Zero Trust Maturity Model: A Multi-Chapter Guide

Zero trust (ZT) is a paradigm shift in network security, a new set of design principles that conceptually changes how modern networks are secured. Traditional network security relies upon implicit trust for resource access (that is, internal users are considered trustworthy) and focus on protecting the defined network perimeter. The zero trust architecture (ZTA) model was proposed based on the belief that the implicit trust model is flawed because it can benefit attackers by enabling uncontested lateral movement within the network post-compromise.

The ZT design principles shift focus away from the network perimeter, taking a resource-centric approach to security. All data and systems are considered resources, with none implicitly trusted, regardless of privilege. All data traffic is considered hostile, and compromise is assumed unless there is explicit authorization.

Maturing a zero trust architecture is a journey that must be led from the top of an enterprise. ZT is neither a single product that can be installed nor a new technology. Zero trust deployment requires commitment, time, strong leadership, and a robust strategy. A ZTA may require a change in an enterprise’s cybersecurity culture to reach maturity, so senior leadership must fully support and provide resources to a ZT strategy to ensure success.

This article discusses some best practices to assist an enterprise in maturing a ZTA program. The focus will be on the Zero Trust Maturity model created by the Cybersecurity and Infrastructure Security Agency (CISA). The article suggests enterprise best practices to mature the seven pillars of ZT tenets using the NIST SP 800-207 tenets and assumptions.

Zero Trust Maturity Summary

A zero trust architecture is best visualized as seven pillars that are matured and integrated across an enterprise. The seven pillars discussed in this article are illustrated below.

Optimal ZT maturity is achieved by evolving and integrating pillars through fourth maturity levels. Success is reliant upon the creation of a robust, long-term strategy fully supported by senior management at all stages.

Traditional Maturity Level: Traditional network architectures have large perimeters and are macro-segmented with little or no automation. An enterprise with this level of maturity has not started its zero trust journey.
‍
Initial Maturity Level: This stage is marked by the initiation of automation necessary for assigning attributes and managing lifecycles, aiding in policy decision-making and enforcement. Includes introduction of cross-pillar solutions, laying the groundwork for more complex, interconnected systems in the future. Aggregated visibility for internal systems, offering an encompassing view of the security landscape, setting the stage for further development and fine-tuning.

Advanced Maturity Level: An advanced maturity level will see more cross-pillar integration, micro-segmentation, basic analytics, and automation successfully implemented. An enterprise will have achieved an elevated level of security but still lack the refinement of a fully mature ZT architecture.

Optimal Maturity Level: Optimal ZT maturity is the ultimate aim of an enterprise implementing a ZT solution. At this level of maturity, enhanced policy enforcement, centralized management, risk mitigation, and incident response will be in operation. An enterprise at this level of maturity will have fully achieved ZT.

The table below summarizes the pillars and related technologies as they advance from traditional networks through the four maturity levels to the optimal implementation.

	Traditional	Initial	Advanced	Optimal
Identity	On-premises Identification, Authentication, Authorization, and Accountability (IAAA), with identities authenticated by single-factor authentication (SFA) in most enterprises	Multi-factor authentication (MFA) is introduced alongside self-managed and hosted identity stores. Access rights now expire, triggering automated reviews, although manual identity risk assessments still persist.	IAAA performed as a combination of federated and on-premises systems, with identities authenticated by MFA	Identities authenticated using MFA for initial access and then continually validated throughout the user’s session
Device	Device compliance with limited visibility and manual asset management	All physical assets are tracked, and limited device-based access control and compliance enforcement begin to take shape. Protection measures are partially automated, initially moving away from manual processes	Most devices have compliance enforcement mechanisms with automated methods employed to track assets	Continually monitored and validated device security posture, with asset and vulnerability management integrated across all environments
Network	Network architectures have large perimeters and are macrosegmented with internal/external traffic explicitly encrypted	Critical workloads begin to be isolated network capabilities are adjusted to manage more applications and dynamic configurations are introduced to parts of the network. Encryption becomes more widespread and key management policies get formalized.	Much of the network defined by ingress/egress microperimeters and microsegmentation; all traffic to internal applications encrypted	A zero trust network access (ZTNA) controller authenticates connection requests from endpoints based on policies; all network traffic is encrypted
Application	Remote application access governed by VPN and traditional firewalls that block traffic by port, protocol, destination and source addresses	Some mission-critical workflows begin to incorporate integrated protection measures, and applications become accessible over public networks, strictly to authorized users,	Remote on-premises applications access by VPN with some application access on the cloud; active connections tracked and monitored using stateful firewalls	Identity-based access control with direct access to applications; web application firewalls inspecting application layer traffic using dynamic policies
Data	Data at rest stored on-premises unencrypted, with inconsistent manual data categorization	Automation is introduced for data inventory and access control, to a limited extent, strategies for data categorization begin, and some data stores become highly available. Some data is encrypted in transit, implementing initial centralized key management policies.	Data at rest encrypted and stored in cloud or remote environments, with a combination of manual and static methods used to categorize data	All data at rest encrypted and data categorization enhanced by machine learning
Observability	Limited data and log inventories prevent a holistic view of the enterprise network, with static attributes used for observing user activity	Limited automation is introduced for monitoring network activities, with a basic framework for real-time threat alerts and responses beginning to take shape.	Most data and logs are inventoried, with manual analysis of aggregated user activity	All access events are analyzed for suspicious activity, with user visibility centralized via user and entity behavior analytics (UEBA).
Analytics and aAutomation	The organization relies on manual administration of systems, networks, devices, and application environmental changes	Basic data analytics and automation of simpler tasks commence, paving the way for a more robust, data-driven security approach.	Basic automation of device provisioning and change workflows; applications can inform network and system devices of changing state	Fully enforced automated security policies and administration; device and network configurations automated using infrastructure as code and continuous integration/continuous deployment (CI/CD) models

Zero Trust Tenets and Assumptions

NIST SP 800-207 discusses seven tenets and six assumptions that regulate ZT resource access and data management. When an enterprise takes action to progress pillars, it must consider the tenets and assumptions. These tenets are idealistic and aspirational targets to be considered on the path to maturity. It is acknowledged that enterprise technologies, policies, and strategies will restrict and impact the extent to which tenets are applied. The tenets and assumptions are displayed below.

Tenets

All enterprise network utilities are considered resources
All communication is secured
Resources are accessed on a per-session basis
Resource access is determined by dynamic policies
Data integrity must be maintained at all times
Resources are rigorously authenticated and authorized continually
Enterprise data is collected to improve security

Assumptions

The enterprise network is not an implicit zone
Devices on the network may not be owned or configurable by the enterprise
No device is inherently trusted
Enterprise resources may reside on on-enterprise infrastructure
Remote enterprise resources will not fully trust their local network
Security will be maintained between enterprise and non-enterprise infrastructures

Zero Trust Tenets

All enterprise network entities are considered resources: All data, users, devices, and systems with access to the enterprise network are considered untrusted resources.
All communication is secured: Trust should never be implied regardless of resource privilege or location. All resources with access to the enterprise must be rigorously authenticated and authorized equally.
Resources are accessed on a per-session basis: The enterprise must enforce a policy of least privilege and grant resources with the minimum access needed to complete a task. Automatic access to additional resources is never granted unless explicitly authorized.
Dynamic policies determine resource access: Adaptive access policies based on context, including a user’s role, location, device, and requested data or service, are used to govern resource access.
System and data integrity must be maintained at all times: No asset is inherently trusted. The enterprise must monitor the integrity of all assets, including patch status and vulnerabilities.
Resources are rigorously and continuously authenticated and authorized: Trust must be verified and validated continuously. MFA must be used for most, if not all, resource access from users.
Enterprise data is collected to improve security: Data should be collected from multiple enterprise sources to give insight and context to improve security posture.

Zero Trust Assumptions

The enterprise network is not an implicit trust zone: All connections must be authenticated and traffic encrypted. Network compromise is to be always assumed.
Devices on the network might not be owned or configurable by the enterprise: Non-enterprise devices may be present on the enterprise network. Enterprises may employ bring-your-own-device (BYOD) policies, which may include device management software or the installation of anti-malware software.
No device is inherently trusted: Enterprises must evaluate all assets continually. Resource credentials alone are insufficient for authentication and authorization.
Enterprise resources may reside on non-enterprise infrastructure: Enterprise resources may need to access local networks for connectivity and network and cloud services.
Remote enterprise resources will only partially trust their local network connections: All non-enterprise networks are to be considered hostile. All access requests are continually authenticated and authorized.
Security will be maintained between enterprise and non-enterprise infrastructures: Resources and workloads will maintain a consistent security policy and posture when transiting to non-enterprise infrastructures.

Maturing the Zero Trust Pillars

Identity Pillar

Identity is the new perimeter in a ZTA, with the Identity pillar critical to progressing maturity. A traditional network using single-factor authentication (SFA) only verifies that a subject is using authenticatable and authorized credentials. ZT applies context and enhances the authentication and authorization process, confirming that the correct subject has the precise attributes, authorization, and circumstances to access a resource by employing multi-factor authentication (MFA), one-time-passwords (OTP), or passkeys. Least privilege controls, including role-based access control (RBAC) mechanisms, are deployed to restrict a subject’s visibility and accessibility. The deployment of identity providers, including federated management, ensures that user identities will be managed consistently throughout the environment and enables the use of single sign-on (SSO) services to alleviate users from having to keep track of multiple credentials and to allow authentication to be centrally managed.

Identity risks and insider threats are challenging to address in a traditional network. If a user does not report a credential compromise, the enterprise continues to implicitly trust that individual. Identity risks are addressed and insider threats are mitigated using user behavior analytics. User and entity behavior analytics (UEBA) evaluates a user’s typical behavior pattern. This method uses machine learning to analyze and identify deviations from established practices and alert security staff. UEBA monitors all resources in the enterprise for behavior changes, including servers, devices, and applications.

The table below details some Identity pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Best practice	Traditional	Initial	Advanced	Optimal
Authentication	On-premises identity management with SFA password policies	Validation of identity through MFA, which could incorporate passwords as one element. Can include several characteristics such as the entity’s location or behavior patterns.	More centralized identity management with SFA and MFA policies and some user attributes and context enforcement	Centralized identity management integrated into applications and platforms; MFA policies enforced by user attributes, context, OTP, or passkeys
Identity storage	On-premises identity providers	A combination of self-managed identity stores and hosted identity stores.	Some identities federated and on-premises that begin to be securely consolidated and integrated	Global identity awareness across the enterprise and cloud
Risk	Minimal identity risk taken into consideration	Risk identified using manual methods and static rules	Identity risk governed by static rules and analytics, but with some automated analysis and dynamic rules	User behavior analyzed with support from real-time machine learning to determine and action risks
Monitoring	User activity monitoring limited to static attributes	Some activity monitored with automated processes	User activity aggregated with static characteristics and manual analysis	Centralized user activities monitored by dynamic policies; UEBA used to monitor user characteristics and attributes

Device Pillar

Traditional network security approaches do not consider the device when authorizing access to data because the primary consideration for data access is identity. As enterprises mature the Device pillar and employ policies such as BYOD, they will encounter challenges with device data access, compliance, and management.

Securing devices and endpoints in a perimeterless environment is foundational to ZT. Devices hosted in a ZTA will be subject to continual validation and activity monitoring, even if other resources trust the device on the network. Endpoint security will mature as it moves from signature-based malware detection to advanced multi-layer endpoint protection that incorporates signed software, real-time threat intelligence, device management, and behavioral analysis.

The table below details some Device pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Best practice	Traditional	Initial	Advanced	Optimal
Compliance monitoring	Limited visibility into device compliance	A basic process is in place for self-reported device characteristics with limited enforcement mechanisms.	Compliance enforced for most devices	Compliance continuously monitored and validated
Data access	Access to data typically not considered and dependent on the enterprise	Some devices or virtual assets required to report characteristics before approving access	Device security posture considered on first access to data	Access to device data integrated with real-time device analytics
Asset management	Device inventory tracked manually	Tracking of all physical and some virtual assets	Device vulnerabilities, patching, and management automated	Asset, patch, and vulnerability management integrated across the enterprise, cloud, and remote locations
Endpoint security	Signature-based antivirus able to detect known threats	Some automated processes for deploying and updating threat protection to devices and virtual assets with limited policy enforcement	Signature-based preventative endpoint detection and response (EDR) products, with some machine learning	Integrated endpoint managed detection and response (MDR) integrated with the Security Operations Centre (SOC) and the use of machine learning

Network Pillar

Cloud-hosted applications, remote workers, and the possibility of rogue devices or malware on devices within the corporate network have dissolved the traditional network perimeter. ZT principles are designed to meet the security requirements of these modern perimeterless networks. Cross-pillar integration between the ZT Network and Identity pillars is vital to ensure secure access to network resources, with encryption deployed by default in the protection of data confidentiality and integrity.

As an enterprise evolves its architecture toward micro-segmentation, it reduces its network attack surface. Furthermore, by limiting the lateral movement of an attack, an enterprise can better assure its regulatory compliance.

Software-defined networking (SDN) is a new networking paradigm that separates a network’s control plane from its data plane. It is a logical, dynamic, and programmable software approach to networking that enables administrators to take complete control and get a holistic view of an enterprise architecture. SDN programmability enables it to achieve true micro-segmentation by setting granular security policies that define perimeters and dictate resource communication. Unauthorized communication would be blocked and an alert triggered for investigation.

However, micro-segmentation is limited to the LAN and still gives attackers free rein within a segment, so the optimal form of secure networking is the zero trust network access (ZTNA) model. Under this model, a zero trust controller authenticates users through multi-factor authentication (MFA). The controller then checks the attributes of the user and the device requesting access, such as a certificate, as well as attributes like the device location. Finally, the controller matches the user with a list of applications based on access control policies and grants access. With ZTNA, compromised devices can be instantly blocked, and policies can be dynamically updated and applied device by device.

The table below details some Network pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Best practice	Traditional	Initial	Advanced	Optimal
Architecture	Macrosegmented perimeter based upon defense-in-depth “castle and moat” architecture	Network architecture with isolation of critical workloads begins to be deployed, constraining connectivity to least function principles	Network progressing toward ingress/egress microperimeters and microsegmentation	Network architecture complies with zero trust network access (ZTNA) policy-based control of traffic between endpoints
Software-defined networking	Physical, manually configured, on-premises network devices with fixed control and data planes	SDN design attributes begin to be incorporated into network architecture	Some SDN-controlled physical and virtual devices, with control and data plane decoupled	Fully decoupled data and control planes; physical and virtual SDN-controlled network devices deployed across the enterprise
Security	Static traffic filtering based upon known threats	Network capabilities to manage availability demands and dynamic security requirements begin to be employed	Basic security analytics to dynamically detect threats	Integrated machine learning with context to proactively detect threats
Data-in-transit encryption	Minimal internal or external data encryption	All traffic to internal applications begins to be encrypted, while preferring encryption for traffic to external applications	Encryption for all applicable internal and external traffic is ensured	All internal and external data encrypted, if achievable

Application Pillar

Traditional remote access to applications uses an encrypted virtual private network (VPN). ZTNA changes how applications are accessed from inside and outside the office by removing the need for a VPN. Gartner predicts that by 2025, 70% of remote access will be served by ZTNA as opposed to VPNs.

Application and network access is traditionally controlled by firewalls based on the message protocol, port, state, and source and destination addresses. Web application firewalls (WAFs) additionally protect applications from cross-site forgery, cross-site scripting (XSS), injection, and other Layer 7 attacks. A WAF acts as a reverse proxy that protects a server from exposure to clients attempting to access its resources. Policies govern a WAF’s operation and can be modified quickly and easily. A WAF’s response to a denial-of-service attack can be instantaneous by automatically applying a policy of rate-limiting and blocking an IP source that is sending an abusive number of packet requests.

ZTNA application access is determined by user identity, location, device security posture, and other attributes that contribute to the authorization for application access. First, a user connects and is redirected to authenticate using MFA through the organization’s identity provider and single sign-on (SSO) service. The ZT policy engine applies the security policy, and real-time user and device attributes are verified before access to an application is granted.

The table below details some Application pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Best practice	Traditional	Initial	Advanced	Optimal
Authorization	Authorization to access applications typically localized on-premises and established upon static attributes with no context	Authorizing access capabilities to applications that incorporate contextual information per request begins to be implemented.	Increased reliance upon centralized authentication and authorization	Authorization verified and continually validated, with real-time risk analytics and context taken into consideration
Security	Traffic controlled using a traditional firewall based on port, destination, and source address	Static and dynamic testing methods are used to perform security testing prior to application deployment	Traffic controlled using a stateful firewall to track and monitor the state of active network communications	Traffic controlled using web application firewalls to additionally block application layer attacks via automation and dynamic policies
Threat protection	Minimal integration between application workflows and threat protection systems, restricted to detecting generally known threats	Threat protections are integrated into mission-critical application workflows, delivering protection against known and application-specific threats	Essential integration between application workflows and threat protection systems, with a focus on generally known threats and some application-specific protection	Full integration between application workflow and threat protection systems; application analytics collated and used to analyze application behaviors
Accessibility	Access to some applications hosted by cloud, accessible via the internet, with others accessible via VPN	Some applicable mission critical applications are made available over open public networks to authorized users	Access to applications hosted on-premises via VPN, with all cloud applications accessible via the internet	Access to all applications via the internet

Data Pillar

Integration of the data pillar is essential to achieve optimal ZT maturity. All data at rest, regardless of where it resides, is encrypted under optimal ZT maturity. Labeling, categorization, and inventory of data is critical to its security. Traditional environments conduct data categorization and inventorying manually, which leads to inconsistency that impedes automation. Machine learning ensures that the same categorization and inventorying standard is attained across the enterprise.

The least privilege principle across a ZTA enforces data access by only assigning the privileges necessary to perform specific duties and no more. Least privilege access is supplemented by just-in-time, just-enough principles that provide deeper granular access to resources.

The table below details some Data pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Best practice	Traditional	Initial	Advanced	Optimal
Data-at-rest encryption	Data primarily stored on-premises and typically unencrypted	Data at rest is encrypted where feasible, including both on-premises and cloud environments	Data encrypted and stored in remote or cloud environments	All data at rest encrypted
Inventory Management	Poor data inventory due to manual and inconsistent categorization	Data inventory processes begin to be automated for both on-premises and cloud environments, thus beginning to incorporate protections against data loss	Data categorization using both manual and static analysis methods, with some automated tracking	Data tagged and tracked for continuous data inventorying, augmented with machine learning
Access	Static controls governing data access	Some automated data access controls begin to be deployed incorporating elements of least privilege across the network	Data governed by least privilege access controls, risk, and other attributes	Dynamic data access supporting just-in-time and just-enough principles, informed by real-time, risk-based attributes
Protection	Manual data discovery and classification, with network and endpoint security blocking known threats	Data discovery and classification begin to be automated	Limited automated data discovery and classification technology employed	Fully automated data discovery and classification, supported by dynamic data loss prevention technologies and integrated with real-time analytics

Observability Pillar

ZT Observability measures enterprise systems’ internal states by analyzing data outputs. Log analysis and resource data are collected and analyzed to produce a baseline of an enterprise network. Deviation from baseline will alert an organization’s security or I.T. staff to investigate.

The table below details some Observability pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Best Practice	Traditional	Initial	Advanced	Optimal
Device visibility	Manual label inspections and network discovery and reporting	Initial device visibility capabilities are implemented, beginning to automate the creation of device lists	Authorized lists of devices resolved against inventories, with noncompliant devices isolated manually	Endpoint detection and response (EDR) systems continually inspecting and reporting on device security postures
Network visibility	Perimeter visibility with centralized log analysis	Automation of log and event collection begins to be implemented	Integrated enterprise log analysis with manual triggers and alerts	Integrated enterprise log analysis with automated triggers and alerts
Application visibility	Security and health monitoring of applications performed in isolation, away from enterprise security sensors	Monitoring of applications is undertaken, gradually integrating and harmonizing with selected enterprise sensors, marking a transition from isolated monitoring to a more interconnected approach	Security and health monitoring of applications performed, with some enterprise security sensors	Enterprise sensors integrated with application security and health monitoring with continuous and dynamic monitoring
Data visibility	Visibility impacted by limited analytics and data inventories	Data inventories start to expand and basic analytics are applied, marking a developmental phase between limited analytics and comprehensive data accountability	Data mainly inventoried and accountable, with analytics limited to unencrypted data	Data fully accounted for and inventoried; all access events and suspicious events logged and analyzed, with analytics possible on encrypted data

Automation Pillar

The weakest link in security is the human. As a ZTA implementation matures, more automation will be introduced, reducing human error. Automation will benefit data discovery because when high-value data is identified and categorized, it can better conform with enterprise data life cycles.

The table below details some Automation pillar security best practices and summarizes their progress through the four levels of ZT maturity.

Best Practice	Traditional	Initial	Advanced	Optimal
Device provisioning	Devices have static capacity allocation and are manually provisioned	Devices begin to be provisioned using automated processes	Devices have policy-driven distributions and can be scaled and provisioned using automated processes	Devices can be dynamically scaled and deployed using infrastructure as code along with continuous integration / continuous deployment (CI/CD) principles
Network automation	Network changes and workflows manually planned and executed	Planning and execution of network changes and workflows begin to adopt some level of automation, facilitating the transition from purely manual operations to an environment where manual and automated processes coexist	Network changes and workflows automated	Network configured by infrastructure as code, with pervasive automation
Application hosting locations	Application hosting locations manually assigned by enterprise administrators	Hosting locations are primarily manually assigned, a transition towards applications gradually gaining awareness of their location and state begins, setting the stage for dynamic communication of changes in their state.	Applications are aware of their location and can communicate their changing state	Applications adapt to ongoing enterprise environmental changes automatically for security and performance optimization
High-value data discovery	Some data management automated, with much automation impeded by inconsistent categorization and labeling	A blend of automated data management and manual audits is employed to identify and safeguard high-value data	Manual audits commissioned to locate high-value data and assess access controls, with limited automation to apply to controls and backups	High-value data access controls enforced automatically and always backed up with automated inventorying

Summary

Maturing zero trust is a journey and a challenge that requires a robust strategy for success. The seven pillars of ZT can evolve at different rates, but to attain optimal ZT, they must integrate. The seven tenets that regulate the pillars must be consulted before maturity decisions are made to conform. As an enterprise matures the pillars, it will reduce its attack surface, obtain better visibility of its network, and become more automated.

‍

Introducing Cyberight ZTMesh™: Revolutionizing Zero Trust Network Access for Enterprises

Cyberight Spins Off from Optm

The Guide to Zero Trust Maturity Model