May 20 – 22, 2025 | New York University in New York, NY
Cloud Security Maturity Models: It’s Not Just for Data Lakes and Research Data
By James Monek – Director of Technology Infrastructure & Operations at Lehigh University
There is a misconception that "we don't handle sensitive data, so we don't need a security framework." As with security in general, cloud security is everyone's responsibility, even if you do not handle protected data or store institutional data in the cloud. You are leveraging the cloud for some services, and if you misconfigure those services or forget to patch known vulnerabilities, threat actors will leverage them for their own malicious activity, including pivoting back into your network, where they can move laterally.
Cloud Security Maturity Models (CSMMs) offer a structured, strategic way to assess where you are today and plan where you need to go next. As institutions expand their cloud footprints, build dedicated teams, and adopt new tooling, maturity models can guide that growth securely and intentionally.
What Do These Maturity Models Typically Look Like?
While different frameworks use different terminology, they generally align along five levels of increasing maturity:
- Initial: No formal process. Security is reactive, with inconsistent or undocumented changes. Knowledge is siloed in independent SMEs.
- Repeatable: Some security practices, policies, and training exist. Some Infrastructure as Code (IaC), such as Terraform or CloudFormation, is in use. Compliance assessments are done manually.
- Defined: Processes and practices are documented and followed, such as the security team reviewing IaC. Cloud Centers of Excellence or cloud teams begin to form. FinOps and chargebacks gain visibility.
- Capable: Security becomes more mature, with metrics and controls being put in place. IaC becomes more automated across deployments, along with guardrails. Compliance reports begin to be automated.
- Efficient: Everything is managed centrally and automated with true IaC pipelines. Accounts are federated and logged, with MFA enforced across all services, including the CLI. Compliance checks are enforced automatically, with automated dashboards and chargebacks.
Depending on which cloud provider(s) you are using, there are several models to consider below, including an open model.
Take some time to explore these models before the workshop.
Reflect on the following:
- Where do you think your team or institution currently falls on the maturity scale?
- What level would you like to be at in the next 12–18 months?
- What’s getting in the way and what can you do about it?
- What can the community do to help?
You don't have to be operating in a highly regulated environment to take cloud security seriously. Maturity models aren't just for checking compliance boxes; they're about building trust, reducing risk, and scaling your cloud efforts with confidence.