Principles of Maturity and the Power of Hands-On Learning

Navigating the Cloud Security Journey

The transition from on-premise to cloud security requires more than just porting existing controls—it demands a fundamental shift in mindset and a structured framework for strategy. Without a roadmap, organizations risk applying legacy thinking to hyperscale environments, hindering progress and wasting resources.

We spoke with Rich Mogull, SVP of Cloud Security at Firemon and founder of Securosis Research, who shared his decade-plus experience, including the evolution of cloud security (from the days of root account access and no IAM) and the development of the Cloud Security Maturity Model (CSMM).

This article details the principles of CSMM, the key changes in Version 2, and the power of hands-on, focused learning to accelerate skill development.

You can read the complete transcript of the episode here.

What is the Cloud Security Maturity Model (CSMM), and Why is it Necessary?

The Cloud Security Maturity Model (CSMM) was created by Rich Mogull and Mike Rothman to help large enterprises answer the question: “How do we build a cloud security program in an organized way?”.

The Need for a Cloud-Native Framework

Before the CSMM, practitioners often relied on peer insights, cloud provider frameworks (like the Well-Architected Framework), or attempted to directly apply on-premise standards to the cloud.

  • The Problem: Frameworks like NIST 800-53 or the Cloud Controls Matrix (CCM) often served as a bridge, forcing organizations to take legacy standards and convert them to the cloud. This required an on-prem mindset that often caused internal challenges with alignment and setting the right priorities.
  • The CSMM Solution: The CSMM provides guidance by asking, “if you’re just looking at cloud security, what would this look like?”. This approach drives the necessary mindset shift by telling a story of what maturity looks like, which is helpful for structuring the program.

CSMM Alignment

The CSMM is fully compatible with existing standards like NIST 800-53 or NIST CSF, but it shifts the thinking to focus on cloud structure first.

How is Cloud Security Structured within the Maturity Model?

The CSMM is structured into 12 categories organized into three domains. These domains help prioritize effort and drive the correct cloud mindset.

Foundational

  • Focus / Mindset Shift: These are the core shared services and controls that should be done first and are consistent across the organization.
  • Core Categories: Governance, Identity and Access Management (IAM), Security Monitoring, and Organization Management (e.g., account hierarchy).

Structural

  • Focus / Mindset Shift: This covers the traditional areas that change from project to project or deployment to deployment. The mindset should be that each deployment is its own data center with its own security.
  • Core Categories: Network Security, Application Security (AppSecurity), Data Security, and Workload Security.

Procedural

  • Focus / Mindset Shift: These are the processes to help the organization improve over time and enhance resilience.
  • Core Categories: Risk Management, Compliance, Resiliency, and Incident Response (IR).

The model also includes an overlay for DevSecOps and intentionally skips non-cloud specific issues like BYOD or HR policies.

What Are the Key Changes and Benefits of CSMM Version 2?

Version 1 was not originally meant to be a framework, but Version 2 was designed to be a usable framework and tool.

Major Changes in Version 2

  • Added Governance: Governance was added as a core category because it was realized that “the root of all evil in cloud is governance”.
  • Standardized Language: Categories were adjusted to better align with frameworks like NIST, switching to common language (e.g., “Organization Management” instead of “account security and structure”). Maturity levels switched to standard Capability Maturity Model definitions.
  • Quantitative Assessment (Control Objectives): The biggest change was the addition of key control objectives for every maturity level and category.
    • These are key indicators of security at that level, such as “use MFA on all console login access”.
    • Approximately 70% of these control specifications can be automatically assessed (quantitative), giving cloud practitioners confidence that automation will help them reach a better state.

Using CSMM Version 2 for Improvement

Organizations can use Version 2 to build their roadmap and show progress.

  • Establish Baseline: Start with a qualitative survey tool (like the IANS diagnostic) to get a top-level sense of where the program is, identifying strengths and weaknesses.
  • Quantitative Measurement: Use automation tools (or self-map existing CSPM results) to automatically assess the key control objectives and map out exactly where individual deployments or AWS accounts are.
  • Identify Pockets of Excellence: Find teams that are operating at higher maturity levels (e.g., Level 3 or 4) than the rest of the organization, and use their practices as the template for bringing the other parts of the organization up.
  • Prioritize Focus: The high-level model helps security leaders prioritize areas to focus on, such as governance, if that area is lagging (e.g., lacking a Cloud Security Center of Excellence).
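As an added example (not the article's, Securosis's or IANS's tooling), the following Python scores a set of constructed AWS account credential reports against four hypothetical CSMM-style control objectives, one per maturity level, derives each account's reached level cumulatively in the Capability Maturity Model style (Level N counts only if every objective at Levels 1 to N passes), and flags accounts operating above the organization's median level as pockets of excellence. The objective names, their level assignments, the account IDs and the report rows are all assumptions; the CSV columns are those of the IAM credential report returned by `aws iam get-credential-report`, trimmed to the columns the checks read.

```python
"""
Added example: quantitative assessment of CSMM-style control objectives
per AWS account, plus "pocket of excellence" detection.

Everything below is constructed for illustration. The objectives and
their level assignments are hypothetical; the CSV rows mimic the format
of the IAM credential report (`aws iam get-credential-report`), keeping
only the columns the checks use.
"""
import csv
import io
from statistics import median

# Constructed credential-report excerpts keyed by (fake) account ID.
CREDENTIAL_REPORTS = {
    "111111111111": """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111111111111:root,not_supported,true,false
alice,arn:aws:iam::111111111111:user/alice,true,true,false
ci-deployer,arn:aws:iam::111111111111:user/ci-deployer,false,false,true
""",
    "222222222222": """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::222222222222:root,not_supported,false,true
bob,arn:aws:iam::222222222222:user/bob,true,false,false
""",
    "333333333333": """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::333333333333:root,not_supported,true,false
carol,arn:aws:iam::333333333333:user/carol,true,true,false
dave,arn:aws:iam::333333333333:user/dave,false,false,false
""",
    "444444444444": """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::444444444444:root,not_supported,true,false
erin,arn:aws:iam::444444444444:user/erin,true,false,false
""",
}

ROOT = "<root_account>"  # the credential report's name for the root user


def parse_report(text):
    """Parse a credential-report CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


# Each check answers one control objective with True (met) or False (not met).
def root_mfa(rows):
    return all(r["mfa_active"] == "true" for r in rows if r["user"] == ROOT)


def console_mfa(rows):
    # The article's own example objective: every principal that can log in
    # to the console (password_enabled) must have MFA active.
    return all(r["mfa_active"] == "true" for r in rows if r["password_enabled"] == "true")


def no_root_keys(rows):
    return all(r["access_key_1_active"] == "false" for r in rows if r["user"] == ROOT)


def no_user_keys(rows):
    # Long-lived IAM user keys in use signal that federation/roles are not yet
    # the norm; a hypothetical higher-level objective.
    return not any(r["access_key_1_active"] == "true" for r in rows if r["user"] != ROOT)


# Hypothetical level assignments, ordered from Level 1 upward.
OBJECTIVES = [
    (1, "Root account has MFA", root_mfa),
    (2, "MFA on all console login access", console_mfa),
    (3, "No root access keys", no_root_keys),
    (4, "No long-lived IAM user access keys", no_user_keys),
]


def assess_account(rows):
    """Return (maturity level reached, per-objective results) for one account.

    A level is reached only when it and every lower level pass, so a single
    failing Level 1 objective leaves the account at Level 0 even if higher
    objectives happen to pass.
    """
    results = {name: check(rows) for _, name, check in OBJECTIVES}
    level = 0
    for lvl, name, _ in sorted(OBJECTIVES, key=lambda o: o[0]):
        if not results[name]:
            break
        level = lvl
    return level, results


def assess_org(reports):
    """Assess every account: {account_id: (level, results)}."""
    return {acct: assess_account(parse_report(text)) for acct, text in reports.items()}


def pockets_of_excellence(assessment):
    """Accounts whose reached level is above the organization's median level."""
    org_median = median(level for level, _ in assessment.values())
    return sorted(acct for acct, (level, _) in assessment.items() if level > org_median)


if __name__ == "__main__":
    org = assess_org(CREDENTIAL_REPORTS)
    for acct, (level, results) in org.items():
        failed = [n for n, ok in results.items() if not ok]
        print(f"{acct}: Level {level}; unmet: {failed or 'none'}")
    print("Pockets of excellence:", pockets_of_excellence(org))
```

Feeding real reports means running `aws iam get-credential-report` per account and replacing the constructed dictionary; CSPM findings map onto the same structure by replacing each check with a lookup of the relevant finding. The cumulative level rule is what turns a pile of pass/fail checks into the roadmap the article describes: an account sitting at Level 1 with three passing higher objectives tells you exactly which foundational gap to close first.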

What is the Biggest Challenge Security Leaders Face When Implementing CSMM?

The biggest challenge is expectation setting and goal definition.

  • Level Five is Not the Goal: Leaders should not assume Level Five is their goal. Level Five represents the “cloud unicorns” and is highly expensive and difficult for legacy organizations to achieve (often requiring custom security development teams).
  • Moving Target: Level Five is a moving target—what is mature today will be different in five years.
  • Set Appropriate Goals: The goal should be what is appropriate for the organization, such as aiming for Level Three at the baseline with pockets of Level Four maturity within the next two years.

What is Cloud Security Lab a Week (CloudSLAW), and Why is Hands-On Learning Essential?

Rich Mogull started Cloud Security Lab a Week (CloudSLAW) as a free, hands-on learning initiative to disrupt traditional, often dry, security education.

Why Labs Work

  • Hands-On Focus: The labs are typically 15 to 30 minutes long and focus on hands-on experience, which helps users learn concepts much faster than traditional reading or video watching.
  • Structured Progression: The format is a newsletter where subscribers receive every lab in order from the beginning. This mimics structured training but with infinite time.
  • Avoid Skipping Steps: When building labs, it is critical to not skip steps (e.g., showing the screenshot of the “next” button) because everybody learns differently.
  • Context and Background: Every lab must include a lecture section to give the user the background on why the technical thing matters.

What Security Practices Should Be Prioritized?

When rating security practices, Rich emphasizes that modern security is defined by MFA and testing.

  • Password Policy (Rating: 2/5): Strong, complex, unique passwords and password managers are essential. However, the requirement to change passwords frequently (e.g., every 30-90 days) is not a modern practice. The game is changed by MFA (Multi-Factor Authentication), which is now basically free.
  • Incident Response Testing (Rating: 5/5): Developing and regularly testing an Incident Response (IR) plan is absolutely critical. This involves practice, drills, and running scenarios to evaluate processes and ensure equipment works, which is essential even for busy teams.
  • DevSecOps & Arch Review (Rating: 5/5): Integrating security into CI/CD pipelines and conducting security architecture reviews early is incredibly valuable. Good architecture, such as proper network design and isolation (using multiple VPCs instead of one big flat one), can eliminate many security problems. For example, building a serverless architecture can dramatically reduce the internet-facing attack surface.

Conclusion: Driving Maturity with Mindset and Metrics

Rich Mogull’s framework for cloud security affirms that achieving resilience is a journey of mindset and continuous iteration, not a destination defined by fixed compliance lists. The Cloud Security Maturity Model (CSMM) provides the crucial story and structure necessary to move away from legacy thinking and set appropriate, achievable goals.

By leveraging the quantitative measures in CSMM Version 2, security leaders can gain the metrics and visibility needed to secure management buy-in and demonstrate tangible progress. Ultimately, marrying this strategic framework with hands-on, engaging learning (like CloudSLAW) empowers development teams, ensuring security becomes an integrated function that constantly evolves to match the speed and complexity of the cloud.
