Technology Shield — Cloud PaaS Assessment Framework
A structured methodology for assessing Platform-as-a-Service offerings across GCP, AWS, and Azure, producing Cloud Blueprints that guide organisations to securely adopt cloud services.
Version: 0.1.0
Status: Draft
Author: Technology Shield
Last Updated: 2026-03-25
1. Purpose
Cloud services remove operational burden, but they are easy to misconfigure, and a misconfiguration can expose sensitive systems and information. Every PaaS service comes with its own security model, shared responsibility boundary, default configurations, and operational characteristics.
This framework provides a repeatable, structured method to:
- Assess any PaaS service across GCP, AWS, and Azure
- Produce a Cloud Blueprint that tells organisations how to securely adopt the service
- Identify control strengths and weaknesses inherent to the service
- Surface cautions — the non-obvious risks that catch organisations off guard
The output is a Cloud Blueprint: a living document that serves as the authoritative reference for secure adoption of a specific cloud service within the organisation.
2. Assessment Dimensions
Every PaaS service is assessed across eight dimensions:
| # | Dimension | What It Covers |
|---|---|---|
| 1 | Identity and Access | Authentication, authorisation, privilege model, service accounts, federation |
| 2 | Network and Exposure | Network integration, public/private endpoints, ingress/egress controls, DNS, TLS |
| 3 | Data Protection | Encryption at rest, in transit, key management, data residency, classification support |
| 4 | Logging and Monitoring | Audit logs, operational logs, metrics, alerting, SIEM integration |
| 5 | Configuration and Hardening | Defaults vs. hardened settings, policy enforcement, drift detection |
| 6 | Availability and Resilience | SLAs, redundancy, backup, disaster recovery, regional failover |
| 7 | Compliance and Governance | Regulatory certifications, tagging, cost controls, org policy support |
| 8 | Supply Chain and Dependencies | Underlying dependencies, update cadence, deprecation risk, vendor lock-in |
3. Assessment Process
Phase 1 — Service Profiling
Capture the fundamental characteristics of the service.
| Field | Description |
|---|---|
| Service Name | Official name (e.g. AWS Lambda, Azure App Service, GCP Cloud Run) |
| Provider | AWS / Azure / GCP |
| Service Category | Compute / Storage / Database / Messaging / Analytics / ML / Integration / other |
| Shared Responsibility Boundary | What the provider manages vs. what the customer manages |
| Deployment Model | Regional / Zonal / Global / Edge |
| Maturity | GA date, current generation, known deprecation plans |
| Pricing Model | Per-request / per-hour / reserved / consumption-based |
Phase 2 — Dimension Assessment
For each of the eight dimensions, evaluate:
| Assessment Field | Description |
|---|---|
| Native Controls | What security controls does the service provide out of the box? |
| Default Posture | What is the security posture if deployed with defaults? (Typically weak) |
| Hardened Posture | What does the service look like when properly configured? |
| Control Strength | Where is the service genuinely strong? What controls are well-implemented? |
| Control Weakness | Where is the service weak, limited, or absent? What gaps exist? |
| Compensating Controls | What external controls are needed to close the gaps? |
| Cautions | Non-obvious risks, common misconfigurations, footguns, and operational surprises |
| Regulatory Considerations | Specific compliance implications (data residency, audit, retention) |
Phase 3 — Risk Rating
Each dimension receives a risk rating:
| Rating | Definition |
|---|---|
| Strong | Native controls are comprehensive, well-documented, and effective with minimal additional effort |
| Adequate | Native controls exist but require configuration and supplementary measures |
| Weak | Significant gaps exist; compensating controls are essential |
| Absent | The service provides no meaningful control in this dimension; external solutions are required |
Phase 4 — Blueprint Generation
Compile the assessment into a Cloud Blueprint (see Section 5).
4. Control Strength / Weakness Model
This is the heart of the framework. For each service, we produce a clear, honest picture:
Control Strength
These are areas where the cloud service provides genuine, well-implemented security capability. They represent areas of advantage — controls that work well, are well-documented, and reduce the customer's burden.
Example: AWS S3 Block Public Access is a strong preventative control that stops accidental public exposure at the account level.
Control Weakness
These are areas where the cloud service has gaps, poor defaults, limited functionality, or architectural limitations that create risk. They represent areas requiring attention — either compensating controls, additional tooling, or conscious risk acceptance.
Example: Azure App Service default TLS settings accept TLS 1.0/1.1 unless explicitly configured otherwise.
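Added example (not part of the Technology Shield framework text): the two controls cited above, AWS S3 Block Public Access and Azure App Service minimum TLS version, expressed as the "default posture vs. hardened posture" checks that Phase 2 asks for, in a form that can also serve as a drift-detection gate. The configuration inputs are constructed dicts whose shape follows the S3 PublicAccessBlockConfiguration and the App Service siteConfig.minTlsVersion setting; the control names, the dimension labels, and the assess/has_drift helpers are this example's own, and no cloud API is called.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Callable

# --- Constructed sample configurations (not live API output) ---
# Shape follows S3 GetPublicAccessBlock: a PublicAccessBlockConfiguration
# holding four booleans. None models a bucket with no block configured,
# i.e. the "deployed with defaults" posture.
S3_DEFAULT: dict[str, Any] = {"PublicAccessBlockConfiguration": None}
S3_HARDENED: dict[str, Any] = {
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }
}
# Shape follows an App Service site resource's siteConfig block. The
# "default" sample is constructed to model the weak posture described
# above (TLS 1.0/1.1 still accepted).
APP_DEFAULT: dict[str, Any] = {"siteConfig": {"minTlsVersion": "1.0"}}
APP_HARDENED: dict[str, Any] = {"siteConfig": {"minTlsVersion": "1.2"}}

BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass(frozen=True)
class Finding:
    control: str
    dimension: str
    passed: bool      # True = hardened posture, False = drift from baseline
    detail: str


@dataclass(frozen=True)
class Control:
    name: str
    dimension: str    # one of the framework's eight dimensions
    check: Callable[[dict[str, Any]], tuple[bool, str]]


def check_s3_block_public_access(cfg: dict[str, Any]) -> tuple[bool, str]:
    """Hardened posture: all four Block Public Access settings enabled."""
    block = cfg.get("PublicAccessBlockConfiguration")
    if not block:
        return False, "no public access block configured (service default)"
    missing = [flag for flag in BPA_FLAGS if not block.get(flag, False)]
    if missing:
        return False, "public access block incomplete: " + ", ".join(missing)
    return True, "all four Block Public Access settings enabled"


def _tls_tuple(version: str) -> tuple[int, ...]:
    """Parse '1.2' -> (1, 2); unparseable values sort below every real version."""
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        return (0,)


def check_app_service_min_tls(cfg: dict[str, Any]) -> tuple[bool, str]:
    """Hardened posture: minTlsVersion explicitly set to 1.2 or higher."""
    min_tls = cfg.get("siteConfig", {}).get("minTlsVersion")
    if min_tls is None:
        return False, "minTlsVersion not set; platform default applies"
    if _tls_tuple(min_tls) < (1, 2):
        return False, f"minTlsVersion {min_tls} still accepts TLS 1.0/1.1"
    return True, f"minTlsVersion {min_tls}"


# Hypothetical control registry for this example; a real blueprint would
# carry one entry per hardened-baseline setting.
S3_BLOCK_PUBLIC_ACCESS = Control(
    "S3 Block Public Access", "Network and Exposure", check_s3_block_public_access)
APP_SERVICE_MIN_TLS = Control(
    "App Service minimum TLS", "Data Protection", check_app_service_min_tls)


def assess(cfg: dict[str, Any], controls: list[Control]) -> list[Finding]:
    """Run every control against one resource configuration."""
    return [Finding(c.name, c.dimension, *c.check(cfg)) for c in controls]


def has_drift(findings: list[Finding]) -> bool:
    """True if any control is below its hardened baseline (CI gate)."""
    return any(not f.passed for f in findings)


if __name__ == "__main__":
    cases = [("S3 default", S3_DEFAULT, S3_BLOCK_PUBLIC_ACCESS),
             ("S3 hardened", S3_HARDENED, S3_BLOCK_PUBLIC_ACCESS),
             ("App Service default", APP_DEFAULT, APP_SERVICE_MIN_TLS),
             ("App Service hardened", APP_HARDENED, APP_SERVICE_MIN_TLS)]
    for label, cfg, control in cases:
        for f in assess(cfg, [control]):
            state = "hardened" if f.passed else "DRIFT"
            print(f"{label:22} {f.dimension:22} {state:9} {f.detail}")
```

Each control returns a pass/fail plus a human-readable detail, so the same output feeds both the Phase 2 "Default Posture / Hardened Posture" fields of the assessment and a CI policy gate that fails the build when has_drift is true.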
Cautions
These are the non-obvious things. They are not necessarily weaknesses in the traditional sense, but operational, architectural, or behavioural characteristics that catch organisations off guard.
Categories of caution:
| Category | Description |
|---|---|
| Default Danger | Insecure defaults that are not immediately obvious |
| Blast Radius | Misconfiguration in one area that cascades to unexpected places |
| Visibility Gap | Actions or changes that are not logged or are difficult to detect |
| Privilege Escalation Path | Combinations of permissions that create unintended elevation |
| Data Leakage Vector | Paths through which data can leave the boundary unexpectedly |
| Operational Trap | Behaviours that work in dev/test but fail or become dangerous at scale |
| Lock-In Risk | Architectural decisions that create vendor dependency |
| Deprecation Risk | Services or features likely to be retired or superseded |
5. Cloud Blueprint Template
Each assessed service produces a Cloud Blueprint:
# Cloud Blueprint: [Service Name]
| Field | Value |
|---|---|
| Provider | AWS / Azure / GCP |
| Service | |
| Category | |
| Blueprint Version | 0.1.0 |
| Assessment Date | |
| Assessed By | |
| Status | Draft / Current / Under Review / Deprecated |
## Executive Summary
<!-- 3-5 sentences: what this service is, its security posture in brief,
and the top things organisations must know before adopting it. -->
## Shared Responsibility Boundary
<!-- Diagram or table showing provider vs. customer responsibility -->
## Assessment Summary
| Dimension | Rating | Key Finding |
|---|---|---|
| Identity and Access | Strong / Adequate / Weak / Absent | |
| Network and Exposure | | |
| Data Protection | | |
| Logging and Monitoring | | |
| Configuration and Hardening | | |
| Availability and Resilience | | |
| Compliance and Governance | | |
| Supply Chain and Dependencies | | |
## Control Strengths
<!-- Numbered list of genuine security advantages -->
## Control Weaknesses
<!-- Numbered list of gaps, poor defaults, or limitations -->
## Cautions
<!-- Numbered list of non-obvious risks, organised by caution category -->
## Secure Adoption Guide
### Prerequisites
<!-- What must be in place before deploying this service -->
### Hardened Configuration Baseline
<!-- Specific settings to apply, with rationale -->
### Network Architecture
<!-- How to integrate into the organisation's network and zoning model -->
### Identity Configuration
<!-- Service accounts, roles, least privilege setup -->
### Data Protection Configuration
<!-- Encryption, key management, classification -->
### Logging Configuration
<!-- What to enable, where to send it, retention -->
### Monitoring and Alerting
<!-- Key metrics, alert conditions, runbooks -->
### Compensating Controls
<!-- External controls needed to close gaps -->
## Compliance Notes
<!-- Regulatory considerations specific to this service -->
## Related Patterns
<!-- Links to Pattern Blueprints that use this service -->
## Review Schedule
<!-- When this blueprint should be re-assessed -->
6. Cross-Cloud Comparison View
For organisations operating across multiple clouds, we produce comparison matrices:
Service Equivalence Map
| Capability | AWS | Azure | GCP |
|---|---|---|---|
| Container Orchestration | EKS | AKS | GKE |
| Serverless Compute | Lambda | Functions | Cloud Functions / Cloud Run |
| Managed Database (Relational) | RDS / Aurora | Azure SQL / Flexible Server | Cloud SQL / AlloyDB |
| Object Storage | S3 | Blob Storage | Cloud Storage |
| Message Queue | SQS | Service Bus / Queue Storage | Pub/Sub |
| API Gateway | API Gateway | API Management | API Gateway / Apigee |
| Secret Management | Secrets Manager | Key Vault | Secret Manager |
| Identity Platform | IAM + Cognito | Entra ID | Cloud Identity + IAM |
Comparative Security Assessment
For equivalent services across providers, produce a side-by-side:
| Dimension | AWS [Service] | Azure [Service] | GCP [Service] |
|---|---|---|---|
| Identity and Access | Rating + summary | Rating + summary | Rating + summary |
| Network and Exposure | | | |
| Data Protection | | | |
| ... | | | |
This allows organisations to make informed platform choices based on security posture, not just features or cost.
7. Assessment Cadence
| Trigger | Action |
|---|---|
| New service adoption | Full assessment before production use |
| Major service update | Re-assess affected dimensions |
| Annual review | Re-assess all blueprints for currency |
| Security incident | Re-assess the involved service immediately |
| Regulatory change | Re-assess compliance dimension |
8. Governance Integration
Cloud Blueprints connect to the broader governance ecosystem:
- Pattern Blueprints reference Cloud Blueprints for cloud-specific implementations
- Security Reference Architecture defines the zoning model that Cloud Blueprints must respect
- Secure Development Framework enforces Cloud Blueprint configurations through CI/CD policy-as-code
- Risk Register captures residual risks identified in Cloud Blueprint assessments
- Exception Process handles deviations from Cloud Blueprint recommendations
9. Starter Blueprints
Technology Shield recommends assessing these high-impact services first:
Tier 1 — Assess Immediately
- Compute: Container platforms (EKS, AKS, GKE), Serverless (Lambda, Functions, Cloud Run)
- Storage: Object storage (S3, Blob, Cloud Storage)
- Identity: IAM, service accounts, workload identity
- Networking: VPC/VNet, load balancers, DNS
Tier 2 — Assess Before Scaling
- Database: Managed relational and NoSQL services
- Messaging: Queues and event-driven services
- Secrets: Secret and key management services
- API: API gateways and management platforms
Tier 3 — Assess for Specialised Use
- ML/AI: Managed ML platforms and AI services
- Analytics: Data warehousing and pipeline services
- IoT: Device management and edge services
10. How Technology Shield Helps
Assessment Delivery: We conduct PaaS assessments using this framework and deliver production-ready Cloud Blueprints for your environment.
Framework Adoption: We train your teams to conduct their own assessments using this framework, building internal capability.
Continuous Assurance: We provide ongoing re-assessment services tied to your cloud service catalogue, keeping blueprints current as services evolve.
Multi-Cloud Strategy: For organisations spanning providers, we produce cross-cloud comparison views that inform platform and service selection decisions based on security posture.