Customer interest in and vendor marketing of a “zero trust” approach to networking are growing. It starts with an initial security posture of default deny. But, for business to occur, security and risk management leaders must establish and continuously assess trust using Gartner’s CARTA approach.

Zero trust networking is a concept for secure network connectivity where the initial security posture has no implicit trust between different entities, regardless of whether they are inside or outside of the enterprise perimeter. Least-privilege access to networked capabilities is dynamically extended only after an assessment of the identity of the entity, the system and the context.

In Gartner research, we call this shift to continuously assessing and adapting to relative risk and trust levels “CARTA.” CARTA extends zero trust networking by continuously monitoring and assessing the levels of risk and trust during the interaction after access to the capabilities is extended. If the trust drops or the risk increases to a threshold requiring a response, access to the capabilities extended should adapt accordingly. Further, we have extended the CARTA strategic approach beyond networking, to all layers of the IT stack, into the creation of new digital business capabilities and into risk governance processes.

Gartner CARTA Approach

Zero trust is a useful network security concept, not a framework. Zero trust is an initial step on the roadmap to CARTA — a strategic framework for information security where dynamic levels of risk and trust are continuously assessed and security infrastructure is adapted to optimize the level of trust extended.

By applying CARTA-inspired lean trust concepts to areas of excessive trust in your enterprise, starting with the network and extending to other areas, you can significantly improve your security posture in 2019 and beyond. Read now