
	ZeroTrustMaturity.com A resource to assess your organization's Zero Trust Maturity

General Info

The Zero Trust Maturity Model (ZTMM)

The Zero Trust Maturity Model was developed to help organizations calculate their current Zero Trust Maturity across all domains of Zero Trust as defined on the About ZT tab above. The benefit of knowing your current Zero Trust maturity is to aid you in developing a roadmap towards achieving higher levels of Zero Trust maturity which will correspond to what will likely be a significantly lower cyber risk (among many other benefits).

The assessment is comprised of 131 items which are an amalgamation of items related to Zero Trust across all 7 domains.

The overall ZT maturity assessment value will be the minimum maturity level of any of the 5 pillars (Identity, Data, Network, Workload, and Devices) if any of the maturity levels of the pillars is less than 3. This is because maturity levels 1-2 cover the foundational elements of cyber security and they must be completed before the rest of the journey towards higher levels of Zero Trust maturity can begin. Once each of the pillars has achieved at least a level 3 maturity, the overall ZT maturity will be the average of the maturity levels across all 7 domains of ZT (the pillars plus visibility & analytics and orchestration & automation).

The generated report from the free version of the assessment (excerpts from a sample ZT maturity report) will include a breakdown of the scores across the 7 domains, the ZT maturity across the 7 domains, an overall Zero Trust maturity score for the organization, as well as the values input for the 131 items. The assessment can be completed in stages with the interim values stored for subsequent sessions. You can also update the scores for each of the items indefinitely.

About

ZeroTrustMaturity.org and the Zero Trust Maturity Model were developed by Dr. Andrew Aken (LinkedIn address: linkedin.com/in/ajaken). Dr. Aken has over 20 years of experience in cyber security (as well as software engineering, network & systems architecture, and many other IT areas) while working at various roles and levels within different organizations. Dr. Aken also was a leader in the development of the Cyber Security degree program at an Oklahoma university and a leader in the development of the point of view & marketing strategy for Zero Trust at one of the big 4 consulting firms. He has conducted Zero Trust maturity assessments and created roadmaps for achieving higher levels of Zero Trust maturity at several large and well-known organizations.

The model for Zero Trust Maturity encapsulated in this comprehensive assessment relies upon not only Dr. Aken's experience in this area, but also upon Zero Trust models developed by several others. The assessment itself is vendor agnostic and does not promote the utilization of any particular vendor's solutions.

In case you're curious about where the logo for ZeroTrustMaturity originated from, it's made from Ziti pasta which shares its name with the acronym for Zero Trust (ZT).

And, if you're interested in what skills employers are looking for in Computer Science, Management Information Systems, or Information Technology graduates, check out my other site at dogs-it.org (The Degree-Oriented Guide to Skills in Information Technology).

Privacy Policy

Any information entered here will never be shared with any 3rd parties other than in aggregate form. Your contact and organizational information will not be shared with anyone in any form. We take privacy & security very seriously here.

The primary purpose of the data entered here will be to help you on your journey towards achieving a higher level of Zero Trust maturity. The aggregate form of the data entered here will be to help you compare your maturity to others within your industry and organizational size. It may also be utilized in the aggregate form to show trends across all organizations, industries, and organizational sizes.

All personally identifiable information (PII) will be stored encrypted.

About ZT

About Zero Trust

"Never implicitly trust, always and continuously verify"

Zero Trust is a relatively new security paradigm which goes beyond the traditional defense-in-depth perimeter-based strategy and treats all communications and resource requests as initially untrusted and requiring continuous verification before access to those resources is granted. One of the greatest benefits of Zero Trust is that it can eliminate lateral movement from a compromised system within a network.

The recent Executive Order on Improving the Nation's Cybersecurity defines "the term “Zero Trust Architecture” [to mean] a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever[al criteria]."

The views of Zero Trust embodied in the Zero Trust Maturity Model which is assessed within this application adhere to the Executive Order's definition and are primarily derived from the Zero Trust eXtended (ZTX) model developed by Forrester. In this model of Zero Trust, the foundation is built upon a robust understanding of the environment that the organization operates in and that the organization is at least doing the basics as it relates to cybersecurity (e.g, the CIS top 18 (formerly the SANS top 20)). Then, the 7 domains of Zero Trust are built upon that foundation. Those domains are: Users (a/k/a people or identity), Endpoints (a/k/a devices), Data, Networks, Workloads (a/k/a applications), Visibility & Analytics, and Automation & Orchestration. The outcome of moving towards Zero Trust is increased Governance (as well as reduced risk, improved user experience, lower costs, speedier & more reliable software development, and a variety of other positive outcomes).

It is these 7 domains as well as The Basics that are the inspiration behind the assessment criteria in the Zero Trust Maturity Model utilized here.

Following are some links to various podcasts, presentations, and panel discussions which discuss this point of view on Zero Trust as well as the Zero Trust Maturity Model:

Panel - Avoid zero trust in your new framework - Zero Trust Interactive Forum @ Cloud & Cyber Security Expo (must register to watch)

IAM in a Zero Trust world - IDM DACH

What is Zero Trust and why should I care? - AFCEA

User Behavior Analytics & The Zero Trust Approach - A Veriato Podcast

Guilty until proven innocent? Zero Trust in practice - teissTalk

Services

Service levels for ZeroTrustMaturity

Service Level	Security Architect	CISO	vCISO	Big-X Consulting
Features	At the free "Security Architect" level you can create a single user account to conduct a Zero Trust maturity assessment for one organization. Edit the maturity assessment indefinitely to complete the assessment in multiple stages or to update progress towards improving Zero Trust maturity View a report of the organization's Zero Trust maturity across all 7 domains	All of the features of "Security Architect" level plus: Conduct and save multiple assessments to track progress of your Zero Trust maturity over time Set target levels of maturity for each item Generate a report of your progress towards achieving your desired levels of Zero Trust maturity with expected risk reduction once targets have been achieved	All of the features of "CISO" level plus: Unlimited number of organizations to create, edit, and view assessments for	All of the features of "vCISO" level plus: Up to 1000 user accounts with varying privileges to create, edit, and/or view assessments
Features	ZeroTrustMaturity.org	ZeroTrustMaturity.com	ZeroTrustMaturity.pro	ZeroTrustMaturity.pro
Price	Free Forever	$TBD/month	$TBD/month	Contact Sales

Note:Not all service levels are currently available. But, they will be coming soon

Other services:

If you would like someone to come in to conduct a Zero Trust assessment of your organization or to validate your own assessment, contact Sales.

Contact

The Zero Trust Maturity Model (ZTMM)

For more information regarding this application contact Andrew Aken at andrew.aken@zerotrustmaturity.org.