Zero Trust Maturity Rubric and Tool Matrix
Version 2 of CISA’s Zero Trust Maturity Model expands on the content and guidance of the first version, but one specific change deserves attention:
Do you see it? CISA saw the need to split the old Advanced section into Advanced and Initial. This highlights a need to differentiate organizations who are just at the start of their zero trust maturity journey compared to those who are well into it.
We fully understand why: Too many organizations are on Initial when they think they are Advanced.
So while CISA put together the results of what moving on to each tier accomplishes for an organization, existing organizations are left to decide where they currently are.
"If you don’t know where you’ve come from, you don’t know where you’re going." (Maya Angelou)
It may be easier for organizations to understand where they stand by simply looking at the tools in their infrastructure, the same way you can estimate a civilization’s technology from the presence of bronze tools and the absence of steel.
Zero Trust Maturity Tool Matrix
How can your organization tell which category it currently belongs to?
We’ve done the heavy lifting. Here is a tool chart of where an organization is based on CISA’s defined results for that location:
(Note that we plotted this based upon the widespread use of said tool. It is entirely possible to advance to the next level by utilizing the tool to the extreme, or in conjunction with other tools that shore up any weaknesses.)
- Due to the sheer number of tools that exist, we couldn’t list every tool (and there are quite a few tools that purportedly span multiple columns).
- We have left the Optimal column purposefully blank. Using a tool does not automatically place you in a column — using it with zero trust principles in mind may get you there.
Remember that each column has blurry lines — a tool used to the extreme can show better results than a powerful tool used only at a basic level. Moreover, larger organizations may have uneven tool adoption; it’s entirely possible that certain subsections of their infrastructure are still in the traditional stage while other sections are nearing the optimal stage. Some network segments may be at the advanced stage while adjacent network segments are closer to initial.
Zero Trust Maturity Score Methodology
CISA divides the zero trust maturity model into four stages based on the following criteria:
- Traditional — manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes (security and logging); static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; least privilege established only at provisioning; siloed pillars of policy enforcement; manual response and mitigation deployment; and limited correlation of dependencies, logs, and telemetry.
- Initial — starting automation of attribute assignment and configuration of lifecycles, policy decisions and enforcement, and initial cross-pillar solutions with integration of external systems; some responsive changes to least privilege after provisioning; and aggregated visibility for internal systems.
- Advanced — wherever applicable, automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination; centralized visibility and identity control; policy enforcement integrated across pillars; response to pre-defined mitigations; changes to least privilege based on risk and posture assessments; and building toward enterprise-wide awareness (including externally hosted resources).
- Optimal — fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report with dynamic policies based on automated/observed triggers; dynamic least privilege access (just-enough and within thresholds) for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.
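The four stage descriptions above can be turned into a simple self-assessment. The following is an added example, not CISA's or Pomerium's code: each criterion that has a distinct description at every stage (lifecycle automation, least privilege, policy enforcement, visibility) is graded Traditional=0 through Optimal=3, a segment's stage is the lowest grade across its criteria (every criterion of a stage must be met), and the enterprise stage is the lowest segment, reflecting the note that adjacent network segments can sit at different stages. The criterion names, level labels and segment data are constructed for illustration.

```python
# Added example (constructed; not from CISA's model or Pomerium).
# Grades observable criteria drawn from the four CISA stage descriptions.
STAGES = ("Traditional", "Initial", "Advanced", "Optimal")

# criterion -> level labels ordered by stage; the index is the grade (0..3).
# Labels are shorthand for the stage descriptions above.
CRITERIA = {
    "lifecycle_automation": ("manual", "starting", "automated", "just_in_time"),
    "least_privilege": ("at_provisioning", "some_responsive", "risk_based", "dynamic"),
    "policy_enforcement": ("siloed", "initial_cross_pillar", "integrated", "interoperable"),
    "visibility": ("limited", "aggregated_internal", "centralized", "comprehensive"),
}


def grade(criterion, observed):
    """Return the stage index (0..3) for one observed criterion level."""
    levels = CRITERIA[criterion]
    if observed not in levels:
        raise ValueError(f"{criterion}: unknown level {observed!r}")
    return levels.index(observed)


def segment_stage(observations):
    """Stage of one segment: the lowest grade across all criteria, plus the
    criteria holding that segment back (the next place to invest)."""
    grades = {c: grade(c, observations[c]) for c in CRITERIA}
    lowest = min(grades.values())
    laggards = sorted(c for c, g in grades.items() if g == lowest)
    return STAGES[lowest], laggards


def enterprise_stage(segments):
    """Enterprise stage is bounded by its weakest segment."""
    per_segment = {name: segment_stage(obs) for name, obs in segments.items()}
    overall = min(STAGES.index(stage) for stage, _ in per_segment.values())
    return STAGES[overall], per_segment


# Constructed sample: a modern app segment next to a lagging legacy network.
SAMPLE_SEGMENTS = {
    "corp-web-apps": {"lifecycle_automation": "automated", "least_privilege": "risk_based",
                      "policy_enforcement": "integrated", "visibility": "centralized"},
    "legacy-ot-network": {"lifecycle_automation": "starting", "least_privilege": "at_provisioning",
                          "policy_enforcement": "initial_cross_pillar", "visibility": "aggregated_internal"},
}

if __name__ == "__main__":
    overall, detail = enterprise_stage(SAMPLE_SEGMENTS)
    for name, (stage, laggards) in detail.items():
        print(f"{name}: {stage} (held back by: {', '.join(laggards)})")
    print(f"enterprise: {overall}")
```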
Why Care About Zero Trust?
A good question! Here’s a piece unpacking the benefits of zero trust as laid out by NIST, but the short answer is:
- The Network Perimeter cannot be feasibly defended
- Network architecture should be secure by design while providing operational agility
- Organizations should have full observable insight into what is happening in their networks
As governments decide whether they should have more power over organizations posing cybersecurity risks, CISA and NIST haven’t been shy about encouraging organizations to adopt zero trust architecture.
(Prefer something fun to read? Here’s a no-marketing-fluff Children’s Guide to Zero Trust you can read to your children … or executives!)
Where Should Organizations Start?
Implementation doesn’t need to happen overnight. NIST says:
"Enterprises should use a risk-based approach to set and prioritize milestones for their gradual adoption and integration of ZTA across their enterprise environment." (Line 561 of NIST’s Implementing a Zero Trust Architecture)
We tell this to organizations that use Pomerium too: adopting ZTA is never rip and replace and should be a gradual roll-out across their enterprise environment.
Start your zero trust journey today with Pomerium, an open-source context-aware access proxy for securing access to applications and services. Whether you’re spinning up a new application or trying to add access control to a legacy service, Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN. The result is:
- Easier because you don’t have to maintain a client or software.
- Faster because it’s deployed directly where your apps and services live. No more expensive data backhauling.
- Safer because every single action is verified for trusted identity, device, and context.
Our customers depend on us to secure zero trust, clientless access to their web applications every day.