Security is one aspect of enterprise IT that organizations want to be mature. Given that cloud computing is a still-evolving aspect of IT infrastructure, however, it is difficult to establish a framework flexible enough to accommodate constantly changing environments.
To address this challenge, IANS and Securosis developed the Cloud Security Maturity Model (CSMM), a framework to help CISOs set their cloud security goals through asset visibility, automation, zero trust and security as code. It is a set of guidelines to help IT security teams evaluate their cloud security posture and determine how to improve security maturity.
Let's look at the domains and security levels described in the CSMM and how IT security leaders can effectively use the framework.
The 3 CSMM security domains
The CSMM outlines the following domains to help security leaders compartmentalize where to integrate cloud governance:
- Foundational domain. When building an initial cloud environment infrastructure, the CSMM recommends creating a baseline first. Get a thorough understanding of existing cloud applications and services to provide scalability and flexibility when business goals grow or change. Creating this foundational domain provides guardrails for a cloud environment from which teams can integrate security at a rate of speed that meets business demand. Examples of foundational technologies include account security, identity and access management, monitoring and incident response.
- Structural domain. With the foundational domain created, the structural domain consists of various tools and methodologies used to secure cloud technologies. Examples include network, application, workload, and security tools and methods. The security use cases for automation and centralized orchestration are key drivers that lead to flexible and nimble security components that enable businesses to pivot their cloud services as needed.
- Procedural domain. The procedural domain includes the various cloud security automation processes and flows the business wants and how to manage them. It provides steps on how to make changes to processes when cloud services scale or pivot in a new direction. Use this domain as a guide to differentiate cloud security from LAN and private data center security while operating within cloud service provider infrastructures. Procedural factors include practices around security integration, regular audits and compliance standards.
The 5 CSMM maturity levels
With the three CSMM security domains developed, organizations should gauge their current level of cloud security maturity and set future goals based on need and achievability.
The following five levels determine where a business stands and where security teams aim to be in the future.
- Level 1: No security automation. At this level, businesses use manual processes and are completely reactive in creating and maintaining security policies and procedures for disconnected accounts using traditional cloud infrastructure methods. These organizations have little to no security monitoring and reporting, ad hoc network security, no incident response procedures in place and workloads on traditional VMs.
- Level 2: Simple automation integrations. At this level, IT security teams have automated basic policy and procedure techniques, including the use of infrastructure as code and basic account federation, creating a single authoritative source for the organization. Security reviews and checkpoints are only loosely coupled with automated processes, however. Logging is established across critical accounts with alerting capabilities, but incident response remains reactive. Teams have tuned network security to best-practice standards, and basic automation enables future network building blocks.
- Level 3: Scripts with manual oversight. The basic framework of security automation is shown at this level, but it uses basic, manually executed scripts. Near-complete federation exists, with potential gaps that still need filling. Security is increasingly involved in the design and review process. Teams have established logging across all accounts and created scripts that facilitate incident response. Cloud-native architectures help segment mission-critical services, and relevant cloud-native tools help harden serverless architectures.
- Level 4: Establishment of guardrails. Automation processes are in effect across multiple accounts and use a centralized orchestration platform. Federation and multifactor authentication (MFA) management is nearly complete. Teams have integrated monitoring and alert automation using normal behavior baselines, and incident response teams have full use of well-documented procedures and associated tools. Security automation within networks integrates with policy enforcement. All mission-critical data is fully encrypted at rest and in motion and is only accessible through access control.
- Level 5: Complete security automation. All cloud security is centrally managed and fully automated. This includes all domains and provisioning tasks. Federation and MFA are consistent across the board. Organizations use incident response automation tools, centralized network automation controls, automated encryption keys, and security testing and remediation in all design aspects of the cloud.
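The levels above describe security as code in the abstract: guardrails that check every account for federation, MFA, logging with alerting, and encryption at rest, rather than a person reviewing each account by hand. The following is an added example, not part of the CSMM or of the IANS and Securosis material, showing what such a guardrail check looks like in practice. It runs policy checks over a small constructed account inventory, reports the gaps, computes coverage ratios, and derives a rough maturity estimate; the inventory, the field names and the level thresholds are all assumptions made for illustration and would be replaced by real inventory data and the organization's own criteria.

```python
"""Policy-as-code guardrail checks over a constructed multi-account inventory.

Added illustration of the 'security as code' idea behind CSMM levels 2-5.
The inventory, field names and level thresholds are assumptions, not the
model's own criteria.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    critical: bool              # hosts mission-critical services
    federated: bool             # joined to the central identity provider
    mfa_enforced: bool          # MFA required for all human principals
    logging_enabled: bool       # audit logging shipped to the central store
    alerting_enabled: bool      # alerts wired to the incident response team
    data_stores: list = field(default_factory=list)  # (store name, encrypted at rest)


# Constructed sample inventory (hypothetical account names).
INVENTORY = [
    Account("prod-payments", True, True, True, True, True,
            [("orders-db", True), ("backup-bucket", False)]),
    Account("prod-web", True, True, False, True, True,
            [("session-cache", True)]),
    Account("dev-sandbox", False, False, False, False, False, []),
]


def evaluate(accounts):
    """Return a list of (account, severity, finding) for every guardrail violation."""
    findings = []
    for acct in accounts:
        sev = "high" if acct.critical else "medium"
        if not acct.federated:
            findings.append((acct.name, sev, "account is not federated to the central identity provider"))
        if not acct.mfa_enforced:
            findings.append((acct.name, sev, "MFA is not enforced"))
        if not acct.logging_enabled:
            findings.append((acct.name, sev, "audit logging is not enabled"))
        elif acct.critical and not acct.alerting_enabled:
            findings.append((acct.name, "high", "logging is enabled but no alerting is configured"))
        for store, encrypted in acct.data_stores:
            if not encrypted:
                findings.append((acct.name, sev, f"data store '{store}' is not encrypted at rest"))
    return findings


def coverage(accounts):
    """Fraction of accounts (or stores) meeting each guardrail; used for the level estimate."""
    n = len(accounts)
    stores = [s for a in accounts for s in a.data_stores]
    return {
        "federated": sum(a.federated for a in accounts) / n,
        "mfa": sum(a.mfa_enforced for a in accounts) / n,
        "logging": sum(a.logging_enabled for a in accounts) / n,
        "encrypted_stores": sum(enc for _, enc in stores) / len(stores) if stores else 1.0,
    }


def estimate_level(accounts):
    """Rough CSMM level suggested by the evidence (thresholds are assumptions)."""
    cov = coverage(accounts)
    critical = [a for a in accounts if a.critical]
    critical_monitored = all(a.logging_enabled and a.alerting_enabled for a in critical)
    level = 1
    # Level 2: logging and alerting on critical accounts, basic federation started.
    if critical_monitored and cov["federated"] > 0:
        level = 2
    # Level 3: logging on all accounts, federation near-complete.
    if level == 2 and cov["logging"] == 1.0 and cov["federated"] >= 0.9:
        level = 3
    # Level 4: MFA near-complete, mission-critical data encrypted at rest.
    critical_encrypted = all(enc for a in critical for _, enc in a.data_stores)
    if level == 3 and cov["mfa"] >= 0.9 and critical_encrypted:
        level = 4
    # Level 5: everything consistent across the board.
    if level == 4 and cov["federated"] == cov["mfa"] == cov["encrypted_stores"] == 1.0:
        level = 5
    return level


if __name__ == "__main__":
    for acct, sev, text in evaluate(INVENTORY):
        print(f"[{sev}] {acct}: {text}")
    print("coverage:", coverage(INVENTORY))
    print("estimated CSMM level:", estimate_level(INVENTORY))
```

The point of the structure is that the checks are data-driven: the same functions run unchanged whether the inventory holds three accounts or three hundred, which is the difference between a manual review and the centrally orchestrated guardrails described at Level 4. Wiring `evaluate` into a scheduled job or a CI pipeline that pulls the real inventory is what moves an organization from scripts with manual oversight toward automated enforcement.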
How to determine your organization's cloud security decisions
To best understand where your organization stands as it relates to cloud security maturity, review the summary version of the IANS and Securosis Benchmark Report.
Keep in mind that IANS and Securosis said this model is not a step-by-step guide. The intention is to highlight the various cloud security strategies available and what your existing tools can achieve.
It's the responsibility of the CISO to determine which strategies and practices to prioritize based on their business's requirements. As with most aspects of enterprise IT, there are dozens of ways to secure data and devices, but the best ways to accomplish this are up to each specific organization and its unique circumstances.
Andrew Froehlich is founder of InfraMomentum, an enterprise IT research and analyst firm, and president of West Gate Networks, an IT consulting company. He has been involved in enterprise IT for more than 20 years.