
Innovator Spotlight: Native

Beyond Visibility: Building Secure‑by‑Design Cloud Architectures with Native

Cloud security leaders are tired of déjà vu.

The same alerts fire. The same misconfigurations reappear. The same conversations about “shared responsibility” keep cycling through executive meetings, even as cloud security budgets grow.

For many CISOs, the uncomfortable truth is this: visibility has improved, but architecture has not kept pace.

That is the gap Native aims to close.

I spoke with Gal Ordo, Co-Founder and Chief Product Officer at Native, about why he and his co-founders left AWS to build what he describes as an “operating system” for cloud guardrails, and why he believes the next frontier for CISOs is architectural control, not just more findings.

From AWS to Native: Turning principles into practice

Gal and his co-founders spent years inside AWS building and running core security services. That experience shaped both the problem they saw and the way they are solving it today.

As Gal explained in our conversation, “We saw that cloud providers provide very strong technical security capabilities that customers can use in order to create secure by design environments. But we also saw that the vast majority of the customers that we’ve been speaking to have been far from leveraging optimally.”

The core issue is not a lack of features from the major cloud providers. It is the difficulty of translating security intent into consistent, enforceable, multi-cloud guardrails that actually shape how engineers build and operate.

Gal described Native’s founding vision this way: “We built Native with the vision of being an operating system to those built-in native security capabilities. That’s why we’re called Native, to allow customers to talk in those security outcomes that I mentioned before, translate them into multi-cloud controls across each of the providers.”

For CISOs, that “operating system” metaphor matters. Rather than inserting yet another overlay that scans and shouts, Native plugs directly into the policy, identity and configuration solutions that already exist in AWS, Azure, Google Cloud and Oracle Cloud. The goal is not more insight about what is wrong. The goal is to make entire classes of bad outcomes structurally impossible.

Secure by design, not secure by dashboard

Every CISO has heard the phrase “secure by design.” Fewer can say that their cloud estate actually reflects it.

In Gal’s view, most organizations have stopped short of what secure by design really requires. It is not just more visibility or more prevention rules on top of misaligned architectures. It is the hard work of shaping the environment so that dangerous states never materialize.

As he put it, “When I say security by design, it goes way beyond the visibility that is available today via the cloud security tools. What it actually means is that people need to go into the environment and configure it such that, for example, AI environments are not able to access the internet, production and non-production can never talk to one another, that only allowed geographies are being used, and so on and so forth.”

These are not one-off checks. They are architectural laws. They must hold regardless of whether a change comes from a console, a CI/CD pipeline, or a newly adopted managed service.

Native focuses squarely on this layer. The platform is designed primarily for cloud security architects and engineering leaders, the people tasked with turning high-level CISO intent into enforceable guardrails.

“We are basically a platform for cloud security architects and engineers to go and build guardrails around the use of the cloud,” Gal said.

For CISOs, this is where strategic outcomes like “no direct internet exposure for sensitive AI workloads” or “strict separation between production and non-production” stop being policy documents and start becoming living, enforced constraints.

Multi-cloud reality and consistency of control

Very few large enterprises are truly single cloud anymore. Most are “multi by accident,” then slowly forced to become “multi by design.”

Gal sees this trend firsthand with Native’s customers.

“Some of the use cases that we are seeing with our customers is, I have done some work to harden my primary provider. How do I do that for all of my other providers and get control consistency?” he explained.

This is where a platform that speaks the language of multiple providers becomes essential. Native connects to the four major clouds and translates outcome-driven intent into provider-specific controls, while preserving consistency at the policy level.

For a CISO, that means the concept of “internet isolation for AI environments” can be defined once, then implemented across AWS, Azure, Google Cloud and Oracle Cloud in a way that respects each provider’s native mechanisms.

That consistency is not just a convenience. It is a governance necessity. Audit teams, regulators and boards expect a coherent story about how risk is managed across the entire cloud footprint, not four different stories for four different clouds.

Beyond frameworks: From best practices to enforced patterns

Many organizations lean heavily on frameworks such as the AWS Well-Architected Framework. Those are valuable, but they often stop at the level of guidance, not enforcement.

Gal drew a sharp distinction: “Well-Architected is more of a framework, like it’s a set of basically best practices that you need to accomplish and achieve that are specific to AWS. It’s not a technical capability that you can use.”

Native’s role is to embody those best practices, and many others, in actual technical architecture: policies, permissions, configuration baselines and guardrails that can be deployed, simulated and maintained.

“These are more like architectural recommendations, where we are actually a tool, where customers can do and build with the tools. So we give them the actual technical architecture to either go install or we install on their behalf,” he added.

For CISOs, this helps close one of the most persistent gaps in cloud governance. Written standards have long outpaced their automated enforcement. Native is part of a new wave of tooling that aims to bring those closer together, so that “our standard” and “our actual environment” are not two different things.

Two key innovations: Simulation and security initiatives

Native ships features continually, but two capabilities are particularly important from a CISO perspective: policy simulation and security initiatives.

First, simulation.

Any CISO who has lived through a broken policy rollout understands the risk. One ambitious guardrail can bring down production, anger developers and damage security’s credibility. Historically, the only way to test the blast radius of architectural changes was to painstakingly assemble data from many sources, or to run policies in “audit only” mode for months.

Native tackles that pain directly.

“One of those is the policy simulation, which allows customers to understand the impact of architectural guardrails they’re going to install prior to installation time, so that they can do that with confidence,” Gal said.

He contrasted this with the legacy approach: “Previously, to do that, customers either had to manually collect information from dozens of different sources that we use to understand what’s going to be policy impact, or rather write a policy then put it on audit mode for months to wait and see what could have happened, which really slows down progress.”

Instead, Native runs those simulations in near real time.

“We are doing the simulation on a near real time basis. So a customer says, this is the policy that they want to enforce. Within seconds, they get the simulation, good or not good, and they can move on like that, to install the policy,” he explained.

For CISOs, this is more than a convenience feature. It reduces the organizational friction of strong guardrails. Security teams can propose bolder architectural controls, backed by evidence about their operational impact, not guesswork.

The second innovation is what Native calls security initiatives.

“We understand that putting in policies to CISOs is not about the technical controls. Rather, it’s about the security outcomes they look to achieve, data protection, least privilege, so on and so forth,” Gal said.

In response, Native has introduced outcome-oriented packages inside the product.

“We’ve launched those packages within the products to actually allow our customers to understand what’s the best way in order to enforce those journeys, those set of guidelines within the cloud providers,” he added.

This aligns closely with how CISOs frame their programs to boards and executives. Initiatives are not named after IAM policy types. They are named after outcomes like “data protection” or “privileged access reduction.” Native’s approach echoes that language, while still connecting it to concrete technical changes in each cloud.

Complementing, not replacing, CNAPP and visibility tools

One of the common questions from CISOs evaluating any new security platform is, “How does this fit with what we already have?”

Native’s positioning is intentionally complementary to existing CNAPP and cloud security posture management tools like Wiz.

Gal addressed this directly: “In general today, when people say cloud security, the first thing that pops to mind is Wiz or other CNAPP tools that go in and provide customers with visibility into things that are on with their environments.”

Those platforms are valuable, but they mostly tell you where you stand. They do not fundamentally reshape the architecture that produces the findings.

“Those tools, while they provide visibility, they do not allow customers to make the needed architectural changes in order to get to a place where those bad things never happen,” he said.

That is where Native comes in.

“We allow customers to reason about the architecture of the cloud, to make sure that it’s customized and tailored to their needs, such that, on the one hand, it enables the business to still move fast, but on the other they can do so securely, knowing that nothing will be exposed if it doesn’t need to be exposed,” Gal explained.

Interestingly, there is significant overlap in customer bases.

“In fact, all of our customers have Wiz or some other CNAPP,” he noted.

For CISOs, the message is not “replace your CNAPP.” It is “augment your visibility stack with an architectural control layer that reduces the volume and severity of what those tools surface.”

What this means for CISOs

Taken together, Native’s approach speaks to several strategic priorities that many CISOs share.

  1. Rather than chasing alerts about misconfigurations that should never have been possible, shift investment into guardrails that prevent unsafe states from arising.
  2. Align architecture with business-level outcomes. Express security goals the way boards and executives understand them, then translate those into multi-cloud controls through a platform designed for that purpose.
  3. Reduce the blast radius of change. Use simulation to anticipate the impact of new policies before they hit production, so security can move faster without sacrificing reliability or trust.
  4. Make multi-cloud manageable. Apply consistent intent across AWS, Azure, Google Cloud and Oracle Cloud, while respecting each provider’s native capabilities.
  5. Complement, rather than fight, existing tools. Let CNAPP and CSPM platforms do what they do best, while Native focuses on the architectural levers that those tools are not built to pull.

A call to action for security leaders

For many CISOs, the next twelve to eighteen months will be defined by two pressures that seem at odds.

On one side, boards and regulators expect tighter control over cloud risk, particularly in areas like AI, data residency and third-party exposure.

On the other, business units expect more autonomy, faster delivery and greater use of managed cloud services.

Tools like Native exist precisely at that intersection. They aim to let the business move quickly, within a set of guardrails that make catastrophic failure far less likely.

If you find that your cloud program is rich in dashboards but poor in durable architectural controls, it may be time to rethink your priorities.

Start with a small, high-value initiative: for example, “no direct internet access for production AI workloads,” or “strict isolation between production and non-production.” Ask your teams not only how they will detect violations, but how they will make those violations structurally impossible.

Then explore how an architectural guardrail platform, built on the same native capabilities your cloud providers already expose, can help enforce those decisions consistently across all of your environments.

The future of cloud security leadership will not be won by whoever has the most findings. It will be led by those who quietly, confidently, and predictably prevent the worst outcomes from ever becoming possible in the first place.

Learn more about them at Native Security


About the Author

Pete Green is the CISO of Anvil Works, a ProCloud SaaS company and co-author of “The vCISO Playbook: How Virtual CISOs Deliver Enterprise-Grade Cybersecurity to Small and Medium Businesses (SMBs)”. With over 25 years of experience in information technology and cybersecurity, Pete is a seasoned and accomplished security practitioner.

Throughout his career, he has held a wide range of technical and leadership roles, including LAN/WLAN Engineer, Threat Analyst, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Director of IT, CTO, CEO, Virtual CISO, and CISO.

Pete has supported clients across numerous industries, including federal, state, and local government, as well as financial services, healthcare, food services, manufacturing, technology, transportation, and hospitality.

He holds a Master of Computer Information Systems in Information Security from Boston University, which is recognized as a National Center of Academic Excellence in Information Assurance / Cyber Defense (CAE IA/CD) by the NSA and DHS. He also holds a Master of Business Administration in Informatics.
