Traditional Identity Security

Basic authentication and manual identity management processes

Overview

The Traditional phase represents the foundational level of identity security, where organizations rely on basic authentication methods and manual processes. According to the CISA Zero Trust Maturity Model v2.0, this phase is characterized by manual identity lifecycle management, basic authentication mechanisms, and limited automation of security controls.

Key Takeaway: This phase represents the starting point for organizations beginning their zero trust journey, focusing on establishing basic identity security controls and processes.

Current State

  • Authentication: Relies on passwords or basic multi-factor authentication (MFA) with static access permissions. Authentication occurs only at initial access.
  • Identity Stores: Uses self-managed, on-premises identity stores with no integration.
  • Risk Assessments: Limited manual assessments of identity risk (e.g., compromised credentials).
  • Access Management: Grants permanent access with periodic manual reviews.
  • Visibility and Analytics: Collects limited logs (e.g., privileged user activity) with manual analysis.
  • Automation and Orchestration: Manually provisions identities and reviews access.
  • Governance: Enforces static policies via manual processes.

Common Challenges

  • Password fatigue and susceptibility to phishing attacks
  • Limited control over evolving access needs
  • Systems remain vulnerable after initial login
  • Data silos and inconsistent identity information across the organization
  • Missed threats and compromised credentials due to limited manual assessments
  • Privilege creep from permanent access grants, increasing insider threat risks
  • Incomplete visibility into user activity—making incident detection and response difficult
  • Inefficient and error-prone manual processes
  • Difficulty adapting to evolving security requirements and compliance regulations

Path to Initial Phase

1

Implement Multi-Factor Authentication

Begin implementing MFA across critical systems and applications.

2

Automate Basic Processes

Start automating basic identity lifecycle management tasks.

3

Enhance Access Controls

Implement role-based access control and basic identity verification.

Learn About the Initial Phase