Cloud management: how to govern multi-cloud environments without losing control

Most organizations do not plan to have multi-cloud environments. They end up with them because different teams made different decisions at different times. Marketing adopted a SaaS platform on AWS. Development deployed on Azure. The ERP vendor runs on Google Cloud. Backup infrastructure sits in the Datto Cloud. The result is a multi-cloud environment with no unified governance model and no single team that owns it.

According to the 2026 Kaseya State of the MSP Report, cloud and hosting services represent 34% of MSP revenue, reflecting how central cloud management has become to the MSP service portfolio. Flexera’s State of the Cloud Report found that over 87% of organizations now have a multi-cloud strategy, with most managing workloads across more than one provider. The challenge is not adopting multiple clouds. It is governing them coherently once you have them. Kaseya’s platform supports over 50,000 MSPs and IT teams managing exactly these environments worldwide.

Why multi-cloud governance is harder than single-cloud management

Multi-cloud management is harder than single-cloud management not because any individual cloud is difficult, but because the aggregate visibility and governance problem is significant. Each provider has its own console, its own logging format, its own billing structure, its own IAM model, and its own security controls. Managing them individually produces fragmented visibility. Managing them consistently requires a governance layer that abstracts those provider-specific differences.

The distinction between accidental and deliberate multi-cloud matters operationally. Gartner defines accidental multi-cloud as the result of inadequate governance, mergers and acquisitions, or independent team decisions rather than a coordinated strategy. Accidental multi-cloud environments tend to have no unified identity model, inconsistent security standards, invisible cost exposure, and undocumented workload dependencies. Deliberate multi-cloud environments have all of the same complexity, but with governance structures designed to address it from the start.

Most SMB and mid-market clients managed by MSPs are accidental multi-cloud. The governance work is retroactive. An MSP taking on a new client should expect to find cloud workloads spread across providers with no unified tagging strategy, multiple administrator accounts with excessive permissions, no cross-provider backup policy, and billing that no one has reviewed in months. That is the starting point, not the exception.

Unified monitoring across providers

Alerts from AWS CloudWatch, Azure Monitor, and Google Cloud Operations are formatted differently, delivered through different channels, and have no native correlation layer between them. An MSP managing clients across all three providers cannot realistically monitor each provider’s console separately for each client. The operational math does not work.

A unified monitoring layer normalizes telemetry from multiple cloud providers alongside on-premises infrastructure and endpoints into a single alert stream and management console. Kaseya Intelligence ingests and correlates this telemetry, applying automated pattern recognition to identify anomalies and configuration drift across hybrid environments without requiring a technician to manually review events from each provider.

For MSPs, multi-tenant visibility is the operational requirement: one console that shows alert status, backup health, and configuration compliance across all clients and all cloud environments simultaneously. An MSP that needs to log into 30 separate AWS consoles to check the health of 30 clients’ cloud environments is not operating a scalable service.

Identity governance in multi-cloud environments

Identity is the perimeter in cloud environments, and in a multi-cloud environment, identity governance is the most complex security challenge. Each provider has its own IAM model. AWS uses roles and policies. Azure uses Entra ID and RBAC. Google Cloud uses its own IAM system. Users and service accounts frequently need access across more than one of these, creating a sprawling identity landscape with multiple places to misconfigure permissions.

The practical risks are specific: users with excessive permissions in one provider’s environment because those permissions were copied from another without review; service accounts with credentials that have not been rotated; administrator accounts that were created for a project and never deprovisioned; and IAM configurations that look correct within each provider’s console but collectively grant more access than any individual review would approve.

Governance across this landscape requires visibility into who has access to what, across all providers, and automated enforcement of least-privilege policies. Kaseya 365 User provides the identity and access management layer across Microsoft 365 and connected cloud environments, with multifactor authentication enforcement and credential monitoring through Dark Web ID to detect exposed credentials before they are exploited.

Regular IAM access reviews should be scheduled for every managed cloud environment: quarterly at minimum, monthly for environments handling sensitive data. Access reviews are not the kind of task that happens organically. They need to be on a calendar and produce a documented output.
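An access review that produces a documented output, as an added example (not code from this article or from any Kaseya product): it merges grants from all providers by identity, so the aggregate access that no single console shows becomes visible. The record shape, both 90-day thresholds, the `backup-writer` role and the sample identities are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Assumptions: both thresholds are illustrative; the article sets no numbers.
MAX_KEY_AGE_DAYS = 90
MAX_IDLE_DAYS = 90

def access_review(grants, today):
    """Return (identity, finding, detail) rows for a cross-provider review."""
    by_identity = defaultdict(list)
    for g in grants:
        by_identity[g["identity"]].append(g)
    rows = []
    for ident, held in sorted(by_identity.items()):
        # Aggregate view: admin rights in several providers at once are
        # invisible when each console is reviewed on its own.
        admin_in = sorted({g["provider"] for g in held if g["admin"]})
        if len(admin_in) > 1:
            rows.append((ident, "MULTI_PROVIDER_ADMIN", ", ".join(admin_in)))
        for g in held:
            idle = (today - g["last_used"]).days
            if g["admin"] and idle > MAX_IDLE_DAYS:
                # Project admin account that was never deprovisioned.
                rows.append((ident, "IDLE_ADMIN",
                             f"{g['provider']}: unused for {idle} days"))
            key = g["key_created"]
            if key and (today - key).days > MAX_KEY_AGE_DAYS:
                # Service account credential that has not been rotated.
                rows.append((ident, "STALE_KEY",
                             f"{g['provider']}: key is {(today - key).days} days old"))
    return rows

def grant(identity, provider, role, admin, last_used, key_created=None):
    """Build one normalized grant record (hypothetical shape)."""
    return {"identity": identity, "provider": provider, "role": role,
            "admin": admin, "last_used": last_used, "key_created": key_created}

# Constructed sample data, as a collector might emit after normalization.
GRANTS = [
    grant("alice@example.com", "aws", "AdministratorAccess", True, date(2026, 3, 20)),
    grant("alice@example.com", "azure", "Owner", True, date(2026, 3, 25)),
    grant("bob@example.com", "gcp", "roles/viewer", False, date(2026, 3, 30)),
    grant("proj-migration@example.com", "gcp", "roles/owner", True, date(2025, 9, 1)),
    grant("svc-backup@example.com", "aws", "backup-writer", False,
          date(2026, 3, 31), date(2025, 1, 15)),
]

if __name__ == "__main__":
    for row in access_review(GRANTS, date(2026, 4, 1)):
        print(" | ".join(row))
```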

Cost visibility and FinOps

Multi-cloud billing is the most immediately visible governance problem. Multiple providers, multiple billing models, multiple invoice formats, and no native aggregation layer means that cost visibility requires deliberate effort. Without it, cloud spend accumulates in ways that no one fully understands until a bill lands that is significantly higher than expected.

FinOps is the practice of using cloud billing data to inform resource decisions in real time, rather than reviewing costs reactively at the end of the month. The core FinOps disciplines map directly onto the multi-cloud management challenge.

Tagging and attribution. Resources that are not tagged cannot be attributed to a team, a project, or a client. A consistent tagging strategy, applied at provisioning and enforced through policy, is the foundation of cost visibility across providers. Without tags, cost data is an aggregate number with no actionable decomposition.

Waste identification. Unattached storage volumes, idle compute instances, orphaned load balancers, and forgotten test environments are present in almost every multi-cloud environment that has been operating for more than six months. A monthly waste review across all providers is standard practice in well-governed environments.

Reserved capacity. On-demand pricing is the most expensive operating model for stable workloads. AWS Reserved Instances, Azure Reserved VM Instances, and equivalent constructs across providers offer discounts that require a usage commitment. Identifying which workloads are stable enough to commit and purchasing reserved capacity accordingly is a recurring advisory service that MSPs can deliver as part of cloud management.

Anomaly alerting. Unexpected cost spikes are almost always detectable before they appear on the bill. Budget alerts and anomaly detection in AWS Cost Explorer and Azure Cost Management provide early warning that prevents a provisioning mistake or runaway process from becoming a significant cost event.

Security posture management

Security configuration standards vary by provider, and ensuring consistent security posture across a multi-cloud environment requires policy management that spans the stack. The most common security gaps in multi-cloud environments are not provider-specific failures. They are governance failures: controls that are configured correctly in one environment but missed in another because there was no unified policy enforcement mechanism.

The five security baselines that should be verified across every cloud environment in a managed portfolio:

1. Audit logging enabled in all regions. AWS CloudTrail and Azure Monitor Activity Logs are the source of truth for incident investigation. Without them, you are working blind.

2. Encryption at rest on all storage resources. Default encryption should be enabled at the account or subscription level so that new resources are encrypted unless explicitly overridden.

3. Public access blocks enabled. S3 public access blocks and the equivalent Azure settings should be enabled at the account level to prevent accidental public exposure.

4. MFA on all privileged accounts. Every administrator account across every provider should have MFA enforced. No exceptions.

5. No overly permissive security groups or firewall rules. Unrestricted inbound access (0.0.0.0/0) on management ports is consistently identified in cloud security assessments and consistently present when environments have not been formally reviewed.
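One way to verify the five baselines uniformly across providers, as an added example (not code from this article or from any Kaseya product). It assumes a collector has already normalized each environment into the hypothetical snapshot shape shown; the field names, the choice of ports 22 and 3389 as management ports, and the sample data are constructed for illustration.

```python
import ipaddress

# Assumption: SSH and RDP stand in for "management ports"; the article names none.
MGMT_PORTS = {22, 3389}

def open_mgmt_rules(rules):
    """Names of inbound rules exposing a management port to every address."""
    hits = []
    for r in rules:
        net = ipaddress.ip_network(r["source"], strict=False)
        lo, hi = r["ports"]
        # prefixlen 0 matches 0.0.0.0/0 and its IPv6 counterpart ::/0
        if net.prefixlen == 0 and any(lo <= p <= hi for p in MGMT_PORTS):
            hits.append(r["name"])
    return hits

def check_baselines(env):
    """Failed baselines (numbered as in the list above) for one environment."""
    fails = []
    gaps = sorted(set(env["active_regions"]) - set(env["audit_log_regions"]))
    if gaps:
        fails.append((1, "audit logging missing in " + ", ".join(gaps)))
    if not env["default_encryption"]:
        fails.append((2, "default encryption at rest is off"))
    if not env["public_access_block"]:
        fails.append((3, "account-level public access block is off"))
    no_mfa = sorted(a for a, mfa in env["admins"].items() if not mfa)
    if no_mfa:
        fails.append((4, "admins without MFA: " + ", ".join(no_mfa)))
    exposed = open_mgmt_rules(env["inbound_rules"])
    if exposed:
        fails.append((5, "management port open to any source: " + ", ".join(exposed)))
    return fails

# Constructed sample: one client, two providers, already normalized.
ENVS = {
    "client-a/aws": {
        "active_regions": ["us-east-1", "eu-west-1"], "audit_log_regions": ["us-east-1"],
        "default_encryption": True, "public_access_block": True, "admins": {"alice": True},
        "inbound_rules": [{"name": "web", "source": "0.0.0.0/0", "ports": (443, 443)}]},
    "client-a/azure": {
        "active_regions": ["westeurope"], "audit_log_regions": ["westeurope"],
        "default_encryption": True, "public_access_block": False,
        "admins": {"alice": True, "proj-admin": False},
        "inbound_rules": [{"name": "allow-any", "source": "0.0.0.0/0", "ports": (0, 65535)},
                          {"name": "rdp-office", "source": "203.0.113.0/24", "ports": (3389, 3389)}]},
}

def portfolio_report(envs):
    return {name: check_baselines(env) for name, env in envs.items()}
```

Calling `portfolio_report(ENVS)` shows the governance failure the section describes: each environment passes baselines that the other fails.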

Kaseya SIEM ingests telemetry from major cloud platforms alongside endpoint and email data, normalizing security events across providers into a single detection layer. Kaseya Intelligence applies automated response to detected anomalies, closing the loop between detection and remediation without waiting for a technician to review and act.

Backup governance across clouds

Each cloud provider’s native backup covers its own workloads within its own ecosystem. Cross-provider backup governance, ensuring that everything across all clouds is backed up, verified, and recoverable to an independent location, requires a backup management layer that spans providers.

Native backup tools leave three specific gaps in multi-cloud environments. First, they do not provide cross-provider visibility: an MSP cannot see the backup status of AWS workloads and Azure workloads from a single console. Second, they store backups within the provider’s ecosystem, which means a compromised account or provider-side incident affects both primary data and backup. Third, they do not address SaaS data, which requires separate protection via cloud-to-cloud backup.

Datto’s backup portfolio addresses all three scenarios: Datto SIRIS and Datto Endpoint Backup with Disaster Recovery for on-premises and server workloads replicating to the independent Datto Cloud, Datto Backup for Microsoft Azure for Azure VM and Azure Files protection outside the Azure ecosystem, and Datto SaaS Protection for Microsoft 365 and Google Workspace data. All are visible from the Datto Partner Portal’s unified backup status page, giving MSPs a single view of backup health across all workload types and all clients.

For a full treatment of backup architecture across the three cloud use cases, see Cloud backup: a practical guide for IT teams and MSPs.

Documentation and configuration management

Multi-cloud environments without documentation are operationally fragile. The number of resources, providers, configurations, and dependencies involved in a typical SMB multi-cloud environment is large enough that relying on institutional knowledge instead of documented records creates meaningful risk. When the person who built the environment leaves, or when an incident requires rapid investigation at 2 a.m., documentation is the difference between a structured response and a guessing exercise.

IT Glue provides the documentation infrastructure for multi-cloud environments: provider access credentials with per-client isolation, architecture diagrams, IAM structure documentation, runbooks for common recovery scenarios, and integration with Compliance Manager GRC for automated compliance evidence generation. The same documentation discipline that applies to on-premises infrastructure applies equally to cloud environments, and the pace of change in cloud environments makes keeping it current harder and more important.

Configuration drift, the accumulation of unreviewed changes that diverge from the intended environment state, is the underlying cause of most cloud security incidents. A storage bucket that was configured correctly at deployment and inadvertently made public three months later by a change no one documented is a real and common scenario. Continuous configuration monitoring through Kaseya Intelligence detects these deviations before they become incidents.

How Kaseya supports multi-cloud management for MSPs

Kaseya 365 and Datto RMM extend agent-based monitoring, patch management, and automation to cloud-hosted VMs alongside on-premises endpoints, from a single multi-tenant console.

Kaseya SIEM normalizes security telemetry from AWS, Azure, and Google Cloud alongside endpoint and email data into a unified detection layer.

Kaseya Intelligence applies automated pattern recognition and response across managed cloud environments, detecting configuration drift and anomalous activity without manual review.

Kaseya 365 User provides identity and access management across Microsoft 365 and connected cloud environments, including MFA enforcement and Dark Web ID credential monitoring.

IT Glue stores cloud environment documentation with per-client isolation, version history, and direct integration with Compliance Manager GRC.

Datto’s backup portfolio provides independent, immutable backup across on-premises workloads, Azure infrastructure, and SaaS applications, with unified backup status visibility from a single Datto Partner Portal console.


Key Takeaways

  • Most multi-cloud environments are accidental rather than deliberate. Governance frameworks must address the aggregate complexity across providers, not just manage each cloud individually.
  • Unified monitoring, identity governance, cost visibility, security posture management, backup governance, and documentation are the six operational disciplines multi-cloud management requires. None of them are handled by the cloud providers.
  • FinOps practices (consistent tagging, waste identification, reserved capacity, and anomaly alerting) turn cloud billing from a reactive cost surprise into an ongoing managed service.
  • For MSPs, the tooling that makes multi-cloud management scalable is tooling that spans providers from a single console: one alert stream, one backup status view, one documentation system.
