Result:
with {{ttl}} out of a possible 100 points
Nascent - Isolated < 31
Intermediate - Transforming > 31 and < 80
Advanced - Automated > 80
At what level of your company is security managed for internally developed cloud native applications?
{{Answer03}}
Which team is primarily responsible for defining security policies to protect your cloud native applications?
{{Answer04}}
Does your company have an individual or group designated as cloud security architects and/or DevSecOps engineers?
{{Answer05}}
Into which stages of your organization’s software development lifecycle (SDLC) has security been integrated? (please check all that apply)
{{Answer06a}} We include security in our planning process
{{Answer06b}} We have shifted security left into our development processes
{{Answer06c}} We integrate security measures at the integration and build stages
{{Answer06d}} We integrate security measures into our delivery/deployment stages
{{Answer06e}} We apply security controls to protect runtime production environments
{{Answer06f}} None of the above
Regardless of the previous answer, how do your organization’s project teams, across all roles, feel about the security approach of ‘shift left’ (i.e., integrating security processes and controls earlier in the SDLC)?
{{Answer07}}
When integrating security controls within the SDLC, do your project teams employ a risk-based approach that takes into account both the criticality of different cloud native applications and their associated threat models?
{{Answer08}}
Which of the following controls are currently employed to secure your organization’s cloud native applications? (please check all that apply)
{{Answer09a}} We use security controls native to the cloud service provider or our orchestration platform
{{Answer09b}} We use third-party security controls (e.g., commercial solution)
{{Answer09c}} We use open-source security controls (e.g. Clair, Trivy, Osquery, Falco, Kube-Bench, etc.)
{{Answer09d}} We develop our own set of security controls
{{Answer09e}} None of the above
{{Answer09f}} Don't know
Which of the following security use cases and areas of focus has your organization implemented to protect your cloud native applications? (please check all that apply)
{{Answer10a}} Vulnerability management
{{Answer10b}} Host hardening
{{Answer10c}} Kubernetes hardening
{{Answer10d}} Runtime monitoring
{{Answer10e}} Micro-segmentation
{{Answer10f}} Secrets management
{{Answer10g}} Compliance mandates (e.g. PCI-DSS, HIPAA, etc.)
{{Answer10h}} Malware prevention and analysis
{{Answer10i}} Runtime threat protection
{{Answer10j}} Auditing and forensics
{{Answer10k}} Don’t know
Which of the following cloud security solutions is currently being used by your organization? (please check all that apply)
{{Answer11a}} Application security testing (Software composition analysis, code scanning)
{{Answer11b}} Cloud security posture management (CSPM)
{{Answer11c}} Cloud workload protection platforms (CWPP)
{{Answer11d}} Container security
{{Answer11e}} Serverless Security
{{Answer11f}} API Security
{{Answer11g}} Cloud infrastructure entitlement management (CIEM)
{{Answer11h}} Micro-segmentation
{{Answer11i}} Web application firewall (WAF)
{{Answer11j}} Data loss prevention (DLP) for object stores
{{Answer11k}} None of the above
{{Answer11l}} Don’t know
At what stage is your organization regarding consolidation of cloud security controls and using an integrated platform to protect your cloud native applications and infrastructure?
{{Answer12}}
How many of your company’s internally developed cloud native applications are considered business-critical?
{{Answer01}}
For how long has your organization been using the following technologies as part of your internally developed cloud native applications? (Please check one per row)
Containers: {{Answer02a}}
Kubernetes: {{Answer02b}}
Serverless function-as-a-service (FaaS): {{Answer02c}}
Continuous Integration and Continuous Delivery (CI/CD) Tools: {{Answer02d}}
Microservices Service Mesh: {{Answer02e}}
Where do you stand today?
Below, we have compiled recommendations across people, processes, and technologies that your organization can enact to improve its standing and create a competitive edge over its peers.
Assessment and benchmark
research powered by ESG