) or Splunk Cloud (AWS/Azure/GCP add-ons)
- Normalization: Use OCSF (Open Cybersecurity Schema Framework) or SIEM-specific data models to normalize across providers
- Retention: Route to cold storage (S3 Glacier, Azure Archive) for long-term compliance retention
- CSPM: Cloud Security Posture Management — misconfiguration detection
- CWPP: Cloud Workload Protection Platform — runtime protection for VMs, containers, serverless
- CIEM: Cloud Infrastructure Entitlement Management — over-privileged IAM detection
- Wiz: agentless, graph-based attack path analysis, all three major clouds
- Palo Alto Prisma Cloud: comprehensive, strong container/K8s security
- Lacework: anomaly-based detection, strong DevSecOps integrations
- Orca Security: agentless SideScanning, no performance impact
- Traditional segmentation: VLANs/subnets — coarse-grained, attacker who breaches a subnet can reach all hosts in it
- Microsegmentation: policies applied per workload/container/VM — even within the same subnet, only authorized communication is allowed
- East-west traffic (server to server) is controlled, not just north-south (internet to server)
- Cloud implementations: AWS Security Groups per EC2/ENI, Kubernetes NetworkPolicies per pod, Istio service mesh (mTLS between microservices)
- Data is encrypted in memory, inaccessible even to the hypervisor, cloud provider, or privileged OS
- Intel TDX (Trust Domain Extensions) and AMD SEV-SNP (Secure Encrypted Virtualization): encrypt VM memory
- Intel SGX (Software Guard Extensions): encrypted CPU enclaves for specific application code
- Use cases: multi-party computation, ML on sensitive data (medical/financial), key management HSMs, blockchain
- Cloud support: Azure Confidential VMs, AWS Nitro Enclaves, GCP Confidential VMs
- Protocol: SAML 2.0 or OIDC used to exchange identity assertions between IdP and cloud SP (Service Provider)
- AWS: IAM Identity Center (SSO) with SAML federation from Entra ID/Okta; Workforce Identity Federation for external IdPs
- Azure: B2B federation with Google Workspace, Salesforce, other Azure ADs
- GCP: Workforce Identity Federation (SAML/OIDC from any IdP)
- Benefits: single set of credentials, centralized MFA policy, instant offboarding across all clouds
- Megaport (NaaS): Connect AWS Direct Connect + Azure ExpressRoute at the same Megaport PoP — private layer 2/3 circuit between clouds, no internet traversal. Best for enterprise.
- Equinix Fabric: Similar to Megaport — software-defined interconnects via Equinix colocation facilities
- IPSec VPN tunnel: AWS VPN + Azure VPN Gateway connected over internet with encryption — functional but subject to internet variability
- Azure ExpressRoute + AWS Direct Connect at same colo: both terminate at same physical facility (e.g., Equinix DC), connected via cross-connect
- Proprietary security services: AWS GuardDuty, Azure Defender — difficult to replace/migrate if changing providers
- IAM model differences: AWS IAM policies don't translate to Azure RBAC — migration requires significant rework
- Logging format lock-in: CloudTrail logs can't be directly ingested by GCP tools without transformation
- Pricing leverage: heavy lock-in reduces negotiation power on renewals
- Resilience risk: a single CSP outage (e.g., AWS us-east-1 2021) takes down everything
- In cloud, there is no physical perimeter — anyone can attempt to call an API from anywhere
- IAM policies become the new firewall — what can this identity do, to what resource, under what conditions?
- Every access decision evaluates: Who (identity) + What device + From where + What resource + What time
- Continuous authentication: re-verify identity throughout a session (not just at login)
- JIT (Just-in-Time) access: privileges granted on-demand for specific tasks, then revoked
- Megaport: Virtual Cross Connects (VXCs) enable point-to-point private circuits between any two cloud/network endpoints on the Megaport fabric, provisioned via portal/API in minutes
- Equinix Fabric: Similar capability across 240+ Equinix IBX data centres globally
- How it works: Company connects its on-prem router to Megaport PoP → provision VXC to AWS Direct Connect gateway + another VXC to Azure ExpressRoute → both clouds now on private fabric
- Benefit: No internet traversal, predictable latency, SLA-backed bandwidth
- SASE maturation: Convergence of networking + security — VPN replacement at scale
- Confidential computing: Encrypt data in use; multi-party compute without revealing inputs
- Post-quantum cryptography: NIST PQC standards (CRYSTALS-Kyber, Dilithium) being adopted by cloud providers; quantum computers threaten RSA/ECC
- AI-driven SecOps: LLM-powered SIEM queries (Microsoft Copilot for Security), automated threat hunting, AI-generated playbooks
- Platform Engineering for security: Security as internal developer platform APIs — developers "order" secure infrastructure
- SBOM + supply chain security: Software Bill of Materials mandated; Sigstore/Cosign for artifact signing
- Identity: Federated IdP (Entra ID/Okta) → MFA enforced for all users → Conditional Access (device compliance, location, risk score) → JIT for privileged access (PIM) → SCIM provisioning to all clouds
- Device: MDM enrollment required (Intune/Jamf) → device health attestation → non-compliant devices blocked regardless of valid credentials
- Network: Replace VPN with ZTNA (Zscaler ZPA/Netskope) → microsegmentation within each cloud VPC/VNet → private inter-cloud connectivity via Megaport → no direct internet-to-internal access
- Application: CASB for SaaS app control → WAF/API gateway for web apps → per-session access tokens → OAuth 2.0 with PKCE
- Data: CNAPP for data classification across all clouds → DLP policies → encrypt all data at rest (CMK) and in transit (TLS 1.3) → data residency controls
- Visibility: Centralized SIEM (Sentinel/Splunk) aggregating all cloud logs → UEBA for behavioral baseline → continuous compliance scanning (Wiz/Prisma)
Multiple Choice Questions
Select an answer then click Check. Explanations shown after each submission.
Zero Trust Pillar Classifier
Classify each scenario into the correct Zero Trust pillar using the dropdown.
Multi-Cloud Security Tool Mapper
Match each tool/service to its primary function in multi-cloud security.
SASE Component Builder
Drag each technology chip into the correct zone — SASE Component or Not SASE.
🌐 SASE Components
Cloud-delivered networking + security convergence
🚫 Not SASE
Traditional or on-premises security/networking
Multi-Cloud Architecture Security Checklist
Assess a fictional multi-cloud organization's security posture. Toggle each control and submit for your score.