
I’m pretty excited about this one. We are finally releasing version 2.0 of the Cloud Security Maturity Model. This is the culmination of nearly 9 months of research and analysis, a massive update from the original released in 2020. The tl;dr is that this version is not only updated to reflect current cloud security practices, but it includes around 100 cloud security control objectives to use as Key Performance Indicators — each matched 1:1 (where possible) with a technical control you can assess (AWS for now — we plan to expand to Azure and GCP next).

  • You can download it here — no registration wall, and it includes the spreadsheet and PDFs.
  • The CSMM 2.0 was developed by Securosis (that’s us!) and IANS Research in cooperation with the Cloud Security Alliance.
  • Version 2.0 underwent a public peer review process at the CSA and internal review at IANS.
    • We will keep updating it based on public feedback.
  • The model includes nearly 100 control objectives and controls, organized into 12 Categories in 3 Domains.
  • IANS released a free diagnostic self-assessment survey tool. You can quickly and easily generate a custom maturity report.
  • FireMon added a free CSMM dashboard to Cloud Defense, which will automatically assess, rate, and track your cloud maturity using the CSMM!
    • It’s really cool. But I’m biased because I pushed hard to build it.

Okay, that’s what it is, but here’s why you should care.

When Mike and I first built the CSMM we designed it more as a discussion tool to describe the cloud journey. Then we started using it with clients and realized it also worked well as a framework to organize a cloud security program. Two of the big issues with cloud governance we’ve seen in the decade-plus we’ve been doing this are:

  • Existing security frameworks have been extended to cloud, but were not designed for cloud, which creates confusion because they lack clear direction.
    • Those don’t tell you “do this for cloud” — they tell you “add this cloud stuff”. We saw a need for a cloud-centric view.
  • Security teams quickly get tossed into cloud, and while tooling has improved immensely over time, those flood you with data and don’t tell you where to start.
    • We don’t lack tools, but we do lack priorities.

Version 2.0 of the CSMM was built directly to address these issues. We reworked the CSMM to work as a cloud security framework. What does that mean? The model focuses on the 12 main categories of cloud security activities, which you can use to organize your program. The maturity levels and KPIs then help define your goals and guide your program without the minutiae of handling individual misconfigurations.

What’s the difference between the Diagnostic and the Dashboard?

The IANS diagnostic is where you should start. It’s a survey tool anyone can fill out without technical access to their deployments. The objective of the diagnostic is to help you quickly self-assess your program and then, using that, determine your maturity objectives. Let’s be realistic — not all organizations can or should be at “Level 5”. The diagnostic helps set realistic goals and timelines, based on where you are now.

The FireMon Cloud Defense CSMM Dashboard is a quantitative real-time assessment and tracking tool. Once you integrate it with your cloud accounts you’ll have a dashboard to track maturity for the entire organization, different business units, and even specific accounts. It’s the tool to track how you are meeting the goals established with the diagnostic. It’s self-service and covers as many AWS accounts as you have (Azure will be there once the CSMM adds Azure controls).

You can also just use the CSMM spreadsheet. Options are good. Free options are better.

Finally, please send me your feedback. These are living documents and tools, and we plan to keep them continuously updated.

The usual disclosure: I’m an IANS faculty member and I manage the Cloud Defense product. But both of these are available absolutely free, no strings attached, as is the model itself.