
Multi-Cloud CSPM for a GCP-Heavy FinTech: Securing GKE Workloads Across GCP and Azure

  • Wednesday, Jul 01, 2026

Customer Snapshot

Industry: FinTech / SaaS
Company Size: 200–500 employees
Cloud Environment: GCP (70%), Azure (30%)
Workloads: VMs + GKE (Kubernetes-heavy)
Databases: MySQL (primary), MongoDB
Code & CI/CD: GitHub, Jenkins (plugin-based pipelines)
IAM Profile: 10–15 people with console access
Compliance: ISO 27001, SOC 1, SOC 2, GDPR
Existing Evaluations: Wiz, Orca
Primary Interest: CSPM (with appetite for the full platform)
Products Hosted: 2 enterprise SaaS products on GCP using OLTP

The Situation: A FinTech Outgrowing Manual Cloud Security

This is a profile we see frequently in FinTech SaaS: a company running two enterprise products on GCP, processing financial transactions through OLTP workloads, with a secondary Azure footprint carrying roughly 30 percent of its infrastructure. The engineering team had grown quickly, the cloud surface had expanded across both providers, and the security function was lean by design (not under-invested, but deliberate): a VP of Digital Transformation covering automation, customer success, and marketing, paired with a security-focused counterpart. Two people making decisions for a cloud environment that spans two providers, multiple GKE clusters, a mix of VMs, and databases holding real financial data.

They came looking for CSPM. That is where the conversation started. But it became clear very quickly that the actual need was broader: multi-cloud visibility, Kubernetes security for GKE, compliance evidence generation for four frameworks, and a platform that could grow with them across code security and cloud posture without adding another three tools to the stack.

They had already looked at Wiz and Orca. Both were on the table. A colleague had recommended evaluating Cloudanix alongside those two, and the conversation that followed revealed why a CNAPP+ approach fits this profile better than a pure-play CNAPP.

The Core Tension

Two clouds. GKE as the primary compute surface. Four compliance frameworks running in parallel. A small team evaluating three vendors. And a recognition that buying a CSPM tool today means buying into a platform for the next 2–3 years. So the choice needs to cover not just today’s gap but tomorrow’s surface.

The team was technically sophisticated. They had already used an AI tool to generate a comparison between Wiz, Orca, and Cloudanix before the first call. They knew the feature landscape. What they needed was clarity on which platform would cover the most surface without requiring them to bolt on additional point tools as their security maturity grew.

Where the Gaps Were

Multi-Cloud Without Unified Visibility

Running 70% GCP and 30% Azure means operating across two completely different security models: GCP’s IAM hierarchy (organization → folder → project → resource) and Azure’s management group / subscription model. Each has its own native security tooling (GCP Security Command Center and Microsoft Defender for Cloud) and each provides a single-cloud view only.

For a team of this size, context-switching between two cloud provider consoles, two security dashboards, two sets of findings, and two compliance reporting mechanisms is not sustainable. The question they were asking was straightforward: can we see GCP and Azure in one place, with one set of findings, one compliance view, and one prioritisation model?

Neither native tool gives that answer. Security Command Center covers GCP only. Defender for Cloud can connect GCP projects, but what a GCP-primary team gets from it is an Azure-centred view with partial GCP coverage, not one set of findings and one prioritisation model across both clouds.

GKE as a First-Class Security Surface

With GKE handling the majority of compute workloads, Kubernetes security is not an add-on concern; it is the primary attack surface. GKE-specific security gaps that need dedicated coverage:

  • Pod security misconfigurations: Privileged pods, host PID/network/IPC sharing, containers running as root, missing security contexts, and namespaces with no Pod Security Admission level enforced (PodSecurityPolicy was removed in Kubernetes 1.25, so clusters that relied on it may now have nothing in its place).
  • RBAC sprawl: ClusterRoleBindings granting excessive permissions, service accounts with more access than their workloads require, default service accounts left active and still auto-mounting tokens into pods.
  • Network policy gaps: Missing or overly permissive NetworkPolicies that allow lateral movement between namespaces.
  • Image security: Containers pulling from public registries without vulnerability scanning, unsigned images, base images with known CVEs.
  • GKE-specific configuration: Binary Authorization not enforced, Workload Identity not configured (so pods fall back to the node service account through the metadata server), private clusters not enabled, legacy ABAC still active.
  • Secrets in plain text: Kubernetes secrets without application-layer encryption (Cloud KMS), so they sit base64-encoded in etcd, or worse, hardcoded in pod specs and ConfigMaps.
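The workload-level gaps in the list above can be checked offline from the JSON that `kubectl get <kind> -A -o json` returns. The script below is an added example written for this page; it is not Cloudanix code and does not reflect how the Cloudanix rule engine is built. All inputs are constructed inline (pod, namespace and binding names are invented) so it runs without a cluster, and it deliberately includes one correctly hardened pod so the clean case is visible.

```python
"""Offline audit for GKE workload gaps: pod security context, Pod Security
Admission labels, NetworkPolicy coverage, RBAC sprawl and secrets pasted into
pod specs.

Added example, not Cloudanix code. Inputs below are constructed in the shape
of `kubectl get <kind> -A -o json` items; names are invented.
"""
from typing import Dict, List

SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")

# Constructed sample: three pods, two namespaces, one NetworkPolicy, one binding.
PODS: List[Dict] = [
    {"metadata": {"name": "payments-api", "namespace": "prod"},
     "spec": {"hostPID": True,
              "containers": [{"name": "api",
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "ledger-worker", "namespace": "prod"},
     "spec": {"containers": [{"name": "worker",
                              "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]}]}},
    {"metadata": {"name": "fraud-scorer", "namespace": "prod"},  # the hardened one
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "scorer",
                              "securityContext": {"allowPrivilegeEscalation": False,
                                                  "readOnlyRootFilesystem": True}}]}},
]
NAMESPACES: List[Dict] = [
    {"metadata": {"name": "prod",
                  "labels": {"pod-security.kubernetes.io/enforce": "restricted"}}},
    {"metadata": {"name": "batch", "labels": {}}},
]
NETWORK_POLICIES: List[Dict] = [{"metadata": {"name": "default-deny", "namespace": "prod"}}]
CLUSTER_ROLE_BINDINGS: List[Dict] = [
    {"metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "batch"}]},
]


def audit_pods(pods: List[Dict]) -> List[str]:
    """Flag host namespace sharing, privileged/root containers, missing or weak
    securityContext, and secret-looking literals in env."""
    findings = []
    for pod in pods:
        meta, spec = pod["metadata"], pod["spec"]
        where = f'{meta["namespace"]}/{meta["name"]}'
        pod_sc = spec.get("securityContext", {})
        for key in ("hostPID", "hostNetwork", "hostIPC"):
            if spec.get(key):
                findings.append(f"{where}: {key}=true shares the node namespace")
        for c in spec.get("containers", []):
            cname = f'{where}[{c["name"]}]'
            sc = c.get("securityContext")
            if sc is None:
                findings.append(f"{cname}: no securityContext")
                sc = {}
            if sc.get("privileged"):
                findings.append(f"{cname}: privileged container")
            if sc.get("allowPrivilegeEscalation", True):  # API default is true
                findings.append(f"{cname}: allowPrivilegeEscalation not set to false")
            run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser", 0))  # unset: assume uid 0
            if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")) and run_as_user == 0:
                findings.append(f"{cname}: may run as root (no runAsNonRoot)")
            for env in c.get("env", []):
                if "value" in env and any(h in env["name"].upper() for h in SECRET_HINTS):
                    findings.append(f"{cname}: secret-looking literal in env {env['name']}")
    return findings


def audit_namespaces(namespaces: List[Dict], netpols: List[Dict]) -> List[str]:
    """Namespaces without a PSA enforce label or without any NetworkPolicy."""
    covered = {np["metadata"]["namespace"] for np in netpols}
    findings = []
    for ns in namespaces:
        name = ns["metadata"]["name"]
        level = ns["metadata"].get("labels", {}).get("pod-security.kubernetes.io/enforce")
        if level not in ("baseline", "restricted"):
            findings.append(f"{name}: no Pod Security Admission enforce label")
        if name not in covered:
            findings.append(f"{name}: no NetworkPolicy, all pod-to-pod traffic allowed")
    return findings


def audit_bindings(bindings: List[Dict]) -> List[str]:
    """cluster-admin grants and anything bound to a namespace's default SA."""
    findings = []
    for b in bindings:
        role, bname = b["roleRef"]["name"], b["metadata"]["name"]
        for s in b.get("subjects", []):
            subj = f'{s["kind"]} {s.get("namespace", "")}/{s["name"]}'
            if role == "cluster-admin":
                findings.append(f"{bname}: cluster-admin bound to {subj}")
            if s["kind"] == "ServiceAccount" and s["name"] == "default":
                findings.append(f"{bname}: default service account bound to {role}")
    return findings


if __name__ == "__main__":
    for f in (audit_pods(PODS) + audit_namespaces(NAMESPACES, NETWORK_POLICIES)
              + audit_bindings(CLUSTER_ROLE_BINDINGS)):
        print("FINDING", f)
```

Against the constructed input the two sloppy pods produce four findings each, the hardened `fraud-scorer` pod produces none, the `batch` namespace is flagged twice (no PSA level, no NetworkPolicy) and the `ci-admin` binding twice (cluster-admin, default service account). Feeding it real cluster output is a matter of replacing the constants with `json.load` of the kubectl JSON `items` arrays.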

Most CSPM tools treat Kubernetes as a checkbox. They run CIS Kubernetes Benchmark checks and call it done. For a team where GKE is 70%+ of compute, that level of coverage is insufficient. They need a platform that treats GKE clusters, namespaces, workloads, and RBAC as first-class graph entities with the same depth of analysis applied to cloud resources.

Four Compliance Frameworks Running Simultaneously

ISO 27001, SOC 1, SOC 2, and GDPR each with different control structures, different audit cycles, and different evidence requirements. For a FinTech processing financial transactions, these are not optional checkboxes. They are conditions of doing business with enterprise customers and operating in regulated markets.

The compliance challenge for this team was not understanding the frameworks; it was generating evidence across two cloud providers and their Kubernetes workloads without spending weeks assembling spreadsheets before every audit. They needed continuous compliance posture mapped to all four frameworks, with evidence exportable in formats auditors accept.

Manual compliance reporting across GCP + Azure + GKE for four frameworks requires dedicated headcount. This team did not have that luxury and should not need it.

Jenkins CI/CD Without Integrated Security Gates

Jenkins with plugins as the CI/CD layer means the build pipeline exists but security scanning within that pipeline is either absent or bolted on without integration into the broader security posture. The risk: code ships to GKE clusters without pre-deployment security checks, and findings in production have no lineage back to the commit that introduced them.

For a team running two enterprise OLTP products, a vulnerability in production that could have been caught at build time is not a minor miss, it is a financial and compliance risk.

Why Wiz and Orca Were Not the Complete Answer

The team had already evaluated Wiz and Orca. Both are strong products. But for this specific profile (GCP-heavy, GKE-first, multi-cloud, with compliance requirements across four frameworks and a small team that cannot afford tool sprawl) there are structural gaps:

What Wiz Does Well and Where It Stops

Wiz excels at agentless cloud posture, attack-path visualisation, and toxic-combination detection. It has strong GCP coverage and a well-built enterprise sales motion. For a team evaluating CSPM only, Wiz is a credible choice.

Where it stops for this team:

  • SaaS-only deployment. No option to deploy inside the customer’s own GCP or Azure account. For a FinTech handling transaction data, data residency and egress control matter.
  • No JIT access. As the team matures and needs to eliminate standing privilege across GCP, Azure, GKE, and databases, Wiz has no broker for that.
  • No Database Activity Monitoring. With MySQL and MongoDB handling OLTP transactions, the team will eventually need query-level monitoring, dynamic PII masking, and destructive-query prevention. Wiz does not cover the data tier.
  • Closed graph. You cannot bring your own rules, your own data, or query the asset graph in natural language.

What Orca Does Well and Where It Stops

Orca pioneered SideScanning for agentless cloud visibility and provides broad multi-cloud coverage including GCP and Azure. Solid CSPM with reasonable Kubernetes support.

Where it stops for this team:

  • Similar limitations on JIT and DAM. No built-in Just-In-Time access brokering, no database activity monitoring.
  • No coding agent security. As AI coding tools enter this team’s workflow (a matter of when, not if, for a FinTech engineering team of this size), neither Wiz nor Orca offers an on-host firewall for coding agents.
  • Support model. Ticket-based support versus engineering-led, shared-channel support is a meaningful difference for a small team that needs answers quickly.

The structural point: both Wiz and Orca solve today’s CSPM problem. Neither solves tomorrow’s JIT, DAM, or AI-agent security problem without adding more tools. For a team evaluating a 2–3 year platform decision, that matters.

How Cloudanix Addresses This Situation

Unified Multi-Cloud Dashboard: GCP + Azure in One View

Cloudanix connects to GCP projects through a read-only service account and to Azure subscriptions through a read-only app registration; the connection is agentless and requires no infrastructure changes. Both clouds appear in a single dashboard with:

  • Findings normalised across providers (the same misconfiguration in GCP IAM and Azure AD appears with the same severity, the same remediation guidance, and the same compliance mapping).
  • Cross-cloud correlation: an identity in Azure AD that has permissions reaching GCP resources via federated access is visible as a single attack path, not two separate findings in two separate tools.
  • Aggregate posture scoring across both clouds, with the ability to drill into per-project (GCP) or per-subscription (Azure) views.

For a team that is 70% GCP and 30% Azure, this means they are not running two security workflows. They are running one.

Cloudanix CSPM Dashboard — Unified view across GCP and Azure

GKE and Kubernetes Security as a First-Class Citizen

Cloudanix treats GKE clusters, namespaces, workloads, RBAC bindings, network policies, and pod security configurations as first-class entities in the unified asset graph. This means:

  • Kubernetes Security Posture Management (KSPM): Continuous assessment against CIS Kubernetes Benchmark, GKE-specific hardening guidelines, and custom rules. Not just a one-time scan, but continuous monitoring as cluster configurations drift.
  • Workload-level visibility: Every pod, deployment, and statefulset assessed for security context misconfigurations, privilege escalation paths, and image vulnerabilities.
  • RBAC analysis: Over-permissive ClusterRoleBindings and RoleBindings surfaced with specific remediation steps. Default service accounts that should be disabled, flagged automatically.
  • Network policy assessment: Namespaces without NetworkPolicies identified. Overly permissive policies that allow cross-namespace traffic flagged with blast-radius context.
  • GKE-specific checks: Workload Identity configuration, Binary Authorization enforcement, private cluster mode, legacy ABAC detection, node auto-upgrade status, and Shielded GKE Nodes validation.
  • Image vulnerability scanning: Container images assessed for known CVEs with EPSS and KEV correlation. So the team knows not just that a CVE exists, but whether it is actively exploited and whether their specific workload is exposed.

For this team, where GKE is the dominant compute surface, this is the difference between a CSPM that checks cloud resources and ignores the workloads running on them, and a platform that treats the entire stack (cloud infrastructure, Kubernetes orchestration, and container workloads) as a unified security surface.

Cloudanix CSPM — Kubernetes workload findings with remediation guidance

Compliance Across Four Frameworks Without Manual Assembly

Cloudanix maps findings to ISO 27001, SOC 1, SOC 2, and GDPR out of the box, covering all four frameworks this team needs, plus 11 more (HIPAA, PCI DSS, NIST, FedRAMP, HITRUST, RBI, MAS, APRA, DPDPA, CIS, OWASP).

The compliance engine runs across both GCP and Azure findings, and across Kubernetes workloads within those clouds. This means:

  • One compliance dashboard showing posture against all four frameworks simultaneously.
  • Control-level evidence that maps specific GCP/Azure/GKE findings to specific ISO 27001 Annex A controls, SOC 2 Trust Service Criteria, and GDPR Articles.
  • Continuous monitoring: compliance posture updates as findings are remediated or new misconfigurations are introduced, so the team sees its audit readiness in real time rather than once a quarter.
  • Audit-ready evidence export in Excel and PDF formats that auditors accept. No manual spreadsheet assembly. No weeks of preparation before an ISO 27001 surveillance audit or SOC 2 report period.

For a FinTech operating under four frameworks across two clouds, this eliminates the single largest time sink: manually correlating findings to controls and assembling evidence packages.

Cloudanix Compliance Dashboard — Multi-framework posture across GCP and Azure

Code Security Integrated with Jenkins and GitHub

Cloudanix integrates with GitHub repositories and CI/CD pipelines to provide security scanning that connects to the cloud posture layer:

  • SAST, SCA, and secrets scanning on every pull request in GitHub, with findings surfaced as PR comments so developers see security issues before code merges.
  • 2,000+ secret patterns detected including GCP service account keys and Azure client secrets that would grant cloud access if leaked.
  • CI quality gates via Jenkins integration, so builds that introduce critical vulnerabilities or expose secrets are flagged before deployment to GKE clusters.
  • Code-to-cloud lineage: When a vulnerability is found in a running GKE workload, the platform traces it back to the specific commit, PR, and repository that introduced it. The team does not just know there is a CVE in production; they know exactly where it entered the codebase.
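The CI gate in the list above is, mechanically, a stage that scans the lines a change adds and fails the build when a credential is among them. The script below is an added example for this page, not Cloudanix code and not its 2,000-pattern ruleset; it shows the mechanics with two rules. The GCP rule keys on the `private_key` field of a service-account key JSON. The Azure rule is the `7Q~`/`8Q~` shape of current client secrets that open-source scanners such as gitleaks match, which is an assumption about secret format rather than anything Microsoft documents. The unified diff is constructed and the secret values in it are fake.

```python
"""Secrets gate for a Jenkins stage: scan the added lines of a unified diff
for cloud credentials and fail the build before anything reaches GKE.

Added example, not Cloudanix code. The Azure pattern is an assumption about
current secret format (the shape gitleaks matches); the sample diff is
constructed and its secrets are fake.
"""
import re
import sys
from typing import List, Tuple

# Ordered: first match wins, so a GCP key is not also reported as a generic key.
RULES = [
    ("gcp-service-account-key",
     re.compile(r'"private_key"\s*:\s*"-----BEGIN (?:RSA )?PRIVATE KEY-----')),
    ("azure-client-secret",
     re.compile(r'(?<![A-Za-z0-9_~.-])[A-Za-z0-9_~.]{3}[78]Q~[A-Za-z0-9_~.-]{31,34}(?![A-Za-z0-9_~.-])')),
    ("private-key-block", re.compile(r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----')),
]

Finding = Tuple[str, int, str]  # (path in new tree, line number, rule id)

SAMPLE_DIFF = """\
diff --git a/deploy/sa-key.json b/deploy/sa-key.json
new file mode 100644
--- /dev/null
+++ b/deploy/sa-key.json
@@ -0,0 +1,6 @@
+{
+  "type": "service_account",
+  "project_id": "fintech-prod",
+  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqFAKEKEY\\n-----END PRIVATE KEY-----\\n",
+  "client_email": "deployer@fintech-prod.iam.gserviceaccount.com"
+}
diff --git a/src/settings.py b/src/settings.py
--- a/src/settings.py
+++ b/src/settings.py
@@ -10,3 +10,4 @@ import os
 DB_HOST = os.environ["DB_HOST"]
-AZURE_CLIENT_SECRET = os.environ["AZURE_CLIENT_SECRET"]
+AZURE_CLIENT_SECRET = "Xy.8Q~abcdefghijklmnopqrstuvwxyz01234567"
+AZURE_TENANT_ID = os.environ["AZURE_TENANT_ID"]
 DEBUG = False
"""


def scan_diff(diff: str) -> List[Finding]:
    """Walk hunks, track new-file line numbers, and test only added lines."""
    findings: List[Finding] = []
    path, new_line = "<unknown>", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
            new_line = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            line = raw[1:]
            for rule_id, rx in RULES:
                if rx.search(line):
                    findings.append((path, new_line, rule_id))
                    break
            new_line += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue            # removed line, "---" header, or "\ No newline" marker
        elif raw.startswith(" ") or raw == "":
            new_line += 1       # unchanged context line
    return findings


def gate(diff: str) -> int:
    """Return the exit status a Jenkins `sh` step would see (1 blocks the build)."""
    findings = scan_diff(diff)
    for path, line, rule in findings:
        print(f"BLOCKED {path}:{line} {rule}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    # `git diff origin/main...HEAD | python3 secrets_gate.py -` in the pipeline;
    # with no argument the constructed sample is scanned instead.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DIFF
    sys.exit(gate(text))
```

On the sample it reports `deploy/sa-key.json:4 gcp-service-account-key` and `src/settings.py:11 azure-client-secret` and exits 1; the path and line number are exactly the lineage a later production finding needs to point back to. Counting only `+` and context lines (never `-` lines) is what keeps the reported line numbers valid in the post-merge tree.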

For a team running two enterprise OLTP products on GKE, deploying through Jenkins, with code on GitHub, this means security is part of the development workflow, not a separate console to check after the fact.

1,000+ Checks with GenAI Remediation Playbooks

Every finding across GCP, Azure, and GKE includes actionable remediation guidance. For critical and high-severity issues, GenAI-powered playbooks provide:

  • Step-by-step fix instructions specific to the cloud provider and resource type.
  • Copy-paste-ready gcloud CLI commands for GCP, az CLI commands for Azure, and kubectl commands for GKE.
  • Terraform snippets where applicable (the platform also produces CloudFormation, but that is AWS-only and does not apply to this GCP and Azure estate).
  • Blast-radius context: what other resources are affected if this misconfiguration is exploited.
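The GKE-specific checks listed under "GKE and Kubernetes Security as a First-Class Citizen" and the copy-paste `gcloud` remediation described just above fit together in one small script. The following is an added example for this page, not Cloudanix code and not its playbook format. Its input is a constructed document in the shape of `gcloud container clusters describe CLUSTER --format=json` (the v1 Cluster resource, with only the fields it checks filled in); the project, cluster, node pool and KMS key names are invented placeholders, and the `gcloud` flags attached to each finding are the documented ones for the corresponding setting.

```python
"""Audit one GKE cluster description for the GKE-specific gaps and attach the
gcloud remediation for each finding.

Added example, not Cloudanix code. WEAK_CLUSTER and HARDENED_CLUSTER are
constructed in the shape of `gcloud container clusters describe --format=json`;
names are placeholders.
"""
import json
from typing import Dict, List, Tuple

WEAK_CLUSTER: Dict = json.loads("""
{
  "name": "oltp-prod",
  "legacyAbac": {"enabled": true},
  "privateClusterConfig": {"enablePrivateNodes": false},
  "shieldedNodes": {"enabled": false},
  "databaseEncryption": {"state": "DECRYPTED"},
  "nodePools": [{"name": "default-pool",
                 "management": {"autoUpgrade": false},
                 "config": {"serviceAccount": "default", "metadata": {},
                            "workloadMetadataConfig": {"mode": "GCE_METADATA"}}}]
}""")

HARDENED_CLUSTER: Dict = json.loads("""
{
  "name": "oltp-prod",
  "workloadIdentityConfig": {"workloadPool": "fintech-prod.svc.id.goog"},
  "binaryAuthorization": {"evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"},
  "privateClusterConfig": {"enablePrivateNodes": true},
  "masterAuthorizedNetworksConfig": {"enabled": true},
  "legacyAbac": {"enabled": false},
  "shieldedNodes": {"enabled": true},
  "databaseEncryption": {"state": "ENCRYPTED",
    "keyName": "projects/fintech-prod/locations/europe-west1/keyRings/gke/cryptoKeys/secrets"},
  "nodePools": [{"name": "default-pool",
                 "management": {"autoUpgrade": true},
                 "config": {"serviceAccount": "gke-nodes@fintech-prod.iam.gserviceaccount.com",
                            "metadata": {"disable-legacy-endpoints": "true"},
                            "workloadMetadataConfig": {"mode": "GKE_METADATA"}}}]
}""")

Finding = Tuple[str, str]  # (what is wrong, how to fix it)


def audit_cluster(c: Dict) -> List[Finding]:
    name = c["name"]
    upd = f"gcloud container clusters update {name}"
    out: List[Finding] = []
    if not c.get("workloadIdentityConfig", {}).get("workloadPool"):
        out.append(("Workload Identity not enabled; pods fall back to the node service account",
                    f"{upd} --workload-pool=PROJECT_ID.svc.id.goog"))
    ba = c.get("binaryAuthorization", {})
    if not (ba.get("enabled") or ba.get("evaluationMode") == "PROJECT_SINGLETON_POLICY_ENFORCE"):
        out.append(("Binary Authorization not enforced; unsigned images can run",
                    f"{upd} --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE"))
    if not c.get("privateClusterConfig", {}).get("enablePrivateNodes"):
        out.append(("Nodes have public IPs (not a private cluster)",
                    "private nodes are chosen at creation: recreate with "
                    f"gcloud container clusters create {name} --enable-private-nodes"))
    if not c.get("masterAuthorizedNetworksConfig", {}).get("enabled"):
        out.append(("Control plane endpoint reachable from any IP",
                    f"{upd} --enable-master-authorized-networks --master-authorized-networks=OFFICE_CIDR"))
    if c.get("legacyAbac", {}).get("enabled"):
        out.append(("Legacy ABAC still active alongside RBAC", f"{upd} --no-enable-legacy-authorization"))
    if not c.get("shieldedNodes", {}).get("enabled"):
        out.append(("Shielded GKE Nodes disabled", f"{upd} --enable-shielded-nodes"))
    if c.get("databaseEncryption", {}).get("state") != "ENCRYPTED":
        out.append(("Secrets not encrypted at the application layer with Cloud KMS",
                    f"{upd} --database-encryption-key=projects/P/locations/L/keyRings/R/cryptoKeys/K"))
    for pool in c.get("nodePools", []):
        pname, cfg = pool["name"], pool.get("config", {})
        pupd = f"gcloud container node-pools update {pname} --cluster={name}"
        if not pool.get("management", {}).get("autoUpgrade"):
            out.append((f"{pname}: node auto-upgrade off", f"{pupd} --enable-autoupgrade"))
        if cfg.get("workloadMetadataConfig", {}).get("mode") != "GKE_METADATA":
            out.append((f"{pname}: node metadata server exposes the node SA token to pods",
                        f"{pupd} --workload-metadata=GKE_METADATA"))
        if cfg.get("serviceAccount", "default") == "default":
            out.append((f"{pname}: runs as the Compute Engine default service account",
                        "node pool SA is immutable: create a replacement pool with "
                        "--service-account=gke-nodes@PROJECT_ID.iam.gserviceaccount.com and drain this one"))
        if cfg.get("metadata", {}).get("disable-legacy-endpoints") != "true":
            out.append((f"{pname}: legacy metadata endpoints not disabled",
                        "create the pool with --metadata disable-legacy-endpoints=true (immutable after creation)"))
    return out


if __name__ == "__main__":
    for what, fix in audit_cluster(WEAK_CLUSTER):
        print(f"- {what}\n    fix: {fix}")
    print("hardened cluster findings:", len(audit_cluster(HARDENED_CLUSTER)))
```

The weak cluster yields eleven findings and the hardened one none. Three of the fixes are deliberately not a single `update` command: private nodes, the node pool service account and the legacy metadata endpoints are fixed at creation time, which is exactly the kind of caveat a remediation playbook has to carry so an operator does not waste time looking for a flag that does not exist.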

For a lean team where the security function is not separate from operations, this is the difference between an alert that creates research work and an alert that creates immediate action.

Cloudanix CSPM — Detailed findings with remediation guidance

The Platform Grows With the Team

This team came for CSPM. But they expressed interest in the entire platform. With Cloudanix, the expansion path is natural and does not require additional vendors:

  • Today: CSPM + Compliance + Code Security across GCP and Azure.
  • Next: CIEM (Cloud Infrastructure Entitlement Management) for the 10 to 15 console users, surfacing over-permissive roles, unused permissions, and identity risk.
  • Then: Just-In-Time Access for GCP, Azure, GKE, and databases. Eliminate standing privilege entirely. Broker time-bound, scoped access via Slack or Teams with full audit trail.
  • Eventually: Database Activity Monitoring for MySQL and MongoDB query-level monitoring, dynamic PII masking for GDPR-regulated data, destructive-query prevention, and keyless database access.

This is the structural advantage over Wiz and Orca for this team: they are not buying a CSPM today and then shopping for a JIT vendor, a DAM vendor, and a coding-agent-security vendor over the next two years. They are buying into a platform that covers all of those surfaces on a single asset graph, with a single rule engine.

Platform Impact

  • 30 min: agentless onboarding for GCP + Azure
  • 2 clouds: unified in a single dashboard
  • 1,000+ checks: including GKE-specific rules
  • 4 frameworks: ISO 27001, SOC 1, SOC 2, GDPR mapped continuously
  • 10–15 users: identity visibility without a separate CIEM tool
  • 2 products: code-to-cloud lineage via GitHub + Jenkins

The Bigger Picture: Why FinTech Multi-Cloud Profiles Need CNAPP+

This company’s situation (GCP-primary with Azure secondary, GKE as the compute backbone, multiple compliance frameworks, a small security function, and enterprise products handling financial transactions) is increasingly common in FinTech SaaS.

The typical arc: The company builds on a single cloud (GCP, in this case), adds a secondary provider as enterprise customers demand specific cloud presence or as specific workloads benefit from Azure services, and suddenly the security tooling that worked for single-cloud no longer provides a unified picture. Native tools (GCP SCC, Defender for Cloud) are locked to their respective providers. Point-tool CNAPPs cover posture but not identity, access, or the data tier. And the team (small by design, stretched across both clouds and compliance obligations) cannot afford to manage three to five separate security tools.

The answer is not to buy the loudest CNAPP and bolt on point tools as gaps emerge over the next two years. The answer is to choose a platform that covers the surface today (CSPM, KSPM, compliance, code) and has a clear, shipping path to the surface you will need tomorrow (JIT, DAM, CIEM, AI-agent security).

That is what CNAPP+ means in practice. Not a marketing label, but a platform decision that saves a lean FinTech team from the tool sprawl that created the problem in the first place.

Key Outcomes

  • 30-Minute Onboarding: Agentless connection to GCP projects and Azure subscriptions.
  • Unified Multi-Cloud View: GCP and Azure in a single dashboard with normalised findings.
  • GKE-First Kubernetes Security: KSPM with CIS Benchmark, GKE hardening, RBAC analysis, and workload-level visibility.
  • Four-Framework Compliance: ISO 27001, SOC 1, SOC 2, and GDPR mapped continuously with audit-ready evidence export.
  • Code Security Integration: GitHub + Jenkins with SAST, SCA, secrets scanning, and code-to-cloud lineage.
  • GenAI Remediation: Copy-paste-ready gcloud, az, and kubectl commands for every finding.
  • Single Platform Path: CSPM → CIEM → JIT → DAM without adding vendors.
  • Wiz/Orca Gaps Covered: JIT access, Database Activity Monitoring, CloudPrem, and BYOR, surfaces neither competitor ships today.

Running GKE Workloads Across GCP and Azure?

If your infrastructure is GCP-heavy with Azure secondary, your compute runs primarily on GKE, and you need compliance evidence across ISO 27001, SOC 1, SOC 2, and GDPR without assembling spreadsheets, Cloudanix was built for this. One platform, one graph, agentless onboarding in 30 minutes, and a path from CSPM to full CNAPP+ without tool sprawl.

Book a Free Assessment to see your GCP and Azure environment through Cloudanix — unified findings, compliance mapping, and GKE security posture — in under 30 minutes.
