A Guide to the Foundation of Zero Trust Maturity Model

Zero Trust is not intended to be a one-size-fits-all approach. Specific implementations vary with an organization’s size, complexity, network infrastructure, application stack, and compliance needs, so enterprises at home and abroad need guidance on how best to deploy Zero Trust principles and practices in their own environment. Cyber attacks over the last few years have shown how important this subject is to national security the world over. Not surprisingly, then, the Cybersecurity and Infrastructure Security Agency (CISA), part of the United States Department of Homeland Security (DHS), has published detailed guidance on Zero Trust best practices for organizations in the form of its Zero Trust Maturity Model (ZTMM).

Initially developed as a roadmap for federal civilian agencies, CISA’s ZTMM offers clear benefits to any enterprise that needs to develop a cybersecurity strategy and plan for Zero Trust adoption. The ZTMM is structured around five pillars: Identity, Devices, Networks, Applications & Workloads, and Data. It adds three cross-cutting capabilities that span every pillar: Visibility & Analytics, Automation & Orchestration, and Governance. Genians addresses the critical capabilities illustrated below with its Network Access Control (NAC) and Zero Trust Network Access (ZTNA) solutions.

As with Genians, many other security vendors map their products onto the maturity model in similar ways. None of them supports every function the model outlines; no single product or solution is a silver bullet here.

Genians, however, can suggest practical ways to implement the foundation of this model by highlighting the role of NAC and ZTNA (also known as Universal ZTNA).

Let’s look at the major features of Genians by grouping them into three simple but critical domains.

Domain: Observability and Surveillance
Target: All resources (network, devices, users, applications, data, and anything that connects to them)
Features:
· Network discovery
· Traffic flow analysis (NetFlow)
· Device Platform Intelligence
· Real-time network surveillance and anomaly detection
· IP address management
· Switch port management (SNMP)
· WLAN visibility

Domain: Policy Management
Target: Compliance
Features:
· Condition-based node grouping (over 600 predefined attributes/conditions)
· Automated tagging-based IT asset policies
· Device/node type customization
· Dynamic policy assignment driven by changes in endpoint compliance status and in the network
· Cross-configuration of multiple compliance policies
· Coverage of the CIS core requirements

Domain: Access Control
Target: Employees, guests, remote users, non-compliant users and devices, and anything they connect to
Features:
· Microsegmentation
· Authentication and authorization (RADIUS, 802.1X, MFA including FIDO2)
· Multi-layered policy enforcement (ARP, DHCP, 802.1X/RADIUS, SPAN/mirror, Secure Web Gateway, agent)
· Dynamic policy enforcement (RADIUS CoA)
· WLAN security
· Switch security
· Cloud security
· Endpoint security (updates, patch management)
· Open API based integration
· Always-on ZTNA (campus, remote, hybrid)

Required core technologies (common to all three domains):
· Layer 2 based, non-disruptive network sensing and access control
· Granular access control for remote users
· Application visibility and control
· Cloud visibility and control

Most importantly, comprehensive visibility and access control at layer 2 across every network (campus, remote, hybrid, cloud) is critical. Working at layer 2 lets the sensor spot endpoints that emit suspicious broadcast traffic or otherwise behave abnormally, and lets non-compliant devices and users be locked down immediately by correlating intelligence from multiple security products. Genians’ sensor-based NAC fits a dynamically evolving, heterogeneous network because it requires no network changes or upgrades: the same sensor can act as a network monitor, a policy enforcement point, and a Secure Web Gateway (SWG) for campus and remote users. Its Open API also lets it orchestrate other security and business solutions to mitigate risk most effectively.
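To make the layer-2 point concrete, here is an added example (not Genians code) of the kind of logic a sensor applies to ARP traffic: it flags a host that sweeps many addresses in a short window, flags a host that claims an IP address already bound to another MAC (the ARP-poisoning pattern), and maps each finding to an enforcement action. The frame records, MAC addresses, thresholds and action names are constructed for illustration.

```python
"""Toy layer-2 sensor over ARP frames: scan and IP-conflict detection.

Added example, not Genians code. The sample frames, MAC addresses,
thresholds and action names below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpFrame:
    ts: float         # capture time in seconds
    src_mac: str      # Ethernet source address
    sender_ip: str    # ARP sender protocol address
    target_ip: str    # ARP target protocol address
    opcode: int       # 1 = request (broadcast), 2 = reply


# Illustrative thresholds; tune per segment size and DHCP churn.
SCAN_WINDOW_S = 10.0     # sliding window over a host's ARP requests
SCAN_MAX_TARGETS = 20    # distinct targets in that window before flagging


def detect_arp_anomalies(frames):
    """Return findings as (kind, mac, detail) in time order.

    kind is "arp_scan" (many distinct targets within SCAN_WINDOW_S) or
    "ip_conflict" (a sender IP already learned for a different MAC).
    """
    findings = []
    windows = defaultdict(deque)   # mac -> deque of (ts, target_ip) requests
    scan_flagged = set()
    bindings = {}                  # sender_ip -> first MAC seen claiming it
    conflict_flagged = set()

    for f in sorted(frames, key=lambda x: x.ts):
        if f.opcode == 1:
            w = windows[f.src_mac]
            w.append((f.ts, f.target_ip))
            while w and f.ts - w[0][0] > SCAN_WINDOW_S:
                w.popleft()
            distinct = {t for _, t in w}
            if len(distinct) > SCAN_MAX_TARGETS and f.src_mac not in scan_flagged:
                scan_flagged.add(f.src_mac)
                findings.append(("arp_scan", f.src_mac,
                                 f"{len(distinct)} targets in {SCAN_WINDOW_S:.0f}s"))

        if f.sender_ip == "0.0.0.0":
            continue  # RFC 5227 address probe carries no binding to learn
        owner = bindings.setdefault(f.sender_ip, f.src_mac)
        if owner != f.src_mac and (f.src_mac, f.sender_ip) not in conflict_flagged:
            conflict_flagged.add((f.src_mac, f.sender_ip))
            findings.append(("ip_conflict", f.src_mac,
                             f"claims {f.sender_ip} already bound to {owner}"))
    return findings


def enforcement_actions(findings):
    """Pick one action per MAC; the most severe finding wins."""
    severity = {"arp_scan": 1, "ip_conflict": 2}
    action = {1: "restrict_and_notify", 2: "isolate_vlan"}
    worst = {}
    for kind, mac, _ in findings:
        worst[mac] = max(worst.get(mac, 0), severity[kind])
    return {mac: action[s] for mac, s in worst.items()}


# Constructed sample traffic on one segment.
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:fe", "10.0.0.1"
SAMPLE_FRAMES = [
    ArpFrame(0.0, GATEWAY_MAC, GATEWAY_IP, "10.0.0.50", 1),          # gateway asks for a host
    ArpFrame(0.1, "00:11:22:33:44:50", "10.0.0.50", GATEWAY_IP, 2),  # host answers
]
# A workstation sweeping 30 addresses in 1.5 s.
SAMPLE_FRAMES += [ArpFrame(5.0 + i * 0.05, "00:11:22:33:44:02", "10.0.0.2",
                           f"10.0.0.{100 + i}", 1) for i in range(30)]
# A rogue host sending unsolicited replies for the gateway's IP.
SAMPLE_FRAMES += [ArpFrame(8.0 + i, "00:11:22:33:44:03", GATEWAY_IP, "10.0.0.50", 2)
                  for i in range(3)]


if __name__ == "__main__":
    found = detect_arp_anomalies(SAMPLE_FRAMES)
    for finding in found:
        print(*finding)
    print(enforcement_actions(found))
```

The IP-conflict rule deliberately learns the first binding it sees. In production you would seed the table from DHCP leases or the switch's own forwarding and ARP tables, so that a rogue host that speaks first does not become the trusted owner of an address.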

Let’s see how NAC and ZTNA can support cross-cutting capabilities in the maturity model in the event that an organization faces the challenge of preventing risks from malware caused by remote users.

Anticipated response method 1: Web surfing or USB usage not allowed for remote workers
   Pillars and expected stages: Device (Advanced)
   Integrations: UEM + NAC + ZTNA

Anticipated response method 2: Deactivate authentication when malware is detected
   Pillars and expected stages: Identity (Advanced or Traditional); Device (Advanced)
   Integrations: Antivirus or EDR + NAC

Anticipated response method 3: Block all connections when authentication is deactivated
   Pillars and expected stages: Identity (Advanced); Network (Traditional)
   Integrations: Firewall + VPN + NAC + ZTNA

Anticipated response method 4: Comprehensive inspection of files transferred by remote workers
   Pillars and expected stages: Network (Advanced); Application (Advanced)
   Integrations: UEBA + Antivirus + NAC + ZTNA

Anticipated response method 5: Block network traffic from users sending compromised files
   Pillars and expected stages: Network (Traditional); Application (Advanced)
   Integrations: EDR + Firewall + VPN + IPS + NAC

Anticipated response method 6: Announce to all users when compromised files are detected
   Pillars and expected stages: Application (Advanced); Identity (Traditional) or Device (Traditional)
   Integrations: Sandbox + IAM or UEM + NAC + ZTNA

Anticipated response method 7: Network isolation when server malware is detected
   Pillars and expected stages: Network (Traditional); Application (Advanced)
   Integrations: EDR + NAC + ZTNA

Anticipated response method 8: Restore the previous state once malware is removed
   Pillars and expected stages: Identity (Advanced); Device (Advanced); Network (Advanced)
   Integrations: DMS + EDR + NAC + ZTNA

* Endpoint Detection and Response (EDR)
* User and Entity Behavior Analytics (UEBA)
* Unified Endpoint Management (UEM)
* Network Access Control (NAC)
* Zero Trust Network Access (ZTNA)
* Virtual Private Network (VPN)
* Identity and Access Management (IAM)
* Intrusion Prevention System (IPS)
* Disaster Management Solutions (DMS)
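The rows that deactivate authentication, block connections, isolate a host and later restore it all rest on one mechanism the feature list names: dynamic policy enforcement with RADIUS Change of Authorization (RFC 5176). The following is an added example, not Genians code, of how a NAC decision becomes the wire message: an endpoint posture record is mapped to a decision, and that decision is serialized as either a Disconnect-Request or a CoA-Request that moves the session to a VLAN. The packet codes, attribute numbers and authenticator construction follow RFC 2865, RFC 2868 and RFC 5176; the posture fields, VLAN plan, NAS address and shared secret are assumptions made for illustration.

```python
"""Posture decision to RADIUS CoA/Disconnect message (RFC 5176).

Added example, not Genians code. Posture fields, the VLAN plan, the NAS
address and the shared secret are assumptions made for illustration.
"""
import hashlib
import struct
from dataclasses import dataclass

# RADIUS packet codes (RFC 5176)
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
# Attribute types (RFC 2865 / RFC 2868)
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

# Assumed VLAN plan: production, remediation, quarantine.
VLAN_FOR = {"allow": "100", "remediate": "200", "quarantine": "999"}


@dataclass(frozen=True)
class Posture:
    mac: str
    username: str
    av_running: bool
    patch_current: bool
    malware_detected: bool
    mfa_passed: bool


def decide(p):
    """Order matters: the most serious condition wins."""
    if p.malware_detected:
        return "disconnect"      # deactivate the session, then block
    if not p.mfa_passed:
        return "quarantine"
    if not (p.av_running and p.patch_current):
        return "remediate"
    return "allow"               # also the 'restore previous state' path


def _attr(atype, value):
    """Type-Length-Value; Length covers the two header octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _tagged_int(atype, tag, n):
    """RFC 2868 tagged integer: one tag octet, three value octets."""
    return _attr(atype, bytes([tag]) + n.to_bytes(3, "big"))


def build_coa(decision, p, nas_ip, secret, identifier=1):
    """Serialize a Disconnect-Request or a VLAN-changing CoA-Request."""
    code = DISCONNECT_REQUEST if decision == "disconnect" else COA_REQUEST
    attrs = (_attr(USER_NAME, p.username.encode())
             + _attr(CALLING_STATION_ID, p.mac.encode())
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    if code == COA_REQUEST:
        tag = 1
        attrs += _tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        attrs += _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE802)
        attrs += _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + VLAN_FOR[decision].encode())
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # RFC 5176 Request Authenticator: MD5 over the header, 16 zero octets,
    # the attributes and the shared secret. MD5 is what the protocol
    # mandates; protect the transport (RADIUS/TLS) rather than relying on it.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet, secret):
    """What the NAS checks before honouring the request."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth


def parse_attrs(packet):
    """Walk the TLVs after the 20-octet header."""
    out, i = [], 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        out.append((atype, packet[i + 2:i + alen]))
        i += alen
    return out


def vlan_in(packet):
    """VLAN named by Tunnel-Private-Group-Id, or None for a Disconnect."""
    for atype, value in parse_attrs(packet):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            return value[1:].decode()   # drop the tag octet
    return None


if __name__ == "__main__":
    laptop = Posture("00:11:22:33:44:03", "alice", True, True, False, False)
    d = decide(laptop)                                   # 'quarantine'
    pkt = build_coa(d, laptop, "192.0.2.10", b"s3cret")  # TEST-NET NAS, assumed secret
    print(d, pkt[0], len(pkt), vlan_in(pkt))
```

The same decide() path that sends a host to the quarantine VLAN when malware is detected produces the "allow" CoA once EDR reports the host clean, which is the restore step in the last row of the table. Whether a given switch honours a VLAN change via CoA or needs a Disconnect followed by re-authentication depends on the NAS; check its CoA support before building the playbook around it.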

As noted at the outset, Zero Trust is not a one-size-fits-all approach. It also typically takes significant effort to build the correlation and automation processes that modern cybersecurity strategies depend on. NAC-driven ZTNA can nevertheless be considered a core building block, since it provides the fundamental visibility and enforcement described above. It is also a big step toward breaking down IT security silos and realizing the further benefits that follow: centralized visibility, cross-functional collaboration, common data sources and shared threat intelligence, streamlined workflows, policy orchestration, and a consistent user experience.
