In March 2025, Google agreed to acquire Wiz for $32 billion, the largest cybersecurity acquisition in history, and a clear signal that cloud security had become the industry's center of gravity. Yet most teams still can't answer a basic question: what actually counts as "cloud security" in 2026? It's not one tool. It's a stack of overlapping disciplines, posture management, workload protection, identity, data, and increasingly, the software supply chain that builds and deploys everything running in your cloud. IBM's 2024 Cost of a Data Breach Report put the average breach at $4.88 million, and Verizon's 2024 DBIR found that over 60% of breaches trace back to a human element or a misconfiguration, not a zero-day. This guide breaks down what cloud security covers, where platforms like Wiz stop, and what a complete program looks like today.
What Is Cloud Security?
Cloud security is the set of practices, controls, and tools that protect data, workloads, identities, and infrastructure running in public, private, or hybrid cloud environments. Unlike traditional on-premises security, which assumes a fixed perimeter you can wall off with firewalls, cloud security operates on a shared responsibility model: AWS, Azure, and Google Cloud secure the underlying infrastructure, but you're responsible for how you configure it, who can access it, and what code runs on it. Gartner estimates that through 2025, 99% of cloud security failures will be the customer's fault, not the provider's, mostly from misconfigured storage buckets, overly permissive IAM roles, and unpatched workloads. Cloud security typically spans five domains: cloud security posture management (CSPM), cloud workload protection (CWPP), identity and access management (CIEM), data security, and application/software supply chain security. Missing any one of these leaves a real gap, which is exactly what happened in the 2023 MOVEit breach that hit over 2,700 organizations through a single unpatched file-transfer application.
Why Did Cloud Security Explode as a Category?
Cloud security became a boardroom priority because attackers moved faster than cloud adoption itself. Enterprises now run an average of more than 100 SaaS applications and multiple cloud providers simultaneously, according to multiple 2024 industry surveys, and each new service, container, and API expands the attack surface. The 2021 discovery of Log4Shell (CVE-2021-44228) showed how a single vulnerable library, buried inside millions of cloud-deployed applications, could give attackers remote code execution with almost no effort; Check Point recorded over 100 exploitation attempts per minute in the days after disclosure. Then in March 2024, the xz-utils backdoor (CVE-2024-3094) revealed that even trusted open-source maintainers can be social-engineered into shipping malicious code straight into cloud-hosted Linux distributions. These incidents pushed cloud security beyond "lock down the console" into "verify everything that gets built and deployed," which is why CNAPP (Cloud-Native Application Protection Platform) emerged as the dominant category, and why Wiz built its business on agentless scanning across that stack.
What's the Difference Between CSPM, CWPP, and CNAPP?
CSPM, CWPP, and CNAPP are three layers of cloud protection that get bundled together but solve different problems. CSPM (Cloud Security Posture Management) continuously scans your cloud accounts for misconfigurations, like an S3 bucket left public or a security group open to 0.0.0.0/0, and was the category that put Wiz on the map after its 2020 launch. CWPP (Cloud Workload Protection Platform) secures the actual compute, containers, and serverless functions at runtime, watching for suspicious process behavior or lateral movement. CNAPP combines both, plus CIEM (identity entitlement management) and often vulnerability scanning, into a single platform, which is the model Wiz, Palo Alto Prisma Cloud, and Microsoft Defender for Cloud all compete on today. The gap in this model is upstream: CNAPP tools are excellent at telling you a running container has a vulnerable package, but far weaker at telling you whether the build pipeline that produced that container was tampered with in the first place, which is exactly the class of attack behind the December 2020 SolarWinds compromise that affected roughly 18,000 organizations.
How Is Supply Chain Security Different from Cloud Security?
Software supply chain security protects the pipeline that produces your cloud workloads, not just the workloads themselves, and it's the layer most CNAPP platforms treat as an afterthought. Every artifact running in your cloud passed through a chain: source code, dependencies, CI/CD pipeline, build system, container registry, and deployment target. The 2023 3CX supply chain attack, and the 2024 xz-utils incident before it, both proved that attackers increasingly target that chain rather than the running infrastructure, because compromising one build step can poison every downstream deployment at once. Sonatype's 2024 State of the Software Supply Chain report logged over 512,000 malicious open-source packages discovered that year alone, a number that has roughly tripled since 2022. Posture and workload tools, the core of what Wiz and similar CNAPPs scan, generally start their visibility at the point of deployment. That means a compromised build step, an unsigned artifact, or a poisoned dependency can sail straight past a CNAPP's runtime and configuration checks and land in production looking completely legitimate.
What Should a Modern Cloud Security Program Actually Cover?
A modern cloud security program needs to cover four things end to end: how code is written, how it's built, how it's deployed, and how it runs, because a gap at any single stage undermines the rest. In practice that means combining CSPM for configuration drift, CWPP or runtime protection for active workloads, CIEM for identity sprawl (Microsoft found in 2023 that the average enterprise has more non-human identities than human ones by a factor of 45 to 1), and software supply chain security to verify artifact provenance, SBOM accuracy, and CI/CD integrity before anything reaches the cloud. Frameworks like NIST SP 800-218 (SSDF) and the SLSA framework, developed by Google and now under the OpenSSF, exist specifically because posture and runtime tools alone don't answer "can I trust what's in this container." Teams that only buy a CNAPP typically discover this gap during their first serious audit or incident retro, when they realize they can tell you a workload is misconfigured but not whether the code inside it was ever tampered with.
Is Wiz Enough on Its Own?
Wiz is a strong CSPM and CNAPP platform, but it was built to answer "is my cloud environment configured and running securely," not "can I trust the software that got deployed into it," and that's a meaningfully different question. Wiz's agentless graph-based scanning is genuinely effective at surfacing toxic combinations, like a public-facing VM with an attached role that can reach your production database, and that visibility has real value. But Wiz's coverage starts at the infrastructure and workload layer; it wasn't designed to trace a running container back through its build pipeline, validate SBOM completeness, verify commit signing, or catch a dependency confusion attack before the artifact is even built. For organizations shipping frequently through CI/CD, that upstream blind spot matters more than the acquisition headlines suggest, since Google's own 2024 announcement of the deal emphasized posture management, not supply chain provenance, as Wiz's core strength.
How Safeguard Helps
Safeguard is built to close exactly the gap described above: the space between "my cloud is configured correctly" and "the software running in it can be trusted." Where CNAPP platforms like Wiz start visibility at deployment, Safeguard starts at the source, giving security teams a continuous view of code provenance, dependency risk, build pipeline integrity, and SBOM accuracy across every artifact before it ever reaches a cloud environment. That means catching a poisoned dependency, an unsigned build, or a tampered CI/CD step before it becomes the kind of toxic combination a posture tool would only flag after the fact.
For teams that already run Wiz or another CNAPP for cloud posture and workload protection, Safeguard is a complementary layer rather than a replacement: it plugs into existing CI/CD pipelines, package registries, and SCM platforms to give security and platform engineering teams a single, auditable answer to the question that matters most after an incident like SolarWinds or xz-utils, "can we prove exactly what's running and where it came from." That combination, cloud posture from your CNAPP plus artifact-level supply chain assurance from Safeguard, is what a genuinely complete cloud security program looks like in 2026.