The explosive growth of cloud-based services and mobile devices in the workplace has rendered conventional approaches to cybersecurity risk management virtually obsolete, requiring a more adaptive and continuous strategy towards risk and trust, according to IT research and advisory firm Gartner.
One of the central messages at the Gartner Security & Risk Management Summit, held from 12-15 June near Washington DC, was that security threats and IT environments are evolving in ways that make binary ‘yes/no’ or ‘good/bad’ security decision-making useless. In the past, for example, IT leaders had to say ‘no’ to all manner of potentially risky situations. Now, they have to support their businesses by saying ‘yes’ more often, which in turn means they have to accept more gray areas and assess risk and trust on a more continuous basis.
Last year, Gartner unveiled a new Adaptive Security Architecture approach, which aimed to minimize the risk from the compromises it considers inevitable by curtailing an intruder’s or insider’s ability to inflict damage, and by minimizing the time to intrusion detection and response — on the premise that “perfect prevention is futile.”
The logical next step, which Gartner revealed in a May report and discussed in detail at the June summit, is to implement a new strategic approach it calls Continuous Adaptive Risk and Trust Assessment (CARTA), which should enable organizations to “embrace the opportunities of digital business while keeping risk manageable.”
The twin concepts behind CARTA are that:
- “All systems and devices must be considered potentially compromised and their behaviors continuously assessed for risk and trust.”
- “Users (and other entities), even once authenticated, are given just enough trust to complete the action being requested, and their behaviors are continuously verified and assessed for risk.”
We like the CARTA approach. It crystallizes the idea that one-off assessments and ‘yes/no’ access decisions are useless in today’s environment, similar to our own view that security professionals should scrap binary black-or-white approaches to security in favor of achieving greater contextual awareness and discovering more actionable intelligence in the ‘gray areas.’
A further premise of CARTA is that “infrastructure and systems must be prepared to treat trust as a dynamic, ever-changing set of contextual values,” mirroring our own concept of continuous trustworthiness and the ability of our Constellation Analytics Platform™ to integrate a broad array of data sources, thus providing additional context in assessing threats from malicious, negligent or inadvertent activities.
Gartner also tackles the important issue of current cybersecurity frameworks (e.g. NIST) not being comprehensive enough in their approach to risk. According to Gartner, “more information security decisions need to move toward a real-time assessment of risk and trust at the point in time that the security decision is made, using relevant context to enrich and inform the decision-making process and to enable real-time, adaptive, risk-based responses for access enablement and protection from threats and attacks.”
Haystax Technology has long advocated for organizations to adopt an increased focus on holistic risk frameworks and a solid commitment to risk-based measurements in order to accurately understand and defend against the most serious cybersecurity threats, whether they be in finance, defense or industry in general.
Simple forms of what we’ve called ‘cyber hygiene,’ although valuable, are not sufficient on their own to address the most serious risks. What’s required instead is something much more analytically sound and scientifically grounded, something that asks important questions like “which threats are most likely to occur?” or “what are our greatest vulnerabilities?” Translating the answers into business terms is key, and continuously measuring them so that risks and countermeasures can be prioritized is essential.