December 16, 2019

Where Zero Trust Meets CARTA

Gartner’s CARTA model has been getting a lot of attention recently as a way to help CISOs build a more comprehensive security strategy that keeps pace with ever-changing cyber threats. This model is similar in scope to the Forrester model of Zero Trust. But are these two ideals at odds, or is there an intersection of CARTA and zero trust we should strive for?

Zero Trust Demystified

Most credit President Reagan with making the phrase “Trust but verify” a global phenomenon. The premise was with respect to tensions with Russian Secretary Mikhail Gorbachev back in 1987. This became a catch-phrase for everything where absolute certainty is paramount to success. So it is not a surprise that when a Forrester principal analyst wrote about zero trust security in 2010, the concept of “trust no one and verify everything” became the founding strategy for CISOs’ new cyber security strategies. Put more specifically in cyber security terms, a CSO Online article titled “What is Zero Trust? A model for more effective security” offers:

“Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.”

This concept of zero trust security was actually introduced by Forrester Group analyst John Kindervag back in 2010. In August of 2010 Dark Reading ran a headline that read “Forrester Pushes 'Zero Trust' Model For Security” and reported:

“Trust no one, not even your end users: That's the underlying theme of a new security model proposed by Forrester Research this week called "Zero Trust," which calls for enterprises to inspect all network traffic, from the outside and on the inside.

John Kindervag, senior analyst with Forrester, says the current trust model in security is broken and the only way to fix it is to get rid of the idea of the trusted internal network and the untrusted external network. Instead consider all network traffic untrusted, he says. "Times have changed. You can't think about trusted and untrusted users" anymore, says Kindervag, who gave more details on the model at Forrester's Security Forum in Boston this week.”

This model still exists today and Forrester publishes a Zero Trust Wave annually.

Understanding Continuous Adaptive Risk Assessment

Kasey Panetta of Gartner Group wrote a Smarter With Gartner article titled “Combat security risks with an adaptive approach to risk management” that describes Gartner’s recommendations on CARTA.

CARTA should also be used to evaluate vendors to ensure they offer five criteria:

  1. Open APIs,
  2. Support of modern IT practices such as cloud and containers,
  3. Support of adaptive policies, such as being able to change security postures based on context,
  4. Full access to data without penalties, and
  5. Multiple detection methods.

“A CARTA strategic approach enables us to say yes more often. With a traditional binary allow/deny approach we had no choice but to be conservative and say no,” says MacDonald. “With a CARTA strategic approach, we can say yes, and we will monitor and assess it to be sure allowing us to embrace opportunities that were considered too risky in the past.”

The article goes on to report why this is so important:

“The average time to detect a breach in the Americas is 99 days and the average cost is $4 million. Analytics will speed up detection and automation will speed up response time, acting as a force multiplier to scale the team without adding people. Analytics and automation ensure enterprises focus limited resources on events with the highest risk and the most confidence.”

As discussed in previous blogs we believe that IT Security is not a binary decision, so we couldn’t agree more on the best solution to this challenge.

Zero Trust Meets CARTA With Continuous Behavioral Authentication

The only way to find the intersection of CARTA and zero trust is to leverage an immutable identity solution for all internal and external users. In that way you can ensure that before, during and after authorization, only those you want to have access will actually gain that access.

One of the most important aspects of identity authentication is that most cybercriminals also adapt to new technologies, so something is needed to create an immutable identity that cybercriminals can’t adapt to. Acceptto was the first to understand, develop and deliver continuous authentication. Our company was built on the foundation that digital credentials must be used only by the person those credentials represent, and not by an imposter or by someone hijacking a device that person has correctly authenticated.

Acceptto’s eGuardian engine continuously creates and monitors user behavior profiles based on the user’s interaction with the It’sMe authenticator. Every time an activity occurs, actionable intelligence is gathered and used to optimize the user profile. eGuardian is capable of autonomously and continually learning new policies and adapting existing ones. While policies can still be manually defined and contribute to the computation, our Biobehavioral AIML approach automatically finds the optimal policy for each transaction. eGuardian leverages a mixture of AI and ML, expert systems and SMEs to classify, detect and model behavior, and assigns real-time risk scores to continuously validate your identity prior to, during and post-authentication.
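To make the CARTA idea of "say yes, then monitor and assess" concrete, here is a small added example (not Acceptto's eGuardian code) of a per-user behavioral baseline that grades every post-login event into allow, allow with step-up, or deny, and refines the baseline only from events it judged trusted. The signals (device familiarity, keystroke interval deviation, hour of day), weights and thresholds are assumed for illustration.

```python
# Added example (not Acceptto's eGuardian code): a per-user behavioral baseline
# and a graded, continuously re-evaluated decision per event instead of a single
# allow/deny at login. Signals, weights and thresholds are assumed.
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class Profile:
    """Behavioral baseline built only from events judged trusted."""
    typing_intervals: list = field(default_factory=list)  # ms between keystrokes
    known_devices: set = field(default_factory=set)

def make_profile():
    """Constructed sample baseline: mean 120 ms, population stdev 2 ms."""
    return Profile([123, 117, 121, 119, 120], {"laptop-1"})

def risk_score(profile, event):
    """0-100 risk from context plus behavior; event has device, typing_interval_ms, hour."""
    score = 0
    if event["device"] not in profile.known_devices:
        score += 40                          # unfamiliar device
    if len(profile.typing_intervals) >= 5:   # enough history for a baseline
        mu = mean(profile.typing_intervals)
        sigma = pstdev(profile.typing_intervals) or 1.0
        z = abs(event["typing_interval_ms"] - mu) / sigma
        score += min(50, int(z * 15))        # behavioral deviation, capped
    if not 6 <= event["hour"] <= 22:
        score += 10                          # outside usual working hours
    return min(score, 100)

def decide(score):
    """Graded CARTA outcome rather than binary allow/deny."""
    if score < 30:
        return "allow"
    if score < 70:
        return "allow_with_step_up"  # say yes, verify further, keep monitoring
    return "deny"

def assess(profile, event):
    """Score one event, apply policy, and refine the baseline only on clean events."""
    score = risk_score(profile, event)
    decision = decide(score)
    if decision == "allow":
        profile.typing_intervals.append(event["typing_interval_ms"])
        profile.known_devices.add(event["device"])
    return score, decision
```

The same user on a new device with familiar typing lands in the step-up band, while an unfamiliar device with atypical typing at 3 a.m. is denied; because only "allow" outcomes feed the baseline, an attacker who is merely tolerated under step-up never teaches the profile their own behavior.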

Download the Enterprise Management Associates’ Ten Priorities For Identity Management in 2019 today, then check out what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords while maintaining security and privacy by registering for a free demo.
