Design and Evaluation of a Macro Security Architecture Assessment Framework for Hyperscaler Environments
Author
Remke, Felix Simon
Term
4. semester
Education
Publication year
2026
Abstract
As organisations adopt hyperscaler cloud platforms, designing and consistently evaluating a macro-level security architecture across services and providers becomes both critical and challenging. This thesis addresses how such architectures can be assessed systematically by first reviewing relevant security standards, evaluation methods, and maturity models (RQ1), and then integrating the Cloud Security Maturity Model (CSMM) and the Cloud Controls Matrix (CCM) into a consolidated assessment framework with control objectives and maturity levels aligned to the organisation’s security architecture (RQ2). A pragmatist mixed-methods design is employed, combining requirements elicitation from literature and standards with internal expert interviews for validation and refinement, and external validation through application in a representative hyperscaler-based environment and service use cases (RQ3). The results indicate that the framework provides a structured way to gauge a service’s cloud security maturity and alignment with the macro architecture, helping practitioners prioritise improvements in complex multi-cloud and hyperscaler contexts. The contribution is a reusable assessment lens and process that enable organisations to understand, compare, and advance their cloud security posture at scale. The thesis also outlines limitations and future work related to domain-specific exceptions, assessment differences, and sector variations.
As organisations adopt hyperscaler cloud, it becomes both important and difficult to design and consistently assess an overall (macro) security architecture across services and providers. This thesis examines how such an architecture can be assessed systematically, by first reviewing relevant security standards, evaluation methods and maturity models (RQ1), and then integrating the Cloud Security Maturity Model (CSMM) and the Cloud Controls Matrix (CCM) into a combined assessment framework with control objectives and maturity levels that reflect the organisation’s security architecture (RQ2). The work follows a pragmatic mixed-methods approach with requirements elicitation from literature and standards, internal validation through expert interviews, and external validation via application in a representative hyperscaler environment and concrete service use cases (RQ3). The results indicate that the framework provides a structured way to measure a service’s cloud security maturity and its alignment with the macro architecture, which helps practitioners prioritise improvements in complex multi-cloud and hyperscaler contexts. The contribution is a reusable assessment lens and process that supports organisations in understanding, comparing and further developing their cloud security at scale. The thesis also outlines limitations and future work concerning domain-specific exceptions, differences in assessments and sector variations.
[This abstract has been generated with the help of AI directly from the project full text]
