One aspect of enterprise IT that organizations want to be mature is security. Because cloud computing is a still-evolving aspect of IT infrastructure, it is difficult to create a framework that is flexible enough to accommodate constantly changing environments.
To address this challenge, IANS and Securosis developed the Cloud Security Maturity Model (CSMM), a framework to help CISOs define their cloud security goals through a view of assets, automation, zero trust, and security as code. It is a set of guidelines to help IT security teams assess their cloud security posture and determine how to improve security maturity.
Let's take a look at the domains and levels of security described in CSMM and how IT security leaders can use the framework effectively.
The three CSMM security domains
The CSMM identifies the following areas to help security leaders segment where to integrate cloud governance:
Foundational domain. When creating initial cloud infrastructure, CSMM recommends establishing a baseline first. Gain a comprehensive understanding of current cloud applications and services to provide scalability and flexibility when business goals grow or change. Establishing this core domain provides cloud protection guardrails through which teams can integrate security at a pace that meets business requirements. Examples of core technologies include account security, identity and access management, monitoring, and incident response.

Structural domain. With the core domain established, the structural domain consists of the different tools and methodologies used to secure cloud technologies. Examples include network, application, and workload security tools and methods. Security use cases for automation and centralized orchestration are key drivers that lead to flexible and intelligent security components, enabling companies to pivot their cloud services as needed.

Procedural domain. The procedural domain includes the various cloud security automation processes and flows that the business wants, and how to manage them. It provides steps for changing operations when scaling or pivoting cloud services in a new direction. Use this domain as a guide to distinguish between cloud security, LAN security, and private data center security while working within cloud provider infrastructures. Procedural factors include security integration practices, regular audits, and compliance standards.
The five maturity levels of CSMM
As the three CSMM security domains develop, organizations should measure their current level of cloud security maturity and set future goals based on need and achievability.
The following five levels define where the business stands and where security teams aim to be in the future.
Level 1: No security automation. At this level, companies rely on manual processes to create and maintain security policies and procedures for each separate account, using traditional infrastructure methods. These organizations have little security monitoring and reporting, ad hoc network security, no incident response procedures, and workloads running on traditional virtual machines.

Level 2: Simple automation integrations. At this level, IT security teams have automated core policies and procedures, including the use of infrastructure as code and basic account federation, creating a single source of truth for the organization. However, security reviews and checkpoints are only loosely coupled with automated processes. Logging is in place across critical accounts with alerting capabilities, but incident response remains reactive. Teams have aligned network security to best-practice standards, and core automation is providing the building blocks of the future network.

Level 3: Scripts with manual execution. A basic security automation framework is visible at this level, but it relies on simple scripts that are executed manually. Federation is nearly complete, with gaps that still need to be filled. Security is increasingly involved in the design and review process. Teams have established logging across all accounts and written scripts that support incident response. Cloud-native architectures help segment mission-critical services, and related cloud-native tools help harden serverless architectures.

Level 4: Guardrails. Automations are in effect across multiple accounts and use a central orchestration platform. Federation management and multi-factor authentication (MFA) are nearing completion. Teams have integrated monitoring and alerting automation using baselines of normal behavior, and incident response teams make full use of well-documented procedures and associated tools. Security automation within networks is integrated with policy enforcement. All important data is fully encrypted at rest and in transit, and is accessible only through access controls.

Level 5: Complete security automation. All cloud security measures are centrally managed and fully automated. This includes all domains and provisioning tasks. Federation and MFA are consistent across all areas. Organizations use incident response automation tools, centralized network automation controls, automated encryption key management, and security testing and remediation in every aspect of designing for the cloud.
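The levels above are defined by which controls are in place across an organization's accounts, which makes the assessment itself a candidate for "security as code". The following is an added example, not code from the article or from IANS and Securosis: a small self-assessment that scores constructed cloud account records against the controls named in the level descriptions and reports the gaps to the next level. The `Account` fields, the `LEVEL_CONTROLS` mapping, and the sample inventory are this example's own assumptions about how to read the levels, not an official CSMM checklist.

```python
# Added example, not from the article or from IANS/Securosis: a "security as
# code" self-assessment against the controls the CSMM level descriptions name.
# The Account fields and the LEVEL_CONTROLS mapping are this example's own
# assumptions, not an official checklist.
from dataclasses import dataclass


@dataclass
class Account:
    """One cloud account; each flag records whether a control is in place."""
    name: str
    iac_managed: bool = False            # infrastructure as code
    federated: bool = False              # identity federation, one source of truth
    logging_enabled: bool = False        # logging configured for the account
    alerting_enabled: bool = False       # alerts wired to that logging
    ir_scripts: bool = False             # scripted (manually run) incident response
    mfa_enforced: bool = False           # MFA required for federated users
    central_orchestration: bool = False  # automations driven from one platform
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    ir_automation: bool = False          # incident response automation tooling
    automated_key_mgmt: bool = False     # automated encryption key handling


# Controls an account needs to reach each level. They are cumulative, so
# Level 4 also requires everything listed for Levels 2 and 3.
# Assumption: one reading of the level descriptions, not an official mapping.
LEVEL_CONTROLS = {
    2: ["iac_managed", "federated", "logging_enabled", "alerting_enabled"],
    3: ["ir_scripts"],
    4: ["mfa_enforced", "central_orchestration",
        "encrypted_at_rest", "encrypted_in_transit"],
    5: ["ir_automation", "automated_key_mgmt"],
}


def assess_account(acct):
    """Return (level, gaps): the highest level whose cumulative controls are
    all in place, and the controls still missing for the next level."""
    level = 1
    for lvl in sorted(LEVEL_CONTROLS):
        missing = [c for c in LEVEL_CONTROLS[lvl] if not getattr(acct, c)]
        if missing:
            return level, {lvl: missing}
        level = lvl
    return level, {}


def assess_organization(accounts):
    """Guardrails only count if they hold in every account, so the weakest
    account sets the organization's level."""
    per_account = {a.name: assess_account(a) for a in accounts}
    org_level = min(level for level, _ in per_account.values())
    return org_level, per_account


# Constructed sample inventory, not real accounts.
SAMPLE_ACCOUNTS = [
    Account("prod", iac_managed=True, federated=True, logging_enabled=True,
            alerting_enabled=True, ir_scripts=True, mfa_enforced=True,
            central_orchestration=True, encrypted_at_rest=True,
            encrypted_in_transit=True),
    Account("sandbox", iac_managed=True, federated=True, logging_enabled=True,
            alerting_enabled=True, ir_scripts=True, encrypted_at_rest=True),
]


if __name__ == "__main__":
    org_level, per_account = assess_organization(SAMPLE_ACCOUNTS)
    print(f"Organization is at CSMM Level {org_level}")
    for name, (level, gaps) in per_account.items():
        for next_lvl, missing in gaps.items():
            print(f"  {name}: Level {level}; to reach Level {next_lvl}, "
                  f"add {', '.join(missing)}")
```

Scoring the organization by its weakest account is a deliberate choice: a sandbox account without MFA is still a path into the federated identity, so a guardrail that holds only in production does not move the organization up a level. Running the block with real inventory data would mean replacing the constructed `SAMPLE_ACCOUNTS` with records pulled from the cloud provider's account and configuration APIs.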
How to make cloud security decisions for your organization
To better understand where your organization stands in terms of cloud security maturity, review the summary version of the IANS and Securosis benchmark report.
Keep in mind that IANS and Securosis said that this model is not a step-by-step guide. The goal is to highlight the different cloud security strategies available and what your current tools can achieve.
CISOs are responsible for determining which strategies and practices to prioritize based on their business requirements. As with most aspects of enterprise IT, there are dozens of ways to secure data and devices, but the best ways to achieve this are up to each specific organization and its unique circumstances.
Andrew Froehlich is the founder of InfraMomentum, an enterprise IT research and analytics firm, and president of West Gate Networks, an IT consulting firm. He has been involved in enterprise IT for over 20 years.