GOV.UK
Cloud Maturity Model
Alpha
Security
TODO: insert GovAssure baseline? or excerpt from?
How do you manage accounts used by software, not people?
We use basic usernames and passwords.
We use API keys that don’t change often.
We use a central place to store secrets and sometimes rotate them.
We use certificates (mutual TLS) for secure connections.
We use short-lived, strongly checked identities that change for each use.
I don't know
How does your organisation manage user identities and authentication?
There are a few rules for managing user identities, and little checking.
There are some rules, and these are sometimes checked by hand.
There are rules, such as two-factor authentication for key accounts, and some automated checks.
There are central rules for all users, with most checks and enforcement automated. Single Sign-On and two-factor authentication are widely used.
All identity rules and checks are fully centralised and automated. This includes strong authentication, automated approval processes, and good reporting, especially for sensitive data access.
I don't know
How do you make sure people have the right access for their role?
We review users’ access when we need to.
We sometimes review access, but rarely remove it.
We review access often, but mostly add new access rather than remove it.
Access is reviewed regularly, with expiry dates set for each role.
Reviews are automated. Access changes when roles change, and all access has expiry dates.
I don't know
How do you create and manage user accounts for cloud systems?
People share accounts, or accounts are managed by hand.
We use a central directory (like Active Directory), but links to cloud systems are inconsistent.
We have standard ways of working with cloud systems and try to avoid services that won’t work with this.
Identity management is automated. Non-standard systems are kept separate.
We have a single cloud-based directory for all users. All accounts are managed in one place, and non-standard systems are gone.
I don't know
How do you manage non-human service accounts in the cloud?
Service accounts are like user accounts, with long-lived passwords.
Service accounts use long-lived API keys, managed by each team.
All service accounts use a central secret store, which everyone must use.
Service accounts use short-lived identities, checked each time.
Service accounts are managed as code, with trust set up across the whole organisation.
I don't know
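The two service-account questions above span the range from long-lived passwords and API keys to short-lived identities that are checked on every use. The following Python is an added example, not code from the Cloud Maturity Model or from GovAssure, that puts the two ends of that range side by side: a static API-key check (the "long-lived key managed by each team" pattern) next to a small issuer and verifier for signed, audience-bound, single-use tokens with a five-minute lifetime. The issuer key, the audiences ("payments-api"), the subject ("batch-job") and the token format are all hypothetical, constructed for the example; a real deployment would use a cloud provider's workload identity or an OIDC token service rather than hand-rolled HMAC tokens, but the checks the verifier performs (signature, audience, expiry, replay) are the same ones those systems make.

```python
"""Added example: long-lived API key versus short-lived, checked-each-time service identity.

Everything here is constructed for illustration; the key material is generated at
import time and the service names are hypothetical.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Pattern 1: long-lived API key (the lower maturity levels) ----------------
# Anyone holding this string is the service, for any purpose, until someone
# remembers to rotate it. Constructed value, never use a key embedded in code.
STATIC_API_KEY = "sk_live_" + secrets.token_hex(16)


def check_static_key(presented: str) -> bool:
    """Constant-time compare; correct as far as it goes, but a leaked key works forever."""
    return hmac.compare_digest(presented, STATIC_API_KEY)


# --- Pattern 2: short-lived, audience-bound, single-use tokens ----------------
# Hypothetical issuer signing key held by a central token service. In practice this
# lives in an HSM or cloud KMS; it is generated here only so the example runs offline.
ISSUER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, audience: str, now=None, key=ISSUER_KEY, ttl=TOKEN_TTL_SECONDS) -> str:
    """Mint a token for one workload (subject) to call one service (audience).

    A fresh `jti` per token lets the verifier reject replays, and `exp` bounds the
    damage window if the token leaks. Format: base64url(claims).base64url(HMAC-SHA256).
    """
    now = time.time() if now is None else now
    claims = {
        "sub": subject,
        "aud": audience,
        "iat": int(now),
        "exp": int(now) + ttl,
        "jti": secrets.token_hex(16),
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


class Verifier:
    """Per-service verifier: checks signature, audience, expiry and replay on every call."""

    def __init__(self, key: bytes, audience: str):
        self.key = key
        self.audience = audience
        # Seen token ids. In production this is a cache pruned at each token's `exp`.
        self.seen = set()

    def verify(self, token: str, now=None):
        """Return (subject, 'ok') on success, else (None, reason)."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            return None, "malformed"
        # Check the signature before parsing anything, so unsigned input is never trusted.
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None, "bad signature"
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.audience:
            return None, "wrong audience"  # a token for another service is useless here
        if now >= claims["exp"]:
            return None, "expired"
        if claims["jti"] in self.seen:
            return None, "replayed"  # "checked each time" includes single use
        self.seen.add(claims["jti"])
        return claims["sub"], "ok"


if __name__ == "__main__":
    verifier = Verifier(ISSUER_KEY, "payments-api")
    token = issue_token("batch-job", "payments-api")
    print(verifier.verify(token))  # ('batch-job', 'ok')
    print(verifier.verify(token))  # (None, 'replayed')
```

The difference the maturity levels describe is visible in what a stolen credential buys: `STATIC_API_KEY` is valid for every caller and every service until rotated, whereas a captured `issue_token` output is bound to one audience, dies within `TOKEN_TTL_SECONDS`, and is refused a second time. Moving from the first pattern to the second is what the "short-lived identities, checked each time" option means in practice.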
How do you manage risks?
Informally, by individuals.
Tracked in spreadsheets by each team.
Teams keep risk registers, which they review and update.
We have a central risk system, which we review and update.
We use an advanced risk tool for all teams, which helps us spot and escalate risks.
I don't know
How do you manage staff identities?
Each service manages its own identities.
We have a central identity system, but not all services use it.
Most services use our central identity system, but a few don’t.
Nearly all services use our central system, and we keep them in sync.
Every service uses one identity system, with one identity per person.
I don't know
How do you reduce the risk from staff with high-level access?
We vet all staff with high-level access.
Systems keep logs, but logs are not checked or centralised.
We check logs before going live, but not regularly.
Logs are stored in one place, can’t be changed, and are checked automatically.
We have regular audits with legal checks to make sure logs are complete and can be used as evidence.
I don't know
How do you keep your software supply chain secure?
We don’t track software dependencies. Updates are done as needed.
We set dependencies at the start and update for big changes. Some teams use tools to check security.
All code is checked and updated regularly, with fixes applied as needed.
A central team watches all code, fixes big problems first, and checks how each dependency is used.
We use advanced tools to watch and fix supply chain risks, focusing on real threats.
I don't know
How do you find and fix security problems, vulnerabilities, and misconfigurations?
There is no clear way for people to report problems.
We publish how to report problems and respond quickly. We may use public reporting platforms.
We use automated tools to scan for problems and do regular checks.
We hunt for threats and respond quickly, with some automation.
We use red and purple teams to test security. A central team checks and fixes issues, with many actions automated.
I don't know
How do you secure your network and control access?
We rely on network controls like firewalls and IP allow-lists.
We use network controls and also check user identity.
We check both user and service identity, as well as network controls.
In some areas, we use strong identity checks instead of network controls, reducing VPN use.
We don’t use network perimeters. Access is based on device and user identity, with strong checks.
I don't know
How do you use two-factor or multi-factor authentication (2FA/MFA)?
It’s suggested, but not required.
It’s required, but not always enforced.
It’s enforced for nearly all users, with few exceptions.
Only strong 2FA/MFA methods are allowed (no SMS or phone-based codes).
Only hardware-based MFA is used, managed and given out by the organisation.
I don't know
How do you manage privileged access?
Each admin manages their own privileged accounts, with no set process.
We use central controls for passwords and keys, with basic logging.
We have structured admin processes, with one-time passwords for access.
We use automated systems for privileged access, with strong controls and checks.
We use advanced tools for privileged access, with full logging, approval steps, and regular reviews.
I don't know
How does your organisation respond to security breaches and incidents?
We do not have a set process for handling security breaches.
We have a basic process for reporting and managing breaches, but it is not always followed.
We have a clear process for handling breaches. Staff are trained, and we record what happens.
We test our breach process regularly and update it when needed.
We have a well-tested breach process. We review incidents, learn from them, and make improvements each time.
I don't know