
DayBlink Consulting supported a cloud security maturity assessment for a large Technology company


Read the full case study here: Cloud Security Maturity Assessment


Introduction

DayBlink Consulting conducted a cloud security maturity study of a large technology organization. This assessment was a current-state, third-party evaluation that offered an independent perspective on the organization’s cloud security posture. Through this assessment, DayBlink Consulting identified a variety of gaps for the organization to address, including inadequate access controls, over-privileged access to critical resources, a nascent asset tagging strategy, no SBOM program, and an insufficient Cloud FinOps function. We created an action plan and multi-year roadmap to address these gaps and help the organization reach its target cloud security maturity goals.

Problem

With cloud security breaches on the rise, our client wanted an independent evaluation of its cloud security maturity.

The organization lacked a comprehensive cloud security program and its plan for a variety of security controls was only partially implemented and tracked for compliance. The cloud security practices were fragmented and inconsistent across business units, which impacted the ability to protect against advanced cyber threats and remain resilient under attack. The organization was also trying to become IPO-ready, and many of their controls were not implemented with the ability to scale.

The Leadership team desired a better understanding of areas for improvement to inform their strategic plan. The organization also wanted an action plan and roadmap to work towards its target maturity levels and establish repeatable maturity assessment methods to be executed annually, helping further scale services.

Solution

Our team assessed cloud security controls to understand the current security posture and identify gaps to help inform the strategic plan.

To properly assess the implementation of the company’s cloud security controls, DayBlink Consulting used a recognized industry framework based on NIST’s Cybersecurity Framework (CSF) and the Cloud Security Alliance’s (CSA) cloud controls framework.

Because those frameworks lack a standard maturity evaluation rubric, DayBlink developed a custom maturity scoring model that combines quantitative and qualitative inputs.

We conducted a six-phase analysis: (1) Planning, (2) Finalizing In-Scope Cloud Controls & Scoring Rubric, (3) Assessing Maturity Levels, (4) Cataloging Gaps & Opportunities, (5) Developing Detailed Opportunity Profiles, and (6) Finalizing the Cloud-Security Domain Roadmap.

We then presented the results and iterated with the CISO in prioritizing the cloud-security initiatives to pursue.

Outcome

Over the following year our client substantially improved its cloud security posture.

With DayBlink’s support, the client addressed a number of its security controls by improving its Business Continuity and Disaster Recovery (BCDR) program for cloud assets through better use of AWS high-availability services. The client also automated its base image maintenance with Terraform as part of the cloud patching process. With these advancements in security controls, the client has seen an improvement in its efficiency and a decreased response time to threats – helping protect systems, networks and data within the cloud.

The client has also leveraged the assessment on its path to IPO readiness. This repeatable assessment will continue to be used yearly, allowing the organization to track its progress and inform future strategic plans.