
Four Ways to Make Quick Gains in Zero Trust Maturity

Published on Oct 12, 2023

The cybersecurity landscape is becoming more and more vulnerable to attacks that are both cost-effective and powerful. These attacks use techniques like MFA bypass and Initial Access Brokers with stolen credentials. To tackle this issue, organizations must implement a zero trust security architecture emphasizing the importance of continuous, phishing-resistant MFA.

One of the most critical aspects of this architecture is the concept of device trust. This means that security protocols should validate not only the user's credentials but also the integrity of the device from which access is being sought. In other words, a secure fortress requires vigilant gatekeepers to ensure that a breach of credentials doesn't equate to a breach of the system.

Strong authentication and device trust directly address zero trust security architecture’s Identity and Device pillars. Unfortunately, many incumbent identity and security vendors continue to misdirect the market by redefining phishing resistance, implementing weak device trust, and preserving suboptimal security defaults.

Now more than ever, CIOs and CISOs need to lead their organizations toward a pragmatic and structured approach, like the one outlined by CISA’s Zero Trust Maturity Model. This model provides a well-articulated pathway towards continuous, automated access reevaluation and efficient cross-system integrations, which aligns with NIST's robust security recommendations.

The urgency to address these issues is palpable, and the strategy is clear: a comprehensive, neutrally endorsed, proactive, and interconnected security approach that thwarts today’s adversaries and their tactics while providing a firm foundation for an AI and cloud-intensive future.

The CISA Maturity Model

CISA created the Zero Trust Maturity Model (ZTMM) to help organizations create a roadmap for achieving Zero Trust maturity. In their report, they unpack five key areas called “pillars” that companies should focus on: identity, devices, networks, applications and workloads, and data.  

The Zero Trust Maturity Model defines how to move from the lowest “Traditional” stage of maturity to “Optimal” or full maturity. Companies can elect to mature faster in one or more pillars since each is assigned its own maturity level.

The figure below provides an overview of the Zero Trust Maturity Model, with each pillar listed from left to right and the specific functions required to mature detailed from bottom to top. As you’ll see in the chart, moving to “continuous” and “automated” processes that occur in near real-time is the key to Zero Trust maturity.

[Figure: the pillars of the Zero Trust Maturity Model]

Four ways to make quick gains in maturity

1. Address identity first

Identity is the set of attributes that describe a user or entity. Cybercriminals most frequently attack the identity pillar through phishing, stolen credentials, and social engineering.

In one recent survey by Trends in Security Digital Identities, 84% of respondents said their company had an identity-related attack that year. Respondents overwhelmingly said implementing MFA and better privileged user access controls would have prevented the attacks. Both of these elements are part of the Zero Trust Maturity Model for Identity, showing just how vital it is to address the identity pillar first.

[Figure: recent survey results from Trends in Security Digital Identities]

The goal of identity maturity is ensuring the right user is given access to what they need, when they need it, without giving them access to more than they require.

The table below from the Zero Trust Maturity Model shows the improvements a company needs to make from passwords and static access to continuous validation with phishing-resistant MFA.  

Function: Authentication
  Traditional: Agency authenticates identity using either passwords or multi-factor authentication (MFA) with static access for entity identity.
  Initial: Agency authenticates identity using MFA, which may include passwords as one factor and requires validation of multiple entity attributes (e.g. locale or activity).
  Advanced: Agency begins to authenticate all identity using phishing-resistant MFA and attributes, including initial implementation of passwordless MFA via FIDO2 or PIV.
  Optimal: Agency continuously validates identity with phishing-resistant MFA, not just when access is initially granted.

Function: Risk Assessments
  Traditional: Agency makes limited determinations for identity risk (i.e. likelihood that an identity is compromised).
  Initial: Agency determines identity risk using manual methods and static rules to support visibility.
  Advanced: Agency determines identity risk with some automated analysis and dynamic rules to inform access decisions and response activities.
  Optimal: Agency determines identity risk in real time based on continuous analysis and dynamic rules to deliver ongoing protection.

Function: Access Management (New Function)
  Traditional: Agency authorizes permanent access with periodic review for both privileged and unprivileged accounts.
  Initial: Agency authorizes access, including for privileged access requests, that expires with automated review.
  Advanced: Agency authorizes need-based and session-based access, including for privileged access requests, that is tailored to actions and resources.
  Optimal: Agency uses automation to authorize just-in-time and just-enough access tailored to individual actions and individual resource needs.

2. Link together identity and devices

According to CISA, a device is any asset that connects to a network “including its hardware, software, firmware, etc.” The number of devices companies manage today continues to grow. The need to secure everything from printers to employee mobile phones can be challenging for IT leaders.

To mature in the device pillar, device trust must be factored into authentication and access decisions. When devices are bound to identity for authentication, companies have even more ways to verify that the right user, using only a trusted device, can access networks and resources. Data must be made shareable across the two pillars to enable this functionality.  

For Optimal maturity with CISA’s ZTMM, device checks must move from one-time validation to real-time and continuous. The table below shows the steps required to move from Traditional to Optimal in the device pillar.

Function: Policy Enforcement & Compliance Monitoring (New Function)
  Traditional: Agency has limited, if any, visibility (i.e., ability to inspect device behavior) into device compliance with few methods of enforcing policies or managing software, configurations, or vulnerabilities.
  Initial: Agency receives self-reported device characteristics (e.g., keys, tokens, users, etc. on the device) but has limited enforcement mechanisms. Agency has a preliminary, basic process in place to approve software use and push updates and configuration changes to devices.
  Advanced: Agency has verified insights (i.e., an administrator can inspect and verify the data on device) on initial access to device and enforces compliance for most devices and virtual assets. Agency uses automated methods to manage devices and virtual assets, approve software, and identify vulnerabilities and install patches.
  Optimal: Agency continuously verifies insights and enforces compliance throughout the lifetime of devices and virtual assets. Agency integrates device, software, configuration, and vulnerability management across all agency environments, including for virtual assets.

Function: Asset & Supply Chain Risk Management (New Function)
  Traditional: Agency does not track physical or virtual assets in an enterprise-wide or cross-vendor manner and manages its own supply chain acquisition of devices and services in ad hoc fashion with limited view of enterprise risks.
  Initial: Agency tracks all physical and some virtual assets and manages supply chain risks by establishing policies and control baselines according to federal recommendations using a robust framework (e.g., NIST SCRM).
  Advanced: Agency begins to develop a comprehensive enterprise view of physical and virtual assets via automated processes that can function across multiple vendors to verify acquisitions, track development cycles, and provide third-party assessments.
  Optimal: Agency has a comprehensive, at- or near-real-time view of all assets across vendors and service providers, automates its supply chain risk management as applicable, builds operations that tolerate supply chain failures, and incorporates best practices.

Function: Resource Access (Formerly Data Access)
  Traditional: Agency does not require visibility into devices or virtual assets used to access resources.
  Initial: Agency requires some devices or virtual assets to report characteristics, then uses this information to approve resource access.
  Advanced: Agency's initial resource access considers verified device or virtual asset insights.
  Optimal: Agency's resource access considers real-time risk analytics within devices and virtual assets.

Function: Device Threat Protection (New Function)
  Traditional: Agency manually deploys threat protection capabilities to some devices.
  Initial: Agency has some automated processes for deploying and updating threat protection capabilities to devices and to virtual assets with limited policy enforcement and compliance monitoring integration.
  Advanced: Agency begins to consolidate threat protection capabilities to centralized solutions for devices and virtual assets and integrates most of these capabilities with policy enforcement and compliance monitoring.
  Optimal: Agency has a centralized threat protection security solution(s) deployed with advanced capabilities for all devices and virtual assets and a unified approach for device threat protection, policy enforcement, and compliance monitoring.

Function: Visibility and Analytics Capability
  Traditional: Agency uses a physically labeled inventory and limited software monitoring to review devices on a regular basis with some manual analysis.
  Initial: Agency uses digital identifiers (e.g., interface addresses, digital tags) alongside a manual inventory and endpoint monitoring of devices when available. Some agency devices and virtual assets are under automated analysis (e.g., software-based scanning) for anomaly detection based on risk.
  Advanced: Agency automates both inventory collection (including endpoint monitoring on all standard user devices, e.g., desktops and laptops, mobile phones, tablets, and their virtual assets) and anomaly detection to detect unauthorized devices.
  Optimal: Agency automates status collection of all network-connected devices and virtual assets while correlating with identities, conducting endpoint monitoring, and performing anomaly detection to inform resource access. Agency tracks patterns of provisioning and/or de-provisioning of virtual assets for anomalies.

Function: Automation and Orchestration Capability
  Traditional: Agency manually provisions, configures, and/or registers devices within the enterprise.
  Initial: Agency begins to use tools and scripts to automate the process of provisioning, configuration, and virtual assets.
  Advanced: Agency has implemented monitoring and enforcement mechanisms to identify and manually disconnect or isolate non-compliant (vulnerable, unverified certificate, unregistered MAC address) devices and virtual assets.
  Optimal: Agency has a fully automated process for provisioning, registering, monitoring, isolating, remediating, and deprovisioning devices and virtual assets.

Function: Governance Capability
  Traditional: Agency sets some policies for the lifecycle of their traditional and peripheral computing devices and relies on manual processes to maintain (e.g. update, patch, sanitize) these devices.
  Initial: Agency sets and enforces policies for the procurement of new devices, the lifecycle of non-traditional computing devices and virtual assets, and for regularly conducting monitoring and scanning of devices.
  Advanced: Agency sets enterprise-wide policies for the lifecycle of devices and virtual assets, including their enumeration and accountability, with some automated enforcement mechanisms.
  Optimal: Agency automates policies for the lifecycle of all network-connected devices and virtual assets across the enterprise.

3. Feed your zero trust policy engine with security telemetry

The policy engine is a key component of zero trust architecture. It houses company rules around access, device security, and authentication. But the policy engine can only check rules against the data it’s given. Therefore, the more information you can feed it regarding security, the more accurate and thorough its enforcement becomes. Mature companies link device security to their policy engine and data from security and IT management tools. That’s where an XDR solution comes in.  


Here is a great example of a Zero Trust authentication policy in action:

  • If: A device makes an access request
  • And if: It does not have an active EDR agent on it
  • Then: Do not authenticate
  • And: Send an alert to the Security Operations Center
  • And: Generate a ticket on the IT service management system and notify the user of the need to comply with device security policies

4. Prioritize “continuous” and “automated”

The most common theme across all pillars of the Zero Trust Maturity Model is that continuous and automated processes are required for Optimal maturity. Continuous checks are needed because hackers who log in with compromised credentials may wait a while before acting, or authenticated users may remove a firewall or antivirus software after authentication.

Automation is what enables continuous processes. Humans simply can’t keep pace with what’s required for zero trust maturity. Automated workflows that cross the Zero Trust Maturity Model pillars allow companies to move fast enough to stop cyberattacks before they happen.
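The EDR rule from section 3 and the continuous re-evaluation argued for in section 4, worked through as an added example (not Beyond Identity's or CISA's code). The telemetry fields, the rule set, and the action names are constructed for illustration; a real engine would receive posture from an EDR/XDR feed and would fail closed when that feed goes quiet, which the example also shows.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class DeviceTelemetry:
    """Posture report about one device bound to one user (constructed fields)."""
    device_id: str
    user: str
    edr_agent_active: bool
    firewall_enabled: bool
    observed_at: int  # seconds since epoch


@dataclass
class PolicyResult:
    decision: Decision
    reasons: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


# Each rule returns a reason string when the device fails it, else None.
def _missing_edr(t: DeviceTelemetry) -> Optional[str]:
    return None if t.edr_agent_active else "no active EDR agent on device"


def _firewall_off(t: DeviceTelemetry) -> Optional[str]:
    return None if t.firewall_enabled else "host firewall disabled"


RULES = (_missing_edr, _firewall_off)

# Response playbook from the post: alert the SOC, open an ITSM ticket, notify the user.
RESPONSE_ACTIONS = ["alert:soc", "ticket:itsm", "notify:user"]


def evaluate(t: DeviceTelemetry, now: int, max_age: int = 300) -> PolicyResult:
    """Evaluate one access request against the rules.

    Fails closed when telemetry is stale: a device the engine cannot see
    is treated as non-compliant rather than trusted on its last report."""
    if now - t.observed_at > max_age:
        return PolicyResult(Decision.DENY, ["device telemetry stale"], list(RESPONSE_ACTIONS))
    reasons = [r for r in (rule(t) for rule in RULES) if r]
    if reasons:
        return PolicyResult(Decision.DENY, reasons, list(RESPONSE_ACTIONS))
    return PolicyResult(Decision.ALLOW)


class SessionMonitor:
    """Tracks granted sessions and re-runs the policy on every telemetry
    update, so a session opened on a compliant device is revoked as soon
    as the device drifts (e.g. the user disables the firewall later)."""

    def __init__(self, max_age: int = 300):
        self.max_age = max_age
        self.sessions: Dict[str, str] = {}  # device_id -> user
        self.revocations: List[PolicyResult] = []

    def request_access(self, t: DeviceTelemetry, now: int) -> PolicyResult:
        result = evaluate(t, now, self.max_age)
        if result.decision == Decision.ALLOW:
            self.sessions[t.device_id] = t.user
        return result

    def on_telemetry(self, t: DeviceTelemetry, now: int) -> Optional[PolicyResult]:
        """Continuous check: re-evaluate an existing session; revoke on deny."""
        if t.device_id not in self.sessions:
            return None
        result = evaluate(t, now, self.max_age)
        if result.decision == Decision.DENY:
            del self.sessions[t.device_id]
            self.revocations.append(result)
        return result


def run_scenario() -> dict:
    """Constructed walk-through: one device that is compliant at login and
    drifts afterwards, and one that never had an EDR agent."""
    mon = SessionMonitor()
    good = DeviceTelemetry("laptop-01", "alice", True, True, observed_at=1000)
    initial = mon.request_access(good, now=1010)          # allowed, session opened
    drifted = DeviceTelemetry("laptop-01", "alice", True, False, observed_at=1100)
    after_drift = mon.on_telemetry(drifted, now=1105)    # firewall off: revoked
    no_edr = DeviceTelemetry("laptop-02", "bob", False, True, observed_at=1200)
    denied = mon.request_access(no_edr, now=1201)        # denied, playbook actions
    return {"initial": initial, "after_drift": after_drift,
            "no_edr": denied, "active_sessions": dict(mon.sessions)}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```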

Move to optimal Zero Trust maturity with Beyond Identity

The journey from Traditional to Optimal maturity can be daunting, but it doesn’t have to be. With Beyond Identity, your organization can immediately jump from Traditional to Optimal in the Identity and Device pillars.

Our Zero Trust Authentication is passwordless, phishing-resistant, and easy to use. We’ve already built in continuous and automated processes, decreasing your time-to-deployment.

To learn more about Zero Trust maturity, download A Practitioner’s Guide to the CISA Zero Trust Maturity Model.

Get started with Device360 today
Weekly newsletter
No spam. Just the latest releases and tips, interesting articles, and exclusive interviews in your inbox every week.

Four Ways to Make Quick Gains in Zero Trust Maturity

Download

The cybersecurity landscape is becoming more and more vulnerable to attacks that are both cost-effective and powerful. These attacks use techniques like MFA bypass and Initial Access Brokers with stolen credentials. To tackle this issue, organizations must implement a zero trust security architecture emphasizing the importance of continuous, phishing-resistant MFA.

One of the most critical aspects of this architecture is the concept of device trust. This means that security protocols should validate not only the user's credentials but also the integrity of the device from which access is being sought. In other words, a secure fortress requires vigilant gatekeepers to ensure that a breach of credentials doesn't equate to a breach of the system.

Strong authentication and device trust directly address zero trust security architecture’s Identity and Device pillars. Unfortunately, many incumbent identity and security vendors continue to misdirect the market by redefining phishing resistance, implementing weak device trust, and preserving suboptimal security defaults.

Now more than ever, CIOs and CISOs need to lead their organizations toward a pragmatic and structured approach, like the one outlined by CISA’s Zero Trust Maturity Model. This model provides a well-articulated pathway towards continuous, automated access reevaluation and efficient cross-system integrations, which aligns with NIST's robust security recommendations.

The urgency to address these issues is palpable, and the strategy is clear: a comprehensive, neutrally endorsed, proactive, and interconnected security approach that thwarts today’s adversaries and their tactics while providing a firm foundation for an AI and cloud-intensive future.

The CISA Maturity Model

CISA created the Zero Trust Maturity Model (ZTMM) to help organizations create a roadmap for achieving Zero Trust maturity. In their report, they unpack five key areas called “pillars” that companies should focus on: identity, devices, networks, applications and workloads, and data.  

The Zero Trust Maturity Model defines how to move from the lowest “Traditional” stage of maturity to “Optimal” or full maturity. Companies can elect to mature faster in one or more pillars since each is assigned its own maturity level.

The figure below provides an overview of the Zero Trust Maturity Model, with each pillar listed from left to right and the specific functions required to mature detailed from bottom to top. As you’ll see in the chart, moving to “continuous” and “automated” processes that occur in near real-time is the key to Zero Trust maturity.

pillars of zero trust maturity model

Four ways to make quick gains in maturity

1. Address identity first

Identity is the attributes that describe a user or entity. Cybercriminals most frequently attack the identity pillar through phishing, stolen credentials, and social engineering.

In one recent survey by Trends in Security Digital Identities, 84% of respondents said their company had an identity-related attack that year. Respondents overwhelmingly said implementing MFA and better privileged user access controls would have prevented the attacks. Both of these elements are part of the Zero Trust Maturity Model for Identity, showing just how vital it is to address the identity pillar first.

recent survey results by Trends in Security Digital Identities

The goal of identity maturity is ensuring the right user is given access to what they need, when they need it, without giving them access to more than they require.

The table below from the Zero Trust Maturity Model shows the improvements a company needs to make from passwords and static access to continuous validation with phishing-resistant MFA.  


Function Traditional Initial Advanced Optimal
Authentication Agency authenticates identity using either passwords or multi-factor authentication (MFA) with static access for entity identity Agency authenticates identity using MFA, which may include passwords as one factor and requires validation of multiple entity attributes (e.g. locale or activity).  Agency begins to authenticate all identity using phishing-resistant MFA and attributes, including initial implementation of passwordless MFA via FIDO2 or PIV Agency continuously validates identity with phishing-resistant MFA, not just when access is initially granted. 
Risk Assessments Agency makes limited determinations for identity risk (i.e. likelihood that an identity is compromised.  Agency determines identity risk using manual methods and static rules to support visibility. Agency determines identity risk with some automated analysis and dynamic rules to inform access decisions and response activities.  Agency determines identity risk in real time based on continuous analysis and dynamic rules to deliver ongoing protection.
Access Management (New Function) Agency authorizes permanent access with periodic review for both privileged and unprivileged accounts. Agency authorizes access, including for privileged access requests, that expires with automated review.   Agency authorizes need-based and session-based access, including for privileged access request, that is tailored to actions and resources.  Agency uses automation to authorize just-in-time and just-enough access tailored to individual actions and individual resource needs. 
Made with HTML Tables

2. Link together identity and devices

According to CISA, a device is any asset that connects to a network “including its hardware, software, firmware, etc.” The number of devices companies manage today continues to grow. The need to secure everything from printers to employee mobile phones can be challenging for IT leaders.

To mature in the device pillar, device trust must be factored into authentication and access decisions. When devices are bound to identity for authentication, companies have even more ways to verify that the right user, using only a trusted device, can access networks and resources. Data must be made shareable across the two pillars to enable this functionality.  

For Optimal maturity with CISA’s ZTMM, device checks must move from one-time validation to real-time and continuous. The table below shows the steps required to move from Traditional to Optimal in the device pillar.


Function Traditional Initial Advanced Optimal
Policy Enforcement & Compliance Monitoring (New Function) Agency has limited, if any, visibility (i.e., ability to inspect device behavior) into device compliance with few methods of enforcing policies or managing software, configurations, or vulnerabilities. Agency receives self-reported device characteristics (e.g., keys, tokens, users, etc. on the device) but has limited enforcement mechanisms. Agency has a preliminary, basic process in place to approve software use and push updates and configuration changes to devices.  Agency has verified insights (i.e., an administrator can inspect and verify the data on device) on initial access to device and enforces compliance for most devices and virtual assets. Agency uses automated methods to manage devices and virtual assets, approve software, and identify vulnerabilities and install patches.  Agency continuously verifies insights and enforces compliance throughout the lifetime of devices and virtual assets. Agency integrates device, software, configuration, and vulnerability management across all agency environments, including for virtual assets. 
Asset & Supply Chain Risk Management (New Function) Agency does not track physical or virtual assets in an enterprise-wide or cross-vendor manner and manages its own supply chain acquisition of devices and services in ad hoc fashion with limited view of enterprise risks. Agency tracks all physical and some virtual assets and manages supply chain risks by establishing policies and control baselines according to federal recommendations using a robust framework (e.g., NIST SCRM.).  Agency begins to develop comprehensive enterprise view of physical and virtual assets via automated processes that can function across multiple vendors to verify acquisitions, track development cycles, and provide third-party assessments.  Agency has a comprehensive, at-or near-real-time view of all assets across vendors and service providers, automates its supply chain risk management as applicable, builds operations that tolerate supply chain failures, and incorporates best practices. 
Resource Access (Formerly Data Access) Agency does not require visibility into devices or virtual assets used to access resources.  Agency requires some devices or virtual assets to report characteristics then use this information to approve resource access.  Agency's initial resource access considers verified device or virtual asset insights.  Agency's resource access considers real-time risk analytics within devices and virtual assets. 
Device Threat Protection (New Function) Agency manually deploys threat protection capabilities to some devices.  Agency has some automated processes for deploying and updating threat protection capabilities to devices and to virtual assets with limited policy enforcement and compliance monitoring integration.  Agency begins to consolidate threat protection capabilities to centralized solutions for devices and virtual assets and integrates most of these capabilities with policy enforcement and compliance monitoring.  Agency has a centralized threat protection security solution(s) deployed with advanced capabilities for all devices and virtual assets and a unified approach for device threat protection, policy enforcement, and compliance monitoring. 
Visibility and Analytics Capability Agency uses a physically labeled inventory and limited software monitoring to review devices on a regular basis with some manual analysis.  Agency uses digital identifiers (e.g., interface addresses, digital tags) alongside a manual inventory and endpoint monitoring of devices when available. Some agency devices and virtual assets are under automated analysis (e.g., software-based scanning) for anomaly detection based on risk.  Agency automates both inventory collection (including endpoint monitoring on all standard user devices, e.g., desktops and laptops, mobile phones, tablets, and their virtual assets) and anomaly detection to detect unauthorized devices.  Agency automates status collection of all network-connected devices and virtual assets while correlating with identities, conducting endpoint monitoring, and performing anomaly detection to inform resource access. Agency tracks patterns of provisioning and/or de-provisioning of virtual assets for anomalies. 
Automation and Orchestration Capability Agency manually provisions, configures, and/or registers devices within the enterprise.  Agency begins to use tools and scripts to automate the process of provisioning, configuration, and virtual assets. Agency has implemented monitoring and enforcement mechanisms to identify and manually disconnect or isolate non-compliant (vulnerable, unverified certificate, unregistered mac address) devices and virtual assets. Agency has fully automated process for provisioning, registering, monitoring, isolating, remediating, and deprovisioning devices and virtual assets. 
Governance Capability Agency sets some policies for the lifecycle of their traditional and peripheral computing devices and relies on manual processes to maintain (e.g. update, patch, sanitize) these devices. Agency sets and enforces policies for the procurement of new devices, the lifecycle of non-traditional computing devices and virtual assets, and for regularly conducting monitoring and scanning of devices.  Agency sets enterprise-wide policies for the lifecycle of devices and virtual assets, including their enumeration and accountability, with some automated enforcement mechanisms.  Agency automates policies for the lifecycle of all network-connected devices and virtual assets across the enterprise. 
Made with HTML Tables

3. Feed your zero trust policy engine with security telemetry

The policy engine is a key component of zero trust architecture. It houses company rules around access, device security, and authentication. But the policy engine can only check rules against the data it’s given. Therefore, the more information you can feed it regarding security, the more accurate and thorough its enforcement becomes. Mature companies link device security to their policy engine and data from security and IT management tools. That’s where an XDR solution comes in.  

Mature companies link device security to their policy engine and data from security and IT management tools

Here is a great example of a Zero Trust authentication policy in action:

  • If: A device makes an access request
  • And if: It does not have an active EDR agent on it
  • Then: Do not authenticate
  • And: Send an alert to the Security Operations Center
  • And: Generate a ticket on the IT service management system and notify the user of the need to comply with device security policies

4. Prioritize “continuous” and “automated”

The most common theme across all pillars of the Zero Trust Maturity Model is that continuous and automated processes are required for Optimal maturity. Continuous checks are needed because hackers who log in with compromised credentials may wait a while before acting, or authenticated users may remove a firewall or antivirus software after authentication.

Automation is what enables continuous processes. Humans simply can’t keep pace with what’s required for zero trust maturity. Automated workflows that cross the Zero Trust Maturity Model pillars allow companies to move fast enough to stop cyberattacks before they happen.

Move to optimal Zero Trust maturity with Beyond Identity

The journey from Traditional to Optimal maturity can be daunting, but it doesn’t have to be. With Beyond Identity, your organization can immediately jump from Traditional to Optimal in the Identity and Device pillars.

Our Zero Trust Authentication is passwordless, phishing-resistant, and easy to use. We’ve already built in continuous and automated processes, decreasing your time-to-deployment.

To learn more about Zero Trust maturity, download A Practitioner’s Guide to the CISA Zero Trust Maturity Model.

Four Ways to Make Quick Gains in Zero Trust Maturity

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

The cybersecurity landscape is becoming more and more vulnerable to attacks that are both cost-effective and powerful. These attacks use techniques like MFA bypass and Initial Access Brokers with stolen credentials. To tackle this issue, organizations must implement a zero trust security architecture emphasizing the importance of continuous, phishing-resistant MFA.

One of the most critical aspects of this architecture is the concept of device trust. This means that security protocols should validate not only the user's credentials but also the integrity of the device from which access is being sought. In other words, a secure fortress requires vigilant gatekeepers to ensure that a breach of credentials doesn't equate to a breach of the system.

Strong authentication and device trust directly address zero trust security architecture’s Identity and Device pillars. Unfortunately, many incumbent identity and security vendors continue to misdirect the market by redefining phishing resistance, implementing weak device trust, and preserving suboptimal security defaults.

Now more than ever, CIOs and CISOs need to lead their organizations toward a pragmatic and structured approach, like the one outlined by CISA’s Zero Trust Maturity Model. This model provides a well-articulated pathway towards continuous, automated access reevaluation and efficient cross-system integrations, which aligns with NIST's robust security recommendations.

The urgency to address these issues is palpable, and the strategy is clear: a comprehensive, neutrally endorsed, proactive, and interconnected security approach that thwarts today’s adversaries and their tactics while providing a firm foundation for an AI and cloud-intensive future.

The CISA Maturity Model

CISA created the Zero Trust Maturity Model (ZTMM) to help organizations create a roadmap for achieving Zero Trust maturity. In their report, they unpack five key areas called “pillars” that companies should focus on: identity, devices, networks, applications and workloads, and data.  

The Zero Trust Maturity Model defines how to move from the lowest “Traditional” stage of maturity to “Optimal” or full maturity. Companies can elect to mature faster in one or more pillars since each is assigned its own maturity level.

The figure below provides an overview of the Zero Trust Maturity Model, with each pillar listed from left to right and the specific functions required to mature detailed from bottom to top. As you’ll see in the chart, moving to “continuous” and “automated” processes that occur in near real-time is the key to Zero Trust maturity.

pillars of zero trust maturity model

Four ways to make quick gains in maturity

1. Address identity first

Identity is the attributes that describe a user or entity. Cybercriminals most frequently attack the identity pillar through phishing, stolen credentials, and social engineering.

In one recent survey by Trends in Security Digital Identities, 84% of respondents said their company had an identity-related attack that year. Respondents overwhelmingly said implementing MFA and better privileged user access controls would have prevented the attacks. Both of these elements are part of the Zero Trust Maturity Model for Identity, showing just how vital it is to address the identity pillar first.

[Figure: survey results from Trends in Security Digital Identities]

The goal of identity maturity is ensuring the right user is given access to what they need, when they need it, without giving them access to more than they require.

The table below from the Zero Trust Maturity Model shows the improvements a company needs to make from passwords and static access to continuous validation with phishing-resistant MFA.  


Authentication
  Traditional: Agency authenticates identity using either passwords or multi-factor authentication (MFA) with static access for entity identity.
  Initial: Agency authenticates identity using MFA, which may include passwords as one factor and requires validation of multiple entity attributes (e.g. locale or activity).
  Advanced: Agency begins to authenticate all identity using phishing-resistant MFA and attributes, including initial implementation of passwordless MFA via FIDO2 or PIV.
  Optimal: Agency continuously validates identity with phishing-resistant MFA, not just when access is initially granted.

Risk Assessments
  Traditional: Agency makes limited determinations for identity risk (i.e. likelihood that an identity is compromised).
  Initial: Agency determines identity risk using manual methods and static rules to support visibility.
  Advanced: Agency determines identity risk with some automated analysis and dynamic rules to inform access decisions and response activities.
  Optimal: Agency determines identity risk in real time based on continuous analysis and dynamic rules to deliver ongoing protection.

Access Management (New Function)
  Traditional: Agency authorizes permanent access with periodic review for both privileged and unprivileged accounts.
  Initial: Agency authorizes access, including for privileged access requests, that expires with automated review.
  Advanced: Agency authorizes need-based and session-based access, including for privileged access requests, that is tailored to actions and resources.
  Optimal: Agency uses automation to authorize just-in-time and just-enough access tailored to individual actions and individual resource needs.

2. Link together identity and devices

According to CISA, a device is any asset that connects to a network “including its hardware, software, firmware, etc.” The number of devices companies manage today continues to grow. The need to secure everything from printers to employee mobile phones can be challenging for IT leaders.

To mature in the device pillar, device trust must be factored into authentication and access decisions. When devices are bound to identity for authentication, companies have even more ways to verify that the right user, using only a trusted device, can access networks and resources. Data must be made shareable across the two pillars to enable this functionality.  

For Optimal maturity with CISA’s ZTMM, device checks must move from one-time validation to real-time and continuous. The table below shows the steps required to move from Traditional to Optimal in the device pillar.


Policy Enforcement & Compliance Monitoring (New Function)
  Traditional: Agency has limited, if any, visibility (i.e., ability to inspect device behavior) into device compliance with few methods of enforcing policies or managing software, configurations, or vulnerabilities.
  Initial: Agency receives self-reported device characteristics (e.g., keys, tokens, users, etc. on the device) but has limited enforcement mechanisms. Agency has a preliminary, basic process in place to approve software use and push updates and configuration changes to devices.
  Advanced: Agency has verified insights (i.e., an administrator can inspect and verify the data on the device) on initial access to the device and enforces compliance for most devices and virtual assets. Agency uses automated methods to manage devices and virtual assets, approve software, and identify vulnerabilities and install patches.
  Optimal: Agency continuously verifies insights and enforces compliance throughout the lifetime of devices and virtual assets. Agency integrates device, software, configuration, and vulnerability management across all agency environments, including for virtual assets.

Asset & Supply Chain Risk Management (New Function)
  Traditional: Agency does not track physical or virtual assets in an enterprise-wide or cross-vendor manner and manages its own supply chain acquisition of devices and services in ad hoc fashion with limited view of enterprise risks.
  Initial: Agency tracks all physical and some virtual assets and manages supply chain risks by establishing policies and control baselines according to federal recommendations using a robust framework (e.g., NIST SCRM).
  Advanced: Agency begins to develop a comprehensive enterprise view of physical and virtual assets via automated processes that can function across multiple vendors to verify acquisitions, track development cycles, and provide third-party assessments.
  Optimal: Agency has a comprehensive, at- or near-real-time view of all assets across vendors and service providers, automates its supply chain risk management as applicable, builds operations that tolerate supply chain failures, and incorporates best practices.

Resource Access (Formerly Data Access)
  Traditional: Agency does not require visibility into devices or virtual assets used to access resources.
  Initial: Agency requires some devices or virtual assets to report characteristics, then uses this information to approve resource access.
  Advanced: Agency's initial resource access considers verified device or virtual asset insights.
  Optimal: Agency's resource access considers real-time risk analytics within devices and virtual assets.

Device Threat Protection (New Function)
  Traditional: Agency manually deploys threat protection capabilities to some devices.
  Initial: Agency has some automated processes for deploying and updating threat protection capabilities to devices and to virtual assets with limited policy enforcement and compliance monitoring integration.
  Advanced: Agency begins to consolidate threat protection capabilities to centralized solutions for devices and virtual assets and integrates most of these capabilities with policy enforcement and compliance monitoring.
  Optimal: Agency has a centralized threat protection security solution(s) deployed with advanced capabilities for all devices and virtual assets and a unified approach for device threat protection, policy enforcement, and compliance monitoring.

Visibility and Analytics Capability
  Traditional: Agency uses a physically labeled inventory and limited software monitoring to review devices on a regular basis with some manual analysis.
  Initial: Agency uses digital identifiers (e.g., interface addresses, digital tags) alongside a manual inventory and endpoint monitoring of devices when available. Some agency devices and virtual assets are under automated analysis (e.g., software-based scanning) for anomaly detection based on risk.
  Advanced: Agency automates both inventory collection (including endpoint monitoring on all standard user devices, e.g., desktops and laptops, mobile phones, tablets, and their virtual assets) and anomaly detection to detect unauthorized devices.
  Optimal: Agency automates status collection of all network-connected devices and virtual assets while correlating with identities, conducting endpoint monitoring, and performing anomaly detection to inform resource access. Agency tracks patterns of provisioning and/or de-provisioning of virtual assets for anomalies.

Automation and Orchestration Capability
  Traditional: Agency manually provisions, configures, and/or registers devices within the enterprise.
  Initial: Agency begins to use tools and scripts to automate the process of provisioning, configuration, and virtual assets.
  Advanced: Agency has implemented monitoring and enforcement mechanisms to identify and manually disconnect or isolate non-compliant (vulnerable, unverified certificate, unregistered MAC address) devices and virtual assets.
  Optimal: Agency has a fully automated process for provisioning, registering, monitoring, isolating, remediating, and deprovisioning devices and virtual assets.

Governance Capability
  Traditional: Agency sets some policies for the lifecycle of their traditional and peripheral computing devices and relies on manual processes to maintain (e.g. update, patch, sanitize) these devices.
  Initial: Agency sets and enforces policies for the procurement of new devices, the lifecycle of non-traditional computing devices and virtual assets, and for regularly conducting monitoring and scanning of devices.
  Advanced: Agency sets enterprise-wide policies for the lifecycle of devices and virtual assets, including their enumeration and accountability, with some automated enforcement mechanisms.
  Optimal: Agency automates policies for the lifecycle of all network-connected devices and virtual assets across the enterprise.

3. Feed your zero trust policy engine with security telemetry

The policy engine is a key component of zero trust architecture. It houses company rules around access, device security, and authentication. But the policy engine can only check rules against the data it’s given. Therefore, the more information you can feed it regarding security, the more accurate and thorough its enforcement becomes. Mature companies link device security to their policy engine and data from security and IT management tools. That’s where an XDR solution comes in.  

[Figure: mature companies link device security to their policy engine and data from security and IT management tools]

Here is a great example of a Zero Trust authentication policy in action:

  • If: A device makes an access request
  • And if: It does not have an active EDR agent on it
  • Then: Do not authenticate
  • And: Send an alert to the Security Operations Center
  • And: Generate a ticket on the IT service management system and notify the user of the need to comply with device security policies

4. Prioritize “continuous” and “automated”

The most common theme across all pillars of the Zero Trust Maturity Model is that continuous and automated processes are required for Optimal maturity. Continuous checks are needed because hackers who log in with compromised credentials may wait a while before acting, or authenticated users may remove a firewall or antivirus software after authentication.

Automation is what enables continuous processes. Humans simply can’t keep pace with what’s required for zero trust maturity. Automated workflows that cross the Zero Trust Maturity Model pillars allow companies to move fast enough to stop cyberattacks before they happen.
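The policy in section 3 (deny when no EDR agent is active, alert the SOC, open a ticket, notify the user) together with the continuous re-evaluation section 4 argues for, as an added example in Python that is not from the article or from Beyond Identity's product. The telemetry fields, rule names and action strings are assumptions, and the device records are constructed; the block also fails closed on stale telemetry, since the engine can only judge the data it is given.

```python
"""Added example (not from the article): a small zero trust policy engine
that decides access from device telemetry, re-evaluates on every update, and
emits the SOC alert / ITSM ticket actions the article's policy describes."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DeviceTelemetry:
    """Security posture a device (or its EDR/XDR agent) reports. Hypothetical fields."""
    device_id: str
    user: str
    edr_agent_active: bool
    firewall_enabled: bool
    disk_encrypted: bool
    reported_at: int  # seconds since epoch; constructed in the examples below


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)  # failed rule names
    actions: List[str] = field(default_factory=list)  # side effects to dispatch


# Policy rules: (name, predicate that must hold for access). Assumed names.
RULES = [
    ("edr_agent_active", lambda t: t.edr_agent_active),
    ("firewall_enabled", lambda t: t.firewall_enabled),
    ("disk_encrypted", lambda t: t.disk_encrypted),
]
MAX_TELEMETRY_AGE = 300  # seconds; older posture data is treated as unknown


def evaluate(t: DeviceTelemetry, now: int) -> Decision:
    """One-time check: the policy engine can only judge the data it is given,
    so stale telemetry fails closed instead of being trusted."""
    failed = [name for name, check in RULES if not check(t)]
    if now - t.reported_at > MAX_TELEMETRY_AGE:
        failed.append("telemetry_stale")
    if not failed:
        return Decision(allow=True)
    # "Then: do not authenticate; And: alert the SOC; And: open an ITSM ticket
    # and notify the user", mirroring the article's example policy.
    return Decision(
        allow=False,
        reasons=failed,
        actions=[
            f"soc_alert:{t.device_id}:{','.join(failed)}",
            f"itsm_ticket:{t.user}:{t.device_id}",
            f"notify_user:{t.user}",
        ],
    )


class SessionMonitor:
    """Continuous re-evaluation: the policy runs again on each telemetry
    update, and an active session is revoked when the device drifts out
    of compliance (e.g. the user disables the firewall after logging in)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # device_id -> user

    def authenticate(self, t: DeviceTelemetry, now: int) -> Decision:
        d = evaluate(t, now)
        if d.allow:
            self.sessions[t.device_id] = t.user
        return d

    def on_telemetry(self, t: DeviceTelemetry, now: int) -> Optional[Decision]:
        if t.device_id not in self.sessions:
            return None  # no session to protect
        d = evaluate(t, now)
        if not d.allow:
            del self.sessions[t.device_id]
            d.actions.append(f"revoke_session:{t.device_id}")
        return d


if __name__ == "__main__":
    # Constructed sample: a compliant laptop that later loses its firewall.
    mon = SessionMonitor()
    ok = DeviceTelemetry("lap-01", "alice", True, True, True, 1000)
    print(mon.authenticate(ok, 1010))
    drifted = DeviceTelemetry("lap-01", "alice", True, False, True, 1100)
    print(mon.on_telemetry(drifted, 1105))
```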

Move to optimal Zero Trust maturity with Beyond Identity

The journey from Traditional to Optimal maturity can be daunting, but it doesn’t have to be. With Beyond Identity, your organization can immediately jump from Traditional to Optimal in the Identity and Device pillars.

Our Zero Trust Authentication is passwordless, phishing-resistant, and easy to use. We’ve already built in continuous and automated processes, decreasing your time-to-deployment.

To learn more about Zero Trust maturity, download A Practitioner’s Guide to the CISA Zero Trust Maturity Model.
