Zero trust and CARTA. These are two of the biggest topics being talked about in the security world. If you were at RSA earlier this year you were probably hard-pressed to find a booth without zero trust plastered all over it. Gartner's Continuous Adaptive Risk and Trust Assessment (CARTA) strategy and its newest technology approach, zero trust network access (ZTNA), are quickly gaining traction within enterprise IT teams, especially those that subscribe to Gartner's security perspective.
But why now? What’s causing this massive buzz?
The attention can mainly be attributed to digital transformation (yes, I totally just completed the trifecta of buzzwords). Specifically, enterprises and government agencies are recognizing the benefits of cloud and mobility: more speed, stronger competitive differentiation, and greater cost savings for the business. This transformation from a network-based operating environment to a cloud-based one is pushing legacy security models to the brink. For the first time in 30 years, security is being forced to evolve. Enterprises need a new approach, one that replaces data center and perimeter-centric security with a user- and app-centric model.
Consider these three factors, identified by Gartner in its CARTA report:
Each of these factors highlights a pitfall of legacy security technologies. A VPN places the user on the network, handing over the keys to the castle, and any malware on that user's device comes onto the network with it, where it can spread laterally. Lateral movement of this kind is how ransomware such as NotPetya and iEncrypt spread once inside a flat network.
DMZs were designed to let the good guys reach enterprise services over the internet, but they give the bad guys the same reachability. That leaves your crown jewels exposed to internet-based attacks.
The inherent trust implied by VPNs and DMZs is routinely abused by the bad guys. The goal instead should be to minimize trust: deliver access just in time and on a least-privilege basis, to the specific application a user needs rather than to the network it sits on.
Contrary to popular belief, the security perimeter is not going away; that would be an oversimplification. Instead, the perimeter has been extended and now exists everywhere. It is with mobile users accessing private apps on personal devices from home, the hotel, the airport, or Starbucks. It is with the private apps now running in the public cloud.
THIS is the new perimeter.
With it, zero trust network access and the CARTA framework become incredibly important, and companies should look to understand how the two work together.
Zero trust today builds on the initial zero trust model that Forrester's John Kindervag developed 10 years ago. The name is a bit misleading, since some trust must inevitably be established for work to get done, but the core idea was to adopt a default-deny posture and trust no one by default.
The reality is that zero trust in itself is important, but it is only the starting point of a longer journey. A one-time gate at session initiation is not a framework in itself: a decision made at login says nothing about what the user's device looks like an hour later. This is where Gartner's Continuous Adaptive Risk and Trust Assessment (CARTA) comes in.
Source: Gartner (December 2018)
CARTA is the next iteration of the Gartner Adaptive Security Architecture from 2014. Here, zero trust becomes a starting point and one of the key pillars of CARTA, as explained below:
Security is not just a decision at the point of initiation. It is a dynamic process that must be flexible enough to cover a perimeter that has moved. This is why Gartner recommends software-defined perimeter (SDP) solutions, which can segment access per application instead of exposing the whole network, as the first zero trust project enterprises take on.
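To make the three ideas above concrete (default-deny, per-application brokering instead of network access, and re-evaluating trust on every request rather than only at login), here is an added Python sketch. It is illustrative code written for this page, not Zscaler's, Gartner's, or any product's implementation; the app names, users, groups, thresholds, and risk signals are all constructed for the example.

```python
"""Default-deny, per-application access broker with continuous re-evaluation.

Added illustration; every policy entry, user, and signal below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One rule per private app (SDP-style app segmentation). An app with no
# entry is unreachable: there is no network path to fall back on.
POLICY: Dict[str, dict] = {
    "hr-portal":  {"groups": {"hr", "it"}, "managed_only": False,
                   "max_mfa_age_s": 8 * 3600, "geos": {"US", "DE"}},
    "payroll-db": {"groups": {"payroll"}, "managed_only": True,
                   "max_mfa_age_s": 15 * 60, "geos": {"US"}},
}

USER_GROUPS: Dict[str, set] = {"alice": {"hr"}, "bob": {"payroll"}}


@dataclass
class Signals:
    """Risk and trust signals re-collected on every request, not just at login."""
    user: str
    device_managed: bool
    mfa_age_s: float        # seconds since the user last completed MFA
    geo: str
    malware_alert: bool = False   # e.g. an endpoint agent raised an alert


def decide(app: str, s: Signals) -> Tuple[bool, str]:
    """Policy decision for one request. Every path that is not an explicit
    allow is a deny, so an unknown app or user is denied by default."""
    rule = POLICY.get(app)
    if rule is None:
        return False, "no policy for app (default deny)"
    if not USER_GROUPS.get(s.user, set()) & rule["groups"]:
        return False, "user not entitled to app"
    if s.malware_alert:
        return False, "endpoint alert: trust revoked"
    if rule["managed_only"] and not s.device_managed:
        return False, "unmanaged device"
    if s.mfa_age_s > rule["max_mfa_age_s"]:
        return False, "step-up authentication required"
    if s.geo not in rule["geos"]:
        return False, "geo not allowed"
    return True, "allow"


class Broker:
    """Per-app connection broker. Unlike a VPN gate that decides once, it runs
    decide() on every request and tears the session down as soon as a
    decision flips to deny."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple[str, str], bool] = {}
        self.log: List[str] = []

    def request(self, app: str, s: Signals) -> bool:
        ok, why = decide(app, s)
        key = (s.user, app)
        if ok:
            if key not in self.sessions:
                self.log.append(f"open {s.user}->{app}")
            self.sessions[key] = True
        elif self.sessions.pop(key, None):
            self.log.append(f"terminate {s.user}->{app}: {why}")
        else:
            self.log.append(f"deny {s.user}->{app}: {why}")
        return ok


def demo() -> List[str]:
    """Walk through a constructed sequence of requests and return the broker log."""
    b = Broker()
    alice = Signals("alice", device_managed=False, mfa_age_s=60, geo="US")
    b.request("hr-portal", alice)    # entitled, fresh MFA: session opened
    b.request("payroll-db", alice)   # not entitled: denied, and no network path exists
    b.request("file-share", alice)   # no policy at all: default deny
    # Mid-session the endpoint raises a malware alert. Same user, same
    # session, but the next request is re-evaluated and the session is cut.
    alice.malware_alert = True
    b.request("hr-portal", alice)
    bob = Signals("bob", device_managed=True, mfa_age_s=20 * 60, geo="US")
    b.request("payroll-db", bob)     # MFA too old for this app: step-up required
    bob.mfa_age_s = 0
    b.request("payroll-db", bob)     # allowed after step-up
    return b.log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the `Broker` is the loop shape, not the specific checks: signals are fresh on every call, the session table is only a cache of the last decision, and a deny on an existing session terminates it instead of being ignored because the user "already logged in".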
While enterprises should look to embrace CARTA, they must also consider the challenges they may face in getting there. I'll highlight a few below:
Chris Hines is head of product marketing for Zscaler Private Access and Z App.