CNAMM Quick Assessment

Evaluate your Cloud Native security maturity in 24 questions. This quick assessment will give you an overview of your organization's current state and identify key areas for improvement.

Your responses are collected anonymously to help improve the CNAMM framework.

1. Strategy and Risk Governance

1.1 How would you describe your organization's Cloud Native security strategy?

No formal Cloud Native security strategy exists
Basic security strategy that covers some Cloud Native aspects
Documented strategy with clear security goals and metrics
Comprehensive strategy with executive support and continuous improvement

1.2 How does your organization assess and manage Cloud Native security risks?

No formal risk assessment process for Cloud Native
Basic risk assessments conducted periodically
Structured risk management with regular assessments and prioritization
Comprehensive risk management integrated with business processes and supported by automation

1.3 How mature is your Cloud Native security policy management?

Few or no specific Cloud Native security policies
Basic policies exist but may not be enforced consistently
Comprehensive policies with regular reviews and enforcement
Policy-as-code approach with automated enforcement and compliance validation

2. Supply Chain and Vendor Security

2.1 How does your organization secure its software supply chain?

No specific supply chain security controls
Basic dependency scanning and vendor assessments
Comprehensive supply chain security with SBOM and artifact verification
Advanced supply chain security with continuous monitoring and automated validation

2.2 How do you manage vulnerabilities in third-party dependencies?

Ad hoc or no regular scanning
Regular scanning but limited remediation processes
Automated scanning with formal remediation processes
Comprehensive dependency management with automatic updates and impact analysis

2.3 How does your organization assess and manage risks from Cloud service providers?

No formal assessment of provider security
Basic due diligence during provider selection
Structured assessment with ongoing compliance monitoring
Advanced provider risk management with defense-in-depth controls and continuous validation

3. Infrastructure and Platform Security

3.1 How mature is your cloud infrastructure security posture management?

No automated security posture assessment
Basic cloud security scanning and monitoring
Automated posture assessment with policy enforcement
Comprehensive real-time posture management with automated remediation

3.2 How do you secure your container orchestration platforms?

Default configurations with minimal hardening
Basic platform hardening with some security controls
Comprehensive hardening with advanced security features enabled
Defense-in-depth security model with continuous validation and enforcement

3.3 How do you approach infrastructure-as-code security?

No specific IaC security processes
Basic manual code reviews
Automated policy checks and security scanning
Comprehensive security validation with shift-left controls and automated guardrails

4. Application and Data Protection

4.1 How would you describe your Cloud Native application security practices?

No Cloud Native-specific application security controls
Basic application security with some Cloud Native considerations
Dedicated Cloud Native application security with automated testing
Comprehensive security mesh with automated policy enforcement and real-time monitoring

4.2 How mature is your approach to secure API management?

No formal API security strategy
Basic API authentication and authorization
Comprehensive API gateway with security controls and monitoring
Advanced API security with zero-trust model and real-time threat protection

4.3 How do you protect sensitive data in your Cloud Native environment?

Basic encryption with limited data protection
Standard encryption practices with some data classification
Comprehensive data protection strategy with proper key management
Advanced data security with zero-trust data access and automated data governance

5. Identity and Access Governance

5.1 How do you manage identity and access in your Cloud Native environment?

Basic identity management without Cloud Native specifics
Identity management with some Cloud Native considerations
Advanced identity orchestration with automated lifecycle management
Zero-trust identity framework with automated verification and continuous monitoring

5.2 How mature is your privileged access management for Cloud Native resources?

Basic privileged access controls with limited oversight
Standard privileged access management with manual reviews
Comprehensive PAM with just-in-time access and monitoring
Advanced PAM with zero standing privileges and continuous verification

5.3 How do you manage service-to-service authentication in your Cloud Native environment?

Static credentials or basic authentication
Service accounts with proper rotation policies
Dedicated service mesh with mutual TLS and identity-based policies
Zero-trust service authentication with advanced workload identity and real-time verification

6. Runtime Security Operations

6.1 How do you secure container workloads at runtime?

No container-specific runtime security
Basic container monitoring and vulnerability scanning
Advanced runtime protection with behavioral analysis
Comprehensive runtime security with automated threat response

6.2 How do you monitor and manage security events in your Cloud Native environment?

Limited or ad-hoc monitoring with manual analysis
Basic centralized logging with security alerting
Advanced security monitoring with correlation and automated triage
Comprehensive observability platform with ML-based detection and automated response

6.3 How do you enforce security policies at runtime?

Limited or no runtime policy enforcement
Basic runtime security controls with manual verification
Automated policy enforcement with continuous validation
Comprehensive policy-driven security with adaptive enforcement and real-time remediation

7. Threat Detection and Response

7.1 How does your organization detect and respond to threats in Cloud Native environments?

No Cloud Native-specific threat detection
Basic monitoring with manual investigation
Advanced threat detection with some automated response
Comprehensive threat analytics with ML-based detection and automated response

7.2 How mature is your Cloud Native incident response capability?

No specific Cloud Native incident response procedures
Basic incident response processes with limited automation
Structured incident response with playbooks and cross-team coordination
Advanced incident response with automated containment and detailed forensics capabilities

7.3 How do you maintain threat intelligence specific to Cloud Native environments?

No formal threat intelligence program
Basic consumption of general threat feeds
Dedicated Cloud Native threat intelligence with regular updates
Advanced threat intelligence with custom indicators and automated implementation

8. Resilience and Service Assurance

8.1 How do you ensure reliable and secure software delivery?

No formal delivery safety measures
Basic deployment checks and rollback capability
Advanced deployment controls with automated verification
Comprehensive deployment safety with progressive delivery and impact controls

8.2 How mature is your approach to disaster recovery for Cloud Native applications?

Limited or no formal DR strategy
Basic backup and recovery procedures
Comprehensive DR strategy with regular testing
Advanced resilience engineering with automated failover and chaos testing

8.3 How do you manage compliance and auditing in your Cloud Native environment?

Ad hoc compliance checks with limited automation
Basic compliance monitoring with periodic audits
Continuous compliance validation with comprehensive audit trails
Automated compliance as code with real-time validation and remediation

Your CNAMM Quick Assessment Results

Based on your responses, here is an overview of your Cloud Native security maturity.

Recommended Next Steps

Based on your assessment, we recommend focusing on improving your foundational capabilities.

To get a comprehensive assessment and detailed improvement roadmap, download the full CNAMM Toolkit.