Understanding the Two Maturity Models of Zero Trust

Written by John Kindervag, Senior Vice President, Cybersecurity Strategy, ON2IT Cybersecurity.

The top mistake in the Zero Trust world is monolithic thinking. There has become the belief that eating the entire elephant in one bite is possible. Organizations' top mistake is trying to deploy all of their Zero Trust environments simultaneously. They go too big. The failure is immediate. These organizations spend all of their time thinking and arguing about Zero Trust but never get around to actually doing it.

The second and interrelated mistake is to think too tactically. The focus becomes solely on products and technology. Strategy is thrown out the window. This hyper-focus on technology loses the objective of cybersecurity: to protect something.

This makes measuring progress more difficult. I am convinced that the optimal way to measure progress in cybersecurity is through maturity.

While at Forrester Research, I worked on our overarching enterprise cybersecurity maturity assessment project. Later, I adapted that into the first maturity model for Zero Trust in the report: “Asses Your Network Security Architecture with Forrester’s Zero Trust Maturity Model.”. (Note: I authored the report in late 2016, but it was published in 2017 after I left Forrester. This is why I am listed third on the byline.)

Figure 1

Over the years, I had the opportunity to refine the model during real client engagements. This model was codified in the NSTAC report. You dive in deeper by looking at Appendix A.

A simplified graphic is seen below. This is the graphic I use to explain the model during presentations, including the one that I did for CSA recently.

Figure 2

You will notice that this Maturity Model is based on the 5 Step process for Zero Trust and is scored on a per Protect Surface basis. It uses the standard 5-level maturity paradigm originally developed by Carnegie Mellon University.

Each Protect Surface is scored individually. The model requires the identification of both the Protect Surface and the DAAS element. This way, we are breaking up the maturity scoring into manageable bite-sized chunks. An example using Directory Services as the Protect Surface is seen in Appendix A of the NSTAC report.

This means that if a Protect Surface is fully optimized, then it would be scored with a maximum score of 25 points. At ON2IT, we rarely see this.

Next, all the Protect Surfaces can aggregate to define an overall score for the organization as well as an average score per Protect Surface. In this example, we can see the average mature score is 3.8. We can also see the maturity distribution across all Protect Surfaces. With this information, the organization can focus on targeting specific low-maturity Protect Surfaces for enhancement.

So, how does the new CISA Zero Trust Maturity Model Fit in? This Maturity Model actually integrates well into the 5 Step Maturity Model. You should think about them as complementary.

Figure 5

I recently had the opportunity to go to CISA’s headquarters to discuss this topic with several of the individuals who created this document, including CSA Zero Trust steering committee members Sean Connelly and John Simms. We discussed how you could define the proper technologies used in each step of the 5-Step Process.

Much of the mapping between the Per Protect Surface Maturity Model and the CISA Maturity Model is done in Step 3: Architect a Zero Trust Environment. Below is an example of how this appears in the ON2IT AUXO Managed Services Portal.

Figure 6

You can see which controls have been implemented and where controls are still needed. In our portal, a report can then be generated mapping the Protect Surfaces back to either the Forrester ZTX Framework or the CISA Maturity Model.

Speaking of Forrester’s ZTX Framework, it is really the precursor to the Pillar Maturity Models. Created by Dr. Chase Cunningham while he was at Forrester Research, it was designed to complement the Per-Protect Surface Maturity Model. This history has been lost, but it’s important to understand the intent of the Framework and how that led to “the Pillars.” But Chase and his team at Forrester deserve credit here.

Figure 7 (licensed version)

So, which Maturity Model do you use? The answer is both. Note that CISA’s documentation states, “CISA’s ZTMM is one of many paths to support the transition to zero trust.”

Too many organizations take the Pillar model too literally, and that leads to significant implementation issues. For example, one organization has started with the Identity pillar, thinking that they need to move from left to right. They believe that must fix all the identity issues in the organization and then move on to the devices pillar. This is an impossible task. This organization has identified several thousand systems that need identity upgrades. They, like most organizations, must use multiple different identity solutions across the organization. So even if they could optimize the identity solution for one system (Level 4 in the CISA model), the aggregate maturity level for all systems would remain at one. This will probably be the case for perpetuity.

A simpler and more effective solution would be to take a single Protect Surface and then map the existing controls across the pillars and determine the maturity gaps. Taking that information, then the organization can create a project to improve the maturity of that Protect Surface. Then you generate a report that maps the maturity of that Protect Surface back to the CISA model, and viola, you can see progress happen in a short timeframe.

Develop and demonstrate an in-depth understanding of Zero Trust with CSA’s Certificate of Competence in Zero Trust (CCZT). Learn more here.