Bridging Security Gaps in Multi-Cloud Systems: Insights from Developer Practices

Jayasudha Yedalla; Jeffrey Butler

doi:10.24018/ejece.2025.9.4.740

Research Article

Jayasudha Yedalla

Colorado Technical University, USA

* Corresponding author

Jeffrey Butler

Colorado Technical University, USA

10.24018/ejece.2025.9.4.740

Read Counter
191

Downloads
83

Citations

Share

Submitted 2025-06-25
Published 2025-08-12

Read counter = 191 times

Abstract

As organizations increasingly adopt the use of multi-cloud infrastructure, they encounter challenges in ensuring consistent security across different platforms. Developers and software engineers working in multi-cloud environments face challenges such as tool fragmentation, compliance visibility, and integration across different cloud services or servers. This study discovered the strategies created by developers to secure multi-cloud systems, by analyzing insights from interviews with ten experienced professionals. Five findings were derived from the analysis application security, monitoring and compliance, threat detection, risk governance, and microservice infrastructure security. The findings of the study also point out how relevant shift-left security, zero-trust architecture, and AI-driven threat detection address the challenges encountered by developers. This study provides improved understanding about developer-led strategies which help bridge security gaps within multi-cloud environments and offers better guidance to improve cross-platform security.

Keywords: Developer-led strategies multi-cloud security shift-led security zero trust architecture

Introduction

As organizations increasingly adopt the use of multi-cloud environments for performance, flexibility, and cost benefits, they face certain challenges, such as fragmented tools, inconsistent application programming interfaces (APIs), limited visibility across platforms, and a great increase in risk management, bad services, and data spread across providers. Thus, the security approach has become urgent. This study aims to explain the developer-led strategies for securing multi-cloud infrastructures. This approach enhances gaps in integration, identity management, and threat detection using zero-trust architecture and shift-left security, while also incorporating insights ideas from experienced developers. This research contributes to the understanding of how proactive, developer-driven methods can bridge security gaps in multi-cloud systems.

Overview of Existing Research on Multi-CloudSecurity

Many organizations are shifting to multi-cloud environments to avoid vendor lock-in and to increase performance. However, they face-new security challenges because of tool proliferation, different APIs, and inefficiency in congruent control [1]. Compared to single-cloud environments, multi-clouds require agile and compatible security structures.

The lack of visibility and uniform policy enforcement on each platform, combined with efforts to make compliance and access control challenging, particularly in hybrid systems [2]. This has resulted in increased complexity of governance models that do not compromise security, which allows for the required scalability.

Zero-trust architecture and shift-left security are two strategies that can address this problem. NIST defines that a zero-trust architecture eliminates implicit trust and requires constant authentication [3], which works the prevention of lateral attacks in distributed systems [4]. The concept of Shift-Left Security to identify vulnerabilities as early as possible in the development process while being compatible with agile software development [5], [6].

The arrival of new AI tools and the IoT can also impact hybrid cloud security challenges. AI facilitates live monitoring of threats and decreases the amount of manual work [7], [8]. Nevertheless, there is a risk in the integration of cloud and the IoT frameworks, which should be addressed by improving cross-platforming policies and dynamic governance [8].

Limitations of Traditional Perimeter-Based Security Models in Multi-Cloud Environments

Legacy perimeter-based security approaches are based on guarding a fixed network perimeter security, which is becoming complicated in the multi-cloud world with the dynamic, distributed, and borderless nature of the contemporary infrastructure. In the traditional configuration, firewalls and other types of security controls and access policies reside at the edge of a trusted internal network. However, policies in multi-cloud systems are difficult to define and follow, as the data and services running in them are distributed across numerous cloud providers. Therefore, it is challenging to produce and track a unified center of control [3]. With the move in the workload in organizations between the use of private and public clouds, traditional perimeter defenses are unable to keep up with increasingly complex and mobile assets [9].

Such an outdated approach also experiences issues with the enforcement of equal authentication and authorization policies, exposing visibility gaps and ending up in disparate security controls [2]. These are further aggravated by the variety of API standards and conformity requirements between platforms, which traditional models cannot account for [3], [7], [10]. Furthermore, the traditional approach that relies on the belief that external factors remain the only source of attacks owing to the interaction of developers and services with remote cloud resources is no longer relevant. This has led to the embracing of more dynamic security frameworks, such as the zero-trust architecture, which presupposes zero trust by actively authenticating all users and devices continuously regardless of location [3], [4].

The flaws of perimeter-based models in a multi-cloud environment emphasize the necessity of decentralized, developer-led, and policy-sensitive security measures following the flexible architecture of modern IT systems in the enterprise [6].

Key Concepts and Gaps in the Literature

The move to multi-cloud environments has introduced complex security challenges. Based on the reviewed literature, several emerge:

Key Concepts from Literature

1. Challenges Bring Fragmentation to Tooling; Developers regularly experience inconsistencies in tools and interfaces when developing across cloud platforms. Such division cause inefficiencies, a higher risk of misconfiguration, and difficulty in maintaining a harmonious security posture [11].

2. Enhanced Compliance Visibility; Multi-cloud infrastructure usually does not provide a centralized compliance monitoring mechanism in a centralized platform. It is challenging for organizations to keep up with the regulatory demands of such an environment, and such requirements can differ among jurisdictions and platforms [12], [13].

3. Shift-Left Security and Early Integration in Development; Shift-Left Security is a practice that promotes security incorporation in the early stages of the development life cycle. Developers should also incorporate security verifications during coding and testing stages to mitigate the vulnerabilities before they advance to the production stage [9], [11].

4. Zero Trust Architecture; Contrary to the conventional approach of a perimeter-stacked security structure, Zero Trust presupposes no implicit trust, and all users and devices should be verified on an ongoing basis. As distributed, cloud-native environments have become more diverse, this approach has become even more pertinent [3].

5. Artificial Intelligence; in threat detection, response, and Artificial Intelligence is finding applications to provide automation and improvement of threat detection across cloud systems. Methods such as neural networks can detect anomalies and malicious traffic with high accuracy [7], [14]. Fig. 1 provides a visual summary of these challenges and mitigation strategies.

Gaps in the Literature

Despite these innovations, several critical gaps persist

Although the security of clouds is receiving increased interest at the architectural and organizational levels, there are no studies that specifically address the needs and workflow of developers. According to [6], [15], most developers find themselves without any strategies that they can apply, especially in an agile and DevOps environments. Moreover, issues of cross-cloud integration have been extensively discussed, but there are not many useful, developer-driven studies that tackle important aspects of this process, including identity management, compliance, and tool orchestration across multiple clouds [8]. These disparities indicate the necessity of increasing the level of applied research that provides developers with unambiguous, practical instructions on how to achieve security in fragmented multi-cloud setups, and how to apply general concepts of security to practice.

This evidence explains the necessity of additional studies to provide developers with practical and straightforward advice on creating fragmented, multi-cloud environments. Closing this divide would enable developers to align the top-level security principles with different bottom-up security applications.

Problem Statement and Research Questions

With organizations moving toward a multi-cloud infrastructure to achieve greater flexibility, cost-efficiency, and vendor freedom, they are likewise subject to a more divided and complicated security environment. In contrast to classic single-cloud or on-premises systems, multi-cloud systems present various alternatives in terms of configuration, tools, and security protocols on platforms [8]. Such fragmentation poses significant challenges to developers desiring consistent security practices.

Tool fragmentation is a fundamental problem, which means that security tools, interfaces, and standards differ among cloud providers. This inconsistency requires developers to adjust and address tooling inconsistencies [11]. In addition, visibility is reduced because organizations find it difficult to monitor, audit, and enforce regulations in multiple cloud environments [12]. Such complexity makes it more likely to experience security breaches and noncompliance with standards such as GDPR, HIPAA, or ISO/IEC 27001.

Another issue is integration, particularly regarding the management of identity, access control, and secure communication between cloud providers. Such issues are further aggravated by the absence of fine-grained developer-centered measures to fill in these gaps [6]. Despite the existence of conceptual frameworks such as shift-left security and zero-trust architecture, their actual execution, particularly by developers, has been poorly studied [3], [9], [16].

Method

This study used a qualitative research design, through which the focus was to understand how developers solve security problems in multi-cloud systems. Semi-structured interviews were chosen so that the participants could be more detailed in sharing their experiences while maintaining a focus on multiblade security [6]. This method is appropriate for revealing the fine-grained, real-life behavior of software developers, particularly in under-researched areas, such as Mulita cloud security.

Participants

The study involved ten software developers with extensive experience dealing directly and practically with application management or protection in multi-cloud infrastructures. Purposive sampling was conducted to select participants and target professionals with relevant backgrounds in DevOps, cloud architecture, and cybersecurity. This sampling plan was appropriate for selecting participants with critical knowledge for the study.

Data Collection

Data was collected through one-on-one interviews using video conferencing tools. The interview guidance focused on the following major topics:

✓ The issues developers must deal with in developing within cloud platform fragmentation.

✓ The instruments and structures are used to ensure the security of native cloud applications.

✓ Individual cases of compliance, threat detection and policy enforcement.

This framework enabled the respondents to interrogate not only organizational limitations but their approaches to the solution of the problem which contributed to a better understanding of developer-led security [6].

Analysis

The interview data were interpreted using thematic analysis. The transcription and coding of the responses were performed using the Dedoose platform, which is a common tool for the analysis of qualitative data and allows the structured coding and identification of patterns [17]. Tool fragmentation, Shift-left security, zero-trust architecture, and AI-based threat detection were the key themes found during the analysis, which are in line with the fundamental concepts in the published literature [3], [7], [18]. Participant inputs were also analyzed for common strategies and pain points, providing deeper insights into what developers are actually doing in the field of securing multi-cloud systems.

Results, Interpretation, and Application

Key Results: Five Main Themes

Based on insights gathered from interviews and literature, five key themes emerged as core components of developer-led security strategies in multi-cloud environments (Fig. 2).

1. Application Security: One example into which developers focused their attention was the necessity to secure applications at the code level, which implied secure coding and continuous testing. This is in line with Shift-Left Security, whose framework encourages the addition security in the early stages of development [16].

2. Monitoring and Compliance: Continuous monitoring and audit trails were highlighted as critical to ensuring regulatory compliance across multiple cloud providers. Developers noted the difficulty of managing compliance due to limited visibility, especially when switching between providers [12].

3. Threat Detection: A variety of respondents said that they used AI-enabled tools to automate threat identification, especially when dealing with malware and suspicious traffic patterns. This trend is supported by studies [10] and [7], which show the effect of machine learning on security responsiveness.

4. Risk Governance: There is an ever-growing role of developers in risk governance, where they balance agility and security policies. This has traditionally been treated as the realm of IT administrators, but today developers own risk assessment and mitigation strategies in deployed applications [6].

5. Microservices Infrastructure Security: As microservices and containerization grow in use, developers need to secure interservice communication and keep the configuration safe. As proposed by [2], such hybrid environments are complex, especially when they contain more than one cloud, in terms of access control. Zero-trust principles are increasingly being used to control access at all levels of the cloud stack. Zero Trust strategies can mitigate internal and external threats by implementing ever-present verification [3].

✓ Artificial intelligence enhanced tools are employed to enhance threat detection abilities and speed. These tools can monitor complex, multi-cloud infrastructures in real-time, enabling a quicker response to incidents [7], [19].

Interpretation

The research findings point to an evolving role for developers in cloud security implementation:

Developers are starting to integrate security more securely earlier in the lifecycle as enabled by Shift-Left Security. This causes vulnerabilities to be identified and addressed prior to deployment [2].

Application

The practical implications of these findings are of significant value to developers and organizations.

Encourage Developer-Led Efforts: Organizations need to give developers a proactive role in security by incorporating security roles as part of their daily activities [6].

✓ Embrace Multi-architecture Toolchains: Multi-architecture toolchains can mitigate the degree of tool fragmentation by facilitating security frameworks that allow security policies to be enforced at a more consistent level across the platforms [11].

✓ Bridge Visibility in Control Gaps: Integration of monitoring, identity management, and threat detection tools can bridge operational gaps in-hybrid- and multi-cloud environments [8], [20].

Discussion

The results of this study strengthen the belief that developers should be at the heart of the process of securing multicloud environments, which is largely a domain of system architects and IT security departments. Compared to single-clouds, multiple-clouds provide unique issues and problems, such as fragmentation in the tools, differences in the degree of compliance, and restricted visibility across platforms. Such problems cannot be comprehensively addressed using conventional perimeter-based security systems.

In this regard, zero-trust architecture and shift-left security have become the most important approaches to integration. Zero Trust encourages ongoing authentication, eliminates implicit trust in the system, and is forceful in distributed, dynamic cloud infrastructures [3]. Shift-Left Security is supplementary to this by allowing security to be built into the product at the earliest stages of development as a result, threats are intercepted by developers and addressed before the product is deployed [8].

AI-driven threat detection is a promising technology that can aid with anomaly detection and shorten response time. But although such tools add considerably to the technical value, according to the study, actual progress would be a developer-led security practice. Current frameworks and solutions do not consider the practical requirements of developers, who play a key role in operationalizing security for multi-cloud services.

Moreover, the absence of cross-cloud integration strategies at the developer level indicates an urgent research gap. Current offerings tend to have a top-down infrastructure-oriented perspective and leave developers without proper direction and guidance on how to handle identity management and compliance orchestration across multiple platforms [5], [6].

Multi-cloud security is not a purely technical issue but also an organizational one. The success lies in how effectively teams will adopt developer-informed governance, cross-platform compatibility, and the desire to construct uniform security platforms that fit the conditions of real-world workflows.

Conclusion

Developers have a vital role to play when considering security issues in multi-cloud environments. With an increasing number of organizations using such environments, security management is becoming increasingly complex and decentralized. Ineffective and incomplete tools, patchy compliance, and poor visibility are dangerous problems that cannot be fixed using perimeter-based models only.

Incorporating a zero-trust architecture and shift-left security is an effective move towards constant checks and guidance at the early development stages. By using AI, it is possible to detect threats in real-time and allow the platform to become more resilient. Nevertheless, the future development of multi-cloud security assumes the prioritization of developer-oriented approaches, unification, and viable cross-cloud deployments.

Finally, to fill such gaps, both technical innovation and firm organizational backing, as well as openness to embrace governance that considers the views and practical experience of the developers themselves, will are needed.

References

Alonso M, Deshmukh R, Singh K. Unified security frameworks for cloud-native applications. J Cloud Secur. 2023;11(2):108–22.
Google Scholar

Kanungo S. Access control in hybrid and multi-cloud ecosystems. IEEE Cloud Comput. 2023;10(1):67–76.
Google Scholar

Chandramouli R, Scarfone K, Souppaya M. Zero Trust Architecture (NIST Special Publication 800-207). Gaithersburg, MD: National Institute of Standards and Technology; 2023. doi: 10.6028/NIST.SP.800-207.
Google Scholar

Chimakurthi A. Zero trust principles in multi-cloud security. J Inf Secur. 2020;9(3):33–45.
Google Scholar

Mahajan P, Madaan L, Dhole A. Automated and unified security management in multi-cloud architectures [Internet]. ResearchGate; 2025 May [cited 2025 Aug 7]. Available from: https://www.researchgate.net/publication/392524082_Automated_and_Unified_Security_Management_in_Multi-_Cloud_Architectures/.
Google Scholar

Rahman MA, Williams L. Developers’ security practices in modern software development processes: a grounded theory. Empir Softw Eng. 2021;26(5):89. doi: 10.1007/s10664-021-09965-2.
Google Scholar

Baladari M. Artificial intelligence and threat detection in cloud environments. Int J AI Cybersecur. 2024;5(1):23–39.
Google Scholar

Bass L, Weber I, Zhu L. DevOps: A Software Architect’s Perspective. Boston: Addison-Wesley; 2015.
Google Scholar

Seth D, Nerella H, Najana M, Tabbassum A. Navigating the multi-cloud maze: Benefits, challenges, and future trends. Int J Glob Innov Solut (IJGIS). 2024 Jun 10. doi: 10.21428/e90189c8.8c704fe4.
Google Scholar

Agourram ID. Exploring the cloud security landscape: challenges, solutions, and insights from academic inquiry [Internet]. 2024 [cited 2025 Aug 7]. Available from: https://www.researchgate.net/publication/391836455.
Google Scholar

Campbell J. Application security in the cloud. DevSecOps Rev. 2021;7(4):58–70.
Google Scholar

Somasundaram V, Krishnan R, Rajagopal M. Governance and compliance in multi-cloud security. J Enterp IT. 2023;19(3):202–17.
Google Scholar

Cate M. Challenges and best practices in cloud security across multi-cloud environments. ResearchGate. 2025 May [cited 2025 Jul 29]. Available from: https://www.researchgate.net/publication/392079824_Challenges_and_Best_Practices_in_Cloud_Security_Across_Multi-Cloud_Environments.
Google Scholar

Islam MR. Secure multi-cloud architectures: best practices for data protection. J Artif Intell Gen Sci (JAIGS). 2024;6(1):564–76.
Google Scholar

Colotti M. Multi-cloud strategies for resilient enterprise computing. J Syst Softw. 2023;190:110–23.
Google Scholar

Wang W, Zhu M, Zeng X, Ye X, Sheng Y. Malware traffic classification using convolutional neural network for representation learning. 2017 International Conference on Information Networking (ICOIN), 2017, pp. 712–17. doi: 10.1109/ICOIN.2017.7899588.
Google Scholar

Schrama A. Managing Multi-Cloud Systems. Gudimetla SR, Kotha NR: TU Delft Institutional Repository; 2018.
Google Scholar

Anh NH. Hybrid cloud migration strategies: balancing flexibility, security, and cost in a multi-cloud environment. Trans Mach Learn Artif Intell Adv Intell Sys. 2024 Oct 7;14(10):14–26..
Google Scholar

Gudimetla SR, Kotha NR. Cloud security: bridging the gap between cloud engineering and cybersecurity. Webology. 2018;15(2):321–30. (ISSN: 1735-188X).
Google Scholar

Botta A, de Donato W, Persico V, Pescapé A. Integration of cloud computing and internet of things: a survey. Future Gener Comput Syst. 2016;56:684–700. doi: 10.1016/j.future.2015.09.021.
Google Scholar

Downloads

PDF
HTML
EPUB
JATS XML

How to Cite

[1]

2025. Bridging Security Gaps in Multi-Cloud Systems: Insights from Developer Practices. European Journal of Electrical Engineering and Computer Science. 9, 4 (Aug. 2025), 13–17. DOI:https://doi.org/10.24018/ejece.2025.9.4.740.

Issue

Vol. 9 No. 4 (2025)

License

This work is licensed under a Creative Commons Attribution 4.0 International License.

[1] Alonso M, Deshmukh R, Singh K. Unified security frameworks for cloud-native applications. J Cloud Secur. 2023;11(2):108–22.
Google Scholar

[2] Kanungo S. Access control in hybrid and multi-cloud ecosystems. IEEE Cloud Comput. 2023;10(1):67–76.
Google Scholar

[3] Chandramouli R, Scarfone K, Souppaya M. Zero Trust Architecture (NIST Special Publication 800-207). Gaithersburg, MD: National Institute of Standards and Technology; 2023. doi: 10.6028/NIST.SP.800-207.
Google Scholar

[4] Chimakurthi A. Zero trust principles in multi-cloud security. J Inf Secur. 2020;9(3):33–45.
Google Scholar

[5] Mahajan P, Madaan L, Dhole A. Automated and unified security management in multi-cloud architectures [Internet]. ResearchGate; 2025 May [cited 2025 Aug 7]. Available from: https://www.researchgate.net/publication/392524082_Automated_and_Unified_Security_Management_in_Multi-_Cloud_Architectures/.
Google Scholar

[6] Rahman MA, Williams L. Developers’ security practices in modern software development processes: a grounded theory. Empir Softw Eng. 2021;26(5):89. doi: 10.1007/s10664-021-09965-2.
Google Scholar

[7] Baladari M. Artificial intelligence and threat detection in cloud environments. Int J AI Cybersecur. 2024;5(1):23–39.
Google Scholar

[8] Bass L, Weber I, Zhu L. DevOps: A Software Architect’s Perspective. Boston: Addison-Wesley; 2015.
Google Scholar

[9] Seth D, Nerella H, Najana M, Tabbassum A. Navigating the multi-cloud maze: Benefits, challenges, and future trends. Int J Glob Innov Solut (IJGIS). 2024 Jun 10. doi: 10.21428/e90189c8.8c704fe4.
Google Scholar

[10] Agourram ID. Exploring the cloud security landscape: challenges, solutions, and insights from academic inquiry [Internet]. 2024 [cited 2025 Aug 7]. Available from: https://www.researchgate.net/publication/391836455.
Google Scholar

[11] Campbell J. Application security in the cloud. DevSecOps Rev. 2021;7(4):58–70.
Google Scholar

[12] Somasundaram V, Krishnan R, Rajagopal M. Governance and compliance in multi-cloud security. J Enterp IT. 2023;19(3):202–17.
Google Scholar

[13] Cate M. Challenges and best practices in cloud security across multi-cloud environments. ResearchGate. 2025 May [cited 2025 Jul 29]. Available from: https://www.researchgate.net/publication/392079824_Challenges_and_Best_Practices_in_Cloud_Security_Across_Multi-Cloud_Environments.
Google Scholar

[14] Islam MR. Secure multi-cloud architectures: best practices for data protection. J Artif Intell Gen Sci (JAIGS). 2024;6(1):564–76.
Google Scholar

[15] Colotti M. Multi-cloud strategies for resilient enterprise computing. J Syst Softw. 2023;190:110–23.
Google Scholar

[16] Wang W, Zhu M, Zeng X, Ye X, Sheng Y. Malware traffic classification using convolutional neural network for representation learning. 2017 International Conference on Information Networking (ICOIN), 2017, pp. 712–17. doi: 10.1109/ICOIN.2017.7899588.
Google Scholar

[17] Schrama A. Managing Multi-Cloud Systems. Gudimetla SR, Kotha NR: TU Delft Institutional Repository; 2018.
Google Scholar

[18] Anh NH. Hybrid cloud migration strategies: balancing flexibility, security, and cost in a multi-cloud environment. Trans Mach Learn Artif Intell Adv Intell Sys. 2024 Oct 7;14(10):14–26..
Google Scholar

[19] Gudimetla SR, Kotha NR. Cloud security: bridging the gap between cloud engineering and cybersecurity. Webology. 2018;15(2):321–30. (ISSN: 1735-188X).
Google Scholar

[20] Botta A, de Donato W, Persico V, Pescapé A. Integration of cloud computing and internet of things: a survey. Future Gener Comput Syst. 2016;56:684–700. doi: 10.1016/j.future.2015.09.021.
Google Scholar