The first step to improving is getting an understanding of where your performance lies now – whether that’s working on your tennis swing or studying for an exam. The key to evaluating performance is finding information rooted in data and comparing performance against a set and steady benchmark.
This truth is no different for evaluating your cloud’s security posture. Measuring your environment’s security is a critical task for any CISO today, as it provides your business with a starting point. We took this need and integrated it into our product, Dig, to help your business get a read on your cloud’s maturity. Other third-party security tools offer similar scoring capabilities, so we made sure to take things up a notch and offer a level of context and detail that can’t be beat. We’ll be sure to cover these value adds, but first, let’s start with the basics.
What is Sonrai’s Cloud Security Maturity Assessment?
Sonrai Security’s Cloud Maturity Assessment is a capability in our product, Dig, that offers a detailed and data-driven assessment of your cloud across its multiple environments. The Maturity Assessment is an organizational tool that allows you to manage your security proficiency at a granular level. Within Dig you can find a ‘Maturity’ tab that serves as a home to the plethora of organizational data helping you to understand where your cloud is today and where it needs to be. This is where you can set goals for each of your environments, at a unique level, and right-size the policies set for each environment. As we know, not all configurations and environments in the cloud are equal.
Cloud maturity can be understood as the performance level of your cloud’s security. Cloud maturity tells your business how ready your cloud is to take on the many threats and risks public and multi-cloud enterprises face today.
What does it offer my business?
Within Sonrai’s Cloud Security Maturity Assessment capability, your score can be broken down by environment, team ownership, or however you wish to organize your cloud. Each environment is in what we call its own ‘swimlane’. These swimlanes include sandbox environments, staging, production, development or any custom grouping your business decides.
Dig will provide each and every swimlane its own specific maturity assessment. All performance is relative, so we set benchmark parameters, or ‘target’ scores, to help you understand the different levels of maturity. These include: basic, moderate, advanced, resilient and zero trust. This means your organization can set tailored goals for every environment in your cloud, as a sandbox environment intended for innovation does not warrant the same security policies as a production environment.
So let’s say you click into the maturity assessment tool, and you click into your ‘sensitive data development’ environment, which has a target of ‘zero trust’ but a current assessment score of ‘exposed.’ Next, you can expand your view into the details of platform measurements, identity measurements and data measurements (see image 1).
Within platform measurements, you get a score for your network, audit, access, credentials and more. Within your identity measurement, you get a score for least privilege and privilege escalation. For data, you receive a score for encryption and data protection. Each assessment category will show you its performance through a number of tickets.
Things can go even deeper. Let’s say you’re in your sensitive data development swimlane, and you’re looking at your platform measurements. You can click into one of the ten security areas, like ‘credentials,’ and actually see how many issues are detected and what they are exactly.
Homing in on an individual security area will give you access to the detailed issues themselves, allowing you to see what is wrong and how you can remediate it. Dig will detect that, for example, you actually have a temporary initial user access key that still exists and poses unnecessary impersonation risk to your organization now.
Every single swimlane (be it development, staging, or production), every single category (platform, identity, data) and every measurement (audit, network, credentials, least privilege, data security, etc.) receives a degree of performance assessment, all working together to comprise your overall cloud’s security maturity. Amazing.
Why is it important?
We opened up this blog by stating that understanding where your performance lies today is critical to improving tomorrow. Dig’s maturity assessment provides invaluable information your business can use to inform your security plans and procedures. Let’s review why this is important:
Prioritization
Every cloud and security team is overwhelmed with concerns, risks, alerts and more. How do they know where to start? What is the most important action that needs to be taken today? What can wait another day? Sonrai’s Maturity Assessment tool offers your business the context it needs to answer these questions. With such granular detail into every branch of your cloud, your business can decide that the ticket raised over logging in your sandbox swimlane can wait till tomorrow and that the anomalous identity behavior raising red flags in your sensitive data development swimlane deserves immediate attention. When there is too much to do, this sort of context and prioritization is the only way to survive.
Unique Configurations
Your cloud environments are not all the same. Therefore they do not deserve the same maturity target. With Dig you can tailor your security targets to each swimlane. Your sandbox environment can exist at a ‘Basic’ score while any production environment at least needs to be ‘Resilient’ (Tip: that’s a Sonrai best practice!). At the end of the day, giving one overall security score to your entire cloud is sort of, well, useless. The ability to tailor benchmarks and performance to sub-categories is priceless.
Actionable Tips
What good is understanding the risks in your cloud if you don’t know how to fix them? Luckily, Dig will not only flag that you don’t have Cloud DNS logging turned on in your Staging environment, but also show you how to remediate that, either manually or using automation. Yeah – we’ve got bots that can take care of that for you. The big takeaway is, if you want to move up from the ‘Moderate’ maturity level to ‘Advanced’, Dig will tell you exactly what you need to do to get there.
Want to Assess Your Cloud’s Maturity?
Whether you’re internally monitoring your organization’s security level, or reporting to executive leadership and stakeholders, Dig’s maturity assessment capability arms you with the data to paint a picture of your cloud.
If cloud security is a priority for your business and you understand that your cloud consists of different environments deserving different security targets, consider utilizing Dig’s maturity assessment.
Let us gamify the solution for you. To see Dig in action, request a demo.