Zero Trust Made Simple

Rapid Self Assessment for Your Zero Trust Needs

Score yourself using our mini-assessment tool. Easily identify your organization’s Zero Trust Maturity in each of the following categories:

This is a mini-assessment, to request a full in-person assessment

Click Here

Your Zero Trust

Assessment Result

Identity

Devices

Networks

Applications and Workloads

Data

Cross-Cutting Capabilities

Details

1.0 Identity

Authentication

1.1 How does the system authenticate user identity?

The system does not authenticate the user. By using passwords or MFA with static access for entity identity. By using MFA, which may include passwords as 1 factor and requires validation of multiple attributes. By beginning to authenticate all identity using Phishing-resistant MFA and attributes, including initial implementation of password-less MFA via FIDO2 or PIV. By continuously validating identity with Phishing-resistant MFA, not just when access is initially granted.

Governance Capability

1.2 How does the system implement policies for enterprise-wide enforcement?

The system does not implement policies for enforcement. System implements identity policies (authentication, credentials, access, lifecycle, etc.) with enforcement via static technical mechanisms and manual review. System defines and begins implementing identity policies for enterprise-wide enforcement with minimal automation and manual updates. System implements identity policies for enterprise-wide enforcement with automation and updates policies periodically. System implements and fully automates enterprise-wide identity policies for all users and entities across all systems with continuous enforcement and dynamic updates.

Identity Stores

1.3 What kind of identity store mechanism does the system use?

The system does not store the user identity. System only uses self-managed, on-premises, identity stores. System has a combination of self-managed identity stores and hosted identity store (e.g. Cloud or other system) with minimal integration between the store(s) (e.g., Single Sign on.). System begins to securely consolidate and integrate some self-managed and hosted identity stores. System securely integrates their identity stores across all partners and environments as appropriate.

2.0 Devices

Policy Enforcement & Compliance Monitoring

2.1 How does the system secure all devices and manage risk?

The system does not secure all devices nor manage risk. System has limited, if any, visibility (i.e., ability to inspect device behavior) into device compliance with few methods of enforcing policies or managing software, configurations, or vulnerabilities. System receives self-reported device characteristics (e.g., keys, tokens, users, etc., on the device) but has limited enforcement mechanisms. system has a preliminary, basic process in place to approve software use and push updates and configuration changes to devices. System has verified insights (i.e., an administrator can inspect and verify the data on device) on initial access to device and enforces compliance for most devices and virtual assets. system uses automated methods to manage devices and virtual assets, approve software, and identify vulnerabilities and install patches. System continuously verifies insights and enforces compliance throughout the lifetime of devices and virtual assets. system integrates device, software, configuration, and vulnerability management across all system environments, including for virtual assets.

Visibility and Analytics Capability

2.2 How does the system maintain inventory of all physical devices and virtual assets and conduct monitoring and anomaly detection?

The system does not maintain an inventory of all physical devices and virtual assets. System uses a physically labeled inventory and limited software monitoring to review devices on a regular basis with some manual analysis. System uses digital identifiers (e.g., interface addresses, digital tags) alongside a manual inventory and endpoint monitoring of devices when available. Some system devices and virtual assets are under automated analysis (e.g., software-based scanning) for anomaly detection based on risk. System automates both inventory collection (including endpoint monitoring on all standard user devices, e.g., desktops and laptops, mobile phones, tablets, and their virtual assets) and anomaly detection to detect unauthorized devices. System automates status collection of all network connected devices and virtual assets while correlating with identities, conducting endpoint monitoring, and performing anomaly detection to inform resource access. system tracks patterns of provisioning and/or deprovisioning of virtual assets for anomalies.

Asset & Supply Chain Risk Management

2.3 Does the system track all physical and virtual devices and manage supply chain risk?

No, the system doesn't not track devices or manage supply chain risk. System does not track physical or virtual assets in an enterprise-wide or cross vendor manner and manages its own supply chain acquisition of devices and services in ad hoc fashion with a limited view of enterprise risks. System tracks all physical and some virtual assets and manages supply chain risks by establishing policies and control baselines according to federal recommendations using a robust framework, (e.g., NIST SCRM.). System begins to develop a comprehensive enterprise view of physical and virtual assets via automated processes that can function across multiple vendors to verify acquisitions, track development cycles, and provide third-party assessments. System has a comprehensive, at-or near real-time view of all assets across vendors and service providers, automates its supply chain risk management as, applicable, builds operations that tolerate supply chain failures, and incorporates best practices.

3.0 Networks

Network Segmentation

3.1 How does the system define the network architecture?

The system does not define the network architecture. System defines their network architecture using large perimeter/macro-segmentation with minimal restrictions on reachability within network segments. system may also rely on multi-service interconnections (e.g., bulk traffic VPN tunnels). System begins to deploy network architecture with the isolation of critical workloads, constraining connectivity to least function principles, and a transition toward service-specific interconnections. System expands deployment of endpoint and application profile isolation mechanisms to more of their network architecture with ingress/egress micro-perimeters and service specific interconnections. System network architecture consists of fully distributed ingress/egress micro-perimeters and extensive micro-segmentation based around application profiles with dynamic just-in-time and just-enough connectivity for service-specific interconnections.

Visibility and Analytics Capability

3.2 What type of network monitoring capabilities does the system use?

The system does not perform network monitoring. System incorporates limited boundary-focused network monitoring capabilities with minimal analysis to start developing centralized situational awareness. System employs network monitoring capabilities based on known indicators of compromise (including network enumeration) to develop situational awareness in each environment and begins to correlate telemetry across traffic types and environments for analysis and threat hunting activities. System deploys anomaly based network detection capabilities to develop situational awareness across all environments, begins to correlate telemetry from multiple sources for analysis, and incorporates automated processes for robust threat hunting activities. System maintains visibility into communication across all system networks and environments while enabling enterprise-wide situational awareness and advanced monitoring capabilities that automate telemetry correlation across all detection sources.

Network Traffic Management (New Function)

3.3 How does the system manage internal and external network traffic?

The system does not manage network traffic. System manually implements static network rules and configurations to manage traffic at service provisioning, with limited monitoring capabilities (e.g., application performance monitoring or anomaly detection) and manual audits and reviews of profile changes for mission critical applications. System establishes application profiles with distinct traffic management features and begins to map all applications to these profiles. system expands application of static rules to all applications and performs periodic manual audits of application profile assessments. System implements dynamic network rules and configurations for resource optimization that are periodically adapted based upon automated risk-aware and risk-responsive application profile assessments and monitoring. System implements dynamic network rules and configurations that continuously evolve to meet application profile needs and reprioritize applications based on mission criticality, risk, etc.

4.0 Applications and Workloads

Application Access (Formerly Access Authorization)

4.1 How does the system authorize application access?

The system does not authorize application access. System authorizes access to applications primarily based on local authorization and static attributes. System begins to implement authorizing access capabilities to applications that incorporate contextual information (e.g., identity, device compliance, and/or other attributes) per request with expiration. System automates application access decisions with expanded contextual information and enforced expiration conditions that adhere to least privilege principles. System continuously authorizes application access, incorporating real-time risk analytics and factors such as behavior or usage patterns.

Visibility and Analytics Capability

4.2 Does the system perform security monitoring of all applications to maintain enterprise-wide comprehensive visibility?

No, the system not perform security monitoring for visibility. System performs some performance and security monitoring of mission critical applications with limited aggregation and analytics. System begins to automate application profile (e.g., state, health, and performance) and security monitoring for improved log collection, aggregation, and analytics. System automates profile and security monitoring for most applications with heuristics to identify application-specific and enterprise-wide trends and refines processes over time to address gaps in visibility System performs continuous and dynamic monitoring across all applications to maintain enterprise-wide comprehensive visibility.

Application Threat Protections (Formerly Threat Protections)

4.3 How does the system integrate threat protections into all application workflows?

The system does not integrate threat protection into application workflows. System threat protections have minimal integration with application workflows, applying general purpose protections for known threats. System integrates threat protections into mission critical application workflows, applying protections against known threats and some application specific threats. System integrates threat protections into all application workflows, protecting against some application-specific and targeted threats. System integrates advanced threat protections into all application workflows, offering real-time visibility and content-aware protections against sophisticated attacks tailored to applications.

5.0 Data

Data Inventory Management

5.1 How does the system identify and manage data inventory?

The system does manage data inventory. System manually identifies and inventories some system data (e.g., mission critical data). System begins to automate data inventory processes for both on-premises and in cloud environments, covering most system data, and begins to incorporate protections against data loss. System automates data inventory and tracking enterprise-wide, covering all applicable system data, with data loss prevention strategies based upon static attributes and/or labels. System continuously inventories all applicable system data and employs robust data loss prevention strategies that dynamically block suspected data exfiltration.

Data Categorization

5.2 How does the system implement data categorization?

The system does not perform data categorization System employs limited and ad hoc data categorization capabilities. System begins to implement a data categorization strategy with defined labels and manual enforcement mechanisms. System automates some data categorization and labeling processes in a consistent, tiered, targeted manner with simple, structured formats and regular review. System automates data categorization and labeling enterprise-wide with robust techniques; granular, structured formats; and mechanisms to address all data types.

Data Availability

5.3 What mechanisms does the system use to make data available including historical data?

The system does track historical data. System primarily makes data available from on-premises data stores with some off-site backup System makes some data available from redundant, highly available data stores (e.g., cloud) and maintains off-site backups for on-premises data. System primarily makes data available from redundant, highly available data stores and ensures access to historical data. System uses dynamic methods to optimize data availability, including historical data, according to user and entity need.

6.0 Cross-Cutting Capabilities

Visibility and Analytics

6.1 Does the system maintain a comprehensive visibility that informs policy decisions and facilitate response activities?

No, the system does not maintain visibility into policy decisions and facilitate response activities. System manually collects limited logs across their enterprise with low fidelity and minimal analysis. System begins to automate the collection and analysis of logs and events for mission critical functions and regularly assesses processes for gaps in visibility. System expands the automated collection of logs and events enterprise-wide (including virtual environments) for centralized analysis that correlates across multiple sources. System maintains comprehensive visibility enterprise-wide via centralized dynamic monitoring and advanced analysis of logs and events.

Governance

6.2 How does the system implement policies for enterprise-wide enforcement?

The system does not implement policies for enforcement. System implements policies in an ad hoc manner across the enterprise, with policies enforced via manual processes or static technical mechanisms. System defines and begins implementing policies for enterprise-wide enforcement with minimal automation and manual updates. System implements tiered, tailored policies enterprise wide and leverages automation where possible to support enforcement. Access policy decisions incorporate contextual information from multiple sources. System implements and fully automates enterprise-wide policies that enable tailored local controls with continuous enforcement and dynamic updates.

Automation and Orchestration

6.3 Does the system have automation and orchestration capabilities to support robust and streamlined operations to handle security incidents and respond to events as they rise?

No, the system does not have automation capabilities. System relies on static and manual processes to orchestrate operations and response activities with limited automation System begins automating orchestration and response activities in support of critical mission functions. System automates orchestration and response activities enterprise-wide, leveraging contextual information from multiple sources to inform decisions. System orchestration and response activities dynamically respond to enterprise-wide changing requirements and environmental changes.

7.0 Zero Trust Maturity Level – Unlock Your Score

Submit the form below to receive your score and an email will be sent to the address provided with some additional considerations.

Contact Information

First Name*:

Names must be between 2 and 50 letters only.

Last Name*:

Names must be between 2 and 50 letters only.

Email*:

Organization:

Organization must be between 2 and 50 letters only.

Phone No:

Phone number must be in ###-###-#### format

Your request has been submitted!
We will contact you to schedule your Full Zero Trust Assessment.

Your Total Score is:

Note that a full assessment includes additional questions for a more comprehensive view and curated recommendations to achieve the Ideal Level of Zero Trust Maturity.

You will receive an email with additional considerations, but in the meantime, we encourage you to request a Full Assessment and a member of our team will reach out to schedule your first meeting with our Merlin Labs Team!

Question? Contact Us

Zero Trust Made Simple

Rapid Self Assessment for Your Zero Trust Needs

Your Zero Trust

Assessment Result

1.0 Identity

2.0 Devices

3.0 Networks

4.0 Applications and Workloads

5.0 Data

6.0 Cross-Cutting Capabilities

7.0 Zero Trust Maturity Level – Unlock Your Score

Submit the form below to receive your score and an email will be sent to the address provided with some additional considerations.

FOR PARTNERS

EVENTS & ACTIVITIES

FOR Government

BLOG

ABOUT