Zero Trust-The Five Pillars of the CISA Maturity Model

The CISA Zero Trust Maturity Model provides a blueprint for continuously improving your security program. Taking a Zero Trust approach lets you maximize the value of your security investment and mitigate cyber risk.

Introduction to Zero Trust Maturity Model (ZTMM)

US federal agencies are among the favorite targets of advanced persistent threats (APTs), such as state actors. Breaches are commonly enabled by weak cloud security, insider threats, a risky supply chain, and the implicit trust granted to a user or system once it has been authenticated and authorized.

Cyber defense requires greater speed and agility to outpace adversaries, increase resiliency, and build response capabilities that allow immediate recovery, while significantly raising the time and cost those adversaries must spend.

There are various Zero Trust (ZT) standards and guidance documents, such as NIST SP 800-207 and the NSA and DoD publications, but how can an organization implement ZT incrementally and mature its Zero Trust capability over time?

That's where the DHS CISA Zero Trust Maturity Model comes in: it gives you a structure for developing a roadmap to ZT maturity.

What is the Zero Trust Maturity Model?    

Three stages are used to identify maturity in your Zero Trust architecture (ZTA): Traditional, Advanced, and Optimal. (This article follows the three-stage model of ZTMM version 1.0; CISA's ZTMM version 2.0, published in April 2023, inserts an Initial stage between Traditional and Advanced, but the pillar descriptions below still apply.)

Zero Trust Maturity Model

  1. The Traditional Stage of the Zero Trust Maturity Model

    Traditional is the legacy state, viewed through the five pillars: attributes are configured manually, incident response is manual, and mitigations are deployed by hand.

  2. The Advanced Stage of the Zero Trust Maturity Model

    Advanced is the stage where there is some cross-pillar coordination, centralized visibility, centralized identity control, some pre-defined incident responses, and some least-privilege changes driven by posture assessments.

  3. The Optimal Stage of the Zero Trust Maturity Model

    Optimal is the final stage, where the organization fully automates the assignment of attributes to assets and resources; policies are dynamic and based on automated or observed triggers; assets self-enumerate their dependencies to support dynamic least-privilege access; cross-pillar interoperability is aligned with open standards; and centralized visibility includes a historian function for point-in-time recollection of state.

The Five Pillars of Zero Trust Model

A ZTA should always be evolving and adapting while holding to the standard of "least privilege to complete the necessary work".

In the following sections, we discuss how to implement the five pillars of the Zero Trust model using the ZTMM. Each section describes the three maturity levels for that pillar and what you can expect to see in terms of ZT implementation at each level.

CISA Five Pillars of Zero Trust Maturity

Identity-The First Pillar of ZTA Model

Traditional ZTA Maturity level to Identity

Traditional cybersecurity authenticates identity using either passwords or multi-factor authentication (MFA). Agencies make limited determinations of identity risk and segment users' activities using basic, static attributes. After initial provisioning, identities and permissions are audited manually, with static technical enforcement of credential policies.

Advanced ZTA Maturity level to Identity  

At the Advanced maturity level, agencies have moved towards automation and multiple checks on identity, use MFA rather than single passwords, and monitor some cloud environments along with on-premises systems. Simple analytics and static rules determine risk assessments. Policy-based automated access revocation emerges, and shared accounts are eliminated.

Optimal ZTA Maturity level to Identity

At the Optimal maturity level, the organization continuously validates identity rather than checking it only when access is first granted. Agencies analyze user behavior in real time, using machine learning to determine risk and deliver ongoing protection, and they centralize user visibility with high-fidelity attributes and user and entity behavior analytics (UEBA).

Organizations fully orchestrate the identity lifecycle: dynamic user profiling, dynamic identity and group membership, and just-in-time and just-enough access controls are all implemented. This leads to fully automated policy enforcement, with policies updated to reflect new orchestration options as they become available.

Device-The Second Pillar of ZTA Model

Traditional ZTA Maturity level to Device

At the Traditional level, agencies have limited visibility into device compliance. They manually define and enforce device acquisition channels and manually set and apply an inventory frequency policy. Device retirement requires extensive sanitization to remove residual access and data.

Advanced ZTA Maturity level to Device

Advanced Zero Trust maturity moves towards automation and constant monitoring. Agencies use automated methods to manage assets, identify vulnerabilities, and patch assets, and they reconcile device inventories against sanctioned lists and isolate non-compliant components.

Devices are provisioned using automated, repeatable methods with policy-driven capacity allocation and reactive scaling. Devices natively support modern security functions in hardware (such as a TPM for measured boot and credential protection).

Optimal ZTA Maturity level to Device

Optimal ZT constantly monitors and validates device security posture. Access to data takes real-time risk analytics about the device into account, and asset and vulnerability management is integrated across all agency environments, including cloud and remote workspaces.

Agencies continuously run device posture assessments through endpoint detection and response (EDR). Device capacity and deployment follow continuous integration and continuous deployment (CI/CD) principles with dynamic scaling. Devices permit data access and use without resident plain-text copies, which also reduces asset supply chain risk.
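The continuous, risk-based validation described for the Optimal stage of the Identity and Device pillars can be made concrete with a small policy decision point. The Python below is an added example, not code from CISA or from this article: the signal names, the set of phishing-resistant MFA methods, the risk weights, the thresholds and the grant lifetimes are all assumptions chosen for the illustration. It contrasts a Traditional-stage decision (check the credential once, then trust the session) with an Optimal-stage decision that re-evaluates identity, device posture and a UEBA-style location signal on every request, scales the hard requirements with resource sensitivity, and shortens the grant as risk rises.

```python
"""Continuous, risk-based access decisions spanning the identity and device pillars.

Added illustration, not code from CISA or from the article. The signal names,
MFA taxonomy, risk weights, thresholds and grant lifetimes are assumptions chosen
to make the stages comparable; a real policy decision point would take them from
agency policy and from its identity provider, MDM and EDR sources.
"""
from dataclasses import dataclass, replace

PHISHING_RESISTANT = {"fido2", "piv"}   # assumed set of phishing-resistant methods


@dataclass(frozen=True)
class Context:
    """Signals a policy decision point sees on every request."""
    user: str
    mfa_method: str            # "none", "password", "totp", "fido2", "piv"
    device_managed: bool       # enrolled in the agency inventory / MDM
    edr_healthy: bool          # endpoint agent running and not alerting
    patch_age_days: int        # days since the device was last patched
    new_location: bool         # location not seen before for this user (UEBA signal)
    resource_sensitivity: str  # "low", "moderate" or "high"


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    ttl_seconds: int = 0       # how long the grant is valid before re-evaluation


def traditional_decision(ctx: Context) -> Decision:
    """Traditional stage: check the credential once, then trust the session all day.
    Device posture and behaviour never enter the decision."""
    if ctx.mfa_method == "none":
        return Decision(False, "no credential presented")
    return Decision(True, "authenticated", ttl_seconds=8 * 3600)


def risk_score(ctx: Context) -> int:
    """Additive risk score; 0 means every signal is clean. Weights are assumptions."""
    score = 0
    score += 40 if not ctx.device_managed else 0
    score += 30 if not ctx.edr_healthy else 0
    score += 15 if ctx.patch_age_days > 30 else 0
    score += 20 if ctx.new_location else 0
    score += 10 if ctx.mfa_method not in PHISHING_RESISTANT else 0
    return score


def optimal_decision(ctx: Context) -> Decision:
    """Optimal stage: identity, device posture and behaviour are weighed on every
    request, hard requirements scale with sensitivity, and grants are short-lived."""
    if ctx.mfa_method == "none":
        return Decision(False, "no credential presented")
    if ctx.resource_sensitivity == "high":
        if ctx.mfa_method not in PHISHING_RESISTANT:
            return Decision(False, "high-value resource requires phishing-resistant MFA")
        if not (ctx.device_managed and ctx.edr_healthy):
            return Decision(False, "high-value resource requires a managed, healthy device")
    score = risk_score(ctx)
    if score >= 60:
        return Decision(False, f"risk score {score} exceeds threshold")
    # Just-in-time grant: the riskier the context, the sooner it must be re-checked.
    ttl = 900 if score < 20 else 300 if score < 40 else 60
    return Decision(True, f"risk score {score}", ttl_seconds=ttl)


class Session:
    """Holds the latest decision and re-evaluates when a signal changes or the grant expires."""

    def __init__(self, ctx: Context, decide=optimal_decision):
        self.ctx, self.decide = ctx, decide
        self.last, self.age = decide(ctx), 0

    def tick(self, seconds: int, **signal_changes) -> Decision:
        """Advance the clock, apply changed signals (e.g. an EDR alert), re-evaluate if due."""
        self.age += seconds
        if signal_changes:
            self.ctx = replace(self.ctx, **signal_changes)
        if signal_changes or self.age >= self.last.ttl_seconds:
            self.last, self.age = self.decide(self.ctx), 0
        return self.last


def make_context(**overrides) -> Context:
    """A clean high-sensitivity request from a managed device, with optional overrides."""
    base = dict(user="alice", mfa_method="fido2", device_managed=True, edr_healthy=True,
                patch_age_days=5, new_location=False, resource_sensitivity="high")
    base.update(overrides)
    return Context(**base)


def demo() -> dict:
    """Same mid-session EDR alert under both stages: only the Optimal stage reacts."""
    ctx = make_context()
    legacy, modern = Session(ctx, traditional_decision), Session(ctx)
    return {
        "traditional_before": legacy.last.allow,
        "traditional_after_edr_alert": legacy.tick(30, edr_healthy=False).allow,
        "optimal_before": modern.last.allow,
        "optimal_after_edr_alert": modern.tick(30, edr_healthy=False).allow,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the difference the maturity level makes: an EDR alert raised thirty seconds into the session leaves the Traditional grant untouched, while the Optimal session denies the very next request. The short `ttl_seconds` on each grant is what turns "just-in-time access" from a slogan into something a policy enforcement point can actually hold a client to.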

High-Level Zero Trust Maturity Model

Network-The Third pillar of ZTA Model

Traditional ZTA Maturity level to Network

At the Traditional level, network architecture relies on a large perimeter and macro-segmentation. Threat protection is based primarily on known threats and static traffic filtering, and very little internal traffic is explicitly encrypted. Agencies use manual policies to identify sanctioned networks, devices, and services, with manual discovery and remediation of unauthorized entities.

Advanced ZTA Maturity level to Network  

At the Advanced level, more of the network architecture is defined by ingress/egress micro-perimeters, with some internal micro-segmentation. Agencies apply basic analytics to proactively discover threats and encrypt all traffic to internal applications as well as some external traffic. Organizations integrate analysis across multiple sensor types and positions; alerts and triggers are policy-driven but manually defined, and network and environment changes run through automated workflows that still have to be initiated by hand.

Optimal ZTA Maturity level to Network

At the Optimal level, the network architecture comprises fully distributed ingress/egress micro-perimeters and deeper internal micro-segmentation built around application workflows. Organizations integrate machine learning-based threat protection and filtering with context-based signals. All traffic to internal and external locations is encrypted where possible. Analysis across multiple sensor types and positions produces automated alerts and triggers, and network environment configurations are managed as infrastructure-as-code with pervasive automation, following CI/CD deployment models.

Application Workload-The Fourth Pillar of ZTA Model  

Traditional ZTA Maturity level to Application Workload

At the Traditional level, access to applications is based primarily on local authorization and static attributes. Agencies have legacy policies and rely on manual enforcement for software development, software asset management, security tests and evaluations (ST&E) at technology insertion, and tracking of software dependencies.

Advanced ZTA Maturity level to Application Workload

At the Advanced level, access to applications relies on centralized authentication, authorization, monitoring, and attributes. All cloud applications and some on-premises applications are directly accessible to users over the internet; all others are reachable through a VPN. Organizations integrate application security testing, including dynamic testing methods, into the development and deployment process.

Optimal ZTA Maturity level to Application Workload

At the Optimal level, access to applications is authorized continuously, taking real-time risk analytics into account. Threat protections are strongly integrated into application workflows, with analytics that understand and account for application behavior. All applications are directly accessible to users over the internet, with no VPN in the path. Agencies integrate application security testing throughout the development and deployment process, with regular automated testing of deployed applications and continuous, dynamic application health and security monitoring using external sensors and systems. Applications adapt to ongoing environmental changes for security and performance optimization, and policies are updated and enforced dynamically.

Data-The Fifth Pillar of ZTA Model

Traditional ZTA Maturity level to Data

At the Traditional level, data is categorized manually and inventoried poorly, which leads to inconsistent categorization. Agencies govern access to data with static access controls and primarily store data in on-premises data stores where it is not encrypted at rest. Data categorization and data access authorizations are largely defined by distributed decision making.

Advanced ZTA Maturity level to Data

At the Advanced level, organizations still inventory data primarily by hand, with some automated tracking. Access to data is governed by least-privilege controls that consider identity, device risk, and other attributes. Agencies store data in cloud or remote environments where it is encrypted at rest. Data protections are enforced through mostly technical and some administrative controls.

Optimal ZTA Maturity level to Data

At the Optimal level, data is continuously inventoried through robust tagging and tracking, and agencies augment categorization with machine learning models. Access to data is dynamic, supports just-in-time and just-enough principles, and rests on continual risk-based determinations. All data at rest is encrypted, and an agency's data is inventoried and can always be accounted for.

Organizations log and analyze all access events for suspicious behavior and perform analytics on encrypted data. Strict access controls for high-value data are enforced automatically, and all high-value data is backed up regardless of its storage location. Data inventories are updated automatically, and at the same time the data protections required by policy are enforced automatically. Data categorization and data access authorizations are defined through a fully unified approach that integrates data independent of its source.
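Two of the Optimal-stage data controls described above, tag-driven enforcement for high-value data across storage locations and analysis of every access event for suspicious behavior, can be shown together on a handful of events. The Python below is an added example, not CISA's or the article's code: the inventory, the tag names, the JSON event format, the sample events and the bulk-read threshold are all constructed for this illustration.

```python
"""Data pillar at the Optimal stage: tag-driven access enforcement over an inventory
that spans storage locations, plus analysis of every access event for suspicious use.

Added example, not code from CISA or the article. The inventory, tag names, event
format, sample events and the bulk-access threshold are assumptions for the illustration.
"""
import json
from collections import defaultdict

# Assumed data inventory: every object carries a classification tag wherever it lives.
INVENTORY = {
    "s3://payroll/2024-q1.parquet": {"tag": "high-value", "encrypted_at_rest": True},
    "s3://payroll/2024-q2.parquet": {"tag": "high-value", "encrypted_at_rest": True},
    "s3://payroll/2024-q3.parquet": {"tag": "high-value", "encrypted_at_rest": True},
    "onprem://hr/benefits.csv":     {"tag": "high-value", "encrypted_at_rest": False},
    "s3://public/press-kit.zip":    {"tag": "public",     "encrypted_at_rest": True},
}

# Constructed access events, one JSON object per line, as an enforcement point would log them.
ACCESS_LOG = """
{"ts": 1700000000, "user": "alice",   "device_managed": true,  "object": "s3://payroll/2024-q1.parquet", "action": "read"}
{"ts": 1700000005, "user": "alice",   "device_managed": true,  "object": "s3://payroll/2024-q2.parquet", "action": "read"}
{"ts": 1700000010, "user": "bob",     "device_managed": false, "object": "s3://payroll/2024-q1.parquet", "action": "read"}
{"ts": 1700000012, "user": "bob",     "device_managed": true,  "object": "s3://public/press-kit.zip",    "action": "read"}
{"ts": 1700000020, "user": "carol",   "device_managed": true,  "object": "onprem://hr/benefits.csv",     "action": "read"}
{"ts": 1700000100, "user": "mallory", "device_managed": true,  "object": "s3://payroll/2024-q1.parquet", "action": "read"}
{"ts": 1700000101, "user": "mallory", "device_managed": true,  "object": "s3://payroll/2024-q2.parquet", "action": "read"}
{"ts": 1700000102, "user": "mallory", "device_managed": true,  "object": "s3://payroll/2024-q3.parquet", "action": "read"}
{"ts": 1700000200, "user": "eve",     "device_managed": true,  "object": "s3://scratch/dump.bin",        "action": "read"}
"""


def authorize(event: dict, inventory: dict = INVENTORY) -> tuple:
    """Per-access policy. Objects missing from the inventory are denied outright (data
    that is not accounted for cannot be protected); high-value data additionally requires
    a managed device and encryption at rest in the store it is read from."""
    meta = inventory.get(event["object"])
    if meta is None:
        return False, "object not in inventory"
    if meta["tag"] == "high-value":
        if not event["device_managed"]:
            return False, "high-value data requires a managed device"
        if not meta["encrypted_at_rest"]:
            return False, "high-value data must be encrypted at rest"
    return True, "allowed"


def analyze(log_text: str, inventory: dict = INVENTORY, window: int = 60,
            max_high_value_objects: int = 2) -> tuple:
    """Replay every logged event through policy, then flag any user who read more
    distinct high-value objects within `window` seconds than the threshold allows."""
    decisions = []
    high_value_reads = defaultdict(list)      # user -> [(ts, object)]
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        allowed, reason = authorize(ev, inventory)
        decisions.append((ev["user"], ev["object"], allowed, reason))
        if allowed and inventory[ev["object"]]["tag"] == "high-value":
            high_value_reads[ev["user"]].append((ev["ts"], ev["object"]))

    alerts = []
    for user, reads in high_value_reads.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):
            in_window = {obj for ts, obj in reads[i:] if ts - start <= window}
            if len(in_window) > max_high_value_objects:
                alerts.append(user)
                break
    return decisions, sorted(alerts)


def denied(log_text: str = ACCESS_LOG) -> list:
    """Convenience view: (user, object, reason) for every denied access."""
    decisions, _ = analyze(log_text)
    return [(u, o, r) for u, o, ok, r in decisions if not ok]


if __name__ == "__main__":
    _, alerts = analyze(ACCESS_LOG)
    for d in denied():
        print("DENY", *d)
    print("bulk high-value access by:", alerts)
```

Three of the nine events are denied for three different reasons (an unmanaged device, a high-value object sitting unencrypted on-premises, and an object that was never inventoried), and the replay flags `mallory` for touching three distinct payroll objects inside one minute even though each individual read passed policy. That second finding is the point of logging every access event rather than only the denials: the suspicious behavior is visible only across events.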
