CISA Zero Trust Maturity Model for the networks pillar
This section has Microsoft guidance and recommendations for the CISA Zero Trust Maturity Model in the networks pillar. For more information, see Secure networks with Zero Trust.
3 Networks
The Cybersecurity & Infrastructure Security Agency (CISA) identifies a network as an open communication medium, including typical channels. Examples include agency internal networks, wireless networks, and the internet. In addition, the definition cites potential channels such as cellular and
3.1 Function: Network segmentation
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| Initial Maturity Status: Agency begins to deploy network architecture with the isolation of critical workloads, constraining connectivity to least function principles, and a transition toward service-specific interconnections. | **Azure Front Door, Azure Firewall, Azure Virtual Network, Azure Kubernetes Service**: Use architecture guidance to design mission-critical workloads with strict network controls that isolate workloads, constrain connectivity, and enable a transition to service-specific interconnections. See: Secure networks with Zero Trust; Mission-critical baseline architecture on Azure; Mission-critical baseline architecture with network controls; Networking for mission-critical workloads. |
| Advanced Maturity Status: Agency expands deployment of endpoint and application profile isolation mechanisms to more of their network architecture with ingress/egress micro-perimeters and service-specific interconnections. | **Azure Firewall Premium**: Use Azure Virtual Network and Azure Firewall Premium with network- and application-level traffic filtering to control ingress/egress traffic between cloud resources, between cloud and on-premises resources, and with the internet. See: Segmentation strategy; Azure Firewall policy rule sets; Multi-hub-and-spoke topology; Firewall Premium features; Secure and govern workloads.<br>**Azure Private Link**: Azure Private Link provides access to Azure platform as a service (PaaS) resources over a private endpoint in a virtual network. Use private endpoints to secure Azure resources in virtual networks; traffic from a virtual network to Azure remains on the Azure backbone network, so a virtual network doesn't need to be exposed to the public internet to consume Azure PaaS services. See: PaaS service boundary; Network security best practices.<br>**Network security groups**: An NSG is an access control mechanism that filters traffic between resources in a virtual network, acting as a Layer-4 firewall. An NSG also controls traffic with external networks, such as the internet and other virtual networks. See: NSG overview.<br>**Application security groups**: The ASG control mechanism is similar to an NSG, but is referenced in an application context. Use ASGs to group VMs with an application tag, then define traffic rules that apply to the underlying VMs. See: ASG overview. |
| Optimal Maturity Status: Agency network architecture consists of fully distributed ingress/egress micro-perimeters and extensive micro-segmentation based around application profiles with dynamic just-in-time and just-enough connectivity for service-specific interconnections. | **Microsoft Defender for Cloud, just-in-time virtual machine access**: Reducing the attack surface means leaving fewer ports open, especially management ports. Legitimate users need these ports, so closing them permanently is impractical. Use Microsoft Defender for Cloud just-in-time (JIT) access to lock down inbound traffic to VMs; this reduces exposure to attacks while preserving the ability to connect to VMs when needed. See: Just-in-time (JIT) virtual machine access.<br>**Azure Bastion**: Use the Azure Bastion managed platform as a service (PaaS) to connect securely to VMs over a TLS connection. Establish connectivity from the Azure portal, or through a native client, to the private IP address of the virtual machine. See: Azure Bastion; Enable JIT access on VMs. |
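The NSG and application security group pattern described in the Advanced row, as an added Bicep example that is not code from the Microsoft page: VMs join a tier through ASG membership, and the rules are written against the tiers. Resource names, the API version, the Front Door service tag as the only ingress source, and port 443 as the single service port are assumptions.

```bicep
// Added example, not code from the Microsoft page: the NSG/ASG pattern described in the
// table (group VMs by application role, write rules against the groups).
// Resource names, the API version and the single allowed service port are assumptions.
param location string = resourceGroup().location

// One ASG per application tier. A VM joins a tier through its NIC's
// ipConfigurations[].applicationSecurityGroups, not through its IP address.
resource webAsg 'Microsoft.Network/applicationSecurityGroups@2023-11-01' = {
  name: 'asg-web'
  location: location
}

resource appAsg 'Microsoft.Network/applicationSecurityGroups@2023-11-01' = {
  name: 'asg-app'
  location: location
}

// One NSG for the workload subnet. Rules are evaluated by ascending priority and the
// first match wins. Azure's default AllowVnetInBound rule sits at priority 65000, so an
// explicit deny below that number is what actually turns on east-west micro-segmentation.
resource workloadNsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
  name: 'nsg-workload'
  location: location
  properties: {
    securityRules: [
      {
        // Ingress reaches the web tier only from the Front Door backend range (service tag)
        // and only on the service port. The tag covers every Front Door tenant, so the app
        // should additionally validate the X-Azure-FDID header of its own profile.
        name: 'Allow-FrontDoor-To-Web-443'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'AzureFrontDoor.Backend'
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: webAsg.id } ]
          destinationPortRange: '443'
        }
      }
      {
        // Service-specific interconnection: web tier to app tier, one port, nothing else.
        name: 'Allow-Web-To-App-443'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceApplicationSecurityGroups: [ { id: webAsg.id } ]
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: appAsg.id } ]
          destinationPortRange: '443'
        }
      }
      {
        // Everything else inside the VNet is denied. Management ports stay closed here;
        // Defender for Cloud JIT or Bastion opens them on demand rather than permanently.
        name: 'Deny-VNet-EastWest'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Associate `nsg-workload` with the workload subnet and add each VM's NIC to `asg-web` or `asg-app`; moving a VM between tiers then changes its reachable set without touching any rule.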
3.2 Function: Network traffic management
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| Initial Maturity Status: Agency establishes application profiles with distinct traffic management features and begins to map all applications to these profiles. Agency expands application of static rules to all applications and performs periodic manual audits of application profile assessments. | **Azure Policy**: Use Azure Policy to enforce networking standards, such as forced tunneling of traffic to Azure Firewall or other networking appliances. Prohibit public IPs, or enforce secure use of encryption protocols. See: Azure networking services definitions.<br>**Azure Application Gateway**: Require use of Application Gateway for web apps deployed to Azure. See: Application Gateway overview; Application Gateway integration.<br>**Azure service tags**: Use service tags for Azure VMs and Azure Virtual Networks to restrict network access to Azure services. Azure maintains the IP addresses associated with each tag. See: Service tags.<br>**Azure Firewall Manager**: Enable this security management service for centralized policy and route management for cloud-based security perimeters: firewall, distributed denial of service (DDoS) protection, and Web Application Firewall. Use IP groups to manage IP addresses for Azure Firewall rules. See: Firewall Manager; Internet protocol (IP) Groups in Azure Firewall.<br>**Application security groups**: Use ASGs to configure network security as an extension of application structure. Group virtual machines (VMs) and define network security policies based on the groups. See: ASGs and network security groups.<br>**Azure DDoS Protection**: Limit the resources that have a public IP address, and deploy DDoS Protection for the Azure resources that do. See: DDoS Protection; Application (Layer 7) DDoS Protection. |
| Advanced Maturity Status: Agency implements dynamic network rules and configurations for resource optimization that are periodically adapted based upon automated risk-aware and risk-responsive application profile assessments and monitoring. | **Azure Monitor**: This service continuously monitors networks and applications, providing insights and alerts based on performance and security metrics. Use them to dynamically adjust network rules and optimize resource usage and security. See: Azure Monitor overview. |
| Optimal Maturity Status: Agency implements dynamic network rules and configurations that continuously evolve to meet application profile needs and reprioritize applications based on mission criticality, risk, etc. | **Microsoft Entra Internet Access, Private Access**: Configure Conditional Access policies to secure traffic profiles, and define an acceptable sign-in risk. See: Global Secure Access; Universal Conditional Access.<br>**Azure Virtual Network Manager**: Define and manage dynamic network group memberships using Azure Policy conditional statements. Network groups include or exclude virtual networks based on specific conditions. See: Virtual Network Manager; Dynamic network group membership.<br>**Azure Firewall, Microsoft Sentinel**: Azure Firewall and Sentinel integration offers continuous monitoring, AI-driven threat detection, automated responses, and security configuration updates based on risk. Sentinel playbooks dynamically respond to identified threats, adjusting network configurations to secure mission-critical applications. See: Azure Firewall with Sentinel.<br>**Network security groups**: NSGs have security rules that filter network traffic to and from Azure resources. Update rules dynamically to allow or deny traffic based on network conditions and security requirements. See: NSG overview.<br>**Azure Virtual Network Manager**: This management service facilitates grouping, configuration, deployment, and virtual network (VNet) management across subscriptions and tenants. Define network groups to segment your VNets, then establish and apply connectivity and security configurations for the VNets in these groups. See: Virtual Network Manager. |
3.3 Function: Traffic encryption
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| Initial Maturity Status: Agency begins to encrypt all traffic to internal applications, to prefer encryption for traffic to external applications, to formalize key management policies, and to secure server/service encryption keys. | **Microsoft Cloud Services**: For customer data in transit, Microsoft Cloud Services use secure transport protocols, such as Internet Protocol Security (IPsec) and Transport Layer Security (TLS), between Microsoft datacenters and between user devices and Microsoft datacenters. See: Encryption in the Microsoft cloud.<br>**Microsoft Entra application proxy**: To publish internal apps over encrypted channels, deploy application proxy connectors. See: Publish on-premises apps. |
| Advanced Maturity Status: Agency ensures encryption for all applicable internal and external traffic protocols, manages issuance and rotation of keys and certificates, and begins to incorporate best practices for cryptographic agility. | **Azure Key Vault**: This cloud service helps safeguard cryptographic keys and secrets used by cloud applications and services. Secure storage, access control, and auditing help ensure sensitive information is protected and managed efficiently. Centralize key management to simplify compliance with security standards and enhance the overall app security posture. See: Azure Key Vault. |
| Optimal Maturity Status: Agency continues to encrypt traffic as appropriate, enforces least privilege principles for secure key management enterprise-wide, and incorporates best practices for cryptographic agility as widely as possible. | **Key management in Azure**: The Azure key management services securely store and manage cryptographic keys in the cloud; they include Azure Key Vault, Azure Managed Hardware Security Module (HSM), and Azure Dedicated HSM. Select from platform-managed keys and customer-managed keys to balance compliance requirements against operational overhead, and centralize key management. Azure enhances security, simplifies access control, supports applications, and protects sensitive data. See: Key management.<br>**Azure Key Vault**: Enforce least privilege principles through role-based access control (RBAC). Assign specific permissions to users and applications based on roles, enabling granular access management. Set permissions for keys, secrets, and certificates so that only authorized entities access sensitive information. See: Azure Key Vault best practices; Grant permissions to apps to access Azure Key Vault.<br>**Microsoft Entra Privileged Identity Management**: Integrate Azure Key Vault with PIM for just-in-time (JIT) access, granting temporary permissions only when needed. See: PIM overview; PIM for Groups. |
3.4 Function: Network resilience
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| Initial Maturity Status: Agency begins to configure network capabilities to manage availability demands for additional applications and expand resilience mechanisms for workloads not deemed mission critical. | **Azure Virtual Network**: Adopt Azure to manage availability demands with its global network of datacenters and services. See: Azure Virtual Network; Azure reliability overview.<br>**Availability zones**: To keep apps available even if one zone has an outage, use availability zones for fault isolation within a region. See: Azure availability zones.<br>**Azure ExpressRoute**: ExpressRoute is a hybrid connectivity service that provides low-latency, resilient, high-throughput private connectivity between an on-premises network and Azure workloads. See: ExpressRoute for resiliency. |
| Advanced Maturity Status: Agency has configured network capabilities to dynamically manage the availability demands and resilience mechanisms for the majority of their applications. | **Azure Traffic Manager**: Dynamically distribute traffic across regions and datacenters to ensure optimal performance and high availability, adapting to changing user-request patterns. See: Traffic Manager; Reliability in Traffic Manager.<br>**Azure Front Door**: Enhance global connectivity and security with dynamic HTTP/S load balancing and web application firewall services. The service routes traffic and adjusts to real-time demands or threats. See: Azure Front Door.<br>**Availability zone-aware ExpressRoute virtual network gateways**: Zone-redundant gateways dynamically distribute network traffic across availability zones, maintaining connectivity if one zone has an outage. See: Zone-redundant VNet gateways in availability zones. |
| Optimal Maturity Status: Agency integrates holistic delivery and awareness in adapting to changes in availability demands for all workloads and provides proportionate resilience. | **Azure Load Balancer**: Configure Azure Load Balancer health probes to create awareness of application instance health status. Probes detect application failures, manage load, and adapt to availability demand changes. See: Load Balancer health probes; Manage health probes.<br>**Azure Application Gateway**: Dynamically manage availability demand and resilience mechanisms by distributing traffic across multiple back-end pools and availability zones. Ensure high availability and fault tolerance by automatically rerouting traffic during zone failures. See: Azure Application Gateway v2; Well-architected perspective.<br>**Azure Firewall**: Use autoscaling to adjust resources automatically to meet traffic demands, ensuring security and performance under high loads. Threat protection and URL filtering capabilities scale dynamically based on throughput and CPU usage. See: Premium features; Azure Firewall FAQ; Azure Firewall performance.<br>**Azure ExpressRoute**: Configure Bidirectional Forwarding Detection (BFD) to improve ExpressRoute failover. Rapid detection of link failures enables near-instantaneous switchover to backup connections, minimizing downtime and maintaining high availability while making the network more resilient and reliable. See: Configure BFD. |
3.5 Function: Visibility and analytics
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| Initial Maturity Status: Agency employs network monitoring capabilities based on known indicators of compromise (including network enumeration) to develop situational awareness in each environment and begins to correlate telemetry across traffic types and environments for analysis and threat hunting activities. | **Azure Monitor**: Use Azure Network Watcher and Azure Monitor Network Insights for a comprehensive, visual representation of the network. Send virtual network (VNet) flow logs to a Log Analytics workspace for ingestion into other analytical tools. Use Connection Monitor to track the reliability of important flows, and attach alerts to those flows so the right groups are notified about disruptions. See: Network Watcher; Network insights; VNet flow logs; Connection Monitor.<br>**Traffic analytics**: Use the Traffic analytics solution for visibility into user and application activity in cloud networks. Traffic analytics examines Azure Network Watcher flow logs to deliver insights about traffic flow in an Azure cloud. See: Traffic analytics overview. |
| Advanced Maturity Status: Agency deploys anomaly-based network detection capabilities to develop situational awareness across all environments, begins to correlate telemetry from multiple sources for analysis, and incorporates automated processes for robust threat hunting activities. | **Microsoft Sentinel**: Azure Firewall, Application Gateway, Data Factory, and Bastion export logs to Sentinel or other security information and event management (SIEM) systems. To enforce environment-wide requirements, use connectors in Sentinel or Azure Policy. See: Azure Firewall with Sentinel; Web App Firewall connector to Sentinel; Find Sentinel data connectors.<br>**Global Secure Access**: Global Secure Access logs contain details about network traffic. When monitoring your environment, look at the three levels of logs and how they correlate to understand and analyze those details. See: Logs and monitoring; Network traffic logs; Enriched Microsoft 365 logs; Remote network health logs. |
| Optimal Maturity Status: Agency maintains visibility into communication across all agency networks and environments while enabling enterprise-wide situational awareness and advanced monitoring capabilities that automate telemetry correlation across all detection sources. | **Monitor Zero Trust security architectures with Microsoft Sentinel**: The Zero Trust (TIC 3.0) solution enables visibility and situational awareness of control requirements, using Microsoft technologies, in predominantly cloud-based environments. Customer experience varies by user; some parts of the user interface might require configuration and query modification. See: Monitor Zero Trust (TIC 3.0) security architectures. |
3.6 Function: Automation and orchestration
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| Initial Maturity Status: Agency begins using automated methods to manage the configuration and resource lifecycle for some agency networks or environments and ensures that all resources have a defined lifetime based on policies and telemetry. | **Azure Virtual Network Manager**: Centralize connectivity and security configurations for virtual networks across subscriptions. See: Virtual Network Manager.<br>**Azure Policy**: Enforce network standards, such as forced tunneling of traffic to Azure Firewall or other network appliances. Prohibit public IPs, or enforce encryption protocols. See: Azure networking service definitions.<br>**Azure Firewall Manager**: This service provides centralized security policy and route management for cloud-based security perimeters. It manages policies for Azure Firewall, Azure DDoS Protection, and Azure Web Application Firewall. See: Azure Firewall Manager; Policy overview.<br>**Network Performance Monitor**: Azure solutions monitor, analyze, alert on, and visualize network connectivity. To trigger automatic scaling or failover actions, use Azure Monitor Alerts. See: Network monitoring.<br>**Azure DevOps**: Use this service to set up continuous integration and continuous delivery (CI/CD) pipelines for network configurations. DevOps practices bridge the gap between conventional infrastructure management and a modern, agile approach, ensuring network environments meet requirements. See: Azure DevOps.<br>**Azure Blueprints**: Define repeatable Azure resources that adhere to your standards, patterns, and requirements. Build and start new environments while ensuring compliance. See: Azure Blueprints.<br>**Microsoft Sentinel Insecure Protocol Workbook**: Use the Insecure Protocol Workbook for insights into insecure protocol traffic. It collects and analyzes security events from Microsoft products. View analytics and identify sources of legacy protocol traffic, such as NT LAN Manager (NTLM), Server Message Block version 1 (SMBv1), WDigest, weak ciphers, and legacy authentication with Active Directory. See: Insecure Protocol Workbook.<br>**Microsoft Sentinel**: Connect Azure network infrastructure to Sentinel, and configure Sentinel data connectors for non-Azure networking solutions. Use custom analytics queries to trigger Sentinel security orchestration, automation, and response (SOAR) automation. See: Threat response with playbooks; Detection and response with Logic Apps.<br>**Global Secure Access**: The network access APIs create a framework to configure traffic forwarding or filtering and the associated rules. See: Secure access with Graph network access APIs. |
| Advanced Maturity Status: Agency uses automated change management methods (e.g., CI/CD) to manage the configuration and resource lifecycle for all agency networks and environments, responding to and enforcing policies and protections against perceived risks. | **Azure DevOps**: To automate network configuration changes and resource management, implement continuous integration and continuous delivery (CI/CD) pipelines. See: Azure DevOps.<br>**Azure Automation**: Manage network configuration and lifecycle tasks, such as updates and compliance enforcement. See: Azure Automation.<br>**Microsoft Sentinel**: Enable Sentinel to monitor network environments and enforce policies; its automated responses address perceived risks. See: Advanced monitoring.<br>**Azure Policy**: Automate compliance enforcement and policy application for network resources. See: Azure Policy. |
| Optimal Maturity Status: Agency networks and environments are defined using infrastructure-as-code managed by automated change management methods, including automated initiation and expiration to align with changing needs. | **Azure Resource Manager**: Use ARM templates to define and manage network infrastructure as code, enabling automated provisioning and updates. See: ARM overview.<br>**Terraform on Azure**: To automate the creation, management, and scaling of network resources, implement Terraform for infrastructure as code. See: Terraform and Azure.<br>**Azure DevOps**: Use continuous integration and continuous delivery (CI/CD) pipelines to automate changes and lifecycle management, ensuring alignment with dynamic network requirements. See: Advanced CI/CD.<br>**Microsoft Sentinel**: Orchestrate and automate network security operations. Sentinel integrates with infrastructure-as-code practices for comprehensive management. See: Automation with Sentinel.<br>**Azure Automation**: Use its features for lifecycle management, including automated initiation and expiration of network resources. See: Advanced automation. |
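Both the Network traffic management table and the Automation and orchestration table name "prohibit public IPs" as a standard that Azure Policy should enforce, and the Optimal row above asks for networks to be defined as infrastructure-as-code. The following is an added Bicep example, not code from the Microsoft page, that expresses that one standard as a custom policy definition plus a subscription-scope assignment; the policy and resource group names, the API versions, and the choice of a hub resource group as the only place public IPs are allowed are assumptions.

```bicep
// Added example, not code from the Microsoft page: the "prohibit public IPs" standard as
// policy-as-code, deployable from a CI/CD pipeline. Names are assumptions.
targetScope = 'subscription'

// Hub resources that legitimately need a public IP (Azure Bastion, Azure Firewall,
// Application Gateway) live in one resource group that the assignment excludes.
param hubResourceGroupName string = 'rg-hub'

// Start in Audit to see what would break, then switch the assignment to Deny.
@allowed([
  'Audit'
  'Deny'
])
param effect string = 'Audit'

resource denyPublicIp 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-public-ip-addresses'
  properties: {
    displayName: 'Public IP addresses are not allowed outside the hub'
    description: 'Workloads are reached through private endpoints, Bastion, or a managed front door, not through their own public IPs.'
    policyType: 'Custom'
    mode: 'All'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: [ 'Audit', 'Deny' ]
        defaultValue: 'Audit'
      }
    }
    policyRule: {
      // Any attempt to create a public IP address resource triggers the effect.
      if: {
        field: 'type'
        equals: 'Microsoft.Network/publicIPAddresses'
      }
      then: {
        // Bicep emits a leading '[[' for this literal; Resource Manager unescapes it on
        // deployment so Azure Policy receives the expression [parameters('effect')].
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

resource assignPolicy 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-public-ip'
  properties: {
    displayName: 'No public IP addresses in spoke resource groups'
    policyDefinitionId: denyPublicIp.id
    enforcementMode: 'Default'
    parameters: {
      effect: {
        value: effect
      }
    }
    // The hub is excluded explicitly; everything else in the subscription is in scope.
    notScopes: [
      '${subscription().id}/resourceGroups/${hubResourceGroupName}'
    ]
    nonComplianceMessages: [
      {
        message: 'Public IP addresses are only permitted in ${hubResourceGroupName}. Use a private endpoint, Bastion, or the shared front door instead.'
      }
    ]
  }
}
```

Deploy it with `az deployment sub create --location <region> --template-file <file>.bicep`, first with the default `Audit` effect, then with `--parameters effect=Deny` once the compliance report shows only expected hub resources.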
3.7 Function: Governance
| CISA ZTMM Stage Description | Microsoft guidance and recommendations |
|---|---|
| Initial Maturity Status: Agency defines and begins to implement policies tailored to individual network segments and resources while also inheriting corporate-wide rules as appropriate. | **Azure Network Security**: Define and implement network security policies for segments and resources. See: Azure network security.<br>**Azure Firewall Premium**: Route outbound and inbound traffic through Azure Firewall, and implement its policies for network segments and resources. See: Firewall Premium features; Inbound and outbound internet connectivity; Configure Azure Firewall in the Azure portal; Azure Policy to secure Azure Firewall deployments; Azure Firewall policy rule sets.<br>**Microsoft Sentinel**: Monitor and enforce network policies, and ensure they align with enterprise-wide rules. See: Sentinel.<br>**Microsoft Defender for Cloud**: Start with governance and security for network resources and segments. See: Defender for Cloud. |
| Advanced Maturity Status: Agency incorporates automation in implementing tailored policies and facilitates the transition from perimeter-focused protections. | **Azure Firewall**: Automate network policy enforcement and transition from a perimeter-based mindset to more nuanced security measures. See: Azure Firewall; Azure Firewall with Sentinel.<br>**Network security groups**: Use NSGs to automate management of network traffic and dynamically enforce policies. See: Azure NSGs.<br>**Microsoft Sentinel**: Enhance automation of policy enforcement and monitor the transition from traditional to dynamic security models. See: Advanced monitoring. |
| Optimal Maturity Status: Agency implements enterprise-wide network policies that enable tailored, local controls; dynamic updates; and secure external connections based on application and user workflows. | **Azure Policy**: Implement and manage enterprise-wide network policies with dynamic updates and local controls. See: Azure Policy.<br>**Azure Virtual WAN**: Facilitate secure, dynamic external connections, and optimize network performance based on application and user needs. See: Azure Virtual Wide Area Network (WAN).<br>**Microsoft Sentinel**: Use Sentinel for end-to-end automation and network policy integration, with secure external connections. See: Automation with Sentinel.<br>**Microsoft Defender for Cloud**: Achieve comprehensive network governance with automated, dynamic updates and robust network resource security. See: Advanced network security.<br>**Azure Firewall, Firewall Manager**: Build enterprise-wide network policies. Use customizable network and application rules for segments and resources to provide the needed network-wide security. With Azure Firewall Manager, policies are centrally managed and applicable to multiple instances: IT staff establish core policies, while DevOps staff add localized controls. See: Azure Firewall central management; Azure Firewall policy rule sets. |
Next steps
Configure Microsoft Cloud Services for the CISA Zero Trust Maturity Model.