Gartner Reprint 1/22/18, 4:31 PM
(https://www.gartner.com/home) LICENSED FOR DISTRIBUTION
Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats
Published: 22 May 2017 ID: G00332400
Analyst(s): Neil MacDonald, Felix Gaehtgens
Summary
To securely enable digital business initiatives in a
world of advanced, targeted attacks, security and risk
management leaders must adopt a continuous
adaptive risk and trust assessment strategic approach
to allow real-time, risk and trust-based decision
making with adaptive responses.
Overview
Key Findings
Trust models using ownership and control as a proxy
for trust simply won't work in a world of IT-enabled
services delivered anytime to users, located
anywhere and accessed from any device.
Initial one-time block/allow security assessments for
access and protection are flawed, leaving the
enterprise open to zero-day and targeted attacks,
credential theft, and insider threats.
https://www.gartner.com/doc/reprints?id=1-46V5FJ4&ct=170719&st=sb Page 1 of 26
Trust (and risk) of digital business entities and their
actions must be dynamic, not static, and assessed
continuously as interactions take place and
additional context is gained.
Digital business outcomes can only be optimized
when digital trust is adaptively managed as a set of
fine-grained measures of confidence with
multidimensional risk and response attributes.
Recommendations
Security and risk management leaders focused on
cloud security should:
Identify an upcoming digital business initiative to
implement a continuous adaptive risk and trust
assessment (CARTA) strategic approach.
Use cloud access security brokers (CASBs) to deliver
CARTA capabilities to secure access, protect
sensitive data and protect from attacks when
consuming cloud-based services.
Pick from a larger set of adaptive responses based on the real-time assessments of digital risk and digital trust (for example, enabling read-only access), rather than just "block" or "allow."
Implement an adaptive web application firewall for
continuous risk and trust visibility into web-enabled
applications, or consider software-defined perimeter
vendors to "wrap" legacy applications.
Adopt a combination of adaptive access control and
user and entity behavioral analytics (UEBA)
monitoring for legacy applications where a full
CARTA strategic approach can't be easily applied.
Strategic Planning Assumption
By 2020, 25% of new digital business initiatives will
adopt a CARTA strategic approach, up from less than
5% in 2017.
Analysis
Information security is at an inflection point.
Traditional notions of "blocking the bad" and "allowing
the good" don't work when everything is potentially
compromised and we can't identify good from bad.
Mainstays of security protection using signature-based
blocking and prevention such as antivirus and intrusion
prevention systems fail to stop zero-day and targeted
attacks. Traditional identity and access management
protection that allows the good based on one-time
authentication events fails to detect stolen credentials
and insider threats.
The difficulty of discerning "good" from "bad" is
compounded by digital business initiatives where the
enterprise will no longer directly own or control the
systems and identities of devices and users interacting
with its processes and information. Models of trust that used ownership and control as a proxy for trust (for example, allowing only corporate-owned devices to connect) simply won't work in a world of cloud-based services delivered anywhere, anytime, to users who aren't our employees, on devices that we often don't own or physically control.
Information security is put in the position of saying
"no" because our models of risk and trust are broken
and we don't have alternative approaches in place to
say "yes."
The emerging concept of digital trust transcends the
counterproductively simplistic and obsolete binary
notions of "good" and "bad," enabling IT planners to
better understand and navigate the complex reality of
the infinite, multivector spectrum of digital risk. For
many digital interactions, there is not one particular
numeric value that can determine the level of trust, but
it all depends on the context. For example, a thing may
be trusted to interact with a service on behalf of a user
in a particular context. The same thing may act
differently and with a higher degree of freedom on
behalf of a different user (see "Digital Trust — Redefining Trust for the Digital Era: A Gartner Trend Insight Report"). Infrastructure and systems must be
prepared to treat trust as a dynamic, ever-changing set
of contextual values and to implement this level of
variability in how the service functions.
In prior Gartner research on the adaptive security architecture (ASA; see "Top 10 Strategic Technology Trends for 2017: Adaptive Security Architecture" and "Designing an Adaptive Security Architecture for Protection From Advanced Attacks"), we concluded
that perfect prevention is futile and that we must
architect adaptive security infrastructure with the
assumption that we will be compromised. The goal of
the ASA is really about minimizing the risk of loss and
the ability of an intruder or insider threat to cause
damage by improving our adaptive access and
defense, as well as minimizing the time to detect and
respond to an intrusion when one inevitably occurs. To
achieve this requires the ability to assess both the
trust of the entity and the risk of the behaviors being
requested continuously, from the moment the entity
initially requests to interact with our systems and data
and throughout its interactions.
Embracing the opportunities of digital business while
keeping risk manageable will require a new strategic
approach that embraces CARTA. All systems and
devices must be considered potentially compromised
and their behaviors continuously assessed for risk and
trust. Likewise, users (and other entities), even once
authenticated, are given just enough trust to complete
the action being requested, and their behaviors are
continuously verified and assessed for risk.
Information security can now have the confidence to
say "yes" and enable digital business initiatives and
interactions in situations where previously the default
answer would have been "no."
Digital business risk and digital business opportunity
are fundamentally intertwined; you can't have one
without the other. The key is continuously assessing
and balancing both. We need security that is adaptive
everywhere, to embrace the opportunity — and manage
the risks — that comes with this new digital world,
delivering security that moves at the speed of digital
business. In short, we need a CARTA strategic
approach. CARTA is about preparing all systems and
devices for interoperability with digital trust, and
extending digital trust toward them.
Attack Protection and Access Protection
Shift to Detect/Response
Attack prevention strategies alone are futile (see "Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence") and
relying on one-time security inspection gating and
allow/block decisions isn't working. For example, bad
things without known signatures are let in. Once the
request has gotten past these one-time inspection and
gating mechanisms (most notably antivirus, intrusion
prevention systems [IPSs] and secure web gateways),
the executable or network connection is assumed to
be good. Indeed, if it was malicious, once let in, most
enterprises lack the visibility to detect and respond to
the breach, allowing the bad guys to infect systems,
grab credentials and move laterally to other systems
(see Figure 1).
Figure 1. Gartner Adaptive Security Architecture — Attack
Protection: One-Time Assessments Leave Us at Risk
Source: Gartner (May 2017)
However, digital business is all about exploring new
opportunities and business patterns — it can't be just
about keeping the bad guys out, but also has to focus
on seizing opportunities and managing risk. In
Gartner's CASB research, we extend the ASA to include
access enablement (see "How to Evaluate and Operate a Cloud Access Security Broker"). Like attack
protection, from an identity perspective on the user
and entity side, there is a nearly identical problem with
access protection. Once an entity presents a valid
credential, it is believed to be good from that point
moving forward, even if the credentials were stolen or
provided by an insider with malicious intent. Once the
entity got past this one-time gating event
(authentication), the entity is assumed to be what it
says it is and no further assessment of trust or risk is
typically made (see Figure 2).
Figure 2. Gartner Adaptive Security Architecture — Access
Protection: One-Time Assessments Leave Us at Risk
Source: Gartner (May 2017)
For digital business assets to be adequately protected
in an era of advanced and targeted threats, one-time
inspection and gating are not sufficient. The initial
assessments of risk and trust (the upper right parts of
Figures 1 and 2) are still critical, and must themselves
be improved and adaptive. However, these one-time
assessments must be assumed to be fallible.
Malicious entities will get through. Thus, once
admitted, the entity must be continuously monitored
for indications of malicious behavior as it interacts
with applications, systems and data, and its levels of
relative risk and trust assessed. If the risk is too high
or the trust is too low, then adaptive responses (such
as reducing access) are needed.
This is a significant change in mindset for information
security. If you assume bad entities will inevitably get
past one-time gating assessments of threat prevention
and access control, then the goal of information
security at this point must shift from "perfect"
block/allow decisions to continuous risk and trust
assessments for the rapid detection and response if
and when something malicious happens — minimizing
the attacker's ability to infect other systems, cause
damage, steal information or create a service delivery
failure.
Digital trust is a key concept of CARTA and represents
the dynamic measure of confidence in the
corroboration of an identity. Digital risk (also a key
concept of CARTA) means that the variable level of
confidence in the claimed identity — digital trust — may
directly influence what an entity may be allowed to do
— within a particular context and acceptable level of
digital risk. Think of the example of TransferWise,[1] a
service for international payments that sets a monthly
limit for users who have registered, and removes this
limit once users have provided government-issued
identification.
By embracing a CARTA strategic approach, we
recognize that risk and trust are not static, and not
solely determined by one-time gating mechanisms.
Digital risk and digital trust are dynamic and vary over
time based on context. This context is derived by
correlating data to assess a set of digital trust vectors,
and encompasses the need to establish trust in the
data itself (see "Reset Your Information Governance Approach by Moving From Truth to Trust").
Beyond the basic continuous monitoring of
frameworks like SANS and NIST,[2] more information
security decisions need to move toward a real-time
assessment of risk and trust at the point in time that
the security decision is made, using relevant context to
enrich and inform the decision-making process and to
enable real-time, adaptive, risk-based responses for
access enablement and protection from threats and
attacks (see Figure 3).
Figure 3. CARTA Adaptive Security Posture Combines Access
Posture and Defense Posture
Source: Gartner (May 2017)
Information security will always be a balance between
access protection (letting the good guys into systems
and data) and attack protection (keeping the bad guys
out of systems and data). A CARTA strategic approach
continuously assesses and balances the risk and trust
for both. To support the world of digital business, our
security posture is constantly changing and adapting,
based on acceptable levels of digital risk and digital
trust based on context.
Information Security Is All About Decisions
(They Just Need to Be Continuously
Adaptive)
As first discussed in Gartner research seven years ago (see "The Future of Information Security Is Context-Aware and Adaptive"), almost all of information
security at runtime comes down to policy-based
decisions between the requesting entity, the behavior
being requested and the target entity. For example:
Should this IP address talk to this IP address on this
port? (firewalling)
Should this system run this executable? (antivirus,
application control)
Should this data be allowed to be emailed? (data
loss prevention)
Should this system be allowed to connect to the
network? (network access control, VPN)
Should this person be able to visit this website?
(secure web gateway)
Should this person be allowed to log in to this
application or system? (authentication)
Should this person be able to execute this
transaction? (authorization)
Should this entity be allowed to act on behalf of
another entity? (delegation, authorization)
Traditional information security infrastructure treats
these as macro, binary, yes/no decisions — in many
cases, with predefined tables of what is allowed
(identity and access management systems, firewalls)
and what should be blocked (antivirus signatures,
IPSs). One-time assessments and static, predefined
security policies won't work and won't scale for digital
business. We need to make these decisions smaller —
microsecurity decisions — continuously, based on real-
time assessments of risk and trust.
With a CARTA strategic approach, we shift from the
one-time "perfect" macrosecurity decision, toward a
context-dependent set of microdecisions, constantly
evaluating an ever-changing context and evolving
status of the participants within a complex digital
ecosystem. It becomes practical to do this when you
have enough intelligence, and the automation to apply
it. At each requested interaction (microdecision), we
should dynamically answer this question:
Should this entity be allowed to take the requested
action on this other entity given:
The current assessment of the entity's trust
The risk assessment of the requested behavior
given:
The current context (e.g., device reputation,
location reputation, sensitivity of the data, past
behaviors)
The enterprise's acceptable level of risk
A CARTA approach embraces the reality that we can't
know the answers to these security questions in
advance. We can't rely on static rules, tables and one-
time gating assessments of good or bad. In the world
of digital business, we can't provide a risk-based
answer to these security questions until the request is
made, the context is known, and the relative risk and
trust scoring of the entity and its requested behavior
are assessed.
Risk and Trust Must Become Continuously
Adaptive
As stated earlier, in digital business, risk and trust are
not binary things. They are dynamic, changing all the
time. To enable CARTA, we need to think of risk and
trust as continuous, adaptive assessments (models)
that change all the time. When a security decision is
requested — whether by a user, a system or an
executable — the overall risk is assessed using a
combination of risk of the requested action, our level
of trust in the entity (also referred to as reputation),
and the risk and trust scoring of the current context.
As part of this assessment, much of the contextual data must itself be assessed for how far it can be trusted; for example, we must decide how much to trust a reputation system, and how data from that system will subsequently be taken into consideration.
For instance, an entity with a low trust rating (low reputation score) may be denied an action even if the action itself is not particularly risky and the entity isn't definitely known to be bad (e.g., suspected malware can't connect out to the internet). In contrast, a trusted person (high reputation score) may be allowed to take a risky action (e.g., delete a customer record) if there is a high degree of confidence and trust that the entity is what it is believed to be. Further, this same person may be denied that action, even though "authenticated," if the context is risky (e.g., the device is unknown and is located in an untrusted region).
Digital trust becomes a dynamic, adaptive measure of
"trustability" — or trustworthiness — across multiple
dimensions (i.e., attributes of trust) at that point in
time given the current context. Entities themselves
carry trust ratings — or reputations. Over the past five
years, we've seen a significant rise of reputations and
reputation databases and services for all layers of the
IT stack (for example, external reputation services for
IP addresses, URLs, executables, devices, APIs, cloud
services, websites and email addresses). What is new
with CARTA is the additional scoring and rating of
these reputational systems, and also the scoring and
rating of all entities based on their observed behaviors
within our systems. A complete picture of digital risk
and trust must combine internally and externally
derived reputation measurements. For example, a
trusted application such as Adobe could exhibit a
series of risky behaviors within an enterprise that
provide enough evidence to treat Adobe as untrusted
(likely compromised), such as injecting into process
memory, writing to the boot loader and connecting
outbound to the public internet.
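The dynamic trust rating described above can be sketched in code. The following is an added example, not Gartner's or any vendor's implementation: an entity starts from an external reputation score, and each behaviour observed inside the enterprise re-scores it immediately, so a well-regarded application that injects into process memory and writes to the boot loader (the text's example) slides from trusted to untrusted and triggers a stronger response at each band. The 0 to 100 scale, the behaviour weights, the band thresholds and the response names are all assumptions made for this example; the same threshold-and-response structure also covers the EDR pattern described under item 3 of the list later in the report.

```python
"""Dynamic trust rating combining an external reputation with behaviours
observed inside the enterprise. Added example, not Gartner's or any vendor's
code; the 0..100 scale, weights, thresholds and responses are constructed."""
from dataclasses import dataclass, field

# Risk weight of each observed behaviour (constructed values).
BEHAVIOR_RISK = {
    "read_user_documents": 5,   # ordinary for a document viewer
    "outbound_internet": 15,    # talks to the public internet
    "process_injection": 30,    # injects into another process's memory
    "bootloader_write": 50,     # writes to the boot loader
}
DEFAULT_RISK = 10               # unknown behaviours still cost something

# Trust bands and the adaptive response tied to each (constructed policy).
TRUSTED_FLOOR, SUSPECT_FLOOR = 70, 40
RESPONSES = {
    "trusted": "allow",
    "suspect": "alert_soc_and_sandbox",
    "untrusted": "terminate_and_alert",
}


@dataclass
class Entity:
    name: str
    external_reputation: int            # 0..100 from an external reputation service
    observed: list = field(default_factory=list)

    def internal_penalty(self) -> int:
        """Accumulated risk of everything observed within our systems."""
        return sum(BEHAVIOR_RISK.get(b, DEFAULT_RISK) for b in self.observed)

    def trust_score(self) -> int:
        # External reputation sets the starting point; observed behaviour erodes it.
        return max(0, self.external_reputation - self.internal_penalty())

    def band(self) -> str:
        score = self.trust_score()
        if score >= TRUSTED_FLOOR:
            return "trusted"
        if score >= SUSPECT_FLOOR:
            return "suspect"
        return "untrusted"

    def observe(self, behavior: str) -> str:
        """Record a behaviour, re-score immediately and return the response."""
        self.observed.append(behavior)
        return RESPONSES[self.band()]


def walk_through() -> list:
    """Trusted application drifting to untrusted as risky behaviours accumulate."""
    app = Entity("document_viewer", external_reputation=95)   # constructed entity
    return [app.observe(b) for b in (
        "read_user_documents", "outbound_internet",
        "process_injection", "bootloader_write")]


if __name__ == "__main__":
    for behaviour, response in zip(
            ("read_user_documents", "outbound_internet",
             "process_injection", "bootloader_write"), walk_through()):
        print(f"{behaviour:22s} -> {response}")
```

Each behaviour on its own would be tolerable for a trusted application; the point is that the rating is recomputed at every observation, so the combination is what crosses the thresholds and changes the response.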
Security Responses Must Become
Continuously Adaptive
Most information security infrastructure to date is designed with a macro, binary allow-or-block mentality, and lacks sufficient visibility and risk/trust assessments. Thus, information security leaders default to "no," incurring opportunity costs and, in some cases, causing business units to bypass security in their digital business initiatives. With a CARTA strategic approach, enterprises gain flexibility and can adapt how they respond when the risk is too high or the trust is too low.
For example, if the trust is too low in an entity, there
are things we can do to increase our level of trust such
as a real-time device integrity assessment, applying a
patch, using out-of-band user authentication, asking a
security question and comparing the normality of the
request to those of their peers.
If the risk of the requested action is too high, there may be actions we can take to reduce it — for example, allowing access to the file, but in read-only mode; allowing the withdrawal, but limiting the amount withdrawn; or allowing the content to be moved locally onto a device, but only after the content has been detonated in a network sandbox (see Figure 4).
Figure 4. Continuous Adaptive Risk and Trust Assessment
Source: Gartner (May 2017)
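To make the microdecision concrete, here is an added example (not Gartner's code) of an evaluator that answers the question posed earlier: given the entity's current trust, the inherent risk of the requested action, the context and the enterprise's acceptable risk level, it returns a graduated response rather than a binary allow/block. It reproduces the three cases in the text (a low-trust entity denied a low-risk action; a trusted person allowed a risky action; the same person refused in a risky context), the risk-reducing responses (read-only access, a capped withdrawal) and the trust-raising response (out-of-band step-up). Every scale, weight and threshold is a constructed assumption.

```python
"""Microdecision evaluator: should this entity take this action, given current
trust, action risk, context and acceptable risk? Added example, not Gartner's
code; all scales (0..100), weights and thresholds are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    device_managed: bool
    device_known: bool
    location_trusted: bool
    data_sensitivity: int            # 0 (public) .. 100 (highly sensitive)
    deviates_from_peers: bool = False


@dataclass
class Request:
    entity_trust: int                # 0..100, current reputation of the requester
    action: str                      # e.g. "read_file", "delete_record", "withdraw"
    action_risk: int                 # 0..100, inherent risk of the action
    context: Context
    amount: Optional[float] = None   # for quantity-bearing actions such as withdrawals


ACCEPTABLE_RISK = 50     # enterprise's acceptable level of residual risk (assumed)
MINIMUM_TRUST = 30       # below this, even low-risk actions are refused
WITHDRAWAL_CAP = 500.0   # reduced-scope limit for withdrawals (assumed)

# Actions that have a reduced-scope variant (risk-reducing responses).
REDUCED_SCOPE = {"read_file": "allow_read_only", "withdraw": "allow_capped"}


def context_risk(ctx: Context) -> int:
    """Risk contributed by the circumstances of the request (0..100)."""
    risk = 0
    if not ctx.device_managed:
        risk += 20
    if not ctx.device_known:
        risk += 20
    if not ctx.location_trusted:
        risk += 25
    if ctx.deviates_from_peers:
        risk += 15
    risk += ctx.data_sensitivity // 5       # up to +20
    return min(100, risk)


def residual_risk(req: Request) -> int:
    """Action risk in context, offset by how much we trust the entity."""
    exposure = req.action_risk + context_risk(req.context)
    credit = req.entity_trust // 2          # high trust buys down risk, never below zero
    return max(0, exposure - credit)


def decide(req: Request, step_up_available: bool = False) -> dict:
    risk = residual_risk(req)
    if req.entity_trust < MINIMUM_TRUST:
        return {"decision": "deny", "reason": "trust below minimum", "risk": risk}
    if risk <= ACCEPTABLE_RISK:
        return {"decision": "allow", "reason": "within acceptable risk", "risk": risk}
    # Over the acceptable level: first try to raise trust, then reduce the risk, else deny.
    if step_up_available:
        return {"decision": "step_up", "reason": "out-of-band verification required", "risk": risk}
    if req.action in REDUCED_SCOPE:
        result = {"decision": REDUCED_SCOPE[req.action], "reason": "reduced scope", "risk": risk}
        if req.action == "withdraw" and req.amount is not None:
            result["amount"] = min(req.amount, WITHDRAWAL_CAP)
        return result
    return {"decision": "deny", "reason": "risk exceeds acceptable level", "risk": risk}


# Constructed scenarios mirroring the report's prose.
SAFE = Context(device_managed=True, device_known=True, location_trusted=True, data_sensitivity=60)
RISKY = Context(device_managed=False, device_known=False, location_trusted=False, data_sensitivity=60)


def demo() -> list:
    return [
        decide(Request(10, "connect_out", 10, Context(True, True, True, 0)))["decision"],
        decide(Request(90, "delete_record", 70, SAFE))["decision"],
        decide(Request(90, "delete_record", 70, RISKY))["decision"],
        decide(Request(90, "delete_record", 70, RISKY), step_up_available=True)["decision"],
        decide(Request(60, "withdraw", 50, Context(True, True, False, 40), amount=2000.0))["decision"],
        decide(Request(70, "read_file", 50, Context(False, True, True, 80)))["decision"],
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The ordering inside `decide` encodes the report's preference: raise trust first (step-up), then shrink the action's scope, and deny only when neither is available.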
Embracing a CARTA strategic approach acknowledges
that perfect security is impossible; that trying to be
perfect ensures that you will do a worse job than you
otherwise would and miss digital opportunities by
defaulting to "no"; and that doing a "good enough," risk-
appropriate assessment and continuously improving it
are the most effective ways to balance digital risk and
trust. Information security leaders can now say "yes" to
emerging digital business opportunities in a risk-
balanced manner.
Data Protection Must Become Continuously
Adaptive
The core charter of information security is ultimately
about the protection of information. Protection of
systems and networks is a means to the end goal of
protecting access to information. A CARTA strategic
approach must extend to how data is used and
accessed, and how sensitive data is kept protected —
either within the enterprise or outside of traditional
walls (for example, on mobile devices, in cloud
services and in the hands of digital business
ecosystem partners). In reality, information protection
lives at the center of threat protection and access
protection.
In digital business, our data can be anywhere. We need
to apply a continuous risk- and trust-based
assessment approach to data. For example, is this
data sensitive and should it be allowed into a given
cloud-based service? If the sensitive data is already in
a cloud-based service, should it be allowed out of the
cloud and onto devices? What if the device is
unmanaged with a low level of trust? These are all real-
time security decisions and they need a CARTA
strategic approach.
In the examples above, if sensitive data is identified, it
could be blocked upon upload to any cloud file sharing
service except the one the enterprise has standardized
on (in this example, Box). It could also, by policy, be
encrypted before it is allowed to be stored in Box,
further reducing the risk of exposure. Once in Box, it
could be monitored for access and potentially risky
configurations (such as when shared to the public
internet). When a user requests to download the data
locally, a risk- and trust-based assessment of the
context of the request can be performed. Downloads
to unmanaged devices can be blocked and restricted
to managed devices in good health. Or the data could
be encrypted and protected with digital rights
management and allowed to be downloaded to any
device. Multiple CASB offerings provide exactly this
capability today — continuous sensitive data
identification; context, risk and trust measurements;
and adaptive, policy-based responses (see "Market Guide for Cloud Access Security Brokers").
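The Box scenario above maps onto a small policy engine; the following is an added example and not any CASB vendor's code. Sensitive data is identified at upload (here, a Luhn-validated payment-card number, which rejects look-alike digit strings), the classification is remembered, and later share and download events receive context-based responses: block uploads to unsanctioned services, encrypt before storage in the sanctioned one, revoke public shares, and for unmanaged devices either block or allow with rights management, as a configurable policy. Service names, device attributes and the sample content are constructed.

```python
"""CASB-style data-protection policy: classify on upload, then apply adaptive
responses to share and download events. Added example (not a CASB product's
code); service names, device attributes and sample content are constructed."""
import re

SANCTIONED_SERVICE = "box"            # the service the enterprise standardized on
UNMANAGED_DOWNLOAD_POLICY = "drm"     # "drm" (encrypt + rights management) or "block"

# Candidate payment-card numbers: 13-16 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_sensitive(content: str) -> bool:
    """Sensitive if the content contains at least one Luhn-valid card number."""
    for m in CARD_RE.finditer(content):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False


class DataPolicy:
    def __init__(self):
        self.labels = {}   # file_id -> True if classified sensitive at upload

    def on_upload(self, file_id: str, service: str, content: str) -> str:
        sensitive = is_sensitive(content)
        self.labels[file_id] = sensitive
        if not sensitive:
            return "allow"
        if service != SANCTIONED_SERVICE:
            return "block"                  # sensitive data only goes to the sanctioned service
        return "allow_encrypted"            # encrypt before it is stored there

    def on_share(self, file_id: str, audience: str) -> str:
        if self.labels.get(file_id) and audience == "public":
            return "revoke_share_and_alert"  # risky configuration: shared to the public internet
        return "allow"

    def on_download(self, file_id: str, device: dict) -> str:
        if not self.labels.get(file_id):
            return "allow"
        if device["managed"] and device["healthy"]:
            return "allow"                  # managed device in good health
        return "allow_with_drm" if UNMANAGED_DOWNLOAD_POLICY == "drm" else "block"


if __name__ == "__main__":
    policy = DataPolicy()
    card_text = "cardholder 4111 1111 1111 1111 exp 12/20"   # constructed test number
    print(policy.on_upload("f1", "dropbox", card_text))       # block
    print(policy.on_upload("f1", "box", card_text))           # allow_encrypted
    print(policy.on_share("f1", "public"))                    # revoke_share_and_alert
    print(policy.on_download("f1", {"managed": False, "healthy": True}))  # allow_with_drm
```

Keeping the classification in `labels` rather than rescanning on every event is what lets the download decision stay a cheap real-time check on device context alone.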
The Security Operations Center Must
Become Continuously Adaptive via Analytics
At the center of Figures 1, 2 and 3 is "continuous
visibility and assessment." Continuous monitoring will
generate significantly more data than enterprise
security teams are used to handling. But we already
have too much data. A CARTA strategic approach
moves beyond passive monitoring and takes action —
adapts — based on the assessment. The implication is
that analytics will play a central role in CARTA.
Analytics are needed for multiple purposes: to
establish baselines; to identify sensitive data; to
perform correlation for behavioral signatures and for
machine learning to identify clusters of users and
usage, and to help identify meaningful outliers. All of
the following techniques will be used: signatures, rules,
correlation, baselining for monitoring deviations,
machine learning, deep learning and artificial
intelligence. The strategy of defense in depth, which
has been a cornerstone of information security for
decades, must now be applied in analytical techniques
as well — "analytics in depth."
At the end of the day, however, all of these analytical
techniques are a means to the end. The end goal of
CARTA is better information security decisions —
where "better" means more accurate, faster and
adaptive security decisions to allow end users to get
their jobs done in a risk-appropriate manner. On the
back end, a CARTA strategic approach needs to be
brought to the security operations center (SOC) as
well, to help our limited security operations analysts to
be more productive and to focus on the highest risk
incidents that are surfaced. There will always be security incidents, and there will always be more than we can address. So real-time visibility and assessment of the risk of the incident, and of our trust (confidence) that the event is real, is imperative.
Bimodal IT Needs Bimodal Security With a
CARTA Strategic Approach
It is not possible, nor is it appropriate, to adopt CARTA across all of information security at once. In prior Gartner research (see "Hit the Bimodal IT Highway Now — Considerations for Structuring and Staffing" and "The Four Steps to Manage Risk and Security in Bimodal IT"), we discuss bimodal IT strategies for
separating the development, operations and
management of more traditional enterprise systems of
record (Mode 1) from the development, operations and
management of rapidly changing systems of
innovation (Mode 2). Both modes benefit from a
CARTA strategic approach. Mode 1 systems need
better protection from advanced, targeted attacks and
protection from credential theft and insider attacks. To
embrace, support and say "yes" to Mode 2-style
systems, a CARTA approach will be critical because of
the speed of delivery and the fact that, with mobile,
cloud and digital business ecosystems, we control less
and less of the physical infrastructure where our data
will reside. A CARTA strategic approach enables Mode
2 systems with continuous risk management. In
addition to CASBs, which are an excellent example of
adopting a CARTA strategic approach for the adoption
of cloud SaaS services, CARTA principles are being
implemented in other types of security offerings that
digital businesses are using today to embrace cloud
services, mobile endpoints and digital business
ecosystems using risk- and trust-based assessments.
Here are eight ways a CARTA strategic approach can
be put into motion today:
1. Adaptive access control. This is a
straightforward first step and is shown in the
upper right of Figure 2. As a stepping stone to
CARTA, apply more context at the point of
authentication (for example, an assessment of
the device reputation, location, time of day and
security posture). Many organizations do this
today for VPN and network access control, but
the concept could be extended to enterprise
logins.[3] A full CARTA strategic approach would
monitor the user and device continuously beyond
this, but context-aware, adaptive access control
is a start.
2. Externalized authorization management (EAM).
This allows authorization decisions to be made
by an external system outside of a particular
application. The application can then query the
EAM system for a decision. This allows policies
to be defined across a whole set of systems and
applications, without the developer having to
preanticipate and implement policy controls in
each application separately, and enables a more
fine-grained authorization approach.
3. Endpoint detection and response (EDR). EDR solutions (see "Market Guide for Endpoint Detection and Response Solutions") assume that malware will get into enterprise systems, so they continuously monitor and assess the risk and trust of an application while it is executing. If and when the risk score crosses a threshold set by the organization, adaptive responses can be invoked, such as terminating the process, sending an alert to the SOC or running the process in a sandbox.
4. User and entity behavioral analytics. UEBA solutions (see "Market Guide for User and Entity Behavior Analytics") are similar to EDR, but monitor a different layer of the stack: users as they log in, log out, and interact with systems and data. Most UEBA solutions aren't yet in-line, so their assessments are made after the event occurs, with the goal of minimizing the time to detect and respond to risky behaviors indicative of malicious intent (the bottom portion of Figure 2). However, most CASBs are deployed in-line and perform real-time embedded UEBA, monitoring users as they log in and interact with cloud services and cloud-based data, and performing continuous risk- and trust-based assessments. If the user is behaving in a risky way, adaptive responses can be designed, such as prompting the user out of band ("Are you sure you intend to download the entire customer database?"). If the request is legitimate, the user can proceed. If the request comes from an attacker with stolen credentials, the real user can deny it.
5. Software-defined perimeters (SDPs). SDP offerings deliver precise, context-aware network connectivity to enterprise applications, services and data for remote users and partners (see "It's Time to Isolate Your Services From the Internet Cesspool"). SDP is an evolution of VPN and demilitarized zone (DMZ)-based access that removes applications from the public internet using a trust broker. Entities are not allowed to see the resource until trust is established via the trust broker's initial assessment process. All SDP solutions provide initial context assessment, and trust and risk assessment for adaptive access control. Some of the SDP offerings remain in-line and monitor, providing a continuous risk- and trust-based assessment of the entire session.
6. Adaptive web application firewalls (WAFs).
Modern WAFs have moved beyond simple rule-
based attack prevention. Since the WAF is in-line,
the entire session can be monitored and
assessed for risk by monitoring the users and
their interactions at the web application layer.
This is also the longer-term promise of runtime application self-protection (RASP), which runs within the application itself and thus has more context for real-time decision making. Some CASBs and SDPs can also "wrap" legacy web-enabled applications for this type of continuous visibility and assessment.
7. User interface protection. On e-commerce and
consumer websites, antibot protection and
antiautomation solutions protect from abuse of
the application at the user interface layer — for
example, protecting from automated bots, screen
scraping, rogue account creation and similar
fraudulent techniques. Like WAFs (indeed several
WAFs provide this capability), these solutions are
in-line and continuously monitor and assess the
risk and trust of the user, and their behaviors and
interactions with the application in real time,
continuously.
8. Network traffic analysis (NTA). These solutions
continuously monitor network traffic patterns,
metadata and objects (derived from flow logs or
directly from full packet capture) for indications
of malicious intent. In addition to identifying
known patterns of malicious behavior, these
offerings build a model over time of "normal"
baseline behaviors. When traffic patterns emerge
that are outside the expected spectrum and with
enough context to be determined "risky," these
NTA tools can provide adaptive responses —
typically an alarm, but could also be configured
to work with other network security controls to
block the connection or throttle access.
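The baseline-then-outlier logic described for NTA tools, shown as an added example in Python (not any vendor's implementation). It builds a per-host "normal" model from constructed hourly flow-log summaries, refuses to judge a host whose baseline is too thin (the "enough context" condition), and grades the adaptive response from alarm to throttle to block. Hosts, volumes and the 203.0.113.9 destination are constructed sample data; the thresholds are illustrative assumptions.

```python
"""Added example: baseline-and-outlier scoring of flow metadata with a graded
adaptive response, in the spirit of NTA tools.  Constructed data and
thresholds; not any product's actual algorithm."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed hourly flow-log summaries: (host, hour, bytes_out, destination).
# Two workstations with a stable daily pattern form the "normal" baseline.
BASELINE_FLOWS = (
    [("ws-01", h, 8_000 + 500 * (h % 3), "intranet") for h in range(24)]
    + [("ws-02", h, 20_000 + 1_000 * (h % 4), "intranet") for h in range(24)]
)

MIN_SAMPLES = 12  # "enough context": do not judge a host on a thin baseline


def build_baseline(flows):
    """Per-host mean/stdev of hourly bytes_out plus the destinations seen."""
    volumes = defaultdict(list)
    destinations = defaultdict(set)
    for host, _hour, bytes_out, dst in flows:
        volumes[host].append(bytes_out)
        destinations[host].add(dst)
    model = {}
    for host, vals in volumes.items():
        model[host] = {
            "mean": mean(vals),
            "sd": pstdev(vals) or 1.0,  # a constant baseline would divide by zero
            "n": len(vals),
            "dsts": destinations[host],
        }
    return model


def assess(model, host, bytes_out, dst):
    """Score one new hourly observation and choose an adaptive response.

    Responses escalate with the deviation: an alarm for a mild outlier or an
    unseen destination, throttling for a large one, and a block only when a
    very large volume also goes to a destination never seen in the baseline.
    """
    m = model.get(host)
    if m is None or m["n"] < MIN_SAMPLES:
        # Unknown or barely-seen host: keep observing, do not act on noise.
        return {"host": host, "z": None, "new_destination": None, "response": "observe"}
    z = (bytes_out - m["mean"]) / m["sd"]
    new_dst = dst not in m["dsts"]
    if z >= 8 and new_dst:
        response = "block"
    elif z >= 5:
        response = "throttle"
    elif z >= 3 or new_dst:
        response = "alarm"
    else:
        response = "allow"
    return {"host": host, "z": round(z, 2), "new_destination": new_dst, "response": response}


if __name__ == "__main__":
    model = build_baseline(BASELINE_FLOWS)
    # Constructed new observations: one routine hour, one exfiltration-like burst.
    for obs in [("ws-01", 8_600, "intranet"), ("ws-01", 60_000, "203.0.113.9")]:
        print(assess(model, *obs))
```

The point of the `MIN_SAMPLES` gate and the destination check is that the response is driven by both deviation and context: a large volume alone only throttles, and a host without history is watched rather than blocked, which keeps false positives from becoming self-inflicted outages.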
Looking Forward — Building CARTA Into Digital Business Applications
Most of the solutions discussed above bring CARTA to
existing use cases by getting in-line to the session
using a variety of techniques — forward proxies,
reverse proxies, instrumenting the OS with an agent or
instrumenting the application runtime. Others get
near-real-time visibility using network taps or packet
forwarding. Ideally, a CARTA strategic approach could
be applied earlier in development so that the
application is designed and instrumented for
continuous risk- and trust-based assessments and
adaptive responses from the beginning. We can look to
consumer-facing financial services applications for
examples of how the next generation of enterprise
digital business applications will embrace the CARTA
strategic approach. For example, several large financial
services institutions use a solution from LigaData that
implements continuous assessment (it refers to it as
its Kamanja "continuous decisioning" engine) in the
next generation of their consumer financial
applications. 4 The applications are architected for
continuous visibility with multiple layers of analytics
for real-time risk- and trust-based assessments.
Another example is an offering from Cleafy. 4 Its
offering is designed to work with mobile applications
using APIs to communicate to enterprise back ends.
Cleafy's architecture uses the application delivery
controller to inject JavaScript into web pages on the fly
(for native mobile apps, a software development kit).
The product is able to continuously monitor and
assess the risk of the application behaviors using
cumulative session risk scoring. Trust is established
by monitoring the integrity of the application,
communications and device layer. If the session
behaviors are too risky or the trust is too low, adaptive
responses are provided, such as a risk-based
authentication request. Analytics on the back end
provide multientity correlation, and machine learning is
used for real-time pattern clustering to identify similar
attack patterns without requiring traditional signatures.
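Cumulative session risk scoring with trust established from integrity checks, as an added example in Python; it also covers the bot-like interaction behaviour that user interface protection (item 7 above) watches for. This is illustrative code, not Cleafy's or any vendor's model: the event names, weights, trust signals and thresholds are constructed assumptions. Risk accrues over the whole session rather than per request, each established trust signal raises the thresholds, and the adaptive responses are a risk-based authentication challenge or session termination.

```python
"""Added example: cumulative session risk scoring with trust signals and
adaptive responses (step-up authentication, termination).  Weights and
thresholds are constructed for illustration; not any vendor's actual model."""
from dataclasses import dataclass, field

# Constructed per-event risk weights.  "rapid_navigation" stands in for
# bot-like interaction speed observed at the user-interface layer.
EVENT_RISK = {
    "login_ok": 0,
    "new_device": 20,
    "geo_change": 25,
    "rapid_navigation": 15,
    "beneficiary_added": 30,
    "large_transfer": 40,
}
# Integrity checks that establish trust in the application, channel and device.
TRUST_SIGNALS = ("app_integrity", "channel_integrity", "device_integrity")
INTEGRITY_FAILURE_RISK = 50  # a failed integrity check is itself a risk event


@dataclass
class Session:
    session_id: str
    risk: int = 0
    trust: set = field(default_factory=set)
    stepped_up: bool = False
    history: list = field(default_factory=list)


def record_trust(session, signal, passed):
    """Record an integrity check; failures add risk instead of trust."""
    if signal not in TRUST_SIGNALS:
        raise ValueError(f"unknown trust signal: {signal}")
    if passed:
        session.trust.add(signal)
    else:
        session.trust.discard(signal)
        session.risk += INTEGRITY_FAILURE_RISK
    session.history.append((signal, passed))


def record_event(session, event):
    """Accumulate risk over the life of the session rather than per request."""
    session.risk += EVENT_RISK[event]
    session.history.append(event)


def decide(session):
    """Adaptive response from cumulative risk against trust-scaled thresholds.

    Each established trust signal raises both thresholds, so a fully attested
    session tolerates more unusual behaviour before it is challenged.
    """
    trust_level = len(session.trust)
    step_up_at = 40 + 10 * trust_level
    terminate_at = 90 + 10 * trust_level
    if session.risk >= terminate_at:
        return "terminate"
    if session.risk >= step_up_at and not session.stepped_up:
        return "step_up_auth"
    return "continue"


def complete_step_up(session, succeeded):
    """Apply the outcome of a risk-based authentication challenge."""
    if not succeeded:
        return "terminate"
    session.stepped_up = True
    session.risk //= 2  # constructed policy: a passed challenge halves accrued risk
    return decide(session)


def run_scenario(events, trust_results=(), step_up_succeeds=True):
    """Replay a constructed session and return the sequence of responses."""
    s = Session("sess-constructed")
    for signal, passed in trust_results:
        record_trust(s, signal, passed)
    responses = []
    for ev in events:
        record_event(s, ev)
        r = decide(s)
        if r == "step_up_auth":
            r = f"step_up_auth->{complete_step_up(s, step_up_succeeds)}"
        responses.append(r)
        if r.endswith("terminate"):
            break
    return responses


if __name__ == "__main__":
    # Attested app and channel, then a sequence that ends in a terminated session.
    print(run_scenario(
        ["login_ok", "new_device", "beneficiary_added", "large_transfer",
         "large_transfer", "geo_change"],
        [("app_integrity", True), ("channel_integrity", True)],
    ))
    # No trust established and a failed challenge: terminated at the first step-up.
    print(run_scenario(["new_device", "rapid_navigation", "beneficiary_added"],
                       step_up_succeeds=False))
```

Two design choices matter here. The challenge is offered only once per session (`stepped_up`), so an attacker who has already passed it cannot be "re-challenged" into a loop, and a failed integrity check converts directly into risk rather than merely withholding trust, which is how a tampered client is caught even when its behaviour looks routine.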
Looking Forward: Extending a CARTA Mindset to More Information Security Processes
Information security is more than just the runtime
protection of access to services and information and
the runtime protection from threats. The CARTA
strategic approach should be extended to all areas of
information security and all of its processes. For
example:
Extending CARTA to the enterprise build and
development processes for continuous risk- and
trust-based assessments of IT-enabled services
during the development process. This is especially
critical for integrating security into DevSecOps style
workflows (see "DevSecOps: How to Seamlessly
Integrate Security Into DevOps" ).
Internet of Things (IoT) and embedded devices
extending the enterprise surface area for access and
attack. However, there are different limitations on
the risk profile of IoT devices (can't be easily
patched, for example). A CARTA strategic approach
would start with continuous monitoring and visibility
of the devices with an assessment of their relative
risk and trust, as well as monitoring and assessing
their exhibited behaviors over time.
Extending CARTA to the procurement processes of
new IT-enabled systems and services. Several third-
party vendor risk assessment providers are
emerging that provide access to their databases of
assessments of digital risk and trust. For example,
cloud service risk and trust databases are available
in all of the leading CASB solutions.
Extending a CARTA strategic approach to how and
when we partner in digital business ecosystems. In a
digital business system, my partners become a part
of my surface area for attack and vice versa. Their
risk is my risk. My risk is their risk. There is a
growing need for third-party, objective, real-time
continuous risk and trust assessments of digital
businesses, and a growing set of vendors providing
these risk and trust assessments in the form of
security ratings services.
Strategies for business continuity and disaster
recovery will fundamentally change as the enterprise
and its information are spread everywhere. Continuous
visibility and understanding of systems, services,
assets and partners is needed as digital business
infrastructure will be in a state of constant flux. A
risk-based approach to service restoration in the
event of a catastrophe is needed.
Finally, extending a CARTA strategic approach to
information security governance and risk. Enterprise
risk management needs to become integrated risk
management (see "Definition: Integrated Risk
Management Solutions" ) — a continuous risk-based
process that works with business leaders to set
acceptable levels of risk. The continuous monitoring
and visibility of the current state of risk and trust in
an enterprise will shift this conversation to becoming
data-driven, not based on instinct. Analytics will be
used to make risk assessments actionable and
adaptive, enabling "what if" scenarios that are not
otherwise possible. Desired levels of risk can be set and then
monitored using the CARTA approaches to threat
protection and access protection discussed earlier,
providing a feedback loop from risk planning to risk
in production.
Bottom Line
Most of our security infrastructure is architected for a
binary world of clarity and control that no longer exists,
and in an environment where advanced and targeted
attacks are the norm. Bad guys routinely bypass the
one-time gating of today's attack and access
protection services. On top of this, the reality is that
business leaders are moving full speed ahead to
embrace the opportunities of cloud services, mobile
devices and digital business ecosystems, with or
without you. This is exactly why we believe the shift to
a CARTA strategic approach is necessary. We need
security infrastructure that is adaptive everywhere, to
embrace the opportunity — and manage the risks —
that come with this new digital world, delivering
security that moves at the speed of digital business.
Additional research contribution and review: Ramon
Krikken and Eric Ahlm
Evidence
1. See TransferWise (https://transferwise.com/us/).
2. SANS (https://www.sans.org/reading-room/whitepapers/analyst/continuous-monitoring-is-needed-35030) and NIST (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf).
3. See DuoSecurity (https://duo.com/), Syntegrity (https://www.syntegrity.com/) and Preempt (https://www.preempt.com/).
4. N. Weir and R. Johnson. "Continuous Decisioning: Extending Lambda Architecture for Real-Time Decisioning." (http://kamanja.org/wp-content/uploads/2015/10/Continuous-Decisioning-WP-v0.8-aa-edit.pdf) LigaData.
To illustrate the concept of continuous decisioning, consider this simplified use case from banking: Continuously score a customer's account for likelihood for overdraft in order to decide whether to offer the customer an overdraft protection, send a low balance alert, or take no action.
For this use case, the bank needs to perform the following actions or decisions:
Upon each new transaction:
    Predict if a future overdraft is likely based on historic spend and deposit patterns of that customer
    If an overdraft is predicted as likely, determine whether a customer qualifies for overdraft protection based on credit analysis:
        If yes AND customer settings permit, send an overdraft protection offer optimized for acceptance
        If no AND customer settings permit, send the customer a low balance alert
    Record relevant outcomes, such as nonoverdrafts, overdrafts, overdraft protection offered and overdraft protection sold.
    Refine predictive model using recorded outcomes.
© 2017 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered
trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or
distributed in any form without Gartner's prior written permission. If you are authorized to
access this publication, your use of it is subject to the Usage Guidelines for Gartner
Services (/technology/about/policies/usage_guidelines.jsp) posted on gartner.com.
The information contained in this publication has been obtained from sources believed to
be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy
of such information and shall have no liability for errors, omissions or inadequacies in such
information. This publication consists of the opinions of Gartner's research organization
and should not be construed as statements of fact. The opinions expressed herein are
subject to change without notice. Gartner provides information technology research and
advisory services to a wide range of technology consumers, manufacturers and sellers, and
may have client relationships with, and derive revenues from, companies discussed herein.
Although Gartner research may include a discussion of related legal issues, Gartner does
not provide legal advice or services and its research should not be construed or used as
such. Gartner is a public company, and its shareholders may include firms and funds that
have financial interests in entities covered in Gartner research. Gartner's Board of Directors
may include senior managers of these firms or funds. Gartner research is produced
independently by its research organization without input or influence from these firms,
funds or their managers. For further information on the independence and integrity of
Gartner research, see "Guiding Principles on Independence and Objectivity.
(/technology/about/ombudsman/omb_guide2.jsp)"