Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
GDPR Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Knowledge Center
Certificates & Training
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
Advanced Cloud Security Practitioner (ACSP) Training
Get Involved
Become an Instructor
Become a Training Partner
Train my entire team
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Architectures and Components
Enterprise Architecture
Hybrid Cloud Security
Emerging Technologies
Blockchain/Distributed Ledger
Quantum-safe Security
Securing DevOps
Application Containers and Microservices
DevSecOps
Security Services
Enterprise Resource Planning
Software-Defined Perimeter
Zero Trust
Threat Intelligence
Global Security Database (GSD)
Top Threats
View all topics
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
GDPR Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Knowledge Center
Certificates & Training
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
Advanced Cloud Security Practitioner (ACSP) Training
Get Involved
Become an Instructor
Become a Training Partner
Train my entire team
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Architectures and Components
Enterprise Architecture
Hybrid Cloud Security
Emerging Technologies
Blockchain/Distributed Ledger
Quantum-safe Security
Securing DevOps
Application Containers and Microservices
DevSecOps
Security Services
Enterprise Resource Planning
Software-Defined Perimeter
Zero Trust
Threat Intelligence
Global Security Database (GSD)
Top Threats
View all topics
Cloud 101CircleEventsBlog
Sign In

Understanding the Two Maturity Models of Zero Trust

Home
Industry Insights
Understanding the Two Maturity Models of Zero Trust

Blog Article Published: 05/17/2023

Written by John Kindervag, Senior Vice President, Cybersecurity Strategy, ON2IT Cybersecurity.

The top mistake in the Zero Trust world is monolithic thinking. There has become the belief that eating the entire elephant in one bite is possible. Organizations' top mistake is trying to deploy all of their Zero Trust environments simultaneously. They go too big. The failure is immediate. These organizations spend all of their time thinking and arguing about Zero Trust but never get around to actually doing it.

The second and interrelated mistake is to think too tactically. The focus becomes solely on products and technology. Strategy is thrown out the window. This hyper-focus on technology loses the objective of cybersecurity: to protect something.

This makes measuring progress more difficult. I am convinced that the optimal way to measure progress in cybersecurity is through maturity.

While at Forrester Research, I worked on our overarching enterprise cybersecurity maturity assessment project. Later, I adapted that into the first maturity model for Zero Trust in the report: ā€œAsses Your Network Security Architecture with Forresterā€™s Zero Trust Maturity Model.ā€. (Note: I authored the report in late 2016, but it was published in 2017 after I left Forrester. This is why I am listed third on the byline.)

first page of the ā€œAsses Your Network Security Architecture with Forresterā€™s Zero Trust Maturity Modelā€ report

Figure 1

Over the years, I had the opportunity to refine the model during real client engagements. This model was codified in the NSTAC report. You dive in deeper by looking at Appendix A.

A simplified graphic is seen below. This is the graphic I use to explain the model during presentations, including the one that I did for CSA recently.

Zero Trust Maturity Model

Figure 2

You will notice that this Maturity Model is based on the 5 Step process for Zero Trust and is scored on a per Protect Surface basis. It uses the standard 5-level maturity paradigm originally developed by Carnegie Mellon University.

Each Protect Surface is scored individually. The model requires the identification of both the Protect Surface and the DAAS element. This way, we are breaking up the maturity scoring into manageable bite-sized chunks. An example using Directory Services as the Protect Surface is seen in Appendix A of the NSTAC report.

This means that if a Protect Surface is fully optimized, then it would be scored with a maximum score of 25 points. At ON2IT, we rarely see this.