Plaidnox InfoSec
PLX-2025-026 | Confidential
Zero Trust | NIST ZTA SP 800-207 | Maturity 1.8 / 5

Zero Trust Maturity Assessment
[REDACTED]

Zero trust architecture maturity assessment for [REDACTED] against the CISA Zero Trust Maturity Model across five pillars: Identity, Devices, Networks, Applications, and Data. Engagement ref. ENG-2025-0564.

Report ID: PLX-2025-026
Client: [REDACTED]
ZT Maturity: 1.8 / 5 (Traditional)
Assessed: Q1 2025

01. Overview

Zero Trust Maturity Assessment

Plaidnox assessed the security architecture of [REDACTED] against the CISA Zero Trust Maturity Model v2.0. The overall maturity score of 1.8 out of 5 places the organisation at the Traditional level, consistent with a perimeter-centric security model built on network trust rather than continuous verification. The primary driver of the low score is the complete absence of micro-segmentation and a network architecture that implicitly trusts all east-west traffic once inside the perimeter.

The most critical gap is 4,200 warehouse and logistics devices operating on a flat, unsegmented network with no zone-based trust policy; a single compromised device can reach payment processing and HR systems directly.

02. Pillar Maturity

CISA ZT Maturity Model scores

Overall Score: 1.8
Identity Pillar: 2.4
Network Pillar: 1.2
Data Pillar: 1.0

ZT Pillar    | Score   | Level       | Key Gap
-------------|---------|-------------|----------------------------------------------------------------
Identity     | 2.4 / 5 | Initial     | MFA not enforced for 31% of users; no PIM
Devices      | 1.8 / 5 | Traditional | IoT/OT devices not inventoried or enrolled in MDM
Networks     | 1.2 / 5 | Traditional | Flat network: no micro-segmentation, implicit east-west trust
Applications | 2.2 / 5 | Initial     | No application-layer access policy: network access = app access
Data         | 1.0 / 5 | Traditional | No data classification, no DLP, no encryption-in-use policy

03. Critical Gaps

Priority findings

ID     | Finding                                                                                             | Priority
-------|-----------------------------------------------------------------------------------------------------|---------
ZT-G01 | Flat network with no micro-segmentation: 4,200 warehouse devices can reach all internal systems     | Critical
ZT-G02 | No data classification framework: cannot apply least-privilege data access without classification   | Critical
ZT-G03 | IoT/logistics devices not in MDM: unknown device trust posture, no patch state visibility           | High
ZT-G04 | No Conditional Access policies: location, device compliance, and risk level not evaluated at login  | High
ZT-G05 | Application access granted via network: ZTNA / app proxy not deployed for any internal app          | High

04. ZT Roadmap

Zero trust transformation roadmap

Phase             | Actions                                                                                                          | Target Score
------------------|------------------------------------------------------------------------------------------------------------------|-------------
Phase 1 (0-3 mo.) | Enforce MFA + Conditional Access; inventory all devices; classify top 20% of sensitive data                       | 2.5 / 5
Phase 2 (3-9 mo.) | Micro-segment warehouse vs. corporate vs. payment networks; deploy Azure AD ZTNA for remote access                | 3.2 / 5
Phase 3 (9-18 mo.)| Deploy data classification labels across M365; implement application-layer access policies via Entra App Proxy   | 3.8 / 5

Conclusion
Network micro-segmentation is the highest-impact single action available
[REDACTED] is operating a textbook flat-network, perimeter-trust model that zero trust architecture specifically addresses. A single compromised warehouse scanner today provides direct access to payment and HR systems. Network micro-segmentation using VLAN isolation and a software-defined perimeter for inter-zone access is the highest-leverage action, and should be paired with Conditional Access enforcement to move from Traditional to Initial maturity in Phase 1.
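One way to validate the Phase 2 zone plan before rollout is to model the inter-zone allow-list and confirm that the warehouse zone can no longer reach payment or HR. The following is an added example, not code from the Plaidnox report or the client's environment; the zone CIDRs, the HR zone and the specific permitted flows are assumptions chosen for illustration.

```python
"""East-west zone policy check: flat (implicit trust) vs. segmented (default deny)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone plan. The report names warehouse, corporate and payment zones;
# the CIDRs and the HR zone are assumptions for this example.
ZONES = {
    "warehouse": ipaddress.ip_network("10.40.0.0/16"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "payment":   ipaddress.ip_network("10.90.0.0/24"),
    "hr":        ipaddress.ip_network("10.20.0.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src: str            # source zone
    dst: str            # destination zone
    port: Optional[int] # None means any port

# Flat network as found: every zone may reach every zone on any port.
FLAT_POLICY = [Rule(s, d, None) for s in ZONES for d in ZONES]

# Segmented target state: default deny, only the flows the business needs (assumed).
SEGMENTED_POLICY = [
    Rule("warehouse", "corporate", 443),  # scanners talk to the warehouse app front end only
    Rule("corporate", "payment", 8443),   # payment API reachable from the corporate app tier
    Rule("corporate", "hr", 443),         # HR portal from corporate workstations
]

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside the zone plan."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def allowed(policy: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """Default deny: an inter-zone flow passes only if an explicit rule matches."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True  # intra-zone traffic is not governed by the inter-zone policy
    return any(r.src == src and r.dst == dst and r.port in (None, port) for r in policy)

def implicit_trust_pairs(policy: List[Rule]) -> List[Tuple[str, str]]:
    """Zone pairs reachable on any port: the signature of a flat network."""
    return sorted({(r.src, r.dst) for r in policy if r.port is None and r.src != r.dst})
```

Running `allowed(SEGMENTED_POLICY, "10.40.3.7", "10.90.0.10", 8443)` reproduces the ZT-G01 scenario (scanner to payment) and returns False, while the same call against `FLAT_POLICY` returns True.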
Plaidnox InfoSec | zero-trust
Confidential | Authorised Distribution Only