Security built into how the infrastructure runs. Not added on top.
Moving to the cloud creates a different threat surface. Perimeter-based security does not travel well: when infrastructure spans AWS, Azure, and GCP, and identities include employees, contractors, service accounts, and APIs, the question shifts from who is inside the network to whether every request from every identity is actually authorised.
Most organisations that have moved fast in the cloud have accumulated drift along the way: misconfigured permissions, overly permissive security groups, credentials in code, logging gaps. The cloud platform provides the tools to fix this. What is usually missing is the engineering time and the discipline to close it systematically.
Gradion has delivered cloud infrastructure and security work for clients including a leading B2B marketplace operator - AWS WAF deployment and layered cloud policies as part of an infrastructure hardening programme, reaching 99.9% uptime with a stronger security posture - and a Swiss banking technology provider where we designed a multi-cloud Azure and GCP architecture that passed a Big Four security and compliance audit without revisions, meeting strict FINMA data sovereignty requirements. That work is what this page describes.
Cloud security assessment and hardening
We assess your cloud environment against CIS, NIST, PCI DSS, or SOC 2 benchmarks depending on what your compliance obligations require. Three to five days for the assessment; one to two weeks for hardening. Deliverables: Security Posture Report, Hardening Roadmap, and Monitoring Setup. The hardening is part of the engagement - we do not produce a report and leave the remediation to someone else.
Common findings: public-facing resources that should be private, overly permissive IAM policies, unencrypted storage, missing or incomplete logging, hardcoded credentials in CI/CD pipelines. These are not exotic vulnerabilities. They are the routine accumulation of moving fast without a security baseline.
Identity and access management
Privilege sprawl is the most consistent gap we find: service accounts with administrator access, MFA not enforced on privileged users, and no rotation policy on long-lived credentials. We audit IAM configurations across cloud and on-premises systems, enforce least-privilege access, implement MFA where it is missing, and govern service account permissions. For regulated environments - finance, healthtech, digital identity - we align configurations to FINMA, NIS2, and ISO 27001 requirements, as we did for a Swiss banking technology client operating under FINMA.
Network segmentation
Flat cloud networks make lateral movement easy. We segment workloads by environment and sensitivity: separate VPCs or VNets per tier, private endpoints replacing public service exposure, and east-west traffic controls that contain a compromised workload before it spreads. Network segmentation review is also part of our broader Cybersecurity & Infrastructure Safety Check for organisations that need to assess IT and OT together.
Secrets management and pipeline hardening
Hardcoded credentials in application code and CI/CD pipelines are a persistent and underestimated risk. We audit secrets sprawl, implement centralised secrets management (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault), and harden pipeline permissions. This is frequently the highest-impact fix in an engagement because it is both common and easy to miss in a standard audit.
Why Gradion
Gradion is ISO 27001 certified. Our cloud security work is delivered by practitioners who run cloud infrastructure at scale, not advisors producing gap analyses for other teams to close. Jan Moser, our Lead Consultant for Cloud, Security, and DevSecOps, holds certifications as Azure Administrator, Solution Architecture Expert, and Cybersecurity Expert.
Share the environment and what you need to be confident about. We will scope the assessment and tell you where the real exposure sits.
Big Four audit passed
Gradion designed a multi-cloud Azure and GCP architecture for a Swiss banking technology provider that passed a Big Four security and compliance audit without findings.
Migrating to cloud and want security designed in from day one?
We design Zero Trust architectures for cloud-native teams with real threat models. No checkbox compliance.