WAF++

Maturity Model (Sovereign Cloud)

The Sovereign maturity model enables structured self-assessment and defines a clear development path.

The Five-Level Model

Level 1: Ad-hoc / Undocumented
  Sovereignty not systematically addressed. Residency policy missing or informal. Region pinning not technically enforced. No systematic evidence collection.

Level 2: Documented & Defined
  Policy documents exist and are versioned. IaC contains region defaults. Backups configured. Subprocessors roughly known. However, there is little technical enforcement and no continuous verification.

Level 3: Enforced & Monitored
  Region pinning technically enforced (variable validation, SCP/policy). CMK for sensitive data. CloudTrail complete (multi-region, log file validation). Break-glass process exists. Dependency register up to date. Quarterly reviews documented.

Level 4: Measured & Automated
  Automated drift detection for all sovereign controls. Real-time alerts on violations. Exit drills conducted and documented. IAM Access Analyzer active. VPC Flow Log anomaly detection. KMS access monitoring.

Level 5: Optimized & Continuously Improved
  Auto-remediation on violations. Cryptographic erasure tested. SLSA-compliant supply chain. HYOK for highest-criticality data. Zero standing privilege fully implemented. Continuous compliance evidence pipeline. Exit RTO < 90 days proven.

Maturity per Control

Expected state of each control at Levels 1 to 5 (PMK: provider-managed key; CMK: customer-managed key; BYOK/HYOK: bring / hold your own key):

WAF-SOV-010 Data Residency Policy
  L1: No document
  L2: Document exists
  L3: IaC validation, CI gate
  L4: Drift detection
  L5: Policy-as-code, auto-remediation

WAF-SOV-020 Region Pinning
  L1: No enforcement
  L2: IaC defaults set
  L3: Variable validation + SCP/policy
  L4: Drift scan + alerting
  L5: Auto-block + auto-remediation

WAF-SOV-030 Backup Location
  L1: Backups uncontrolled
  L2: Location set, retention defined
  L3: All backups sovereign, PITR enabled
  L4: Restore tests documented
  L5: Automated restore tests + RTO measurement

WAF-SOV-040 Logging Residency
  L1: No log control
  L2: CloudTrail in EU, retention set
  L3: VPC flow logs enabled; no external log export without approval
  L4: Anomaly detection in log streams
  L5: Forensic capacity tested, sovereign SIEM

WAF-SOV-050 Key Ownership
  L1: PMK for everything
  L2: CMK for sensitive data
  L3: No PMK for PII/finance, key rotation active
  L4: BYOK for critical data, key access monitoring
  L5: HYOK with HSM, cryptographic erasure tested

WAF-SOV-060 Privileged Access
  L1: No control
  L2: No wildcards, MFA for admins
  L3: JIT, SoD, quarterly reviews
  L4: IAM Access Analyzer, SCP against escalation
  L5: Zero standing privilege, continuous verification

WAF-SOV-070 Break-Glass
  L1: Uncontrolled root
  L2: Runbook exists, CloudTrail active
  L3: Root alarm, post-incident review mandatory
  L4: Auto-rotation after use, annual drill
  L5: Dual-control JIT, full forensic pipeline

WAF-SOV-080 Dependency Inventory
  L1: No inventory
  L2: Informal inventory, provider pinned
  L3: Git-versioned register, DPA references
  L4: Automated alerts on new dependencies
  L5: SBOM, SLSA, continuous attestation

WAF-SOV-090 Egress Control
  L1: Open egress
  L2: Restricted ports, VPC endpoints deployed
  L3: Default-deny, domain allow-list
  L4: Flow log anomaly detection, GuardDuty active
  L5: Zero-trust network, auto-block anomalies

WAF-SOV-100 Exit Plan
  L1: No exit plan
  L2: Exit plan documented, never tested
  L3: Annual exit drill, IaC portable
  L4: Automated export tracking, dependency alternatives
  L5: Continuous exit readiness, RTO < 90 days proven

Assessing Current Maturity

The following questions are recommended for self-assessment:

Level 2 Checklist

  • Is a data residency policy present and versioned?

  • Are permitted regions explicitly defined for each environment?

  • Are backup retention periods configured?

  • Is a subprocessor register (even informal) available?

  • Are Terraform provider versions pinned?

Level 3 Checklist

  • Do all region/location variables have validation blocks?

  • Is there an SCP, Azure Policy or GCP Org Policy for region restriction?

  • Do PII and financial data use a customer-managed KMS key (not SSE-S3 `AES256` or other provider-managed keys)?

  • Is CloudTrail multi-region with log file validation active?

  • Are there CloudWatch alarms for root account activity?

  • Is a break-glass process documented and reviewed?

  • Are VPC endpoints for S3, KMS and other used services deployed?

  • Is the exit plan documented?
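Two of the Level 3 items above are verifiable from data AWS already produces: the trail configuration (multi-region, log file validation) and the CloudTrail records themselves (root account activity). The script below is an added example, not WAF++ code; the trail description and log records are constructed for the example, with field names following the CloudTrail describe_trails response and the CloudTrail event record format. The region allow-list is an assumption. The root predicate is the same one the CIS CloudWatch metric filter for root usage encodes, so the output is what the alarm in the checklist would fire on.

```python
"""Root-account activity detection over CloudTrail records, plus trail hygiene checks.

Added example, not WAF++ code. The trail description and the log records below are
constructed for the example; their field names follow the CloudTrail describe_trails
response and the CloudTrail event record format. ALLOWED_REGIONS is an assumption.
"""
import json
from typing import Iterable, Iterator

ALLOWED_REGIONS = {"eu-central-1", "eu-west-1"}  # assumption: sovereign allow-list


def trail_findings(trail: dict) -> list[str]:
    """Findings for one entry of describe_trails()['trailList'] (Level 3: multi-region + validation)."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region: API activity in other regions goes unrecorded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation off: no digest files to prove log integrity")
    if trail.get("HomeRegion") not in ALLOWED_REGIONS:
        findings.append(f"home region {trail.get('HomeRegion')!r} outside allow-list")
    return findings


def is_root_activity(event: dict) -> bool:
    """Same predicate as the CIS root-usage CloudWatch metric filter:
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
      && $.eventType != "AwsServiceEvent" }
    'invokedBy' and 'AwsServiceEvent' mark actions an AWS service performed on the
    account's behalf; those are not a human using the root credentials."""
    ident = event.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent")


def iter_records(log_text: str) -> Iterator[dict]:
    """CloudTrail delivers gzip'd JSON files with a top-level 'Records' list (gzip step omitted)."""
    yield from json.loads(log_text).get("Records", [])


def root_events(records: Iterable[dict]) -> list[dict]:
    """The events a root-activity alarm should fire on."""
    return [e for e in records if is_root_activity(e)]


# Constructed sample data (not real account activity).
SAMPLE_TRAIL = {"Name": "org-trail", "HomeRegion": "eu-central-1",
                "IsMultiRegionTrail": True, "LogFileValidationEnabled": False}

SAMPLE_LOG = json.dumps({"Records": [
    {   # interactive root console login: must alarm (sign-in is a global service event)
        "eventVersion": "1.08", "eventTime": "2024-05-03T07:12:44Z", "awsRegion": "us-east-1",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Success"}},
    {   # a service acting for the account: invokedBy present, not a human root session
        "eventVersion": "1.08", "eventTime": "2024-05-03T07:15:02Z", "awsRegion": "eu-central-1",
        "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "eventType": "AwsApiCall",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "invokedBy": "cloudformation.amazonaws.com"}},
    {   # ordinary IAM user
        "eventVersion": "1.08", "eventTime": "2024-05-03T07:20:31Z", "awsRegion": "eu-central-1",
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "eventType": "AwsApiCall",
        "userIdentity": {"type": "IAMUser", "userName": "svc-deploy", "accountId": "111122223333"}},
    {   # AWS-initiated event attributed to root (constructed to exercise the AwsServiceEvent exclusion)
        "eventVersion": "1.08", "eventTime": "2024-05-03T08:00:00Z", "awsRegion": "eu-central-1",
        "eventSource": "kms.amazonaws.com", "eventName": "RotateKey", "eventType": "AwsServiceEvent",
        "userIdentity": {"type": "Root", "accountId": "111122223333"}},
]})

if __name__ == "__main__":
    for f in trail_findings(SAMPLE_TRAIL):
        print("trail:", f)
    for e in root_events(iter_records(SAMPLE_LOG)):
        print(f"ROOT ACTIVITY {e['eventTime']} {e['eventName']} from {e.get('sourceIPAddress', '?')}")
```

Against the sample, only the console login is reported; the CloudFormation call and the service event carry root identity but are excluded by the same clauses the metric filter uses. A trail check that yields findings is a Level 2 result regardless of how good the alarm is.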

Level 4 Checklist

  • Are there automated Terraform checks (e.g. WAF++ Checker)?

  • Are IAM Access Analyzer findings regularly reviewed?

  • Are exit drills conducted and documented?

  • Is there flow log anomaly detection (GuardDuty / equivalent)?

  • Are KMS key accesses monitored for anomalies?
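The first Level 4 item, automated Terraform checks, can be implemented as a plan-time gate over the JSON that `terraform show -json tfplan` emits. The script below is an added example and is not the WAF++ Checker; the plan document inside it is constructed to mirror that JSON shape, and the region allow-list is an assumption. It covers three controls in one pass: provider regions for WAF-SOV-020 (resolving `var.<name>` references through the plan's `variables` section, so a pinned-by-variable region is still checked), S3 default encryption and KMS rotation for WAF-SOV-050, and `0.0.0.0/0` egress for WAF-SOV-090, walking child modules as well as the root module.

```python
"""Plan-time CI gate over `terraform show -json tfplan` output.

Added example, not the WAF++ Checker. SAMPLE_PLAN is constructed to mirror the
plan JSON shape; ALLOWED_REGIONS is an assumption for the example.
Covers WAF-SOV-020 (region pinning), WAF-SOV-050 (key ownership), WAF-SOV-090 (egress).
"""
import json
import sys

ALLOWED_REGIONS = {"eu-central-1", "eu-west-1"}  # assumption: sovereign regions


def _provider_region(plan: dict, cfg: dict):
    """Resolve a provider's region expression: a constant, or a single var.<name>
    reference looked up in the plan's 'variables' section. None if unresolvable."""
    expr = cfg.get("expressions", {}).get("region", {})
    if "constant_value" in expr:
        return expr["constant_value"]
    refs = expr.get("references", [])
    if len(refs) == 1 and refs[0].startswith("var."):
        return plan.get("variables", {}).get(refs[0][4:], {}).get("value")
    return None


def _planned_resources(plan: dict):
    """Yield resources from root_module and every nested child_modules entry."""
    def walk(mod):
        yield from mod.get("resources", [])
        for child in mod.get("child_modules", []):
            yield from walk(child)
    yield from walk(plan.get("planned_values", {}).get("root_module", {}))


def check_plan(plan: dict) -> list[str]:
    """One finding per violation; an empty list means the gate passes."""
    findings = []
    for key, cfg in plan.get("configuration", {}).get("provider_config", {}).items():
        if cfg.get("name") != "aws":
            continue
        region = _provider_region(plan, cfg)
        if region is None:
            findings.append(f"provider {key}: region cannot be resolved at plan time")
        elif region not in ALLOWED_REGIONS:
            findings.append(f"provider {key}: region {region} outside allow-list")

    for res in _planned_resources(plan):
        addr, rtype, vals = res["address"], res["type"], res.get("values", {})
        if rtype == "aws_s3_bucket_server_side_encryption_configuration":
            for rule in vals.get("rule", []):
                for d in rule.get("apply_server_side_encryption_by_default", []):
                    # AES256 is SSE-S3 (provider-managed); aws:kms without a key id falls back to
                    # the AWS-managed aws/s3 key. A key id taken from another planned resource is
                    # unknown at plan time and absent here; consult resource_changes[].change.after_unknown then.
                    if d.get("sse_algorithm") != "aws:kms" or not d.get("kms_master_key_id"):
                        findings.append(f"{addr}: no customer-managed KMS key (sse_algorithm={d.get('sse_algorithm')})")
        elif rtype == "aws_kms_key" and not vals.get("enable_key_rotation"):
            findings.append(f"{addr}: key rotation disabled")
        elif rtype == "aws_security_group":
            for eg in vals.get("egress", []):
                if "0.0.0.0/0" in (eg.get("cidr_blocks") or []) or "::/0" in (eg.get("ipv6_cidr_blocks") or []):
                    findings.append(f"{addr}: unrestricted egress (protocol {eg.get('protocol')})")
    return findings


SAMPLE_PLAN = {  # constructed; mirrors the shape of `terraform show -json tfplan`
    "format_version": "1.2",
    "variables": {"region": {"value": "eu-central-1"}},
    "configuration": {"provider_config": {
        "aws": {"name": "aws", "expressions": {"region": {"references": ["var.region"]}}},
        "aws.dr": {"name": "aws", "alias": "dr", "expressions": {"region": {"constant_value": "us-east-1"}}},
    }},
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_s3_bucket_server_side_encryption_configuration.logs",
             "type": "aws_s3_bucket_server_side_encryption_configuration",
             "values": {"rule": [{"apply_server_side_encryption_by_default": [
                 {"sse_algorithm": "AES256", "kms_master_key_id": None}]}]}},
            {"address": "aws_kms_key.data", "type": "aws_kms_key", "values": {"enable_key_rotation": True}},
            {"address": "aws_security_group.app", "type": "aws_security_group",
             "values": {"egress": [{"protocol": "-1", "from_port": 0, "to_port": 0,
                                    "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        ],
        "child_modules": [{"address": "module.data", "resources": [
            {"address": "module.data.aws_s3_bucket_server_side_encryption_configuration.pii",
             "type": "aws_s3_bucket_server_side_encryption_configuration",
             "values": {"rule": [{"apply_server_side_encryption_by_default": [
                 {"sse_algorithm": "aws:kms", "kms_master_key_id": "alias/sovereign-pii"}]}]}}]}],
    }},
}

if __name__ == "__main__":
    # usage in CI: terraform show -json tfplan > plan.json && python check_plan.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = check_plan(plan)
    for p in problems:
        print("FAIL", p)
    sys.exit(1 if problems else 0)
```

On the sample plan the gate fails with three findings (the `aws.dr` alias pinned to us-east-1, the SSE-S3 bucket, the open egress rule) while the module-level bucket with a named KMS key passes. Running this on every plan and failing the pipeline on a non-empty list is the CI gate the WAF-SOV-010 and WAF-SOV-020 rows call for at Level 3; scheduling the same check against the deployed state is the Level 4 drift detection.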

Recommended Entry Path

For organizations not yet at Level 3, we recommend the following prioritization:

Priority, action and affected control:

🔴 Immediate (Level 2→3): Region pinning: variable validation + SCP/policy + CI gate (WAF-SOV-020)

🔴 Immediate (Level 2→3): CMK for all PII/financial data: enable KMS with rotation (WAF-SOV-050)

🟠 Short-term (Level 2→3): CloudTrail: multi-region, log file validation, root account alarm (WAF-SOV-070; logging residency under WAF-SOV-040)

🟠 Short-term (Level 2→3): Security groups: remove 0.0.0.0/0 egress; deploy VPC endpoints (WAF-SOV-090)

🟡 Medium-term (Level 3→4): Clean up IAM wildcard policies; introduce JIT access (WAF-SOV-060)

🟡 Medium-term (Level 3→4): Create dependency register; pin provider versions (WAF-SOV-080)

🟢 Long-term (Level 4→5): Conduct and document exit drill (WAF-SOV-100)