The Levels of Zero-Trust Maturity
The ZTMM defines four levels as part of the zero-trust maturity journey.
- Traditional: This level involves manually configuring lifecycles and assigning attributes for security and logging. At this stage, organizations address one pillar at a time with siloed pillars of enforcing policy.
- Initial: Organizations begin using automation to assign and configure lifecycles. They also start integrating security solutions across the pillars — identity, devices, networks, applications and workloads, and data.
- Advanced: In addition to cross-pillar coordination, organizations centralize visibility and identity control and establish changes to least-privilege policies based on their risk and posture assessments.
- Optimal: Organizations fully automate their “just-in-time” lifecycles and establish dynamic least-privilege access as well as cross-pillar interoperability that includes continuous monitoring.
The ZTMM provides guidance to organizations on how to implement zero-trust policies across the five pillars. A zero-trust architecture improves a healthcare organization’s security and lessens the security complexity and operational overhead, according to a Palo Alto Networks blog post.
Bill Kiely, director of cybersecurity architecture and engineering at Children’s Mercy Kansas City in Missouri, says the healthcare companies he has seen are in the initial and traditional stages, but a few have reached the advanced level. Baker agrees that most healthcare organizations are at the traditional stage today.
“It goes up from there to some of the initial levels of zero trust, which is where you start doing some automation,” he says.
Baker explains that the four levels of zero-trust maturity extend separately across the pillars of zero trust. An organization could be at one level for devices but another for networks and data, he notes.
Healthcare organizations vary in their progress of reaching zero-trust levels across pillars. Dearing says some healthcare organizations are advanced, while others are just starting out with the identity pillar. Additional health systems may have implemented multifactor authentication.
“You can end up being optimal in networks but advanced in applications and workloads or initial in data,” Dearing says. “I don’t think that organizations have the capability or the budget to very quickly reach optimal in everything, so doing the thing that addresses the most challenges is probably the most sensible way to do it.”
Dearing says healthcare organizations should not overextend themselves to get to the optimal level in one pillar at the expense of achieving progress toward initial and advanced levels in the other pillars.