securekamal/zero-trust-validator
🛡️ Zero Trust Validator

Automated Zero Trust Architecture (ZTA) posture assessment — validates identity policies, network microsegmentation, device trust, least-privilege access, and continuous verification against NIST SP 800-207.

Badges: Python 3.10+ | NIST 800-207 | CISA ZTA

Overview

Zero Trust is more than a buzzword — it's a rigorous architecture. This tool validates your ZTA implementation across 5 CISA pillars and generates a maturity scorecard with specific remediation actions.

CISA Zero Trust Maturity Pillars

┌──────────────────────────────────────────────────────────┐
│                  ZERO TRUST MATURITY                      │
├──────────┬──────────┬──────────┬──────────┬──────────────┤
│ Identity │ Devices  │ Networks │   Apps   │    Data      │
│  (IdP,   │ (MDM,    │ (micro-  │ (authz,  │ (classify,   │
│  MFA,    │  EDR,    │  segment,│  api gw, │  encrypt,    │
│  PAM)    │  trust)  │  BeyondC)│  WAAP)   │  DLP)        │
└──────────┴──────────┴──────────┴──────────┴──────────────┘
           Visibility & Analytics | Automation & Orchestration

Features

  • 📋 NIST 800-207 assessment — maps controls to all 7 ZTA tenets
  • 🏆 CISA Maturity scoring — Traditional → Initial → Advanced → Optimal
  • 🔐 Identity posture — MFA coverage, conditional access, PAM, service accounts
  • 🌐 Network segmentation — microsegmentation coverage, lateral movement paths
  • 📱 Device trust — MDM enrollment, EDR coverage, certificate-based auth
  • 📊 Maturity heatmap — visual pillar-by-pillar scoring
  • 🛣️ Roadmap generator — prioritized remediation plan to reach next maturity level

Quickstart

pip install -r requirements.txt

# Run full assessment from config
python zero_trust_validator.py assess --config zt-config.json --output report.html

# Quick posture check
python zero_trust_validator.py quick-check --cloud aws --sso okta

# Identity pillar deep-dive
python zero_trust_validator.py pillar identity --provider okta --tenant myorg

# Generate roadmap to reach "Advanced" maturity
python zero_trust_validator.py roadmap --current-level initial --target advanced

Configuration

{
  "organization": "Example Corp",
  "identity": {
    "provider": "okta",
    "mfa_enforced_percent": 87,
    "phishing_resistant_mfa": false,
    "privileged_access_management": true,
    "just_in_time_access": false,
    "service_account_governance": "partial"
  },
  "network": {
    "microsegmentation": "partial",
    "east_west_tls": true,
    "dns_security": true,
    "network_detection_response": false,
    "beyondcorp_proxy": false
  },
  "devices": {
    "mdm_enrollment_percent": 92,
    "edr_coverage_percent": 78,
    "certificate_auth": true,
    "compliance_checks_at_auth": false
  },
  "applications": {
    "api_gateway": true,
    "waap_waf": true,
    "continuous_authz": false,
    "step_up_auth": false,
    "secrets_management": "vault"
  },
  "data": {
    "classification_coverage": "partial",
    "dlp_deployed": true,
    "encryption_at_rest": true,
    "encryption_in_transit": true,
    "rights_management": false
  }
}

Sample Maturity Report

ZERO TRUST MATURITY ASSESSMENT — Example Corp
══════════════════════════════════════════════

Overall Maturity Level: INITIAL (Score: 52/100)
Target Recommended:     ADVANCED

Pillar Scores:
  Identity   ████████░░  78/100  [ADVANCED]
  Devices    ██████░░░░  58/100  [INITIAL]
  Networks   █████░░░░░  47/100  [INITIAL]
  Apps       ████████░░  75/100  [INITIAL → ADVANCED]
  Data       ████░░░░░░  42/100  [TRADITIONAL]

Top Remediation Actions (Quick Wins):
  1. [Identity]  Enable phishing-resistant MFA (FIDO2/passkeys)    +12pts
  2. [Network]   Deploy NDR for east-west visibility                +8pts
  3. [Devices]   Enforce device compliance check at every auth      +7pts
  4. [Data]      Complete data classification across S3/SharePoint  +6pts

NIST 800-207 Tenet Coverage:
  ✅ All resource auth is dynamic and strictly enforced
  ✅ Communication secured regardless of location
  ⚠️  Access granted on per-session basis — partial
  ❌  Access determined by dynamic policy — not implemented
  ❌  Remote enterprise assets monitored — not implemented
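To make the path from the JSON configuration above to the scorecard concrete, here is an added example scorer. It is not the zero-trust-validator project's own code: the control weights, the CISA level thresholds, the half-credit rule for "partial" and the resulting numbers are all assumptions chosen for illustration, and the sample configuration is the one shown in the Configuration section, embedded so the script runs offline.

```python
"""Added example, not the zero-trust-validator project's own code: a minimal
pillar scorer that reads the JSON configuration format shown above and
produces a CISA-style maturity scorecard with ranked quick wins.  Weights,
level thresholds and the resulting scores are assumptions for illustration."""
import json

# Constructed input: the README's sample configuration, embedded so this runs offline.
SAMPLE_CONFIG_JSON = """{
  "organization": "Example Corp",
  "identity": {"provider": "okta", "mfa_enforced_percent": 87,
               "phishing_resistant_mfa": false, "privileged_access_management": true,
               "just_in_time_access": false, "service_account_governance": "partial"},
  "network": {"microsegmentation": "partial", "east_west_tls": true, "dns_security": true,
              "network_detection_response": false, "beyondcorp_proxy": false},
  "devices": {"mdm_enrollment_percent": 92, "edr_coverage_percent": 78,
              "certificate_auth": true, "compliance_checks_at_auth": false},
  "applications": {"api_gateway": true, "waap_waf": true, "continuous_authz": false,
                   "step_up_auth": false, "secrets_management": "vault"},
  "data": {"classification_coverage": "partial", "dlp_deployed": true,
           "encryption_at_rest": true, "encryption_in_transit": true, "rights_management": false}
}"""
SAMPLE_CONFIG = json.loads(SAMPLE_CONFIG_JSON)

# Assumed weights: points each control contributes to its pillar (each pillar sums to 100).
PILLAR_WEIGHTS = {
    "identity": {"mfa_enforced_percent": 30, "phishing_resistant_mfa": 25,
                 "privileged_access_management": 20, "just_in_time_access": 15,
                 "service_account_governance": 10},
    "network": {"microsegmentation": 35, "east_west_tls": 20, "dns_security": 10,
                "network_detection_response": 20, "beyondcorp_proxy": 15},
    "devices": {"mdm_enrollment_percent": 30, "edr_coverage_percent": 30,
                "certificate_auth": 15, "compliance_checks_at_auth": 25},
    "applications": {"api_gateway": 15, "waap_waf": 15, "continuous_authz": 30,
                     "step_up_auth": 20, "secrets_management": 20},
    "data": {"classification_coverage": 25, "dlp_deployed": 20, "encryption_at_rest": 15,
             "encryption_in_transit": 15, "rights_management": 25},
}
# Assumed CISA level thresholds on a 0-100 score, highest first.
LEVELS = [(85, "OPTIMAL"), (70, "ADVANCED"), (45, "INITIAL"), (0, "TRADITIONAL")]


def _round(x):
    """Round half up, so results do not depend on Python's banker's rounding."""
    return int(x + 0.5)


def control_ratio(value):
    """Normalise one config value to 0.0-1.0: booleans are all-or-nothing, percentages
    scale linearly and clamp at 100, "partial" is half credit, and any other string
    (a named tool such as "vault") counts as fully implemented."""
    if isinstance(value, bool):          # checked before int: bool is an int subclass
        return 1.0 if value else 0.0
    if isinstance(value, (int, float)):
        return max(0.0, min(1.0, value / 100.0))
    if isinstance(value, str):
        return {"partial": 0.5, "none": 0.0}.get(value.lower(), 1.0)
    return 0.0                           # missing or unknown type earns nothing


def score_pillar(pillar, settings):
    """Weighted 0-100 score for one pillar; absent controls count as not implemented."""
    return _round(sum(w * control_ratio(settings.get(k, False))
                      for k, w in PILLAR_WEIGHTS[pillar].items()))


def maturity_level(score):
    return next(level for threshold, level in LEVELS if score >= threshold)


def quick_wins(config, top=4):
    """Rank unmet controls by the pillar points they would add if fully implemented."""
    wins = []
    for pillar, weights in PILLAR_WEIGHTS.items():
        settings = config.get(pillar, {})
        for key, weight in weights.items():
            gain = weight * (1.0 - control_ratio(settings.get(key, False)))
            if gain > 0:
                wins.append((_round(gain), pillar, key))
    wins.sort(key=lambda w: (-w[0], w[1], w[2]))   # largest gain first, then stable by name
    return wins[:top]


def assess(config):
    pillars = {p: score_pillar(p, config.get(p, {})) for p in PILLAR_WEIGHTS}
    overall = _round(sum(pillars.values()) / len(pillars))
    return {"organization": config.get("organization", "unknown"), "pillars": pillars,
            "levels": {p: maturity_level(s) for p, s in pillars.items()},
            "overall_score": overall, "overall_level": maturity_level(overall),
            "quick_wins": quick_wins(config)}


def render(report):
    """Text scorecard in the style of the sample report above."""
    lines = [f"ZERO TRUST MATURITY ASSESSMENT - {report['organization']}",
             f"Overall: {report['overall_level']} ({report['overall_score']}/100)", "Pillar Scores:"]
    for pillar, score in report["pillars"].items():
        filled = score // 10
        lines.append(f"  {pillar:<12} {'█' * filled}{'░' * (10 - filled)}  "
                     f"{score:>3}/100  [{report['levels'][pillar]}]")
    lines.append("Top Remediation Actions (Quick Wins):")
    for i, (gain, pillar, key) in enumerate(report["quick_wins"], 1):
        lines.append(f"  {i}. [{pillar}] {key}  +{gain}pts")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(assess(SAMPLE_CONFIG)))
```

The quick-wins ranking is the part worth copying: it scores each unmet control by the points it would add, so the remediation list falls out of the same weight table that produced the scores, and a control that is absent from the config is treated as not implemented rather than silently skipped.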

Roadmap Output

## Zero Trust Roadmap: Initial → Advanced (Est. 9 months)

### Phase 1 (Q1) — Identity Hardening
- [ ] Roll out FIDO2 passkeys to all privileged users
- [ ] Implement JIT access for admin roles via CyberArk/BeyondTrust
- [ ] Enforce device compliance in Conditional Access policies

### Phase 2 (Q2) — Network Microsegmentation
- [ ] Deploy Illumio/Guardicore for workload microsegmentation
- [ ] Enable mTLS in service mesh (Istio/Linkerd)
- [ ] Deploy NDR (Darktrace/ExtraHop) for east-west visibility

### Phase 3 (Q3) — Data & App Controls
- [ ] Complete Purview/Macie data classification
- [ ] Enable continuous authorization in API gateway
- [ ] Deploy DSPM for cloud data security posture

About

Zero Trust posture assessment — NIST 800-207, CISA maturity scoring