Today’s business networks are complex, incorporating many devices and users with different access points. These environments can be difficult to secure using traditional protocols. To improve network security, companies should consider implementing CARTA. Also known as continuous adaptive risk and trust assessment, CARTA network security is an evolution of Gartner’s Adaptive Security Architecture.
In a rapidly changing threat landscape, security must change as well. For example, a source may be trusted one day and risky the next. This means that a policy must constantly evaluate and adjust its definition of trust and risk, using data and behavioral analytics to provide real-time context. This type of adaptive network security is called continuous risk and trust assessment (CARTA). Gartner first introduced CARTA network security in 2017 as a way to offer a more strategic and efficient approach to security. Modern businesses must allow employees to access their networks remotely. This can be done by providing secure VPN access via a mobile app or cloud solution. CARTA network security enables this without compromising the security of corporate systems or personal devices. The security is based on the user, device, and location, rather than an IP address. This enables employees to work from home, the office, or even while traveling. With traditional security, this would be impossible to do without sacrificing user efficiency. In addition, CARTA network security allows cyber security teams to quickly respond to threats by enabling them to detect suspicious behavior and alert users within milliseconds. It also helps to prevent data exfiltration by leveraging risk-adaptive protection policies that automatically adjust DLP rules for the highest-risk individuals. This type of adaptive network security is the foundation for a strong defense posture.
Zero trust is a security model that shifts the paradigm from “trust always, verify never” to the opposite, “never trust, always verify.” With this approach, all entities are considered hostile and access is only granted after they have been verified. This includes users, devices and applications. It also applies to network infrastructure, data centers and cloud environments. This is achieved by deploying micro-perimeters, restricted access zones and applying identity-based policies.
The key to zero trust is visibility into the status of all devices, networks and data that need to be protected. This enables the collection of all the necessary data that will inform and support the development, implementation and enforcement of appropriate security policies.
These policies are based on the principle of least privilege, so only the minimal set of capabilities that are required to perform the job is allowed. This reduces the threat surface and can contain breaches if they occur. Zero trust also allows for ongoing encrypted traffic inspection and analysis, which can be used to identify vulnerabilities. Despite what some might think, adding security shouldn’t add friction to the user experience. Zero trust solutions that employ a default-deny posture can help achieve this balance. They use dynamic policy, device and user monitoring practices – such as those described in Forrester’s Zero Trust eXtended, Gartner’s Continuous Adaptive Risk & Trust Assessment (CARTA) network security and NIST SP 800-207 – to verify users and their devices at the point of access and then only grant them access to the necessary resources based on context.
The security landscape is changing at a rapid pace. Attackers are leveraging new tactics and techniques to break into the most secure networks, but even the best cybersecurity teams struggle to keep up with this threat activity. CARTA’s network security framework is a solution to this challenge, enabling businesses to adapt and mitigate digital risk as it emerges. Instead of using static rules and deny-by-default approaches, the CARTA network security framework enables businesses to deploy and configure policies that automatically assess and adapt to reduce cyber risk as they change. By implementing automation at the Deploy and Configure layers of the security hierarchy, enterprises can improve their security posture faster than ever before.
This automation will also help reduce the number of false positives that security analysts are forced to investigate. False positives can distract analysts from more important tasks, leading to alert fatigue and slowing incident response times. Security automation will be able to identify these false positives and automatically resolve them, eliminating this problem and freeing up analyst time to focus on more critical activities. As a business that works to ensure the safety and security of customers, Carta network security takes security seriously. We follow strict standards for password protection, two-factor authentication, and securing customer data at rest and in transit with full disk encryption. We also use a secure file sharing platform and only serve our website over TLS 1.2+ to protect against older protocol attacks.
As the number of digital services offered by businesses increases, organizations must open their networks to many individuals who are not traditionally authorized. This requires a new kind of security that balances business-friendliness with protection that doesn’t begin and end with RBAC. CARTA network security offers this solution, allowing teams to start with a default deny posture but then continually assess risk using context and behavior.
Gartner’s CARTA network security is a set of practices that encourage continuous assessment of trust and risk. It focuses on the fact that security is not binary; risk is not black or white and must be continuously assessed to reduce attack surface. It also emphasizes the importance of identity management and authentication. Carta’s network security policy solution utilizes a variety of methods to protect our internal systems, including limiting the number of possible attempts to log in, requiring two-factor authentication for all staff accounts, and enabling OCSP stapling and HTTP strict transport security to keep data encrypted at rest and in transit. Additionally, our websites only use TLS 1.2+ to prevent older protocols from being used to brute-force break into account passwords. This enables us to create a seamless, pleasant experience for customers that doesn’t compromise their security, or the integrity of the data they’re accessing. Moreover, it allows us to quickly identify potential threats and then respond accordingly.