1 KuppingerCole Maturity Level Matrix - How to use this document

Most organizations now critically depend upon IT services to operate and are therefore their business is vulnerable to cyber security incidents. This report provides a tool to evaluate the maturity of your cyber security.

Organizations are moving from using IT services that are exclusively delivered by equipment on-premises to a mixture of delivery models that also include hosting as well as cloud services. The move to this hybrid environment is driven by digital business transformation to provide greater flexibility as well as cost reduction. However, it brings with it increased challenges of management, compliance and security. This makes it essential to continuously review and update your cyber security posture, processes and tools.

1.1 Why Cyber Security projects need regular reviews

Business objectives, organizational best practices and technologies are constantly evolving. It is essential to continuously review your organization’s performance in the light of these changes.

Organizations are under pressure to exploit digital technology to become more flexible, more responsive to customer needs and more efficient. The traditional model where IT services are delivered internally is being challenged as being unresponsive, poorly adapted to connecting with customers as well as too costly, and cloud services are being promoted as the solution. However, this evolution needs to be considered in the context of the increased regulation over the protection and use of data, such as the recent EU GDPR (General Data Protection Regulation). Compliance with these regulations depends upon good cyber security and the use of cloud services means sharing the responsibilities for security with the cloud service provider. Failure to properly manage cyber security risks can result not only in operational failure but also in reputational damage as well as regulatory penalties.

These conflicting challenges have led to the emergence of the hybrid IT service delivery model. When organizations deliver IT services from their own data centres, they have tight control over the security and compliance of processing. The loss of direct control when using externally provided services leads to concerns over compliance and security. The hybrid IT service delivery model addresses these concerns. This model provides greater control by allowing the user organization to locate sensitive data and critical systems on premises or on dedicated resources in a private cloud but adds to the complexity of governance, management and security. The maturity of an organization to manage cyber security must now be judged in the context of this hybrid IT service model.

To understand the security implications of this hybrid model it is necessary to consider the IT service delivery stack. This is because the responsibilities for the different parts of the stack are shared between the CSP (Cloud Service Provider) and the cloud tenant in different ways. There are five distinct service delivery planes and each needs to be managed and secured. These planes range from the physical data centre through the logical infrastructure to the applications and data. For cloud services three of these planes correspond with the cloud service model (IaaS, PaaS and SaaS). When IT services are delivered on premises the responsibility for all five planes is clear. However, in the cloud model, responsibility for managing these planes is split between the customer and the CSP in a way that depends upon how the service is delivered. For each plane there are six important elements that are need to ensure security.

This is illustrated in Figure 1.