Failure of Preventive Security Controls in Cloud-Native Systems: Revisiting Governance Enforcement
Abstract
Cloud-native architectures have introduced a fundamental shift in how security and governance are applied within modern IT environments. While traditional preventive IT General Controls (ITGCs) were designed for static, centralised systems, their application in dynamic, decentralised, and automated cloud-native systems remains ambiguous and often ineffective. This study investigates the patterns of failure in preventive controls across cloud-native environments and analyses the extent to which governance frameworks fail to enforce security proactively. Employing a meta-synthetic approach, this research reviews documented cloud breach incidents from 2021 to 2024 to extract recurring failure patterns. These incidents were analysed and mapped against major security control domains, including identity and access management, configuration hardening, and observability. The findings highlight systemic gaps in the implementation of preventive measures, particularly where infrastructure is governed as code and where runtime dynamics alter control effectiveness. Furthermore, the study examines how existing governance frameworks such as ISO 27001, COBIT, and NIST CSF are often too abstract or outdated to translate directly into executable policies within CI/CD pipelines and cloud-native infrastructures. The study reveals that misconfigurations, inadequate identity management, and runtime blind spots are among the most common contributors to control failures. These issues are compounded by the lack of real-time enforcement mechanisms and the misalignment between policy design and operational realities. Based on these findings, the paper proposes a shift toward Governance-as-Code and continuous control validation as critical strategies for modern preventive governance. In conclusion, the paper demonstrates that traditional ITGCs, while still conceptually relevant, require operational reengineering to remain effective in cloud-native ecosystems. A governance model that is executable, context-aware, and runtime-integrated is essential for proactive security and sustained compliance in modern digital infrastructure.
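As an added illustration, not code from the paper, the following Python sketch shows what an executable, pipeline-integrated control check of the kind the abstract calls Governance-as-Code could look like: a constructed deployment description is evaluated against rules mapped to the three control domains named above (identity and access management, configuration hardening, observability), findings are counted per domain, and a gate function decides whether a CI/CD stage may proceed. The input structure, resource names and rule identifiers are all assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    domain: str    # control domain the failed rule maps to
    rule: str      # rule identifier (constructed for this example, not from any standard)
    resource: str  # resource that violated the rule

# Constructed deployment description, a stand-in for parsed IaC or live cluster state.
SAMPLE_DEPLOYMENT = {
    "iam_roles": [
        {"name": "ci-deployer", "actions": ["storage:read", "storage:write"]},
        {"name": "legacy-admin", "actions": ["*"]},  # wildcard permissions
    ],
    "storage_buckets": [
        {"name": "app-assets", "public_read": False, "access_logging": True},
        {"name": "backup-dump", "public_read": True, "access_logging": False},
    ],
    "workloads": [
        {"name": "api", "privileged": False, "run_as_root": False},
        {"name": "batch", "privileged": True, "run_as_root": True},
    ],
}

def evaluate(deployment: dict) -> list:
    """Run every rule over the deployment and return all violations found."""
    findings = []
    for role in deployment.get("iam_roles", []):
        if "*" in role["actions"]:  # inadequate identity management
            findings.append(Finding("identity_and_access", "IAM-NO-WILDCARD", role["name"]))
    for bucket in deployment.get("storage_buckets", []):
        if bucket.get("public_read"):  # exposure misconfiguration
            findings.append(Finding("configuration_hardening", "STORAGE-NO-PUBLIC-READ", bucket["name"]))
        if not bucket.get("access_logging"):  # runtime blind spot
            findings.append(Finding("observability", "STORAGE-ACCESS-LOGGING", bucket["name"]))
    for wl in deployment.get("workloads", []):
        if wl.get("privileged") or wl.get("run_as_root"):  # least-privilege violation
            findings.append(Finding("configuration_hardening", "WORKLOAD-LEAST-PRIVILEGE", wl["name"]))
    return findings

def summarize(findings) -> dict:
    """Count violations per control domain, the view incidents are mapped against."""
    return dict(Counter(f.domain for f in findings))

def gate(deployment: dict, blocking=("identity_and_access", "configuration_hardening")) -> bool:
    """CI/CD gate: True lets the stage proceed; observability gaps are reported, not blocking."""
    return not any(f.domain in blocking for f in evaluate(deployment))
```

Running `evaluate` on every pipeline stage and again against live state is what turns a static control description into the continuous control validation the abstract argues for.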
DOI: https://doi.org/10.52088/ijesty.v5i3.1294
Copyright (c) 2025 Muhammad Daffa Ramadhan, Ahmad Nurul Fajar