Securing the Modern Cloud: 5 Best Practices for Protecting Multi-Cloud Workloads
Published 03/02/2026
In the landscape of modern enterprise IT, cloud security posture management (CSPM) often takes center stage by focusing on the underlying multi-cloud infrastructure and detecting misconfigurations. However, infrastructure is only half of the equation. To achieve comprehensive security, organizations must also secure cloud workloads—the applications, services, and associated resources that run within that infrastructure.
Securing these workloads is increasingly complex because cloud environments are inherently dynamic, distributed, and multi-layered. The sheer variety of workloads—ranging from virtual machines and container images to databases and serverless functions—creates a vast and constantly shifting attack surface.
The Challenge of Multi-Cloud Complexity
Many organizations now deploy workloads across multiple cloud service providers (CSPs). This multi-cloud strategy requires security teams to maintain consistent visibility and protection across disparate environments. Cloud workload integrity is no longer optional; it is essential for operational resilience. As noted in the Cloud Security Alliance (CSA) "Security Guidance for Critical Areas of Focus in Cloud Computing," securing these workloads is not just about data protection—it is about ensuring business operations continue without interruption.
To achieve this, organizations should look toward integrated cloud-native application protection platforms (CNAPP) that offer robust workload protection to prevent, detect, and address exposures like vulnerabilities, misconfigurations, and insecure APIs.
1. Implement Continuous and Contextualized Vulnerability Management
Traditional periodic scanning is insufficient for the rapid pace of cloud deployments. Security teams must automate the continuous scanning of workloads to detect vulnerabilities across operating systems, containers, and virtual machines the moment they appear.
However, detection is only the first step. Effective cloud vulnerability management requires contextual analysis. A cloud workload protection tool should enrich detected vulnerabilities with granular data, such as severity ratings and exploit details. This context allows teams to prioritize remediation based on actual risk rather than on CVSS scores alone. For example, a vulnerability becomes a high priority if it exists on a workload that is publicly exposed and has excessive permissions—a "toxic combination" that significantly increases the likelihood of a breach.
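The difference between CVSS-only ordering and context-aware ordering, as an added example (not from the original article or from any vendor's product). The field names, the ordering rule, and the sample inventory and findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    workload_id: str
    provider: str                # "aws", "azure", "gcp", ...
    publicly_exposed: bool
    excessive_permissions: bool

@dataclass(frozen=True)
class Finding:
    vuln_id: str                 # placeholder id, not a real CVE
    workload_id: str
    cvss: float
    exploit_known: bool

def risk_key(f: Finding, w: Workload):
    # Assumed ordering rule: toxic combination first, then known exploit,
    # then a single risky attribute, then raw CVSS as the tie-breaker.
    toxic = w.publicly_exposed and w.excessive_permissions
    partial = w.publicly_exposed or w.excessive_permissions
    return (toxic, f.exploit_known, partial, f.cvss)

def prioritize(findings, inventory):
    """Return (ranked findings, findings whose workload has no known context)."""
    by_id = {w.workload_id: w for w in inventory}
    ranked, unresolved = [], []
    for f in findings:
        w = by_id.get(f.workload_id)
        if w is None:
            unresolved.append(f)  # ephemeral or uninventoried: surface, never drop
        else:
            ranked.append((risk_key(f, w), f))
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return [f for _, f in ranked], unresolved

def cvss_only(findings):
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

# Constructed sample data spanning three providers.
INVENTORY = [
    Workload("aws:vm-web-01", "aws", True, True),
    Workload("azure:vm-batch-07", "azure", False, False),
    Workload("gcp:fn-resize", "gcp", True, False),
]
FINDINGS = [
    Finding("VULN-A", "azure:vm-batch-07", 9.8, False),
    Finding("VULN-B", "aws:vm-web-01", 6.5, True),
    Finding("VULN-C", "gcp:fn-resize", 7.5, False),
    Finding("VULN-D", "aws:ctr-gone-42", 8.1, True),  # workload not in inventory
]
```

With this data, the CVSS-only view puts the isolated batch VM first, while the contextual view promotes the medium-severity finding on the exposed, over-privileged web VM and reports the finding with no inventory match separately.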
2. Leverage Agentless Scanning for Holistic Visibility
To protect workloads in a cloud-native manner, organizations need scanning methods that do not interfere with performance. Agentless scanning is a highly effective approach that uses cloud service provider APIs to gather security data.
This method provides a holistic view of the security posture at scale without the administrative overhead of managing agents on every individual machine. It offers visibility into cloud workload inventory, telemetry, and various risks—including data exposure, overprivileged identities, malware, and misconfigurations—across Kubernetes clusters and serverless functions.
3. Adopt Build-to-Runtime Container Security
Containers are a critical component of modern workloads, but their ephemeral nature makes them difficult to track. Security must be an end-to-end process, baked directly into DevOps workflows and CI/CD pipelines.
This lifecycle approach starts during the build process, giving developers visibility into risks such as outdated operating system images or known vulnerabilities early in the development cycle. Automated scanning should also be applied to container registries (such as Docker Hub or Amazon ECR) and continue into production runtime environments, where attackers frequently target buggy or misconfigured containers.
4. Utilize Automated Compliance Monitoring
Cloud computing is subject to a complex web of global cybersecurity laws and industry standards. Improperly secured workloads can lead to significant regulatory penalties and legal risks.
Because cloud environments change so rapidly, keeping workloads compliant requires a methodical, automated approach. Modern protection systems can automatically identify compliance violations and provide pre-built policies and templates, which dramatically simplifies the process of maintaining a continuous audit-ready state.
5. Prioritize Centralized Security Visibility
Fragmented security tools lead to a fragmented security posture. Organizations should strive for a unified, contextually rich view of all multi-cloud workload resources.
Industry experts emphasize that the most effective cloud security programs are built on independence and transparency. Relying on consolidated exposure management platforms helps provide better context and allows teams to drive efficient actions from a "single source of truth." A centralized interface for multi-cloud visibility and reporting allows security and development teams to collaborate effectively and focus their efforts on the risks that matter most to the business.
About the Author
Thomas Nuth is a seasoned cybersecurity executive with over 15 years of experience driving global go-to-market strategy, brand development, and market adoption for some of the world’s most innovative security companies. With a deep understanding of the evolving threat landscape—from cloud-native risk to AI-powered attacks—Thomas has played a pivotal role in shaping industry narratives and positioning next-gen technologies at the forefront of the cybersecurity conversation. Before joining Tenable, Thomas held positions at Wiz, Qualys, Fortinet, Forescout, and other innovative leaders in cybersecurity.
