One aspect of enterprise IT that organizations want to be mature is security.
To address this challenge, IANS and Securosis developed the Cloud Security Maturity Model, a framework to help CISOs set their cloud security goals through asset visibility, automation, zero trust and security as code.
It is a set of guidelines to help IT security teams evaluate their cloud security posture and determine how to improve security maturity.
Let's look at the domains and security levels described in the CSMM and how IT security leaders can effectively use the framework.
Creating this foundational domain provides guardrails for a cloud environment, from which teams can integrate security at a speed that meets business demand.
The security use cases for automation and centralized orchestration are key drivers that lead to flexible and nimble security components that enable businesses to pivot their cloud services as needed.
The procedural domain includes the various cloud security automation processes and flows the business wants and how to manage them.
Use this domain as a guide to differentiate cloud security from LAN and private data center security while operating within cloud service provider infrastructures.
Procedural factors include practices around security integration, regular audits and compliance standards.
With the three CSMM security domains developed, organizations should visually gauge their level of cloud security maturity as it currently exists and set future goals based on need and achievability.
The following five levels determine where a business stands and where security teams aim to be in the future.
At this level, businesses use manual processes and are completely reactive in creating and maintaining security policies and procedures for disconnected accounts using traditional cloud infrastructure methods.
These organizations have little to no security monitoring and reporting, ad hoc network security, no incident response procedures in place and workloads on traditional VMs.
Level 2: Simple automation integrations.
Teams have tuned network security to best-practice standards, and basic automation enables future network building blocks.
Security is increasingly involved in the design and review process.
Security automation within networks integrates with policy enforcement.
All cloud security is centrally managed and fully automated.
Organizations use incident response automation tools, centralized network automation controls, automated encryption keys, and security testing and remediation in all design aspects of the cloud.
To best understand where your organization stands as it relates to cloud security maturity, review the summary version of the IANS and Securosis Benchmark Report.
The intention is to highlight the various cloud security strategies available and what your existing tools can achieve.
This Cyber News was published on www.techtarget.com. Publication date: Thu, 07 Dec 2023 19:13:05 +0000