
Multi Cloud Security Maturity Roadmap

Apache License 2.0 (Apache-2.0)


version 1, 19 February 2023

Running workloads across multiple Cloud Service Providers (CSPs) has become increasingly popular among organizations. There are many reasons why an organization may decide to use multiple CSPs, including but not limited to:

  • Reducing reliance and lock-in with one provider.
  • Choosing "best of breed" services from each CSP.
  • Organization merger or acquisition.

With multi-cloud, complexity is amplified significantly. Whether it is the need to grow knowledge and skills across CSPs, the choice between centralized and decentralized tools, or even the decision of where to build a product or service, multi-cloud is something organizations should carefully consider.

Version 1 of this roadmap was built with the NIST Cybersecurity Framework (CSF) as its foundation to apply security functions against core cloud resources: compute, data, network, and identity. It was produced by an international group of cloud security professionals. The roadmap is designed to guide any organization of any size to map their level of cloud security maturity in a multi-cloud environment.

The roadmap is not intended to be prescriptive but rather to serve as a guide describing traits of organizations effectively managing risk across multiple CSPs. The roadmap intends to remain agnostic but does cite specific example controls from the big three CSPs (Microsoft Azure, Google Cloud Platform, and Amazon Web Services).

As a disclaimer, any organization formalizing single or multi-cloud should use techniques such as threat modeling, risk management, and other best practices against their specific business needs.

Contributors

  • Aashish Aacharya (AJ)
  • Adam Chou
  • Almahdi Sahad
  • Ashish Rajan
  • Claude Mandy
  • David Levitsky
  • Frank Graziano
  • Kyhle Ohlinger
  • Paul Schwarzenberger
  • Rajeev Sharma
  • Shawn Tolidano

This roadmap is built with the NIST Cybersecurity Framework (CSF) as a foundation. This document is a guide for any organization to map their level of maturity in a multi-cloud environment. Organizations should be able to select the appropriate level suited for them from this document and map it to their internal maturity framework to plan, implement and improve their maturity.

Dictionary:

  • Cloud - Compute capability provided as a service by CSPs.
  • CSP - Cloud Service Provider, e.g. Amazon Web Services, Microsoft Azure, Google Cloud, etc.
  • CLI - Command Line Interface for interacting with available Application Programming Interfaces (APIs) using commands and credentials to authenticate requests.