Key Takeaways from the 2021 Cloud Security Maturity Model Report

February 8, 2022 | By IANS Faculty
With cloud deployment rates continuing to accelerate, it’s important for security teams to assess their cloud security maturity from both a planning and implementation perspective—the urgency is increasing to strengthen security posture now.  

Cloud Security Maturity Model Benchmark Report Overview 

IANS and Securosis recently published the 2021 Cloud Security Maturity Benchmark Report. The report provides comprehensive insights, along with an assessment of the state of current cloud security practices. During 2021, IANS collected self-reported responses from participants who completed our CSMM Diagnostic, which measures 12 categories across three domains of cloud security practices.

Findings from the Cloud Security Maturity Benchmark Report 

While organizations are moving rapidly to the cloud, many security activities intended to protect those systems are evolving too slowly. However, security activities common to on-premises deployments and good security practices scored relatively well in the Diagnostic. Unfortunately, security activities that are difficult to do on-prem also lag in cloud deployments. 

Here are six key takeaways from the 2021 Cloud Security Maturity Benchmark Report to improve your cloud security maturity and build into your cloud security planning.  

Key Takeaway #1:  Still Room for Cloud Security Improvement 

Overall, not many organizations have fully implemented the complete set of cloud security controls needed to mitigate risk. Some business divisions within organizations have matured their security activities, but there is still much work to do, and many organizations are falling behind in planning how to reach good practice. Some key security controls are implemented and managed, but on average, none are fully implemented across all areas.

A strong cloud security strategy begins with implementing solid cloud security best practices across all deployments. 

Key Takeaway #2:  Security Basics Translate Well 

The most mature categories—Account Security and Structure, and Network Security—map well and are easily adapted to the cloud. Best practice security activities common to on-premises deployments, such as good user management, network isolation, denial-of-service mitigation and security assessments, rank relatively high among participants. For example, most organizations are centrally managing user and administrator accounts, and using different accounts to minimize damage or blast radius from stolen credentials.

Key Takeaway #3:  Organizations Are Not Planning Enough for Breaches  

Good security requires accepting the fact your systems will be breached at some point and it’s important to put strong incident response (IR) plans in place. 

Unfortunately, respondents scored lowest on having cloud-specific IR capabilities (which is also a security best practice that’s more difficult for on-premises deployments). A mature IR program minimizes downtime and damage from an attack. However, IR plans for cloud deployments should be different from on-premises plans, and your strategy should contain both pre-breach and post-breach elements.

Key Takeaway #4:  Automation Falls Behind 

Automation is important in several areas of modern development and mature security practices. Since most companies are in the early phases of their cloud migration, it is not surprising that automation scores far lower than manual tasks. In general, respondents use automated provisioning and federation of identities, but all other automation tasks scored low on average, with just pockets of good practice in place. 

Maturity in a cloud security context requires organizations to embrace automation. Everything in the cloud is accessible programmatically via an API, so cloud security is programmable. Automation of key security operations and orchestration of many security tools into a cohesive whole are achievable. The more mature the cloud security practice, the more likely it is to be heavily automated.

Key Takeaway #5:  Integration Is an Early Indicator of Automation 

The Security Integration category trended more mature, raising optimism for improvement in automation. For example, many respondents are adopting PaaS services to reduce system attack surfaces, with use of security team-provided design patterns close behind. In the Workload Security category, we also see increased integrations with configuration management tools (a requirement for automation). Keep in mind that rapid cloud adoption using PaaS services, especially in light of widespread remote work, can result in visibility blind spots if services are not configured correctly. 

Key Takeaway #6:  Cloud Security Is a Business Issue 

A successful cloud security program requires support from all stakeholders. Organizations looking to mature their cloud security capabilities clearly benefit from establishing a cloud security center of excellence (CoE). A cloud security CoE comprises cross-functional teams and executive leadership working together to set goals and key performance indicators (KPIs). With representation from multiple disciplines, organizations can ensure cloud security is meeting the needs of the business while providing a centralized means to enforce cloud security practices, especially when inevitable issues arise.   

Cloud security is complex and requires a solid strategy for maturity. Focusing initially on developing best practices within the six key areas discussed and establishing a CoE ensures your cloud initiatives are built on a strong, secure foundation. 
