Control Maturity: Not All Passes Are Created Equal
The Problem With Pass/Fail
Traditional CSPMs (cloud security posture management tools) only care about one thing: did it pass?
If your S3 bucket has encryption enabled, it passes. If your IAM user has MFA configured, it passes. Green checkmark. Move on.
But this binary view misses something crucial: the quality of the implementation.
Same Check, Different Quality
Let's look at MFA as an example. Three users, all passing the "MFA should be enabled" check:
| User | MFA Status | Implementation | Quality |
|---|---|---|---|
| user_ops | Enabled | Virtual TOTP app | Basic |
| user_dev | Enabled | Hardware security key (YubiKey) | Strong |
| user_security | Enabled | 2+ hardware keys with backup | Excellent |
All three pass. But the security gap between a TOTP app and multiple hardware keys is enormous: a TOTP code can be relayed through a real-time phishing proxy, while a FIDO2 hardware key binds its assertion to the origin it was registered with, and a second registered key means losing the first does not force a weaker recovery path. Traditional tools see no difference.
Introducing Maturity Tiers
Vigimati evaluates passing resources on three quality levels:
Bronze
The resource passes the control with a basic implementation. It meets the minimum requirements but could be significantly improved.
Examples:
- S3 encryption with SSE-S3 (Amazon-managed keys; applied to new buckets and objects by default since January 2023, so this is the floor rather than a deliberate choice)
- Single virtual MFA device
- Basic CloudTrail logging without log file validation
Silver
The resource passes with a strong implementation that follows recommended practices.
Examples:
- S3 encryption with KMS (customer-managed keys)
- Hardware security key for MFA
- CloudTrail with log file validation and multi-region enabled
Gold
The resource passes with an excellent implementation that represents best-in-class security.
Examples:
- S3 encryption with KMS, automatic key rotation, and bucket key enabled (an S3 Bucket Key reduces KMS request volume and cost rather than adding cryptographic strength, so it hardens the operational setup, not the encryption itself)
- Multiple hardware security keys with backup registration
- CloudTrail with log file validation, multi-region, organization trail, and S3 object-level logging
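To make the S3 encryption tiers concrete, here is an added example of a tiering function written for this post; it is not Vigimati's code and does not reflect how the product scores. It classifies a bucket's default-encryption setting into Fail/Bronze/Silver/Gold using the criteria listed above, then tallies the distribution across a small inventory, which is the "how many buckets sit at Bronze" view. The input records are shaped like the responses of s3:GetBucketEncryption, kms:DescribeKey and kms:GetKeyRotationStatus, but every record, bucket name and key ARN is constructed inline so the script runs offline. Two assumptions are mine: SSE-KMS with the AWS-managed aws/s3 key (or a key the inventory cannot identify as customer-managed) is treated like SSE-S3 and scored Bronze, and the first default-encryption rule is taken as the effective one.

```python
"""Maturity tiering for S3 default encryption (added example, not Vigimati's code)."""
from collections import Counter

BRONZE, SILVER, GOLD, FAIL = "Bronze", "Silver", "Gold", "Fail"
# SSE-KMS and dual-layer SSE-KMS both use a KMS key and are tiered the same way.
KMS_ALGORITHMS = {"aws:kms", "aws:kms:dsse"}


def s3_encryption_tier(bucket: dict, kms_keys: dict) -> str:
    """Classify one bucket's default encryption.

    Fail:   no default-encryption rule at all.
    Bronze: SSE-S3 (AES256), or SSE-KMS with an AWS-managed / unidentified key
            (assumption: not proven customer-managed, so no Silver credit).
    Silver: SSE-KMS with a customer-managed key.
    Gold:   Silver plus automatic key rotation plus an S3 Bucket Key.
    """
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return FAIL
    rule = rules[0]  # assumption: the first rule is the effective default
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        return BRONZE
    if algo not in KMS_ALGORITHMS:
        return FAIL  # unknown algorithm: flag for manual review
    # No KMSMasterKeyID with aws:kms means the AWS-managed aws/s3 key.
    key_id = default.get("KMSMasterKeyID")
    key = kms_keys.get(key_id) if key_id else None
    if key is None or key.get("KeyManager") != "CUSTOMER":
        return BRONZE
    if key.get("KeyRotationEnabled") and rule.get("BucketKeyEnabled"):
        return GOLD
    return SILVER


def maturity_distribution(buckets: list, kms_keys: dict) -> dict:
    """Count buckets per tier across an inventory."""
    return dict(Counter(s3_encryption_tier(b, kms_keys) for b in buckets))


# Constructed sample inventory: fictitious account, key IDs and bucket names.
CMK_ROTATED = "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"
CMK_STATIC = "arn:aws:kms:us-east-1:111122223333:key/22222222-2222-2222-2222-222222222222"
AWS_S3_KEY = "arn:aws:kms:us-east-1:111122223333:key/33333333-3333-3333-3333-333333333333"

# KeyManager comes from kms:DescribeKey, KeyRotationEnabled from kms:GetKeyRotationStatus.
SAMPLE_KMS_KEYS = {
    CMK_ROTATED: {"KeyManager": "CUSTOMER", "KeyRotationEnabled": True},
    CMK_STATIC: {"KeyManager": "CUSTOMER", "KeyRotationEnabled": False},
    AWS_S3_KEY: {"KeyManager": "AWS", "KeyRotationEnabled": True},
}


def _bucket(name: str, algo: str = None, key: str = None, bucket_key: bool = False) -> dict:
    """Build a GetBucketEncryption-shaped record; algo=None means no rule."""
    if algo is None:
        return {"Name": name, "ServerSideEncryptionConfiguration": {"Rules": []}}
    default = {"SSEAlgorithm": algo}
    if key:
        default["KMSMasterKeyID"] = key
    rule = {"ApplyServerSideEncryptionByDefault": default, "BucketKeyEnabled": bucket_key}
    return {"Name": name, "ServerSideEncryptionConfiguration": {"Rules": [rule]}}


SAMPLE_BUCKETS = [
    _bucket("logs-raw"),                                # no rule            -> Fail
    _bucket("public-assets", "AES256"),                 # SSE-S3             -> Bronze
    _bucket("app-uploads", "aws:kms", AWS_S3_KEY),      # AWS-managed key    -> Bronze
    _bucket("customer-pii", "aws:kms", CMK_STATIC),     # CMK, no rotation   -> Silver
    _bucket("payments", "aws:kms", CMK_ROTATED, True),  # CMK+rotation+bkey  -> Gold
]

if __name__ == "__main__":
    for b in SAMPLE_BUCKETS:
        print(f"{b['Name']:<16} {s3_encryption_tier(b, SAMPLE_KMS_KEYS)}")
    print(maturity_distribution(SAMPLE_BUCKETS, SAMPLE_KMS_KEYS))
```

The useful part of this shape is that the Silver/Gold decision needs data from two services: the bucket's own configuration says which key is referenced, but only the KMS inventory can confirm that the key is customer-managed and rotating. A scorer that looks at S3 alone will hand out Silver to buckets that are really on the aws/s3 key.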
Why Maturity Matters
Track Improvement Over Time
When you fix a finding, your compliance score goes up. But when you improve an implementation from Bronze to Gold, nothing changes in traditional tools. With maturity scoring, every improvement is visible and measurable.
Identify Upgrade Opportunities
Instead of only chasing failures, your team can identify resources that pass but could be hardened. "We have 50 S3 buckets at Bronze encryption — let's upgrade the ones with sensitive data to Gold."
Benchmark Quality
Maturity scoring lets you compare not just whether you comply, but how well you comply. Your organization might be 95% compliant, but if most passes are Bronze, there's significant room for improvement.
The Full Picture
When you combine maturity scoring with weighted compliance and residual risk, you get a complete view of your security posture:
- Weighted compliance tells you what controls matter
- Residual risk tells you what failures are dangerous
- Maturity tells you what passes need attention
This is what context-aware compliance looks like.
Measure Your Maturity
Start with Vigimati's free tier. See your maturity distribution across all controls and identify the quickest wins to elevate your security quality.
About
Vigimati Team
The team behind Vigimati, building context-aware cloud security compliance.