Zero Trust Metrics Track Progress and Program Maturity

Maturity models provide a formal roadmap for measuring an organization's progress in implementing zero trust principles and capabilities. Approaches like the CISA model define levels from initial to optimized that track areas like identity, devices, and networks. Organizations select or create a model and measure their capabilities in relevant areas over time to understand their position along the maturity path. While intended for large enterprises, aspects of maturity models could inform milestone-based approaches for other organizations.

Zero Trust Metrics: Track Progress and Program Maturity


Jennifer Minella, IANS Faculty
Brandon Dunlap, Moderator
AGENDA
• Intro and Planning Measurements
• Measurement Approaches
  • Approach A: Maturity Models
  • Approach B: Risk-Based Progress (Milestone Tracking)
  • Approach C: Ongoing Metrics
• Aligning Measurements to Business Objectives
• Next Steps
3 © 2023 IANS Research. All rights reserved.


Intro and Planning Measurements
When and how to incorporate measurement into your Zero Trust program

When to Consider Measurements
We cover three approaches to measurement. Some measurements can be identified early in a Zero Trust strategy planning process; others arise as projects are initiated; and a final set is relevant as an ongoing pulse of the organization's ability to execute its Zero Trust plans.
The three approaches are:
• Approach A: Maturity Models
• Approach B: Milestone Progress Tracking (the agenda calls this Risk-Based Progress)
• Approach C: Ongoing Metrics
When to Consider Measurements (planning timeline)
1. Initial Information Gathering and Building Internal Team(s)
2. Identifying Objectives for Zero Trust
3. Allocating Budget and Determining Operational Plans
4. Prioritizing Primary Projects Based on Pillar, Protect Surface, or B.U.
5. Initiating Zero Trust Projects
6. Measuring and Tracking Progress

• Everyone uses Approach C: Ongoing Metrics should be constantly evaluated.
• If using Approach A: the Maturity Model is defined early (around steps 1 and 2).
• If using Approach B: Milestone Tracking begins with identifying gaps at step 4 and continues through step 5.
POLL: Which best describes your organization?
• Large, highly regulated, and/or mature
• Mid-Size Enterprise
• Small-Medium Business
• Government
• Education or Not-for-Profit


Measurement Approaches
Maturity models vs. milestone tracking, plus ongoing metrics for all
Measurement Approaches
Approach A: Maturity Models (formal program roadmap)
{ OR }
Approach B: Milestone Tracking (ad-hoc risk-based approach)
{ AND }
Approach C: Ongoing Metrics (ongoing data for decision-making)
Approach 1: Maturity Models
A look at what's beyond CISA for non-federal entities
Maturity Models
WHAT IT IS
A formalized roadmap to track the organization's maturation against Zero Trust principles and capabilities.
WHEN TO USE
Maturity Models (MM) are the way to go for enterprises with a mature cybersecurity program and teams.
WHAT TO USE
U.S. federal agencies rely on CISA's Zero Trust Maturity Model, which defines four stages (Traditional, Initial, Advanced, Optimal) across the Identity, Devices, Networks, Applications and Workloads, and Data pillars. Other sectors lag, but look for vendor-specific models (e.g., Microsoft) and vendor-neutral ones (e.g., CSA). The simplified model below collapses CISA's stages to three.
HOW TO USE
Select or create a Maturity Model and track capabilities for relevant protect surfaces and/or pillars (described soon).
A Simplified Maturity Model (figure, three levels)
• Initial: Identity and policy, but with limited integration. Implicit trust, some integration of systems, but disparate IdPs, partially implemented tools, and no central policy authority.
• Advanced: Observability and conditional access. The addition of dynamic conditional access with a central policy authority; access inputs usually based on a point-in-time posture and lacking dynamic feedback.
• Optimized: Automated dynamic granular access control. Added observability, integration, and automation for truly contextual access based on the postures of users, the target asset, devices, and networks traversed.


Excerpts of a Simplified Maturity Model

| Pillar | Function | Initial | Advanced | Optimized |
|---|---|---|---|---|
| Identity | Authentication | Authenticate identity using either passwords or multifactor authentication (MFA). | Authenticate identity using MFA or passwordless authentication, based on asset sensitivity. | Continuously validate identity, not just when access is initially granted. |
| Device | Access and Posturing | No posturing or data access control beyond basic policies. | Access to data conditional based on endpoint posture. | Access to data factors real-time endpoint posture, with tiers of access based on posture. |
| Network | Network Segmentation | Network segmentation defined with large perimeters/macro-segmentation (VLANs, subnets, VRFs). | Some network architecture defined by ingress/egress microperimeters with some microsegmentation. | Architecture is fully distributed ingress/egress microperimeters, including application workflows. |
| Application | Accessibility | Some critical cloud apps are directly accessible to users over the internet; all others accessible via VPN. | All cloud apps and some on-prem apps are directly accessible to users over the internet; others accessible via VPN. | All applications are directly accessible to users over the internet. |
| Data | Encryption | Data is stored primarily on prem and is unencrypted at rest. | Data is stored in cloud and remote environments where it is encrypted at rest. | All data at rest is encrypted. |


Excerpts of a Simplified Maturity Model (annotated)
The same table, with the speaker's callout on the Identity / Authentication row:
• Initial: No MFA, or MFA applied inconsistently if at all.
• Advanced: MFA enforced, with limited conditional access deployment: policies for specific sensitive data/assets, and applied to the others.
• Optimized: Conditional access policies dynamically based on, e.g., user, role, device, geography, and data classification, with the addition of dynamic posture of the user, device, target, data, etc., which may be triggered in-session.


Approach 2: Milestone Tracking
For organizations without resources for a maturity model
Milestone Progress Tracking
WHAT IT IS
An ad-hoc method of tracking Zero Trust projects by milestones based on a relative risk value.
WHEN TO USE
Perfect for small to midsize organizations that don't currently have the teams or formalized processes required for a Maturity Model, and/or that lack a formalized Zero Trust strategy and are starting with point projects.
WHAT TO USE
You'll make your own tracker using the examples given.
HOW TO USE
Group current project(s), assign a qualitative or quantitative risk value to each gap, and track toward completion.
Assign Risk-Based Value to Gaps
If available, use a controls framework to prioritize and score.

| Scenario | Model | Encrypted | Inspected | Brokered | ZTNA | Least Privilege | MFA | Endpoint or Net Posture |
|---|---|---|---|---|---|---|---|---|
| User "Joe" accessing CRM | SaaS | Yes | No | No | N/A | Yes, by CRM policy or AD group | Yes | No |
| IT Ops accessing Domain Admin and IaaS, remote (VPN) | On-Prem and IaaS | Yes | Yes, at firewall/VPN termination | No | No | No | Yes | Endpoint posture via VPN client |
| Siemens (Vendor) accessing managed X-ray machines | On-Prem | Yes | No | No | No | Partially; VPN tunnel allows access to biomed segment with X-rays | No, but locked to MSP IPs | No |
| … | … | | | | | | | |
| Total score | | | | | | | | |


Track Progress (figure: a bar from Starting Value down to Target Value)
• Total Value / Starting Value: the summed risk value of all scoped gaps.
• Completed: risk reduced through completed projects (equal to 10 points in the example).
• Current Value: 17 in the example.
• Planned or In Progress: the remaining risk value.
• Target Value: where the program intends to stop.
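The milestone tracker described above (group projects, assign each gap a risk value, track toward completion), as an added worked example in Python that is not part of the IANS deck. The control columns mirror the gap table; the weights, criticality multipliers, scenario values, project names and the target value of 10 are constructed assumptions, not figures from the deck.

```python
"""Risk-based milestone tracker for Zero Trust point projects.

Added worked example; not code from the IANS deck. The control columns mirror
the deck's gap table, while the weights, criticality multipliers, scenario
values and projects below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed weight of each control when it is missing (tune to your framework).
CONTROL_WEIGHTS: Dict[str, float] = {
    "encrypted": 2, "inspected": 1, "brokered": 2, "ztna": 2,
    "least_privilege": 3, "mfa": 3, "posture": 2,
}
# Share of a control's weight that still counts as open risk per state.
STATE_FACTOR = {"no": 1.0, "partial": 0.5, "yes": 0.0, "n/a": 0.0}


@dataclass
class Scenario:
    """One access-scenario row: who reaches what, and which controls exist."""
    name: str
    model: str
    controls: Dict[str, str]   # control -> "yes" | "partial" | "no" | "n/a"
    criticality: int = 1       # assumed multiplier, 1 (low) .. 3 (crown jewels)

    def gap_score(self) -> float:
        """Open risk for this row: sum of missing-control weights x criticality."""
        unknown = set(self.controls) - set(CONTROL_WEIGHTS)
        if unknown:
            raise ValueError(f"{self.name}: unknown controls {sorted(unknown)}")
        open_risk = sum(CONTROL_WEIGHTS[c] * STATE_FACTOR[s]
                        for c, s in self.controls.items())
        return open_risk * self.criticality


@dataclass
class Project:
    """A point project that closes one or more control gaps in one scenario."""
    name: str
    scenario: str
    closes: List[str]
    status: str                # "completed" | "in_progress" | "planned"


def apply_projects(scenarios: Iterable[Scenario], projects: Iterable[Project],
                   statuses: set) -> List[Scenario]:
    """Copy the scenarios and mark gaps closed by projects whose status is in `statuses`."""
    by_name = {s.name: Scenario(s.name, s.model, dict(s.controls), s.criticality)
               for s in scenarios}
    for p in projects:
        if p.status in statuses:
            for ctl in p.closes:
                by_name[p.scenario].controls[ctl] = "yes"
    return list(by_name.values())


def total_score(scenarios: Iterable[Scenario]) -> float:
    return sum(s.gap_score() for s in scenarios)


def track_progress(scenarios, projects, target_value: float = 0.0) -> dict:
    """Values shown on the deck's progress chart: starting, current, remaining."""
    starting = total_score(scenarios)
    current = total_score(apply_projects(scenarios, projects, {"completed"}))
    after_planned = total_score(apply_projects(
        scenarios, projects, {"completed", "in_progress", "planned"}))
    span = starting - target_value
    return {
        "starting_value": starting,
        "current_value": current,
        "risk_reduced": starting - current,              # completed projects
        "planned_reduction": current - after_planned,    # planned / in progress
        "remaining_risk_value": current - target_value,
        "target_value": target_value,
        "percent_to_target": round(100 * (starting - current) / span, 1) if span else 100.0,
    }


# Constructed scenarios modelled on the deck's three example rows.
SCENARIOS = [
    Scenario("User Joe -> SaaS CRM", "SaaS", {
        "encrypted": "yes", "inspected": "no", "brokered": "no", "ztna": "n/a",
        "least_privilege": "yes", "mfa": "yes", "posture": "no"}, criticality=1),
    Scenario("IT Ops -> Domain Admin + IaaS via VPN", "On-Prem/IaaS", {
        "encrypted": "yes", "inspected": "yes", "brokered": "no", "ztna": "no",
        "least_privilege": "no", "mfa": "yes", "posture": "yes"}, criticality=3),
    Scenario("Vendor -> managed X-ray machines", "On-Prem", {
        "encrypted": "yes", "inspected": "no", "brokered": "no", "ztna": "no",
        "least_privilege": "partial", "mfa": "no", "posture": "no"}, criticality=2),
]
# Constructed point projects and their status.
PROJECTS = [
    Project("MFA on vendor VPN accounts", "Vendor -> managed X-ray machines",
            ["mfa"], "completed"),
    Project("PAM for domain admins", "IT Ops -> Domain Admin + IaaS via VPN",
            ["least_privilege"], "completed"),
    Project("ZTNA broker for vendor access", "Vendor -> managed X-ray machines",
            ["brokered", "ztna"], "in_progress"),
    Project("Device posture in CRM conditional access", "User Joe -> SaaS CRM",
            ["posture"], "planned"),
]

if __name__ == "__main__":
    for key, value in track_progress(SCENARIOS, PROJECTS, target_value=10).items():
        print(f"{key:>22}: {value}")
```

Two design points matter more than the numbers. Weighting a missing control by the scenario's criticality is what keeps the tracker from rewarding easy wins on low-value systems, which is the "percent complete without a weighted impact scale" trap the metrics section warns about. And `apply_projects` copies the scenario rows rather than mutating them, so the starting value stays reproducible when the tracker is re-run after each project closes.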


POLL: What's your primary role in the organization?
• CISO or primary security leader
• CIO, CTO or primary technical leader
• Technical/Security Contributor or Manager
• Governance, Risk, Compliance or Legal
• Other or not applicable


Approach 3: Ongoing Metrics
Ongoing data points every organization should consider
Ongoing Metrics
WHAT IT IS

Specific metrics, both strategic and functional, that should be measured and
reported on for decision-making support and trending analysis.
WHEN TO USE

Organizations of all sizes and capabilities should use Ongoing Metrics. It’s
okay to start with what’s available and expand later.
WHAT TO USE

We’ll provide a starter list along with prompts to keep you going.
HOW TO USE

Metrics should inform decisions and should align activities and effort with the
overall business objectives. Metrics include strategic and functional as well
as current, past/lagging, and future predictive data.
Metrics To Consider
• Trending analysis, such as reduction of help desk tickets and password resets, in the context of the total scoped user population.
• Comparison of tracked security events/alerts for comparable controls before and after (with the understanding that Zero Trust solutions may offer more visibility and skew the numbers).
• Percent complete metrics in a limited scope, such as % of privileged users/accounts with MFA (vs. % of the total population).

Metrics To Avoid
• Raw data metrics with no context or ratio, such as # of logon failures, # of alerts, etc.
• Percent complete metrics without a weighted impact scale, such as % of endpoints with the XYZ agent installed with no context.
• Tracking toward an unnecessary objective, such as always seeking Optimized (top maturity) in every pillar; goals will vary by organization.


The 31 Flavors of Metrics
• Audience and Decision Level: Strategic | Functional
• Mapped to… Pillars: Identity | Device | Network | Workloads | Data
• Mapped to… Protect Surfaces: On-Prem LAN/WLAN | Legacy On-Prem Apps | IaaS/PaaS | SaaS | User-Based Endpoints | Cellular IoT Endpoints | …
• Temporal: Past/Lagging | Current State | Future/Predictive


Example Metrics to Consider
Includes keeping up with foundational activities such as:
• Data discovery and labeling (ongoing)
• Data destruction (ongoing)
• Data encrypted
• IAM review of access rights (ongoing)
• IAM review of revocations and renewals (ongoing)
• Third party/Vendor access reviews (ongoing)
• Third party/Internal data mapping (ongoing)
• HR/Retention rates for employees with access to sensitive data

Metrics may include: is it happening, at what rate or cadence, and where, or by whom/role/BU. Here's the opportunity for % metrics with context.

To start, review your controls or compliance framework or your MM (if used) and determine what metrics convey DATA THAT CAN BE USED TO MAKE DECISIONS.


Metrics as Decision Inputs
Find metrics that…
• Inform Strategic Decisions: such as hiring, firing, budget allocation, prioritization of projects.
• Inform Functional Decisions: such as what solutions to use, how to tune controls, what project to focus on next.
• Align with the Business: can be traced to one or more specific business objectives.


Aligning Measurements to Business Objectives
Explore the why to align measurements to the business needs
Aligning Measurements to the Business
Business Objectives
• Earn and preserve customer trust
• Earn and preserve employee trust
• Protect brand reputation
• Retain relevancy in the market
• …
Functional Objectives
• Protect internal IP and financial interests
• Protect customer, partner, and employee confidential data
• Reduce the likelihood and impact of security incidents
• Reduce user friction for customers, partners, and employees
• …
Functional Tasks
• Deploy, manage, and monitor security controls to meet objectives, such as to:
  • Apply MFA/2FA and conditional access policies
  • Secure email communications and prevent BEC
  • Label and encrypt confidential data in all locations
• …
POLL: What topic was most helpful or interesting?
• How to track with a Maturity Model
• How to track with Milestones
• Creating metrics for decision-making
• Creating metrics for business alignment
• Something else? Put it in the chat!


Next Steps
Where to go next…
Next Steps
1. Identify where you are in the Zero Trust journey.
2. Identify where you are in capabilities for measurements; can/do you have a
Maturity Model to formalize, do you need to create Milestone Tracking?
3. Evaluate possible Metrics several ways:
• Review controls/MM or objectives and do a blue-sky exercise to work
out what data delivers the information you need.
• Look at what data you have and see if there’s meaningful ways to use it.
• Revisit decisions that have been made in the past and determine what
data would have been helpful in decision support at that time.
• Look forward at decisions to be made and determine what data is most
helpful.
Thank you!
Questions?
Recognize and honor the best
cybersecurity professionals
in the world
Over 12 awards categories available to
address any stage of one’s career from
Rising Star to Senior Professional

Nomination period closes May 12, 2023

Nominate today!

https://isc2-awards.secure-platform.com/site
Thank you for attending this webinar!