The explosion of cloud computing has paralleled a surge in security issues at most enterprises, most of which are still struggling to integrate one or more cloud platforms into their environments safely. With increased attack surfaces, organizations need better protection. Arick Goomanovsky, chief business officer, Ermetic, discusses how cloud security models could help with risk management.
As Gartner noted in a recent reportOpens a new window for Top Security and Risk Management Trends for 2022, the cloud has contributed to an expansion of the enterprise attack surface.Â
Even as cloud computing’s expansion moderates, it’s still expected to grow around 15% through 2025Opens a new window as more businesses look for the flexibility and efficiency it offers. At the same time, securing these environments is becoming more difficult with more moving parts in the form of complex software architectures, multicloud and hybrid cloud environments, and talent knowledge gaps in cloud security.Â
A cloud security maturity model can help rein in complexity in our fast-moving environment. Cloud security best practices and compliance standards provide suitable guardrails but, ironically, can also work at cross-purposes. While compliance standards are broad and need context to focus their enforcement, best practices can be very specific, covering only certain activities while leaving gaps in the wider security mesh.Â
For example, while standards like the Center for Internet Security (CIS) benchmarks are a good resource and one that many enterprises seek to align with, they do not provide an implementation roadmap for their use across cloud infrastructures. This is where a cloud security maturity model, like the one developed by the researchers at my company Ermetic, can help organizations assess their current level of preparedness in each cloud security domain and set practical and strategic goals to move on to the next level.Â
Learn More: Using a Least Privilege Framework to Boost DevSecOpsÂ
Processes that involve a seamless transformation in the cloud and when it comes to leveraging cloud technologies require time and a future-focused holistic approach. Maturing an entire organization and its infrastructure can’t be done in a single bound, so a cloud security maturity model ranks organizations into four maturity levels that enable security teams to assess the capabilities they possess and those that they need to progress to the next level:Â
- Ad Hoc: When cloud security is done as an afterthought while putting out fires, but not in an organized manner.
- Opportunistic: The organization starts addressing cloud security with some kind of strategy, which is also incorporated into the roadmap.Â
- Repeatable: The enterprise can execute its cloud security strategy when needed, such as when adding new resources, integrating an acquisition or carrying out some other business change.
- Automated and Integrated: Upon reaching maturity, the components of the cloud security strategy are applied automatically to the infrastructure.
Moving to the next level involves hard work, but a cloud security maturity model provides a way to spell out the leveling-up requirements so they are easy to explain to all stakeholders and helps motivate the entire organization to move forward. This vendor-neutral approach spells out clear goals and the resources needed to implement them. Being vendor-agnostic helped organizations focus better on their own growth plans – to set the agenda and then find the right-fit vendor instead of looking at available solutions and then tailoring their goals according to those offerings.
At the organizational level, a cloud security maturity model addresses the following parameters:
- Roles and responsibilities: Assigning a dedicated person/team with relevant training and expertise to manage cloud security
- Training:Â Having the cloud security team and R&D undergo formal cloud security training and certification
- Remediation process: Automating the risk discovery process and fixing security gaps, including misconfigurations in the cloud environment and assigning the findings to those responsible for remediating issuesÂ
- Integration to CI/CD pipeline:Â Embedding cloud infrastructure security in the CI/CD pipeline
- Compliance:Â Implementing cloud security best practices and standards and performing periodic audits to ensure compliance with requirements
- Access governance: Performing risk-based access reviews for all resources and identities to assess and ensure only business-relevant access is granted to identitiesÂ
- Incident response: Automating a playbook based on previous experience that can then enable better decisions for the future.Â
Learn More: Cloud Security Is a Top Priority for Financial Institutions
Implementation GuidelinesÂ
A cloud security maturity model isn’t a step-by-step instruction booklet with tutorials and assignments or intended to prescribe a set of technologies or vendors. Rather, it aims to help security staff and other decision-makers know what questions to ask, when, and to whom. This is essential, especially in our present landscape where there really isn’t just one route to cloud security success. Implementation strategies can help organizations zone in on the key elements of their cloud security maturity model. That said, each organization has very specific cloud needs and unique security challenges that they must adhere to.
Follow this level-up, multiple-step process to implement a cloud security maturity model:Â
- Qualify: Success depends largely on how each stage is applied before moving to the next, so an initial assessment is crucial.Â
- Set milestones: Picking the indicators that must be met before moving forward is key. Teams can develop these criteria by strengthening the status at the current level with more demanding requirements or by meeting those at the next level.Â
- Execute: At this stage, stakeholders come on board and agree on timetables for implementing goals.Â
- Repeat: As stated earlier, this is not a one-and-done process, but a continuous effort. Once the roadmap is executed, the organization needs to double back and qualify the results of the execution stage.Â
Ideally, organizations should perform this process once per quarter. If it isn’t carried out regularly, companies miss out on one of the model’s key benefits: maturing the organization and keeping it moving forward and improving. Continually mapping progress and analyzing security outcomes is crucial in planning the next steps as the scope of cloud solutions continues to expand. As the cloud continues to mature and grow, so does our dependence on it. Now is the time to address security challenges that are already present as well as the ones that threaten the future of cloud growth.
A cloud security maturity model is not a silver bullet because the work is never done. Instead, it offers an efficient roadmap that must be periodically reevaluated since an organization’s needs may change over time. It’s important to remember that achieving cloud security maturity takes time and is a moving target.Â
Are you planning to implement a cloud security maturity model? What are your key areas of focus? Tell us on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window .Â