The Evolution of Cloud Security

My Take on a Monitoring Maturity Model

Marc Lopez
Vets in DevOps
2 min read · Feb 19, 2024


Is something wrong?

I’m not sure.

How would I know?

The questions above are somewhat of a nightmare scenario for an IT department. There are different reasons to monitor your technology, especially in the cloud. Some examples include performance, cost, and security.

I’ve been diving into the security pillar of the AWS Well-Architected Framework. As I read through the detection best practices, I couldn’t help but create a maturity model for cloud security monitoring. Here is the initial draft I’m proposing to the community. I’d love to get your feedback based on your experiences in different environments.

The Cloud Security Monitoring Maturity Model

Level 1: Ensuring Desired Behavior Status

At this level, the business simply cares that the purpose for using the technology is achieved. Someone on the staff may be responsible for manually logging in to an administrative console to check configuration settings. Alternatively, they may simply use the technology, and if it works, they’re satisfied.

Level 2: Compliance-based Monitoring

This is where some thought is given to what logs are enabled, and how long they’re stored. This is often driven by regulatory compliance requirements. The logs are accessed and analyzed only when necessary for an audit, or when a security incident arises.

Level 3: Established Centralized Logging Management Strategy

At this level, the logging is centralized, and detections are put in place. Your assets are generating logs based on both compliance and the business’s security risk tolerance. These configurations are mapped back to threat modeling outcomes and a prioritized asset inventory.

Level 4: Event & Response Automation

Automation is used to generate specific alerts and trigger responses. For example, there may be a detection in place that, when it fires, isolates the affected asset and brings a backup copy online. Another possibility is the inclusion of ChatOps alerting, where specific teams are notified via Slack or a similar service of a likely security event in their workload.
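As an added illustration of the Level 4 pattern (not code from the post or from AWS), the router below maps a detection event to an ordered response: containment steps such as isolate and restore only run at or above a severity threshold that stands in for the business's risk tolerance, and every path ends in a ChatOps notification to the owning team. Rule names, asset IDs, channel names and the playbook table are all constructed, and the containment actions are returned as plan entries rather than executed.

```python
from dataclasses import dataclass

# Ordered severities used to compare an event against the risk tolerance threshold
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed playbooks: detection rule -> response actions, in execution order
PLAYBOOKS = {
    "instance-credential-exfil": ["isolate", "restore_backup", "notify"],
    "bucket-made-public": ["revert_acl", "notify"],
}


@dataclass
class DetectionEvent:
    rule: str
    asset_id: str
    severity: str  # one of SEVERITY_RANK


def chatops(channel, event, note):
    """Build the ChatOps message that closes every response plan."""
    return {"action": "notify", "channel": channel,
            "text": f"[{event.severity}] {event.rule} on {event.asset_id}: {note}"}


def plan_response(event, inventory, auto_contain_at="high"):
    """Turn a detection into an ordered list of response steps.

    inventory: asset_id -> {"owner_team": str} (the prioritized asset inventory
    from Level 3). Containment actions fire only at or above `auto_contain_at`;
    lower severities and assets missing from the inventory degrade to a
    notification so a human triages instead of the automation acting blind.
    """
    asset = inventory.get(event.asset_id)
    if asset is None:
        return [chatops("#sec-triage", event, "asset not in inventory")]
    channel = f"#sec-{asset['owner_team']}"
    contain = SEVERITY_RANK[event.severity] >= SEVERITY_RANK[auto_contain_at]
    steps = []
    for action in PLAYBOOKS.get(event.rule, ["notify"]):
        if action == "notify":
            note = "automated response executed" if steps else "review required"
            steps.append(chatops(channel, event, note))
        elif contain:
            steps.append({"action": action, "asset_id": event.asset_id})
    return steps
```

A real deployment would replace the returned plan entries with calls to the cloud provider's API for the isolate and restore steps and post the notify entry to the chat service.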

Level 5: Optimized for Dynamic Environments

In this final level, the strategy itself is periodically reviewed and optimized. There are formal processes to incorporate new assets into the monitoring strategy and to offload old resources. This approach both saves money and ensures only alerts of value bubble up to the top. Cyber threat intelligence may be incorporated to fine-tune your monitoring and detection of the most prevalent threats in your industry.

Those are the five levels of the Cloud Security Monitoring Maturity Model. Is there another model out there? My initial search didn’t yield any substantive results. Let me know in a comment or on LinkedIn if you find other sources on logging and monitoring in the cloud. As always, thanks for reading.

Exploring cloud security depths through continuous learning and innovation. Sharing insights, challenges, and breakthroughs on my journey.