Zero Trust Controls Assessment
Free checklist from our Zero Trust architecture guide
Map your current security controls against a Zero Trust reference model across five pillars.
Instructions
Assess your current controls across five Zero Trust pillars. For each item, mark whether the control is in place, partially implemented, or missing. Use the gaps to build a prioritized roadmap.
1. Identity Controls
- All users authenticate through a centralized identity provider
- Multi-factor authentication enforced for all access (not just VPN)
- Phishing-resistant credentials (passkeys, FIDO2) deployed or in pilot
- Service-to-service authentication uses short-lived tokens or mTLS
- Session duration and re-authentication policies enforced
- Privileged access requires step-up authentication
- Identity lifecycle (joiner/mover/leaver) automated
- Federated identities validated and scoped per integration
2. Device Controls
- Device health checked before granting access (posture assessment)
- Managed and unmanaged devices treated with different trust levels
- Endpoint detection and response (EDR) deployed on all endpoints
- Device compliance signals fed into access policy decisions
- Certificate-based device identity in use
- BYOD access scoped to low-sensitivity resources only
3. Network Controls
- Micro-segmentation implemented for critical workloads
- East-west traffic encrypted (mTLS or WireGuard between services)
- Network access decisions based on identity, not IP/location
- DNS filtering and threat intelligence applied at the network layer
- Legacy VPN replaced or scoped to specific use cases only
- Cloud network policies enforce least-privilege connectivity
- Lateral movement detection in place
4. Application Controls
- Applications enforce authorization at the request level (not just login)
- API gateways enforce rate limits, authentication, and schema validation
- Application-level logging captures identity, action, and resource
- Internal applications behind an identity-aware proxy
- Third-party SaaS integrations scoped with least-privilege OAuth
- CI/CD pipeline access gated by identity and approval policy
5. Data Controls
- Data classified by sensitivity level (public, internal, confidential, restricted)
- Encryption at rest and in transit enforced for sensitive data
- Data loss prevention (DLP) rules active on high-sensitivity paths
- Access to sensitive data logged and auditable
- Data residency and sovereignty requirements mapped and enforced
- Backup and recovery tested against ransomware scenarios
6. Telemetry and Visibility
- Centralized logging across identity, network, application, and data layers
- Security events correlated across pillars (SIEM or equivalent)
- Anomaly detection for identity and access patterns
- Automated alerting for policy violations
- Regular reporting on trust posture and control gaps
Gap Summary
| Pillar | Strongest Control | Biggest Gap | Priority (H/M/L) | Owner |
|---|---|---|---|---|
| Identity | ||||
| Device | ||||
| Network | ||||
| Application | ||||
| Data | ||||
| Telemetry | ||||
Read the full article: Zero Trust Architecture for Hybrid and Multi-Cloud