What is the correct order in the 4C's framework for Cloud Native Security?

The main idea tested is how to sequence security efforts across a cloud-native stack using the 4C framework. The preferred order starts with securing the overall cloud foundation, then hardening the Kubernetes clusters, then protecting the container images and runtimes, and finally applying cloud-wide governance and policy controls. This ordering makes the most sense because each later layer relies on the protections established at the earlier layers. If the cloud environment isn’t secure, cluster controls can be bypassed or misused; if clusters aren’t secured, container security measures may be ineffective; and governance is most effective when security across the entire stack is already in place. So, Cloud goes first to establish a solid baseline, then Clusters, then Containers, and finally Cloud (representing ongoing governance/compliance across the platform). The other sequences disrupt this layered progression by placing workload-level protections before securing the underlying infrastructure or by duplicating or skipping essential layers, which can leave gaps in the security posture.