Cloud computing, complex supply chains and COVID created rapid change in cyber security. The traditional perimeter-based, “castle and moat” style of network defense is no longer sufficient as digital boundaries defining “inside” and “outside” continue to blur. Zero Trust is the answer to today’s modern security threats. Our Zero Trust Maturity Model demonstrates a roadmap and reference to show where you currently are in implementing a sophisticated defense against those threats.
Our previous posts reviewing our secure remote access maturity model and password management maturity model demonstrated what is required for sophisticated implementations in these respective areas. Now we are joining those elements and more to provide a full view in our Zero Trust Maturity Model.
What is a Zero Trust Maturity Model?
Zero Trust is built upon three principles: never trust a connection, assume a breach has happened or will happen, and grant least-privileged access. This means that as you increase your Zero Trust maturity level, you’ll be verifying users based on multiple data points, segmenting your network, consistently monitoring the network and its users, and controlling their access at a granular level.
Zero Trust Maturity Model Stages
Zero Trust Maturity Level 1: Conventional
This is the typical approach to cybersecurity and where most organizations that haven’t started shifting to Zero Trust are situated. At this level in the Zero Trust Maturity Model, the perimeter-based approach to network defense is enforced. This leaves many holes in the network’s armor, as sophisticated attackers can exploit the inherent trust this conventional style of defense permits.
Once an attacker gains access at this level of defense, they can quickly move across the network, enabling a large-scale attack.
- Typical “castle and moat” style architecture with a verify once and trust identity model.
- Little to no rules around role-based access.
- Network structure is not segmented, leaving the organization exposed to large-scale attacks.
- Logging and monitoring are limited. Organizations don’t know who did what or when.
- High uncertainty around device baselines or compliance. Probable drift and unpatched, exposed devices.
Zero Trust Maturity Level 2: Intermediate
An intermediate-level organization has implemented more rules around access and started to reduce its vulnerabilities, achieving higher levels of security. It’s at this level in the Zero Trust Maturity Model that we see the principles of Zero Trust becoming key features in the security architecture. Least-privileged access, network segmentation, and logging and monitoring begin to become foundational.
This level still lacks the true sophistication of a fully mature Zero Trust implementation, such as finer segmentation, truly granular access that continually verifies users, and security automation.
- Access-based policies gate endpoints, networks and data. The user may still be considered “trusted” after verification has occurred. Permissions are managed manually.
- The network is more segmented, reducing risks of an attack affecting the whole environment or having access to everything.
- Monitoring is implemented to understand what has happened and by whom. You now have more insight into what is happening across the network.
- You track your devices and check baselines, though it is infrequent, and it is a long, manual task.
Zero Trust Maturity Level 3: Advanced
Your Zero Trust baseline is established here. While the intermediate level helped you pave the way, at this level in the Zero Trust Maturity Model you have automated operations, your network is micro-segmented and true Zero Trust policies are enforced company-wide.
- Secure, least-privileged remote access, with its associated roles and controls, is enforced for everyone. Every identity is continually verified; no inherent trust is permitted.
- Your network has been structured into many security zones, each with its own access rules and redundant layers of security.
- You are aware of all your devices and have authenticated them. Your device baselines are checked against your standards to prevent drift or tampering.
- Network monitoring informs you automatically of threats and your threat response is also planned and implemented.
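To make the difference between the Conventional and Advanced levels concrete, here is an added illustration (not code from the original post or from the vendor it describes) of a per-request access decision in the Advanced style: identity is re-verified on every request, the device’s reported posture is compared against a baseline to catch drift, access is scoped to security zones by role, and every decision is logged. All zone names, roles, baseline values and sample requests are constructed for this example, and the verify-once function is included only to show the Level 1 behaviour the bullets above contrast with.

```python
"""Per-request Zero Trust access decision (added example; all names constructed)."""
from dataclasses import dataclass

# Constructed: security zones and the roles permitted in each (least privilege).
ZONE_ACCESS = {
    "corp-apps": {"employee", "engineer", "admin"},
    "build-servers": {"engineer", "admin"},
    "prod-db": {"admin"},
}

# Constructed: the device baseline the organisation enforces.
DEVICE_BASELINE = {"min_os_build": 22000, "disk_encrypted": True, "edr_running": True}

# Constructed: how old a verification may be before the user must re-authenticate.
MAX_AUTH_AGE_SECONDS = 300

# Every decision is recorded so monitoring can answer "who did what, and when".
DECISION_LOG = []


@dataclass
class Request:
    user: str
    roles: set
    mfa_verified: bool
    auth_age_seconds: int
    device_id: str
    device_posture: dict
    zone: str


def device_compliant(posture: dict) -> bool:
    """Compare a device's reported posture against the baseline (drift detection)."""
    return (posture.get("os_build", 0) >= DEVICE_BASELINE["min_os_build"]
            and posture.get("disk_encrypted") is True
            and posture.get("edr_running") is True)


def _check(req: Request) -> tuple:
    """Default deny: every check must pass for a single request to be allowed."""
    if not req.mfa_verified:
        return ("deny", "identity not verified with MFA")
    if req.auth_age_seconds > MAX_AUTH_AGE_SECONDS:
        return ("deny", "verification stale; re-authenticate")
    if not device_compliant(req.device_posture):
        return ("deny", f"device {req.device_id} drifted from baseline")
    allowed_roles = ZONE_ACCESS.get(req.zone)
    if allowed_roles is None:
        return ("deny", f"unknown zone {req.zone}")
    if not (set(req.roles) & allowed_roles):
        return ("deny", f"role not permitted in zone {req.zone}")
    return ("allow", f"{req.user} -> {req.zone}")


def evaluate(req: Request) -> tuple:
    """Evaluate one request, log the outcome, and return (decision, reason)."""
    decision, reason = _check(req)
    DECISION_LOG.append({"user": req.user, "device": req.device_id,
                         "zone": req.zone, "decision": decision, "reason": reason})
    return decision, reason


def conventional_verify_once(on_network: bool, zone: str) -> str:
    """Level 1 behaviour for contrast: anything inside the perimeter is trusted everywhere."""
    return "allow" if on_network else "deny"


# Constructed sample postures and requests.
GOOD_DEVICE = {"os_build": 22621, "disk_encrypted": True, "edr_running": True}
DRIFTED_DEVICE = {"os_build": 22621, "disk_encrypted": True, "edr_running": False}

SAMPLE_REQUESTS = [
    Request("alice", {"engineer"}, True, 60, "lap-01", GOOD_DEVICE, "build-servers"),
    Request("alice", {"engineer"}, True, 60, "lap-01", GOOD_DEVICE, "prod-db"),
    Request("bob", {"admin"}, True, 900, "lap-02", GOOD_DEVICE, "prod-db"),
    Request("bob", {"admin"}, True, 30, "lap-02", DRIFTED_DEVICE, "prod-db"),
]


def run_samples() -> list:
    """Evaluate the constructed requests; returns the decision for each in order."""
    return [evaluate(r)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{req.user:6} {req.zone:14} {decision}")
    # Under the conventional model the same prod-db request from bob's drifted laptop is allowed:
    print("conventional:", conventional_verify_once(True, "prod-db"))
```

The contrast is the point: the Advanced evaluator denies the engineer’s reach into prod-db, the admin whose verification has gone stale, and the admin on a laptop whose EDR has stopped, while the verify-once function allows all of them simply because the session is already inside the perimeter.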
Beyond Zero Trust is as Important as Achieving Zero Trust
We talk a lot about going beyond Zero Trust. Zero Trust should merely be your security baseline. It is an excellent defense. It also leaves room for further improvements. Our Beyond Zero Trust series reviewed the three core principles that take your security further: assessing more than connections, reviewing your supply chain’s strength and severing direct connections.
Factoring these guiding principles into your security will permit even greater levels of security for your business and prepare you to fend off today’s highly sophisticated threats. You’ll account for all the rapid change that has quickly made perimeter-based security so vulnerable.
The Roadmap to Stronger Defense
As we believe in the importance of remaining as secure as possible, we also have our Beyond Zero Trust roadmap, with a full maturity model and design considerations to review. It sets out both what you need in order to attain Zero Trust and what it takes to go beyond it, and guides you along the way. To learn more about achieving Zero Trust for your business or how we can help, you can start a conversation with us here.