Cloud SecOps Maturity Assessment

When it comes to infrastructure security, implement both controls and the monitoring that verifies them, so that you are constantly checking that your controls are actually working.

Take this self-assessment to analyze your cloud infrastructure security practices. At the end, you will get specific recommendations for improving automation and security at scale.

Runtime and Services Part 1: Controls

1. Which of the following best describes how your team delivers and runs software in your environment?

  • Most of our processes are pretty manual and we haven't standardized how we deliver or execute our software.
  • We've automated and standardized our processes with a configuration management tool (like Chef or Puppet) or some other method. We think about how to continue to achieve more operational efficiency through automation.

2. Is either of the following statements true for your organization? (1) Our employees do not often need access to systems to debug software. (2) We use service discovery to standardize how servers find one another.

  • Neither or just one of those statements is true for my company.
  • Both statements are true for my company.

3. Which of the following best describes how your services establish trust with each other?

  • Our services rely on network topology for trust, or they do not establish it.
  • Our services establish trust with each other before communicating (using HTTPS, IPsec or some other method).

4. Which mode is your mandatory access control system (think AppArmor or SELinux) running in?

  • We don't have mandatory access control.
  • Warn or complain mode
  • Enforce mode

Part 1 Results

Your Controls for Runtime and Services are rated at one of five levels, Level 1 through Level 5, based on your answers. You can learn more about what this means for your organization after completing Part 2 of this assessment.

Runtime and Services Part 2: Monitoring

1. Which of the following better describes your organization?

  • We don't do any security monitoring.
  • We monitor a few things, like user, file and software behavior.

2. Do you proactively look for suspicious behavior and use your data for incident response?

  • No, we don't.
  • Yes, we do.

3. Can you detect process execution patterns that indicate unexpected behavior or remote code execution?

  • No, we can't.
  • Yes, we can.

4. Do you use real-time data about runtimes to automatically reconfigure parts of the infrastructure, such as automatically closing ports on firewalls, removing unused access from servers to infrastructure APIs, etc.?

  • No, we don't.
  • Yes, we do.

Part 2 Results

Your Monitoring for Runtime and Services is rated at one of five levels, Level 1 through Level 5, based on your answers. Together with your Part 1 result this gives your current level and next steps for both Controls and Monitoring.


How to Understand Your Results

This sample assessment covers one of Threat Stack’s Five Principles. It is intended to help you understand how mature the monitoring and controls you’ve implemented are for your Runtime and Services.

Runtime Services Framework Slice


About the Threat Stack Cloud SecOps Maturity Framework

The Threat Stack Cloud SecOps Maturity Framework is designed to help companies align security and operations to reduce risk and improve operational efficiency.

Five Principles

The framework is divided into five principles, pictured around the circle below, that each fortify different aspects of your infrastructure. This assessment is intended to show you one of the five.

Monitoring and Controls

Controls are only effective when they’re enforced. The framework contains levels for both monitoring and controls, so companies can ensure that the controls that have been put in place are actually working.

Maturity Levels

The Framework contains five maturity levels, which range from ad hoc processes (Level 1) to optimized (Level 5). Once you’ve achieved Level 5, you can start to determine your own next steps to continually improve.

Complete Framework Map

Sample Company Map

The Complete Maturity Scale for Runtime and Services

Threat Stack’s Complete Cloud SecOps Maturity Framework® includes tangible steps to take to mature your organization.

Controls

Level 1
  • Software is delivered to and runs in environments based on manual intervention.
  • There are no standards for how it is delivered or is supposed to execute.

Level 2
  • Software is delivered to and runs in environments based on automation.
  • Each service always runs as its designated service user on specific servers (one service per server), logs to a deterministic location, and its configuration is rendered to a deterministic location by configuration management. Services never run as root.

Level 3. Organization meets the criteria of Level 2, plus:
  • Employees generally do not need to access systems to debug running software.
  • Service discovery is performed with internal systems (DNS, centralized load balancers, etc.).

Level 4. Organization meets the criteria of Levels 2-3, plus:
  • Services establish trust between each other before communicating (at the protocol layer or below).
  • Software is only able to access the specific file system locations that it needs, with the least privileges feasible. A Mandatory Access Control system (e.g., AppArmor or SELinux) is implemented in warn/complain mode.

Level 5. Organization meets the criteria of Levels 2-4, except:
  • The Mandatory Access Control system (e.g., AppArmor or SELinux) is implemented in enforce mode instead of warn/complain.
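The Level 4 and Level 5 criteria are checkable on a host. As an added example that is not part of Threat Stack's framework or tooling, the Python below lints AppArmor profile text: it reads the mode from each profile header's flags=(...) (complain/warn versus the enforce default) and flags file rules that grant whole-filesystem access or recursive write access to an entire top-level tree, which is not "only the specific file system locations that it needs". The profile text, the service names and the list of top-level trees are assumptions constructed for this example; an SELinux host would need a different check (the policy mode from getenforce and the type enforcement rules), which is not shown here.

```python
# Added example (not Threat Stack's code). Lints AppArmor profile text against the
# Level 4/5 controls above: reports complain vs enforce mode and flags file rules that
# are broader than "the specific file system locations" a service needs.
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Header: "/usr/sbin/foo flags=(complain) {" or "profile foo /usr/sbin/foo {".
PROFILE_HEADER = re.compile(
    r"^(?:profile\s+)?(?P<name>\S+)(?:\s+(?!flags=)\S+)?"
    r"\s*(?:flags=\((?P<flags>[^)]*)\))?\s*\{$"
)
# File rule: "/etc/foo/** r," / "owner /var/log/foo/* w," / "deny /etc/shadow r,".
# Paths using {a,b} alternation are not handled by this example.
FILE_RULE = re.compile(
    r"^(?P<deny>deny\s+)?(?:owner\s+)?(?P<path>/[^\s,]*)\s+(?P<perms>[rwalkmixpPuUcC]+),$"
)
# Recursive write access to a whole top-level tree is treated as too broad (assumed list).
TOP_LEVEL_TREES = ("/etc/", "/usr/", "/var/", "/home/", "/root/", "/bin/", "/sbin/", "/lib/")


@dataclass
class ProfileReport:
    name: str
    mode: str                                   # "enforce" or "complain"
    rules: int = 0                              # file rules seen, deny rules included
    broad_rules: list[str] = field(default_factory=list)


def is_broad(path: str, perms: str) -> bool:
    """Whole-filesystem globs, or write/append/link into a whole top-level tree."""
    if path in ("/", "/*", "/**"):
        return True
    return any(p in perms for p in "wal") and any(path == f"{t}**" for t in TOP_LEVEL_TREES)


def lint_profiles(text: str) -> list[ProfileReport]:
    """One report per top-level profile. Comments and #include lines are skipped."""
    reports: list[ProfileReport] = []
    current: ProfileReport | None = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if current is None:
            header = PROFILE_HEADER.match(line)
            if header:
                flags = (header.group("flags") or "").replace(",", " ").split()
                mode = "complain" if "complain" in flags else "enforce"
                current = ProfileReport(header.group("name"), mode)
                depth = 1
            continue
        if line.endswith("{"):                  # nested hat or child profile
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                reports.append(current)
                current = None
        elif (rule := FILE_RULE.match(line)):
            current.rules += 1
            if not rule.group("deny") and is_broad(rule.group("path"), rule.group("perms")):
                current.broad_rules.append(line)
    return reports


def assess(text: str) -> dict[str, dict]:
    """Level 4 = least-privilege file rules in any mode; Level 5 = the same, enforced."""
    return {
        r.name: {"mode": r.mode, "rules": r.rules, "broad_rules": r.broad_rules,
                 "meets_level_4": not r.broad_rules,
                 "meets_level_5": not r.broad_rules and r.mode == "enforce"}
        for r in lint_profiles(text)
    }


# Constructed sample: a profile still in complain mode with a catch-all rule, and an
# enforced profile confined to its own directories. Service paths are hypothetical.
SAMPLE_PROFILES = """
/opt/billing/bin/billingd flags=(complain) {
  #include <abstractions/base>
  /opt/billing/bin/billingd mr,
  /etc/billing/** r,
  /var/log/billing/*.log w,
  /** rw,
  /usr/bin/gdb ix,
}

profile billing-worker /opt/billing/bin/worker {
  /opt/billing/bin/worker mr,
  /etc/billing/worker.conf r,
  /var/lib/billing/** rwk,
  /var/log/billing/worker.log w,
  deny /etc/shadow r,
}
"""
```

Running assess(SAMPLE_PROFILES) reports the first profile as complain mode with "/** rw," flagged (so it meets neither Level 4 nor Level 5) and the second as enforced with no broad rules. Note that a complain-mode profile only logs; the Level 4 to Level 5 step is the point at which the profile starts denying, so the lint is worth running on the access the profile grants before flipping the mode.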

Monitoring

Level 1
  • Monitoring either doesn't exist or it focuses on availability and the Operations team's SLAs.

Level 2
  • The Security Team is able to detect the following in real time: software that runs in the environment as an unexpected service user, unexpected software in the environment (including runtimes), and configuration file changes by any software or user other than the automation system.
  • Logs are sent to a central location but are not relied on for real-time system security monitoring.

Level 3. Organization meets the criteria of Level 2, plus:
  • They can detect suspicious behavior like running debug tools or compilers, privilege escalation, and data access. This data is used both for incident response and for changing internal behavior (e.g., removing the need for privilege escalation, system access, etc.).

Level 4. Organization meets the criteria of Levels 2-3, plus:
  • They can detect process execution patterns that indicate unexpected behavior or remote code execution.

Level 5. Organization meets the criteria of Levels 2-4, plus:
  • Real-time data about runtimes is used to automatically reconfigure parts of the infrastructure, such as automatically closing ports on firewalls, removing unused access from servers to infrastructure APIs, etc.
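The Monitoring criteria for Levels 2 through 4 read as a detection ruleset. As an added example that is not Threat Stack's code, the Python below encodes them as rules and runs them over a constructed stream of process-exec and file events of the kind an auditd or eBPF sensor emits: unexpected service user, unexpected software, and configuration writes by anyone but the automation user (Level 2); debug tools or compilers, privilege escalation, and sensitive data access (Level 3); and a service process spawning a shell as the execution pattern that a remote code execution in that service usually produces (Level 4). The event field names, the expected-state tables (which configuration management would render) and the events themselves are assumptions made for this example.

```python
# Added example (not Threat Stack's code). The Level 2-4 monitoring criteria as
# detection rules, run over constructed sensor events. All tables are assumptions.
from collections import Counter

# Expected state: which user each service runs as, and which executables are
# expected on the host at all (Level 2: unexpected service user / software).
EXPECTED_USER = {"/opt/billing/bin/billingd": "billing", "/usr/sbin/nginx": "www-data"}
EXPECTED_EXES = set(EXPECTED_USER) | {"/usr/bin/python3", "/bin/sh", "/usr/bin/logrotate"}
AUTOMATION_USERS = {"chef", "puppet"}            # the only writers allowed under /etc (Level 2)
CONFIG_PREFIXES = ("/etc/",)
DEBUG_TOOLS = {"/usr/bin/gdb", "/usr/bin/strace", "/usr/bin/gcc", "/usr/bin/cc"}   # Level 3
ESCALATION_EXES = {"/usr/bin/sudo", "/bin/su", "/usr/bin/su"}                          # Level 3
SENSITIVE_PATHS = ("/etc/shadow", "/root/.ssh/")                                       # Level 3
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}                                         # Level 4


def detect(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "exec":
            exe, user, parent = ev["exe"], ev["user"], ev.get("parent_exe")
            if exe in EXPECTED_USER and user != EXPECTED_USER[exe]:
                findings.append(("unexpected_service_user", ev))
            if exe not in EXPECTED_EXES | DEBUG_TOOLS | ESCALATION_EXES:
                findings.append(("unexpected_software", ev))
            if exe in DEBUG_TOOLS:
                findings.append(("debug_tool_or_compiler", ev))
            if exe in ESCALATION_EXES:
                findings.append(("privilege_escalation", ev))
            # Level 4 execution pattern: a long-running service forking a shell is
            # what a remote code execution in that service usually looks like.
            if parent in EXPECTED_USER and exe in SHELLS:
                findings.append(("service_spawned_shell", ev))
        elif ev["type"] == "file_write":
            if ev["path"].startswith(CONFIG_PREFIXES) and ev["user"] not in AUTOMATION_USERS:
                findings.append(("config_change_outside_automation", ev))
        elif ev["type"] == "file_read":
            if ev["path"].startswith(SENSITIVE_PATHS):
                findings.append(("sensitive_data_access", ev))
    return findings


def summarize(events):
    """Count findings per rule, which is what an alert threshold or dashboard keys on."""
    return Counter(rule for rule, _ in detect(events))


# Constructed events (not real telemetry); timestamps and paths are illustrative.
SAMPLE_EVENTS = [
    {"ts": "10:00:01", "type": "exec", "exe": "/opt/billing/bin/billingd", "user": "billing",
     "parent_exe": "/usr/lib/systemd/systemd"},
    {"ts": "10:00:02", "type": "file_write", "path": "/etc/billing/billing.conf", "user": "chef"},
    {"ts": "10:05:10", "type": "exec", "exe": "/opt/billing/bin/billingd", "user": "root",
     "parent_exe": "/bin/bash"},
    {"ts": "10:05:12", "type": "file_write", "path": "/etc/billing/billing.conf", "user": "alice"},
    {"ts": "10:05:40", "type": "exec", "exe": "/usr/bin/sudo", "user": "alice", "parent_exe": "/bin/bash"},
    {"ts": "10:05:41", "type": "exec", "exe": "/usr/bin/gdb", "user": "root", "parent_exe": "/usr/bin/sudo"},
    {"ts": "11:17:03", "type": "exec", "exe": "/bin/sh", "user": "www-data", "parent_exe": "/usr/sbin/nginx"},
    {"ts": "11:17:04", "type": "exec", "exe": "/tmp/.cache/kworker", "user": "www-data",
     "parent_exe": "/bin/sh"},
    {"ts": "11:17:05", "type": "file_read", "path": "/etc/shadow", "user": "www-data"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{ev['ts']} {rule:34} {ev.get('exe') or ev.get('path')} user={ev['user']}")
```

The first two events (the service starting as its own user, and Chef rendering its config) produce nothing; the remaining seven each trip exactly one rule. The three 11:17 events are the sequence the Level 4 criterion is after: nginx spawns a shell, the shell runs a binary from /tmp that configuration management never put there, and that binary reads /etc/shadow. The Level 5 step, reconfiguring infrastructure from this data automatically, is deliberately not shown, because the action to take (closing a port, revoking an instance's API role) depends on the environment.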