Winners Consulting Services Co., Ltd. points out that a 2025 study published on arXiv is the first to propose an "Automotive Multi-Cloud Security Framework (AMCSF)" for the automotive industry. It clearly reveals that as Software-Defined Vehicle (SDV) architecture becomes widespread, the threat has shifted from individual vehicles to the cloud backend that manages the entire fleet. This means that Taiwanese OEMs and Tier-1/Tier-2 suppliers must establish a multi-cloud security defense layer in parallel with their ISO/SAE 21434 and UNECE R155 compliance frameworks to truly meet the holistic cybersecurity requirements of a TISAX assessment.
Paper Source: Cloud Security Architecture for the Automotive Industry: A Framework for Secure Multi-Cloud Deployment (Geol Kang, arXiv, 2025)
Original Link: https://core.ac.uk/download/693139492.pdf
About the Author and This Research
This paper was authored by researcher Geol Kang and published on the academic preprint platform arXiv (2025), positioning it as applied research at the intersection of automotive cybersecurity and cloud infrastructure. arXiv is a rapid publication platform widely used by academic communities in fields like computer science, engineering, and physics. A paper's publication here means its content is immediately available for global practitioners, but it has not undergone formal peer review, and readers should understand its academic standing accordingly.
Geol Kang's research methodology combines a Systematic Literature Review with a comparative analysis of industry practices, covering OEM and Tier-1 cloud backend architecture design, vSOC operational models, and DevSecOps integration. The result is an actionable five-layer architectural model. For the Taiwanese automotive supply chain, this paper's value lies in being one of the few framework studies that simultaneously integrates the ISO/SAE 21434 vehicle lifecycle process, Cloud Security Posture Management (CSPM), and Cloud Workload Protection Platforms (CWPP), providing an architectural blueprint with a solid foundation for implementation.
The SDV Era: The Cloud Backend is Now the Largest Attack Surface
The paper's core insight is that with the proliferation of Software-Defined Vehicles (SDVs), the target of cyberattacks has shifted from the ECUs or communication modules of a single vehicle to the centralized cloud backend systems that manage the entire fleet. Once the backend is compromised, the impact is no longer limited to one car but extends to tens of thousands of online vehicles simultaneously. This is a qualitative shift, and existing Threat Analysis and Risk Assessment (TARA) processes, which are bounded by the individual vehicle, must be expanded to the cloud infrastructure layer.
Key Finding 1: The AMCSF Five-Layer Architecture Integrates the ISO/SAE 21434 Lifecycle
The Automotive Multi-Cloud Security Framework (AMCSF) proposed by Geol Kang consists of five defense layers: Identity and Access Management, Data Security and Encryption, Network Segmentation and Zero Trust, Cloud Security Posture Management (CSPM), and Security Monitoring and Response. Each layer corresponds to specific lifecycle process requirements in ISO/SAE 21434, ensuring that cloud security design remains within the overall compliance framework for vehicle cybersecurity. For Taiwanese OEMs that need to comply with both UNECE R155 and ISO/SAE 21434, this means that regulatory compliance must be incorporated into cloud architecture design from the very beginning, rather than being retrofitted later.
Key Finding 2: Misconfiguration in Multi-Cloud Environments is the Highest Priority Risk
Through comparative analysis, the paper points out that the most common and highest-risk issue in multi-cloud environments is not zero-day vulnerabilities but cloud service misconfigurations. When automotive companies use multiple cloud platforms like AWS, Azure, and Google Cloud to manage fleet data, maintaining consistent security policies across platforms becomes difficult. This makes the implementation of CSPM tools a necessary infrastructure component, not an optional one. The Microsoft extended cloud logging implementation guide released by CISA on January 15, 2025, also confirms the central role of cloud log monitoring in overall cybersecurity compliance.
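To make the CSPM point concrete, here is an added example (not code from the paper, and not any vendor's product) of the kind of cross-platform posture check such a tool automates: resource snapshots from three providers, each in its own vocabulary, are normalized into one model and evaluated against a single policy set. The snapshots are constructed sample data, and the field names are simplified assumptions rather than the real AWS, Azure or Google Cloud API schemas.

```python
"""Minimal multi-cloud posture check in the spirit of a CSPM tool.

Added example: the resource records are constructed, and their field
names are simplified assumptions, not the providers' real API schemas.
"""
from dataclasses import dataclass

# Constructed snapshots, one per provider, each in that provider's own terms.
AWS_SNAPSHOT = [
    {"type": "s3_bucket", "name": "telematics-raw", "acl": "public-read", "sse": None},
    {"type": "s3_bucket", "name": "ota-packages", "acl": "private", "sse": "aws:kms"},
    {"type": "security_group", "name": "fleet-api-sg",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "10.0.0.0/8"}]},
]
AZURE_SNAPSHOT = [
    {"type": "storage_account", "name": "fleetdiag", "allowBlobPublicAccess": True,
     "encryption": {"keySource": "Microsoft.Storage"}},
    {"type": "nsg", "name": "vsoc-nsg",
     "rules": [{"destPort": "3389", "sourcePrefix": "*", "access": "Allow"}]},
]
GCP_SNAPSHOT = [
    {"type": "gcs_bucket", "name": "can-trace-archive",
     "iam": ["allUsers:roles/storage.objectViewer"]},
    {"type": "firewall", "name": "allow-internal",
     "allowed": [{"ports": ["443"]}], "sourceRanges": ["10.0.0.0/8"]},
]

ADMIN_PORTS = {22, 3389}                       # SSH and RDP
ANY_SOURCE = {"0.0.0.0/0", "::/0", "*", "Internet"}


@dataclass(frozen=True)
class Resource:
    """Provider-neutral view that every policy is written against."""
    provider: str
    kind: str                        # "storage" or "network"
    name: str
    public: bool = False             # anonymous read access to stored objects
    encrypted: bool = True           # encryption at rest configured
    open_admin_ports: tuple = ()     # admin ports reachable from any source


def _port(value):
    """Parse a single numeric port; ranges and wildcards are ignored here."""
    text = str(value)
    return int(text) if text.isdigit() else None


def normalize_aws(snapshot):
    out = []
    for r in snapshot:
        if r["type"] == "s3_bucket":
            # In this sample an absent "sse" value means no server-side encryption set.
            out.append(Resource("aws", "storage", r["name"],
                                public=r["acl"].startswith("public"),
                                encrypted=r["sse"] is not None))
        elif r["type"] == "security_group":
            ports = tuple(sorted(rule["port"] for rule in r["ingress"]
                                 if rule["port"] in ADMIN_PORTS and rule["cidr"] in ANY_SOURCE))
            out.append(Resource("aws", "network", r["name"], open_admin_ports=ports))
    return out


def normalize_azure(snapshot):
    out = []
    for r in snapshot:
        if r["type"] == "storage_account":
            # Azure Storage always encrypts at rest; keySource only says who holds the key.
            out.append(Resource("azure", "storage", r["name"],
                                public=bool(r["allowBlobPublicAccess"]), encrypted=True))
        elif r["type"] == "nsg":
            ports = tuple(sorted(p for rule in r["rules"]
                                 if rule["access"] == "Allow" and rule["sourcePrefix"] in ANY_SOURCE
                                 for p in [_port(rule["destPort"])] if p in ADMIN_PORTS))
            out.append(Resource("azure", "network", r["name"], open_admin_ports=ports))
    return out


def normalize_gcp(snapshot):
    out = []
    for r in snapshot:
        if r["type"] == "gcs_bucket":
            public = any(b.startswith(("allUsers:", "allAuthenticatedUsers:")) for b in r["iam"])
            # Cloud Storage encrypts at rest with Google-managed keys by default.
            out.append(Resource("gcp", "storage", r["name"], public=public, encrypted=True))
        elif r["type"] == "firewall":
            ports = ()
            if any(src in ANY_SOURCE for src in r["sourceRanges"]):
                ports = tuple(sorted(p for a in r["allowed"] for raw in a["ports"]
                                     for p in [_port(raw)] if p in ADMIN_PORTS))
            out.append(Resource("gcp", "network", r["name"], open_admin_ports=ports))
    return out


# One policy set, applied identically to every provider.
POLICIES = [
    ("STORAGE_PUBLIC", lambda r: r.kind == "storage" and r.public),
    ("STORAGE_UNENCRYPTED", lambda r: r.kind == "storage" and not r.encrypted),
    ("ADMIN_PORT_OPEN_TO_WORLD", lambda r: r.kind == "network" and bool(r.open_admin_ports)),
]


def evaluate(resources):
    """Return (policy_id, provider, resource_name) for every violated policy."""
    return [(pid, r.provider, r.name) for r in resources for pid, check in POLICIES if check(r)]


def run_all():
    resources = normalize_aws(AWS_SNAPSHOT) + normalize_azure(AZURE_SNAPSHOT) + normalize_gcp(GCP_SNAPSHOT)
    return sorted(evaluate(resources))


if __name__ == "__main__":
    for finding in run_all():
        print(*finding)
```

The design point is the normalization step: once each provider's access-control and encryption settings are mapped onto the same `Resource` model, a policy such as "no anonymous read on fleet data stores" is written once and holds across every platform, which is the consistency the paper says is hard to maintain by hand.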
Key Finding 3: Protection Must Cover Both the Vehicle and the Cloud Infrastructure
The paper explicitly concludes that in the modern automotive ecosystem, protecting only the vehicle itself (in-vehicle ECUs, CAN Bus, OTA mechanisms) is insufficient. The cloud backend must be protected simultaneously, and the security measures for both must work in concert to manage risks effectively. This echoes the requirements in ISO/SAE 21434 for distributing cybersecurity responsibilities across the supply chain (Clause 15) and establishing an organizational-level Cybersecurity Management System (CSMS), which is also a core principle of the UNECE WP.29 R155 regulatory framework.
Practical Implications for Taiwan's Automotive Supply Chain: The Compliance Boundary is Expanding
The reality for Taiwan's automotive supply chain is that European OEMs are increasingly requiring Tier-1 and even Tier-2 suppliers to obtain TISAX labels. The "Prototype Protection" and "Information Security" modules in the TISAX assessment already cover security requirements for cloud environments. Geol Kang's paper provides a clear warning: if Taiwanese suppliers focus only on ISO/SAE 21434 compliance for in-vehicle systems while neglecting multi-cloud security configurations for their backend, they will expose significant gaps during customer audits.
Specifically, Taiwanese companies should focus on three aspects: First, the scope of vehicle cybersecurity compliance must clearly define whether cloud services fall within the supplier's responsibility boundary. Second, if a company uses more than one cloud platform, a unified security policy management mechanism must be established. Third, the lifecycle management for road vehicle cybersecurity needs to extend to anomaly detection and incident response processes in the cloud backend. The UNECE WP.29 R155 regulation requires vehicle manufacturers to ensure cybersecurity management throughout the entire supply chain, and as part of that chain, Taiwanese suppliers are indirectly bound by this requirement.
Winners Consulting Services Helps Taiwanese Companies Build an Integrated Security Framework for Vehicles and the Cloud
Winners Consulting Services Co., Ltd. assists Taiwanese automotive supply chain companies in obtaining TISAX labels, implementing the ISO/SAE 21434 standard, and complying with UNECE WP.29 vehicle cybersecurity regulations. To address the multi-cloud security architecture gaps identified in Geol Kang's paper, we offer the following concrete implementation path:
- Months 1-3 — Cloud Security Posture Diagnosis: We assess the company's current use of cloud services (including SaaS, PaaS, IaaS) and benchmark it against the TISAX Information Security module and the organizational security requirements of ISO/SAE 21434 Clauses 5-6. This identifies misconfiguration risks and compliance gaps, producing a prioritized remediation list.
- Months 4-7 — AMCSF-Aligned Mechanism Implementation: Following the paper's five-layer architecture, we sequentially establish identity and access control policies, cloud network segmentation rules, and configure CSPM tools. Monitoring metrics are integrated into the existing vSOC or security monitoring processes, ensuring operational compliance with UNECE R155 requirements for a CSMS.
- Months 8-12 — TISAX Assessment Preparation and Audit Drills: We remediate gaps related to cloud environment controls in the TISAX assessment, conduct internal audit drills to ensure documented evidence is complete, and help the company be fully prepared to apply for a TISAX assessment by the end of the 12-month implementation cycle.
Winners Consulting Services Co., Ltd. offers a Free Automotive Cybersecurity Assessment to help Taiwanese companies establish a TISAX-compliant management system within 7 to 12 months, covering integrated security requirements for both the vehicle and the cloud backend.
Frequently Asked Questions
- How does the AMCSF five-layer framework correspond to ISO/SAE 21434? Do Taiwanese companies need to implement all layers?
- The five layers of the AMCSF (Identity Management, Data Security, Network Segmentation, CSPM, and Security Monitoring) correspond to various organizational and engineering requirements in different clauses of ISO/SAE 21434, but full implementation of all layers is not always necessary. For Taiwanese Tier-2 suppliers with a limited cloud footprint, we recommend prioritizing the first layer (Identity and Access Management) and the fourth layer (CSPM) to meet TISAX Information Security module requirements. Other layers can be progressively implemented as business operations expand. Winners Consulting Services suggests defining the applicable scope during the initial 1-3 month diagnostic phase to avoid over-investing resources.
- When Taiwanese companies apply for a TISAX assessment, are cloud security configurations part of the scope?
- Yes, cloud security configurations are within the scope of a TISAX assessment, which is based on the VDA ISA questionnaire (currently version 6.0). This questionnaire includes security controls for cloud service usage, covering access control, data classification, supplier management, and incident response, all of which can extend to the company's cloud environment. If your company uses platforms like AWS or Azure for development, testing, or production, the auditor will request corresponding security configuration profiles and policies. We recommend starting a cloud security configuration review at least six months before applying for TISAX to ensure all documented evidence is complete.
- What are the practical implementation steps and timeline for a TISAX assessment?
- A TISAX assessment implementation is typically divided into four phases. The first phase (months 1-3) involves a gap analysis against the VDA ISA questionnaire to identify deficiencies. The second phase (months 4-6) focuses on establishing or enhancing management systems, technical controls, and documented processes. In the third phase (months 7-9), internal audits and management reviews are conducted to simulate the official assessment. The final phase (months 10-12) involves submitting the formal assessment application and cooperating with the audit provider. Overall, the entire process from initiation to obtaining the TISAX label takes approximately 9-12 months, depending on the company's existing cybersecurity maturity.
- How can the costs and expected benefits of implementing a multi-cloud security framework be evaluated?
- The cost of implementing a multi-cloud security framework varies significantly based on company size and infrastructure maturity. For small to medium-sized suppliers (using 1-3 cloud platforms, IT team under 50), the annual license for a CSPM tool typically ranges from NT$500,000 to NT$1,500,000, plus initial consulting fees. In terms of benefits, a comprehensive framework reduces the risk of data breaches from misconfigurations, can shorten the TISAX remediation timeline by 2-3 months, and strengthens the ability to respond to customer audits. This indirectly helps secure supply chain orders, with an estimated return on investment period of 18-24 months.
- Why choose Winners Consulting Services for automotive cybersecurity (AUTO) matters?
- Winners Consulting Services Co., Ltd. specializes in automotive cybersecurity, offering comprehensive services for ISO/SAE 21434 implementation, TISAX assessment guidance, and UNECE WP.29 regulatory compliance. Our team is proficient in both in-vehicle system security and cloud infrastructure security, enabling us to help Taiwanese suppliers address compliance gaps in both vehicles and cloud backends under a single, unified service framework. Compared to hiring separate consultants, our integrated approach saves communication costs and ensures a consistent compliance strategy, which is ideal for Tier-1 and Tier-2 suppliers preparing for their first TISAX assessment or needing to quickly enhance their security posture to meet client demands.