• Cloud maturity models (CMMs) are helpful tools for evaluating an organization’s cloud adoption readiness and cloud security posture.

• Cloud adoption presents tremendous business opportunity—to the tune of USD 3 trillion—and more mature cloud postures drive greater cloud ROI and more successful digital transformations.

• There are many CMMs in practice and organizations need to decide which are most appropriate for their business and their needs. CMMs can be used individually, or in conjunction with one another.

Why move to the cloud?

Business leaders worldwide are asking their teams the same question: “Are we using the cloud effectively?” This quandary often comes with an accompanying worry: “Are we spending too much money on cloud computing?” Given the statistics—82% of surveyed respondents in a 2023 Statista study cited managing cloud spend as a significant challenge—it’s a legitimate concern.

Concerns around security, governance and lack of resources and expertise also top the list of respondents’ concerns. Cloud maturity models are a useful tool for addressing these concerns, grounding organizational cloud strategy and proceeding confidently in cloud adoption with a plan.

Cloud maturity models (or CMMs) are frameworks for evaluating an organization’s cloud adoption readiness on both a macro and individual service level. They help an organization assess how effectively it is using cloud services and resources and how cloud services and security can be improved.

Why move to cloud?

Organizations face increased pressure to move to the cloud in a world of real-time metrics, microservices and APIs, all of which benefit from the flexibility and scalability of cloud computing. An examination of cloud capabilities and maturity is a key component of this digital transformation and cloud adoption presents tremendous upside. McKinsey believes it presents a USD 3 trillion opportunity and nearly all of responding cloud leaders  (99%) view the cloud as the cornerstone of their digital strategy, according to a Deloitte study.

A successful cloud strategy requires a comprehensive assessment of cloud maturity. This assessment is used to identify the actions—such as upgrading legacy tech and adjusting organizational workflows—that the organization needs to take to fully realize cloud benefits and pinpoint current shortcomings. CMMs are a great tool for this assessment.

There are many CMMs in practice and organizations must decide what works best for their business needs. A good starting point for many organizations is to engage in a three-phase assessment of cloud maturity using the following models: a cloud adoption maturity model, a cloud security maturity model and a cloud-native maturity model.

Cloud adoption maturity model

This maturity model helps measure an organization’s cloud maturity in aggregate. It identifies the technologies and internal knowledge that an organization has, how suited its culture is to embrace managed services, the experience of its DevOps team, the initiatives it can begin to migrate to cloud and more. Progress along these levels is linear, so an organization must complete one stage before moving to the next stage.

• Legacy: Organizations at the beginning of their journey will have no cloud-ready applications or workloads, cloud services or cloud infrastructure.
• Ad hoc: Next is ad hoc maturity, which likely means the organization has begun its journey through cloud technologies like infrastructure as a service (IaaS), the lowest-level control of resources in the cloud. IaaS customers receive compute, network and storage resources on an on-demand, over the internet, pay-as-you-go pricing basis.
• Repeatable: Organizations at this stage have begun to make more investments in the cloud. This might include establishing a Cloud Center of Excellence (CCoE) and examining the scalability of initial cloud investments. Most importantly, the organization has now created repeatable processes for moving apps, workstreams and data to the cloud.
• Optimized: Cloud environments are now working efficiently and every new use case follows the same foundation set forth by the organdization.
• Cloud-advanced: The organization now has most, if not all, of its workstreams on the cloud. Everything runs seamlessly and efficiently and all stakeholders are aware of the cloud’s potential to drive business objectives.

Cloud security maturity model

The optimization of security is paramount for any organization that moves to the cloud. The cloud can be more secure than on-premises data centers, thanks to robust policies and postures used by cloud providers. Prioritizing cloud security is important considering that public cloud-based breaches often take months to correct and can have serious financial and reputational consequences.

Cloud security represents a partnership between the cloud service provider (CSP) and the client. CSPs provide certifications on the security inherent in their offerings, but clients that build in the cloud can introduce misconfigurations or other issues when they build on top of the cloud infrastructure. So CSPs and clients must work together to create and maintain secure environments.

The Cloud Security Alliance, of which IBM® is a member, has a widely adopted cloud security maturity model (CSMM). The model provides good foundation for organizations looking to better embed security into their cloud environments.

Organizations may not want or need to adopt the entire model, but can use whichever components make sense. The model’s five stages revolve around the organization’s level of security automation.

• No automation: Security professionals identify and address incidents and problems manually through dashboards.

• Simple SecOps: This phase includes some infrastructure-as-code (IaC) deployments and federation on some accounts.

• Manually executed scripts: This phase incorporates more federation and multi-factor authentication (MFA), although most automation is still executed manually.

• Guardrails: It includes a larger library of automation expanding into multiple account guardrails, which are high-level governance policies for the cloud environment.
• Automation everywhere: This is when everything is integrated into IaC and MFA and federation usage is pervasive.

Cloud-native maturity models

The first two maturity models refer more to an organization’s overall readiness; the cloud-native maturity model (CNMM) is used to evaluate an organization’s ability to create apps (whether built internally or through open source tooling) and workloads that are cloud-native. According to Deloitte, 87% of cloud leaders embrace cloud-native development.

As with other models, business leaders should first understand their business goals before diving into this model. These objectives will help determine what stage of maturity is necessary for the organization. Business leaders also need to look at their existing enterprise applications and decide which cloud migration strategy is most appropriate.

Most “lifted and shifted” apps can operate in a cloud environment but might not to reap the full benefits of cloud. Cloud mature organizations often decide it’s most effective to build cloud-native applications for their most important tools and services.

The Cloud Native Computing Foundation has put forth its own model.

• Level 1 – Build: An organization is in pre-production related to one proof of concept (POC) application and currently has limited organizational support. Business leaders understand the benefits of cloud native and, though new to the technology, team members have basic technical understanding.

• Level 2 – Operate: Teams are investing in training and new skills and SMEs are emerging within the organization. A DevOps practice is being developed, bringing together cloud engineers and developer groups. With this organizational change, new teams are being defined, agile project groups created and feedback and testing loops established.

• Level 3 – Scale: Cloud-native strategy is now the preferred approach. Competency is growing, there is increased stakeholder buy-in and cloud-native has become a primary focus. The organization is beginning to implement shift-left policies and actively training all employees on security initiatives. This level is often characterized by a high degree of centralization and clear delineation of responsibilities, however bottlenecks in the process emerge and velocity might decrease.
• Level 4 – Improve: At level 4, the cloud is the default infrastructure for all services. There is full commitment from leadership and team focus revolves heavily around cloud cost optimization. The organization explores areas to improve and processes that can be made more efficient. Cloud expertise and responsibilities are shifting from developers to all employees through self-service tools. Multiple groups have adopted Kubernetes for deploying and managing containerized applications.  With a strong, established platform, the decentralization process can begin in earnest.
• Level 5 – Optimize: At this stage, the business has full trust in the technology team and employees company-wide are onboarded to the cloud-native environment. Service ownership is established and distributed to self-sufficient teams. DevOps and DevSecOps are operational, highly skilled and fully scaled. Teams are comfortable with experimentation and skilled in using data to inform business decisions. Accurate data practices boost optimization efforts and enables the organization to further adopt FinOps practices. Operations are smooth, goals outlined in the initial phase have been achieved and the organization has a flexible platform that suits its needs.

What’s best for my organization?

An organization’s cloud maturity level dictates which benefits and to what degree it stands to gain from a move to the cloud. Not every organization will reach, or want to reach, the top level of maturity in each, or all, of the three models discussed here. However, it’s likely that organizations will find it difficult to compete without some level of cloud maturity, since 70% of workloads will be on the cloud by 2024, according to Gartner.

The more mature an organization’s cloud infrastructure, security and cloud-native application posture, the more the cloud becomes advantageous. With a thorough examination of current cloud capabilities and a plan to improve maturity moving forward, an organization can increase the efficiency of its cloud spend and maximize cloud benefits.

Advancing cloud maturity with IBM

Cloud migration with IBM® Instana® Observability helps set organizations up for success at each phase of the migration process (plan, migrate, run) to make sure that applications and infrastructure run smoothly and efficiently. From setting performance baselines and right-sizing infrastructure to identifying bottlenecks and monitoring the end-user experience, Instana provides several solutions that help organizations create more mature cloud environments and processes. 

However, migrating applications, infrastructure and services to cloud is not enough to drive a successful digital transformation. Organizations need an effective cloud monitoring strategy that uses robust tools to track key performance metrics—such as response time, resource utilization and error rates—to identify potential issues that could impact cloud resources and application performance.

Instana provides comprehensive, real-time visibility into the overall status of cloud environments. It enables IT teams to proactively monitor and manage cloud resources across multiple platforms, such as AWS, Microsoft Azure and Google Cloud Platform.

The IBM Turbonomic® platform proactively optimizes the delivery of compute, storage and network resources across stacks to avoid overprovisioning and increase ROI. Whether your organization is pursuing a cloud-first, hybrid cloud or multicloud strategy, the Turbonomic platform’s AI-powered automation can help contain costs while preserving performance with automatic, continuous cloud optimization.