1. Identity (ID)
Identities are the common denominator across networks, endpoints, and applications: people, services, or IoT devices.

ID1 - Internal users (employees) perform multi-factor authentication (MFA) to access all business-critical systems/applications/platforms.
    Rationale: MFA is an effective way to strengthen the security of internal user accounts by reducing the attacks that rely on compromised passwords, such as brute force and credential stuffing.
    References: NIST CSF PR.AC-7; ISO 27001 A.1 - 8.5
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

ID2 - External users (third parties) perform MFA to access business-critical systems/applications/platforms.
    Rationale: MFA is an effective way to strengthen the security of external user accounts by reducing the attacks that rely on compromised passwords, such as brute force and credential stuffing.
    References: NIST CSF PR.AC-7; ISO 27001 A.1 - 8.5
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

ID3 - Single sign-on (SSO) (e.g., Azure Active Directory (AAD), Okta, etc.) is used to authenticate internal users to all critical business systems.
    Rationale: SSO improves the user experience and productivity of internal users, who log in only at regular intervals (often once a day), and strengthens security by reducing the number of attack surfaces.
    References: ISO 27001 A.1 - 8.5
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

ID4 - Single sign-on (e.g., Azure Active Directory (AAD), Okta, etc.) is used to authenticate external users to all critical business systems.
    Rationale: SSO improves the user experience and saves external users time, since they log in only at regular intervals (often once a day), and strengthens security by reducing the number of attack surfaces.
    References: ISO 27001 A.1 - 8.5
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

ID5 - A security policy engine is in place to grant access to resources.
    Rationale: The policy engine is the component that decides whether to grant access to a resource by monitoring and enforcing specific rules.
    References: NIST CSF PR.AC-6; ISO 27001 A.1 - 5.15
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

ID6 - The identity and access management (IAM) system integrates with privileged access management (PAM).
    Rationale: Integrating IAM and PAM saves time and simplifies the process of protecting the identities of all users.
    References: ISO 27001 A.1 - 8.2
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

ID7 - Users are granted only the minimum privileges required for their roles to access resources, subject to continuous verification.
    Rationale: Enforcing least privilege together with continuous verification is instrumental in managing privileges effectively.
    References: NIST CSF PR.AC-4; ISO 27001 A.1 - 8.2
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

ID8 - Role-based access control (RBAC) is implemented.
    Rationale: RBAC ensures that users receive different levels of access rights depending on their role.
    References: NIST CSF PR.AC-4; ISO 27001 A.1 - 8.3
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

ID9 - Real-time user risk and sign-in risk detections are enforced when evaluating access requests.
    Rationale: Risk is detected in a timely manner, so the organisation can respond quickly to suspicious behaviour.
    References: NIST CSF DE.CM-1, DE.CM-3
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5
2. Endpoint/Device (EN)
Devices are the various hardware assets that access data over the Internet, such as smartphones, IoT devices, laptops, bring-your-own devices (BYOD), partner-managed devices, and cloud-hosted servers.

EN1 - All corporate-owned devices (workstations and smart devices) are enrolled through a device enrollment manager.
    Rationale: This improves the management and identification of devices.
    References: NIST CSF ID.AM-1
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

EN2 - Internal users' smart devices are enrolled in a mobile device management (MDM) system.
    Rationale: MDM can manage, control, monitor and secure internal users' smart devices.
    References: NIST CSF ID.AM-1
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

EN3 - Access to corporate resources from external users' smart devices is provided through mobile application management (MAM).
    Rationale: MAM helps manage external users' smart devices so that access to data is secured.
    References: NIST CSF PR.AC-3; ISO 27001 A.1 - 6.7
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

EN4 - Both corporate and BYO devices are continuously verified before being granted access to corporate resources.
    Rationale: Zero Trust assumes that devices are not trusted by default.
    References: NIST CSF PR.AC-1; ISO 27001 A.1 - 6.7
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

EN5 - Corporate-owned/managed devices are required to comply with IT configuration policies before access is granted.
    Rationale: This ensures that the configuration of managed devices is known and trusted.
    References: ISO 27001 A.1 - 8.9
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

EN6 - Real-time endpoint detection and response (EDR) tools are used (e.g., FortiEDR).
    Rationale: EDR allows continuous monitoring and understanding of device risks in real time.
    References: ISO 27001 A.1 - 5.26
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5
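The identity items (ID5 policy engine, ID7 least privilege, ID8 RBAC, ID9 sign-in risk) and the device items (EN4 continuous verification, EN5 configuration compliance, EN6 EDR) all feed one access decision. The following Python policy engine is an added illustration of how those signals combine; it is not code from the assessment document. Every user, role, resource, device and risk value is constructed for the example, and the thresholds (MFA freshness, which sensitivity requires a managed device) are assumptions a real deployment would set in policy.

```python
"""Added illustration of a Zero Trust policy engine (not from the assessment document).

Combines identity signals (ID1/ID2 MFA, ID7/ID8 roles, ID9 sign-in risk) and
device signals (EN4/EN5/EN6: managed, compliant, EDR-monitored) into one
decision. All users, roles, resources and thresholds are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List, Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # continue only after a fresh MFA challenge
    DENY = "deny"


@dataclass(frozen=True)
class Identity:
    user: str
    roles: FrozenSet[str]
    mfa_age_minutes: Optional[int]   # None: no MFA performed in this session
    sign_in_risk: str                # "low" | "medium" | "high"


@dataclass(frozen=True)
class Device:
    managed: bool       # enrolled via MDM / device enrollment manager (EN1/EN2)
    compliant: bool     # meets IT configuration policy (EN5)
    edr_healthy: bool   # EDR agent present and reporting (EN6)


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_roles: FrozenSet[str]   # RBAC (ID8)
    sensitivity: str                # "internal" | "confidential"
    max_mfa_age_minutes: int        # how fresh MFA must be for this resource


@dataclass
class Verdict:
    decision: Decision
    reasons: List[str] = field(default_factory=list)


RISK_MFA_FRESHNESS_MINUTES = 5   # assumed: medium-risk sign-ins need MFA this recent


def evaluate(identity: Identity, device: Device, resource: Resource) -> Verdict:
    """Policy decision point; reasons are returned so they can be audit-logged."""
    # 1. Least privilege / RBAC: without a matching role there is nothing to evaluate.
    if not (identity.roles & resource.allowed_roles):
        return Verdict(Decision.DENY, [f"no role of {identity.user} grants {resource.name}"])
    # 2. A high-risk sign-in is denied outright rather than bridged by MFA (ID9).
    if identity.sign_in_risk == "high":
        return Verdict(Decision.DENY, ["sign-in risk is high"])
    # 3. Devices are not trusted by default (EN4): confidential resources need
    #    a managed, compliant and EDR-monitored device.
    if resource.sensitivity == "confidential":
        if not device.managed:
            return Verdict(Decision.DENY, ["confidential resource requires a managed device"])
        if not (device.compliant and device.edr_healthy):
            return Verdict(Decision.DENY, ["device non-compliant or EDR not reporting"])
    # 4. MFA must have happened and be fresh enough for the resource (ID1/ID2).
    if identity.mfa_age_minutes is None:
        return Verdict(Decision.STEP_UP, ["no MFA in this session"])
    if identity.mfa_age_minutes > resource.max_mfa_age_minutes:
        return Verdict(Decision.STEP_UP, [f"MFA older than {resource.max_mfa_age_minutes} min"])
    # 5. Medium risk is tolerated only with a very recent MFA proof.
    if identity.sign_in_risk == "medium" and identity.mfa_age_minutes > RISK_MFA_FRESHNESS_MINUTES:
        return Verdict(Decision.STEP_UP, ["medium sign-in risk requires fresh MFA"])
    return Verdict(Decision.ALLOW, ["role, device and MFA checks passed"])


# Constructed sample resources and device states.
PAYROLL = Resource("payroll", frozenset({"hr", "finance"}), "confidential", 60)
WIKI = Resource("wiki", frozenset({"employee"}), "internal", 480)
MANAGED_OK = Device(managed=True, compliant=True, edr_healthy=True)
MANAGED_DRIFTED = Device(managed=True, compliant=False, edr_healthy=True)
BYOD = Device(managed=False, compliant=False, edr_healthy=False)


def sample_decisions() -> dict:
    """Evaluate the constructed requests and return {case: decision value}."""
    hr = frozenset({"employee", "hr"})
    cases = {
        "finance_on_managed_to_payroll": (Identity("alice", frozenset({"employee", "finance"}), 20, "low"), MANAGED_OK, PAYROLL),
        "employee_without_role_to_payroll": (Identity("bob", frozenset({"employee"}), 20, "low"), MANAGED_OK, PAYROLL),
        "hr_without_mfa_to_payroll": (Identity("carol", hr, None, "low"), MANAGED_OK, PAYROLL),
        "hr_on_byod_to_payroll": (Identity("dave", hr, 10, "low"), BYOD, PAYROLL),
        "hr_on_byod_to_wiki": (Identity("dave", hr, 10, "low"), BYOD, WIKI),
        "hr_on_drifted_device_to_payroll": (Identity("carol", hr, 10, "low"), MANAGED_DRIFTED, PAYROLL),
        "medium_risk_stale_mfa_to_wiki": (Identity("erin", frozenset({"employee"}), 30, "medium"), MANAGED_OK, WIKI),
        "high_risk_to_wiki": (Identity("frank", frozenset({"employee"}), 1, "high"), MANAGED_OK, WIKI),
    }
    return {name: evaluate(*args).decision.value for name, args in cases.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:36s} -> {decision}")
```

The order of checks matters: role and risk are evaluated before the session is asked for a step-up, so a request that could never be granted is never offered an MFA prompt, and the returned reasons give the SOC (VA4) the same context the engine used.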
3. Application & Workload (AW)
Applications and workloads consist of computer programs, systems, and services, whether executed on-premises or in the cloud.

AW1 - Workloads are identified and categorised.
    Rationale: Properly categorising workloads makes it easier to align them with business priorities and helps clarify governance and operations.
    References: NIST CSF ID.AM-2
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

AW2 - Policy-based access control on applications is implemented.
    Rationale: This allows application permissions to be determined by the user's business role.
    References: ISO 27001 A.1 - 5.15
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

AW3 - Session control policies for applications are enforced (e.g., limit visibility or block download/upload).
    Rationale: Session policies allow session security permissions to be customised.
    References: ISO 27001 A.1 - 5.15
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

AW4 - Business-critical applications are connected to a security platform that continuously monitors cloud threats.
    Rationale: Continuous monitoring of cloud threats detects anomalous behaviour in a timely manner.
    References: ISO 27001 A.1 - 8.16
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

AW5 - Workload behaviour anomalies can be detected.
    Rationale: This helps detect anomalies in dynamic workloads.
    References: NIST CSF DE.CM-3; ISO 27001 A.1 - 8.16
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5
4. Data (DA)
In a zero-trust environment, data security is primarily concerned with managing data, classifying data, designing data classification schemas, and encrypting data both in transit and at rest (Cunningham, 2018).

DA1 - Data is classified, labelled, and access-restricted based on its sensitivity.
    Rationale: Through data classification, organisations come to know their data intimately.
    References: NIST CSF ID.AM-5; ISO 27001 A.1 - 5.12
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

DA2 - A cloud security policy engine helps make data access decisions.
    Rationale: The policy engine is an important component of access control.
    References: NIST CSF PR.AC-1; ISO 27001 A.1 - 8.3
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

DA3 - Business-critical/sensitive data at rest is encrypted.
    Rationale: Encryption is an effective way to protect sensitive data at rest.
    References: NIST CSF PR.DS-1; ISO 27001 A.1 - 8.12
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

DA4 - Business-critical/sensitive data in transit is encrypted.
    Rationale: Encryption is an effective way to protect sensitive data in transit.
    References: NIST CSF PR.DS-2; ISO 27001 A.1 - 8.12
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

DA5 - Data loss prevention (DLP) controls are in place to monitor, alert on, or restrict the flow of sensitive information (e.g., blocking email, uploads, or copying to USB).
    Rationale: DLP comprises the tools and processes used to prevent deliberate and accidental data leakage.
    References: NIST CSF PR.DS-5; ISO 27001 A.1 - 8.12
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

DA6 - Authorisation of data access is controlled through a request and approval process.
    Rationale: The request and approval process communicates the information needed to enforce appropriate authorisation.
    References: NIST CSF PR.AC-4
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

DA7 - A formalised data governance programme, including the continual management and maintenance of data schemas, is in place.
    Rationale: Data governance contributes to better data analysis.
    References: NIST CSF ID.GV-4
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5
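DA1 (classify and label by sensitivity) and DA5 (monitor, alert on or block flows of sensitive information) are usually implemented together, and AO2 later asks for the labelling to be automated. The Python below is an added example of that pipeline, not code from the assessment document: content detectors assign a label, and a per-channel policy turns the label into allow, alert or block. The detector patterns, labels, channel names and sample documents are all constructed; the card detector carries a Luhn check so that arbitrary 16-digit numbers (order references, tracking codes) are not misclassified as payment data.

```python
"""Added illustration of automated data classification with a DLP egress check
(not from the assessment document). Covers DA1 (label by sensitivity),
DA5 (monitor / alert / block flows) and AO2 (automated labelling).
Detectors, labels, channels and sample documents are constructed.
"""
import re
from typing import Dict, List, Tuple

# Labels ordered from least to most sensitive; RANK is used for comparisons.
LABELS = ["internal", "confidential", "restricted"]
RANK = {label: i for i, label in enumerate(LABELS)}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: keeps random 13-16 digit numbers from being flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _card_number(match: "re.Match") -> bool:
    return luhn_valid(re.sub(r"\D", "", match.group(0)))


# (pattern, implied label, description, optional validator) - illustrative, not a full PII catalogue
DETECTORS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "restricted", "SSN-like identifier", None),
    (re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), "restricted", "payment card number", _card_number),
    (re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE), "confidential", "confidential marking", None),
]


def classify(text: str) -> Tuple[str, List[str]]:
    """Return (label, findings); the label is the highest one any finding implies.
    Documents with no findings default to 'internal' (assumed conservative default)."""
    label = "internal"
    findings: List[str] = []
    for pattern, implied, description, validator in DETECTORS:
        for m in pattern.finditer(text):
            if validator is not None and not validator(m):
                continue            # pattern matched but failed validation: not a finding
            findings.append(description)
            if RANK[implied] > RANK[label]:
                label = implied
    return label, findings


# Per-channel policy: (highest label allowed, action on violation).
CHANNELS: Dict[str, Tuple[str, str]] = {
    "email_external": ("internal", "block"),
    "usb": ("internal", "block"),
    "cloud_share_internal": ("confidential", "alert"),   # monitored only, not enforced
}


def dlp_action(label: str, channel: str) -> str:
    """'allow' when the label fits the channel, otherwise the channel's violation action."""
    max_label, on_violation = CHANNELS[channel]
    return "allow" if RANK[label] <= RANK[max_label] else on_violation


# Constructed sample documents.
SAMPLE_DOCS = {
    "newsletter": "Reminder: the team picnic is on Friday, bring a dish to share.",
    "card_on_file": "Customer card 4111 1111 1111 1111 is on file for renewals.",
    "shipment": "Shipment reference 1234 5678 9012 3456 dispatched this morning.",
    "plan": "CONFIDENTIAL: Q3 acquisition plan, do not forward.",
    "onboarding": "New hire form lists SSN 123-45-6789 for payroll setup.",
}


def run_samples() -> Dict[str, Tuple[str, str, str]]:
    """Classify each sample; return {doc: (label, email_external action, cloud_share_internal action)}."""
    out: Dict[str, Tuple[str, str, str]] = {}
    for name, text in SAMPLE_DOCS.items():
        label, _ = classify(text)
        out[name] = (label, dlp_action(label, "email_external"), dlp_action(label, "cloud_share_internal"))
    return out


if __name__ == "__main__":
    for name, (label, email, share) in run_samples().items():
        print(f"{name:12s} label={label:12s} email_external={email:5s} cloud_share_internal={share}")
```

The "shipment" document shows the false-positive edge case: its 16-digit reference matches the card pattern but fails the Luhn check, so it stays internal and the external email is allowed, while the genuine card number and the SSN-like value are labelled restricted and blocked on the same channel.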
5. Network (NE)
The network dimension of a zero trust implementation essentially involves segmentation, isolation, and control of the network.

NE1 - Micro-segmentation is implemented for the network environment.
    Rationale: Micro-segmentation improves an organisation's security posture and supports strong regulatory compliance.
    References: NIST CSF PR.AC-5; ISO 27001 A.1 - 8.22
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

NE2 - Access restrictions are enforced based on the context of access requests.
    Rationale: Context-based access control is used to block inappropriate access.
    References: ISO 27001 A.1 - 8.20
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

NE3 - All network traffic is encrypted (e.g., using digital certificates).
    Rationale: Encrypting network traffic helps prevent unauthorised access.
    References: NIST CSF PR.PT-4; ISO 27001 A.1 - 8.20
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

NE4 - Ingress and egress points of the network are protected by a next-generation firewall.
    Rationale: Next-generation firewalls are an effective way to handle ingress and egress threats.
    References: ISO 27001 A.1 - 8.20
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5
6. Infrastructure (IN)
Infrastructure can be described as the hardware, software (open source, first- and third-party), microservices (functions, APIs), networking infrastructure, facilities and so forth necessary to develop, test, deliver, monitor, or support IT services, whether local or multi-cloud (Microsoft, 2021).

IN1 - The risk profile of the cloud architecture is understood and a cloud infrastructure protection plan has been developed.
    Rationale: This measures the risks of the cloud architecture and puts a protection plan in place in advance of malicious attacks.
    References: ISO 27001 A.1 - 5.23
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

IN2 - There is the capability to detect and quickly respond to security incidents (SIEM) in the cloud architecture.
    Rationale: This secures the cloud architecture by detecting and quickly responding to security incidents.
    References: ISO 27001 A.1 - 5.23
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

IN3 - Access to cloud services is protected by a secure web gateway (SWG).
    Rationale: An SWG makes Internet access safer and protects data transfer.
    References: ISO 27001 A.1 - 5.23
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

IN4 - A vulnerability management solution ensures that security vulnerabilities on any infrastructure device are identified and patched within a prescribed time frame (e.g., 48 hours).
    Rationale: Vulnerability management enhances the security of infrastructure devices.
    References: NIST CSF PR.IP-12
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5
7. Visibility & Analytics (VA)
Visibility and analytics mean making all security-relevant activity on the network visible and understanding it through analytics.

VA1 - Network discovery tools, flow analysis tools, or packet capture tools are used regularly to capture and analyse network traffic.
    Rationale: This captures, examines and analyses network traffic for potential attacks or malicious abuse.
    References: ISO 27001 A.1 - 8.20
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

VA2 - Network metadata analysis tools are applied (e.g., LogRhythm NetworkXDR, Awake, Corelight).
    Rationale: Analysing network metadata is an effective way to monitor network communications.
    References: ISO 27001 A.1 - 8.20
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

VA3 - Real-time device risk analysis is performed, integrated with user behaviour analytics (UBA).
    Rationale: Real-time device risk analysis is used to identify abnormal devices.
    References: NIST CSF DE.CM-3; ISO 27001 A.1 - 8.16
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

VA4 - Security operations center (SOC) analysts monitor 24/7.
    Rationale: SOC analysts monitor security and access activity and report cyber attacks through analysis.
    References: ISO 27001 A.1 - 8.16
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5
8. Automation & Orchestration (AO)
Automation and orchestration comprise the use of tools and technologies to automate and orchestrate processes across the organisation.

AO1 - Automated tools or techniques are used to manage and control network segmentation.
    Rationale: This deploys network segmentation efficiently.
    References: NIST CSF PR.AC-5; ISO 27001 A.1 - 8.22
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

AO2 - Automated data classification and labelling is implemented.
    Rationale: Data classification and labelling can be done productively.
    References: NIST CSF PR.DS-5
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

AO3 - Anomaly detection is automated.
    Rationale: This achieves greater efficiency in detecting anomalies.
    References: NIST CSF DE.DP-5
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5

AO4 - Remediation actions for security incidents are automated.
    Rationale: This facilitates effective remediation of security incidents.
    References: NIST CSF RS.RP-1; ISO 27001 A.1 - 5.26
    Score (0-5): 0 | 1 | 2 | 3 | 4 | 5