Cloud

CLOUD-01
Domino control

Multi-Cloud Permission Management (CIEM)

This control asks one thing: What is the dominant operating model for controlling and right-sizing permissions across AWS, Azure, and GCP?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

Over-privilege + leaked keys leads to full cloud compromise. You won’t know what’s exposed until after the incident.

Why this control caps your score

Cloud permissions quietly become your biggest breach multiplier. If identity is federated but permissions are wild, you still lose.

CLOUD-01 is one of the domino controls in the AXIS model. When the weakest domino control in an assessment sits at a low level, the overall maturity score is capped, regardless of how strong everything else is. The cap lifts as this control matures; the exact schedule is part of the scoring model.

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Minimizes breach impact and maximizes engineering velocity safely.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Move to federated identity for cloud access and eliminate static keys for human users.

What reaching level 2 (Developing) unlocks

Least privilege becomes sustainable, not a quarterly ritual.

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • CIEM dashboards used
  • Periodic removal of unused permissions
  • Some policy guardrails exist

Breach Radar

Seen in Real Breaches

These teardowns of public incidents cite CLOUD-01 as one of the controls that failed. Each one reconstructs the attack chain from public disclosures.

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for CLOUD-01 resolves to 5 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on CLOUD-01?

This page is the teaser layer. The full rubric behind CLOUD-01 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.