This is the second blog of the series: Implementing CISA's Zero Trust Architecture: A Microsoft Approach. CISA uses its maturity model as the guiding thread throughout the architecture, and it can be used as a roadmap to implement and improve your security across the different tenets and capabilities. In this blog, we will define what a maturity model is and what is required to advance to the next level.
Maturity Model: Definition
A maturity model is a conceptual model that measures an organisation's ability to continuously improve in a particular discipline, i.e. the Zero Trust security journey. The model is evaluated against a specific set of data (c) and consists of a sequence of levels (a) that represent the evolution path for behaviours, practices and processes (b).
a - The CISA maturity model contains 4 levels: Traditional, Initial, Advanced and Optimal.
b - It is evaluated against several processes, including:
security policies enforcement
identity and access management
c - The areas of improvement are focused on key elements such as:
interoperability (communication and integration)
Maturity Model: Traditional
This is the starting point, with processes that can be generalised as:
limited in scope
This maturity level represents a stage where most systems are disconnected, tasks and assignments are manual, monitoring is difficult because systems don't work together, and the inventory is created during provisioning and maintained manually, increasing the risk of blind spots and errors.
This stage serves as a baseline to identify issues and concerns, and helps draw a first roadmap prioritising the most critical issues.
Maturity Model: Initial
This level represents the initial modernisation effort, focusing on reducing manual processes and remediating the most crucial concerns previously identified. It also represents the initial interoperability effort, aiming to improve overall visibility (internal and external to the organisation).
Maturity Model: Advanced
In this stage, most processes and policy enforcement are automated, and continuously and automatically monitored. New technologies based on machine learning and artificial intelligence are introduced to supplement the current incident response capabilities. A holistic view of the organisation is established, encompassing internal and external systems.
Maturity Model: Optimal
The organisation's processes are fully automated, continuous monitoring and reporting are centralised, least privilege is adopted across the organisation with just-in-time privileged access, and incident response playbooks are defined and optimised.
This model enables high standards of security, productivity, resilience and cost optimisation.
To conclude this blog, I wanted to briefly mention the deployment approach. During this journey you will configure and enable technologies that will impact users and disturb overall business activities, but will also improve your security posture and modernise the environment. It is essential to test every step of the journey, ensuring you comply with your internal change process and regulations. Microsoft documentation often refers to a ring or phased deployment (also known as canary or evolutionary) to enable a safe deployment that minimises the risk of impacting the business.
There are other deployment approaches, such as greenfield and on/off (or revolutionary) deployment, that can be used in some cases.
Ensure you have the right and sufficient resources and stakeholders engaged, and a strong communication plan.
Finally, you can use the Microsoft maturity model assessment tool to capture a point-in-time reference for a specific tenet of Zero Trust (you will see that the CISA and Microsoft pillars are split slightly differently but aren't fundamentally different):
In the next blog, we will look at the first Zero Trust pillar, identity, at every level of maturity using Microsoft solutions, starting with authentication and MFA.
Thanks for reading!
About William Francillette:
I am a Microsoft Solutions Architect specialized in Microsoft 365, Entra and Azure security products at Threatscape.
I love learning, blogging and coding. My interests are very diverse and span across architecture, security, cloud engineering, automation, DevOps and PowerShell.
I own over a dozen Microsoft certifications and have worked in IT across multiple and diverse industries for over 15 years.