The FCA's operational resilience rules (PS21/3) reached full compliance maturity in March 2025, and the Cyber Security and Resilience Bill currently progressing through UK Parliament will sharpen expectations further. Yet most UK financial services firms we audit are still running multi-cloud estates with the same control gaps we flagged three years ago — fragmented IAM, inconsistent logging, and no unified policy plane across AWS, Azure, and GCP.
The problem isn't the cloud platforms themselves. Each provider gives you robust native controls. The problem is that "robust" in AWS doesn't map cleanly to "robust" in Azure, and your CISO ends up signing off a risk register that papers over the seams. When the FCA's important business services rules require you to demonstrate impact tolerances across the full stack, those seams become audit findings.
Our consultants have spent the last eighteen months running CloudAuditX assessments across UK banks, asset managers, and payment institutions. Five control gaps appear in nearly every engagement. Close them now and you'll be ahead of the regulator and your peers.
Gap 1: Fragmented Identity and Access Management
Every cloud has its own IAM model. AWS uses IAM roles and SCPs. Azure uses Entra ID, RBAC, and Conditional Access. GCP uses IAM bindings and Organisation Policies. Most firms federate authentication to a central IdP — usually Entra ID or Okta — then declare the job done.
It isn't. Authorisation still lives in each cloud, and privilege creep accumulates silently. A developer granted temporary Owner rights in an Azure subscription for a 2023 migration still has them in 2026. Nobody has run a cross-cloud entitlement review because there's no single tool to do it.
Fix this with a Cloud Infrastructure Entitlement Management (CIEM) layer that ingests entitlements from all three providers and flags effective permissions, not just assigned ones. Run quarterly access recertification against the consolidated view. Tie privileged access to just-in-time elevation through PIM in Entra, IAM Identity Center in AWS, and Privileged Access Manager in GCP.
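A minimal version of the consolidated entitlement review described above, added here as an illustration rather than CloudAuditX or any provider's code: it expands group-inherited roles into effective per-user permissions and flags standing privileged access that is not behind just-in-time elevation. The role names treated as privileged, the group data and the assignments are assumed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Assumed mapping of roles that count as privileged in each provider; adjust to your control catalogue.
PRIVILEGED = {
    "aws": {"AdministratorAccess"},
    "azure": {"Owner", "User Access Administrator"},
    "gcp": {"roles/owner", "roles/editor"},
}

@dataclass(frozen=True)
class Assignment:
    provider: str    # "aws", "azure" or "gcp"
    principal: str   # user or group name as known to the central IdP
    scope: str       # AWS account, Azure subscription or GCP project
    role: str
    granted: date
    jit: bool = False  # True if the role is only reachable via PIM / Identity Center / PAM elevation

def effective(assignments, groups):
    """Expand group assignments into (user, assignment, via_group) so inherited roles count too."""
    out = []
    for a in assignments:
        members = groups.get(a.principal)
        if members is None:
            out.append((a.principal, a, None))
        else:
            out.extend((m, a, a.principal) for m in members)
    return out

def standing_privileged(assignments, groups, today, max_days=90):
    """Flag standing (non-JIT) privileged access older than max_days, per effective user."""
    findings = []
    for user, a, via in effective(assignments, groups):
        if a.role in PRIVILEGED.get(a.provider, set()) and not a.jit:
            age = (today - a.granted).days
            if age > max_days:
                findings.append({"provider": a.provider, "user": user, "scope": a.scope,
                                 "role": a.role, "age_days": age, "via_group": via})
    return findings

# Constructed sample data: the 2023 Azure Owner grant, a group-inherited AWS admin role, a JIT-only GCP owner, a Reader.
GROUPS = {"cloud-admins": ["alice@example.com", "bob@example.com"]}
SAMPLE = [
    Assignment("azure", "dev@example.com", "sub-migration", "Owner", date(2023, 4, 1)),
    Assignment("aws", "cloud-admins", "123456789012", "AdministratorAccess", date(2022, 1, 10)),
    Assignment("gcp", "ops@example.com", "prj-payments", "roles/owner", date(2025, 12, 1), jit=True),
    Assignment("azure", "alice@example.com", "sub-prod", "Reader", date(2021, 6, 1)),
]
AS_OF = date(2026, 1, 15)
```

Running `standing_privileged(SAMPLE, GROUPS, AS_OF)` reports the stale Azure Owner and both members of the AWS admin group, while the JIT-only GCP grant and the Reader role pass.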
Gap 2: Inconsistent Logging and Detection Coverage
CloudTrail in AWS, Activity Log and Defender for Cloud in Azure, Cloud Audit Logs in GCP — three log schemas, three retention defaults, three pricing models. Teams tune detection rules in whichever cloud they know best and let the others drift.
The FCA expects you to detect and respond to incidents affecting important business services within your declared impact tolerance. If your detection coverage in GCP is six months behind your AWS coverage, you cannot evidence that tolerance honestly.
Pick one normalisation target — OCSF or your SIEM's native schema — and pipe every cloud's audit log through it. Build detection rules against the normalised schema, not the native one. Document log retention as a single policy that applies everywhere, and align it to the seven-year financial records requirement under the FCA Handbook (SYSC 9).
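To show what "build detection rules against the normalised schema, not the native one" means in practice, here is an added example (not the article's or any vendor's code) that maps a CloudTrail record, an exported Azure Activity Log record and a GCP Cloud Audit Log entry onto one flat, OCSF-inspired schema and then runs a single IAM-change rule over all of them. The sample records are constructed and trimmed to the fields used, the flat schema is a simplification of OCSF, and the per-provider operation lists are assumed.

```python
# Assumed per-provider map from native operation name to a neutral activity label.
IAM_CHANGE_OPS = {
    "aws": {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy"},
    "azure": {"microsoft.authorization/roleassignments/write"},
    "gcp": {"SetIamPolicy"},
}
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

def normalise(provider, rec):
    """Map one native audit record onto a single flat, OCSF-inspired schema."""
    if provider == "aws":          # CloudTrail record
        ev = {"time": rec["eventTime"], "actor": rec["userIdentity"]["arn"], "operation": rec["eventName"],
              "src_ip": rec.get("sourceIPAddress"), "target": rec.get("requestParameters")}
    elif provider == "azure":      # Activity Log as exported to Event Hub / storage
        ev = {"time": rec["time"], "actor": rec["identity"]["claims"][NAME_CLAIM],
              "operation": rec["operationName"].lower(), "src_ip": rec.get("callerIpAddress"),
              "target": rec["resourceId"]}
    elif provider == "gcp":        # Cloud Audit Log entry
        p = rec["protoPayload"]
        ev = {"time": rec["timestamp"], "actor": p["authenticationInfo"]["principalEmail"],
              "operation": p["methodName"], "src_ip": p.get("requestMetadata", {}).get("callerIp"),
              "target": rec["resource"]["labels"].get("project_id")}
    else:
        raise ValueError(f"unknown provider {provider}")
    ev["provider"] = provider
    ev["activity"] = "iam_policy_change" if ev["operation"] in IAM_CHANGE_OPS[provider] else "other"
    return ev

def unapproved_iam_changes(events, approved_actors):
    """One detection rule, written once against the normalised schema, applied to every cloud."""
    return [e for e in events if e["activity"] == "iam_policy_change" and e["actor"] not in approved_actors]

# Constructed, trimmed sample records in each provider's native shape.
SAMPLES = [
    ("aws", {"eventTime": "2026-01-12T09:14:03Z", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
             "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
             "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}),
    ("azure", {"time": "2026-01-12T09:20:11Z", "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
               "callerIpAddress": "203.0.113.10", "identity": {"claims": {NAME_CLAIM: "alice@example.com"}},
               "resourceId": "/subscriptions/sub-prod/providers/Microsoft.Authorization/roleAssignments/ra-1"}),
    ("gcp", {"timestamp": "2026-01-12T09:31:45Z", "resource": {"type": "project", "labels": {"project_id": "prj-payments"}},
             "protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "svc-deploy@example.com"},
                              "requestMetadata": {"callerIp": "198.51.100.7"}}}),
    ("aws", {"eventTime": "2026-01-12T10:02:00Z", "eventName": "GetObject", "sourceIPAddress": "10.0.0.5",
             "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-1"}}),
]

def run(approved=frozenset({"svc-deploy@example.com"})):
    return unapproved_iam_changes([normalise(p, r) for p, r in SAMPLES], approved)
```

With the approved deployment identity excluded, `run()` flags the AWS policy attachment and the Azure role assignment while the S3 read is classified as "other"; the rule itself never mentions a provider.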
Gap 3: No Unified Cloud Governance Framework
A cloud governance framework isn't a SharePoint document listing approved services. It's the policy-as-code layer that enforces guardrails at deployment time. AWS Service Control Policies, Azure Policy, and GCP Organisation Policies all do this — but they need a single owner and a single source of truth.
We see firms where the AWS landing zone has 40 SCPs, the Azure tenant has six policies, and GCP runs with defaults. That's not a governance framework. That's three different risk appetites operating under one company name.
Define controls once in a control catalogue mapped to ISO 27001:2022 Annex A and the NCSC Cloud Security Principles. Translate each control into the native policy language of each cloud. Version-control the lot in Git. Make policy violations break the build, not the audit.
Gap 4: Encryption Key Management Without a Strategy
KMS in AWS, Key Vault in Azure, Cloud KMS in GCP. Each defaults to provider-managed keys. For most workloads that's fine. For workloads holding personal data subject to UK GDPR, or material non-public information under MAR, customer-managed keys with HSM backing are the defensible position.
The gap we see: firms enable customer-managed keys in one cloud and forget the others. Or they use customer-managed keys but never rotate them, never audit who can use them, and never test recovery. A key you can't recover is a data loss event waiting to happen.
Define a key hierarchy: which workloads need CMK, which need HSM-backed CMK, which can use provider defaults. Automate rotation. Test recovery quarterly. Log every key use and alert on anomalies.
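The key hierarchy above, expressed as a check a practitioner could run over a consolidated key inventory, added here as an example that is not the article's or any provider's code: each workload's data classification sets a minimum key tier, and customer-managed keys are additionally held to rotation and quarterly recovery-test deadlines. The classification-to-tier mapping, the inventory records and the thresholds are assumed sample values.

```python
from datetime import date

# Key tiers from weakest to strongest, as the article's hierarchy describes them.
TIERS = ["provider", "cmk", "cmk_hsm"]
# Assumed mapping from data classification to the minimum acceptable key tier.
REQUIRED_TIER = {"internal": "provider", "uk_gdpr_personal": "cmk", "mar_mnpi": "cmk_hsm"}

def tier_of(key):
    """Classify a key record from any provider into one of TIERS."""
    if not key["customer_managed"]:
        return "provider"
    return "cmk_hsm" if key["hsm_backed"] else "cmk"

def assess(workloads, keys, today, max_rotation_days=365, max_recovery_test_days=90):
    """Return (workload, issue) pairs for tier shortfalls, overdue rotation and untested recovery."""
    issues = []
    for w in workloads:
        key = keys[w["key_id"]]
        have, need = tier_of(key), REQUIRED_TIER[w["classification"]]
        if TIERS.index(have) < TIERS.index(need):
            issues.append((w["name"], f"key tier {have} below required {need}"))
        if have == "provider":
            continue  # rotation and recovery of provider-managed keys are the provider's job
        if (today - key["last_rotated"]).days > max_rotation_days:
            issues.append((w["name"], "rotation overdue"))
        tested = key["last_recovery_test"]
        if tested is None or (today - tested).days > max_recovery_test_days:
            issues.append((w["name"], "recovery not tested this quarter"))
    return issues

# Constructed inventory: one key per cloud, keyed by a provider-prefixed id.
KEYS = {
    "aws:alias/surveillance": {"customer_managed": True, "hsm_backed": True,
                               "last_rotated": date(2025, 11, 1), "last_recovery_test": date(2025, 12, 10)},
    "azure:kv-crm/crm-key": {"customer_managed": True, "hsm_backed": False,
                             "last_rotated": date(2024, 6, 1), "last_recovery_test": None},
    "gcp:prj-research/default": {"customer_managed": False, "hsm_backed": False,
                                 "last_rotated": None, "last_recovery_test": None},
}
WORKLOADS = [
    {"name": "trade-surveillance", "classification": "mar_mnpi", "key_id": "aws:alias/surveillance"},
    {"name": "crm", "classification": "uk_gdpr_personal", "key_id": "azure:kv-crm/crm-key"},
    {"name": "research-notebooks", "classification": "uk_gdpr_personal", "key_id": "gcp:prj-research/default"},
    {"name": "wiki", "classification": "internal", "key_id": "gcp:prj-research/default"},
]
AS_OF = date(2026, 1, 15)
```

`assess(WORKLOADS, KEYS, AS_OF)` passes the HSM-backed surveillance key and the internal wiki, but reports the Azure CMK as never recovery-tested and overdue for rotation, and the GDPR notebook workload as sitting on a provider-managed key.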
Gap 5: Third-Party and SaaS Cloud Exposure
Your unified AWS, Azure and GCP security strategy means nothing if your critical SaaS vendors are storing customer data in cloud configurations you've never assessed. The FCA's operational resilience rules and the forthcoming Cyber Security and Resilience Bill both push accountability for third-party cloud risk onto the regulated firm.
Run SaaS Security Posture Management (SSPM) against your tier-one vendors. Demand SOC 2 Type II reports and read them — actually read the exceptions section. Map each critical SaaS to the important business services it supports and include it in your impact tolerance testing.
How Pyralink Helps
Pyralink Innovation Ltd is a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science), Founder and Managing Director. Our team works with UK financial services firms on exactly the gaps above.
CloudAuditX is our multi-cloud auditing platform. It ingests configuration and entitlement data from AWS, Azure, and GCP, normalises it against a single control catalogue, and produces evidence packs aligned to ISO 27001, the NCSC Cloud Security Principles, and FCA operational resilience expectations.
Our fractional vCISO service (from £497/month) gives you board-level cloud security leadership without a permanent hire. We also deliver ISO 27001 certification support and compliance programme management. Pyralink carries £5M professional indemnity insurance.