stranova Labs


Zero Trust Identity: A Practitioner's Implementation Handbook

Who should read this:

Security architects, IAM engineers, platform teams, and zero trust programme owners.

Immediate Takeaways

  • Start with identity inventory and policy enforcement before buying more perimeter tools.

  • Use NIST SP 800-207 concepts: policy engine, policy administrator, and policy enforcement point.

  • Align work to CISA maturity pillars: identity, devices, networks, applications/workloads, data, plus cross-cutting visibility and automation.

  • Make standing privilege the exception; use just-in-time access for sensitive actions.

Action Plan

  • Phase 1: centralise identity sources, MFA, lifecycle automation, and app ownership.

  • Phase 2: add device posture, risk signals, and conditional policies.

  • Phase 3: move admin access to just-in-time, time-bound approvals.

  • Phase 4: automate policy decisions and continuously certify high-risk access.

Control Checklist

  • Identity source of truth with lifecycle automation.

  • MFA and phishing-resistant authentication for privileged users.

  • Policy decision records with context: identity, device, resource, risk, and approval.

  • JIT access for admin actions and sensitive data.

  • Continuous access review for high-risk roles and anomalous privilege changes.
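
As an added example (not part of the original handbook or of any product's code), the Python below shows a policy engine step that applies the device posture, risk, phishing-resistant MFA and time-bound JIT approval checks from the lists above and returns a decision record carrying the identity, device, resource, risk and approval context. The class names, field names, the 0-100 risk scale and the threshold are assumptions, and the sample request is constructed.

```python
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RISK_DENY = 70  # assumed threshold on a constructed 0-100 risk scale

@dataclass(frozen=True)
class Approval:  # hypothetical just-in-time grant
    approver: str
    expires_at: datetime

@dataclass(frozen=True)
class AccessRequest:  # context forwarded by the enforcement point (assumed fields)
    identity: str
    phishing_resistant_mfa: bool
    device_compliant: bool
    resource: str
    sensitive: bool  # admin action or sensitive data
    risk: int
    approval: Optional[Approval] = None

def decide(req: AccessRequest, now: datetime) -> dict:
    """Evaluate every check (no short-circuit) so the record lists all failures."""
    reasons = []
    if not req.device_compliant:
        reasons.append("device_not_compliant")
    if req.risk >= RISK_DENY:
        reasons.append("risk_too_high")
    if req.sensitive:
        if not req.phishing_resistant_mfa:
            reasons.append("phishing_resistant_mfa_required")
        if req.approval is None:
            reasons.append("jit_approval_missing")
        elif req.approval.expires_at <= now:
            reasons.append("jit_approval_expired")
    # The record keeps identity, device, resource, risk and approval context.
    return {"time": now, "decision": "deny" if reasons else "allow",
            "reasons": reasons, **asdict(req)}

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)  # constructed sample
    grant = Approval("approver@example.com", now + timedelta(hours=1))
    req = AccessRequest("admin@example.com", True, True, "prod-db", True, 20, grant)
    print(json.dumps(decide(req, now), default=str, indent=2))
```

Evaluating the same request after the grant's expiry time yields a deny with reason `jit_approval_expired`, which is what makes the approval time-bound rather than standing.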
