Gartner - Zero Trust Networking As An Initial Step

Gartner Security & Risk Management Summit
17 – 20 June 2019 / National Harbor, MD

Zero Trust Networking as an Initial Step on the Roadmap to CARTA
Neil MacDonald
@nmacdona

© 2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form
without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be construed as statements of fact. While the information contained in this
publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research
may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are
governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or
influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity."
Zero Trust Is Misnamed

In Order to Get Things Accomplished, Trust Must Ultimately Be Extended and Continuously Assessed for Acceptable Levels of Risk/Trust … and Our Security Infrastructure Should Adapt Accordingly.
Zero Trust Is Being Abused as a Marketing Term.

Vendors Are Applying the Term “Zero Trust” to Market Everything in Security, Creating Significant Market Confusion.

Zero Trust Is a Modifier. It Only Makes Sense When You Follow It With a Noun.
Key Issues

1. What is CARTA and why is it important?
2. What is Zero Trust Networking and why is it important?
3. How does Zero Trust Networking map to CARTA and what projects can I implement to adopt the zero trust networking concept?
4. What other security projects would help to reduce excessive implicit trust?
What Is CARTA and Why Is It Important?
Our World View Is Flawed

[Figure: two trust spectrums.]
What We Think the World Is Like: a spectrum from "Blacklist the bad stuff" through "A bit of gray in the middle" to "Whitelist the good stuff", with the gray middle holding good apps gone bad, stolen credentials and insider threats.
What the World Is Really Like: zero days, targeted attacks and hostile content; everything needs to be continuously assessed, and security decisions must adapt accordingly.
CARTA: Continuous Adaptive Risk and Trust Assessment
carta, charta, cartae (noun)
Declension: First Declension
Gender: Feminine
Definitions: Charter, Map; Papyrus (Sheet/Page); Record/Letter, Book/Writing(s)
Complete Protection = Blocking/Prevention and Detection/Response

[Figure: two boxes, "Block and Prevent" and "Detect and Respond".]
CARTA Is the Engine That Powers the Gartner Adaptive Security Architecture

[Figure, built up over three slides: a cycle of four quadrants, Predict, Prevent, Detect and Respond, around a hub of Continuous Risk/Trust Assessment applied to Users, Systems, System activity, Payload and Network; Policy sits above the cycle and Compliance below it. The transitions between quadrants are Adjust posture (into Predict), Implement posture (into Prevent), Monitor posture (into Detect) and Adjust posture (into Respond).]
Predict: Risk-prioritized exposure assessment; Anticipate threats/attacks; Baseline systems and security posture.
Prevent: Harden systems; Isolate systems; Prevent attacks.
Detect: Detect incidents; Confirm and prioritize risk; Contain incidents.
Respond: Remediate; Design/Model policy change; Investigate incidents/Retrospective analysis.
Example technologies overlaid on the cycle: CARTA-inspired Vulnerability Management and Breach/Attack Simulation (Predict side); EDR, NTA, xDR (Detect side); SOAR (Respond side).
What About Access Protection?

[Figure: two boxes, "Discover and Enable Access" and "Verify and Manage".]
CARTA Is the Engine That Powers the Gartner Adaptive Security Architecture (access protection view)

[Figure, built up over two slides: the same cycle applied to access, with quadrants Discover requirements, Adaptive access, Verify usage and Manage usage around a hub of Continuous Risk/Trust Assessment applied to Users, Devices, Apps, Actions and Data; Policy above, Compliance below. Transitions: Adjust posture, Implement posture, Monitor posture, Adjust posture.]
Discover requirements: Assess risk and compliance; Discover new requirements; Baseline known usage and entitlements.
Adaptive access: Context and credential assessment; Entity/Service/Data adaptation.
Verify usage: Monitor usage compliance; Detect exceptions; prioritize risk; Contain/Mitigate risk to exceptions.
Manage usage: Assess risk/Test policy change; Analyze, manage and report usage; Investigate and respond.
Example technologies overlaid on the cycle: CASB cloud application discovery and CSPM cloud security posture management (Discover requirements side); Identity SOC, UEBA, fraud detection and risk scoring (Verify usage side).
What Is Zero Trust Networking and Why Is It Important?
First, What Is Trust?

Trust Is the Bidirectional Belief Established Between Two Entities That the Other Entity Is What It Claims to Be and That It Will Behave in Expected Ways During the Duration of the Interaction. Trust Leads to Access to Capabilities Between the Entities That Otherwise Should Not Be Possible.
Key Points on Trust

• Trust is not necessarily a good thing. It’s what we use in lieu of absolute certainty.
• Trust is a transient thing. It shouldn’t be predefined.
• Trust is not binary and not fixed. It must adapt.
• Extending trust implies assessing that behaviors meet expectations.
What Is Zero Trust Networking?

Zero Trust Networking Is a Concept for Secure Network Connectivity Where the Initial Security Posture Has No Implicit Trust Between Different Entities, Regardless of Whether They Are Inside or Outside of the Enterprise Perimeter. Risk-Optimized Access to Networked Capabilities Is Dynamically Extended Only After an Assessment of the Identity of the Entity, the System and the Context.
Key Points on Zero Trust Networking

• TCP/IP network connectivity was designed in a time when trust could be assumed, which has never been valid.
• This excessive implicit trust leads to excessive latent risk.
• IP addresses are weak identifiers and were used as a poor substitute for a person’s or entity’s identity.
• “Least privilege” isn’t always the risk-appropriate choice.
• Extend network capabilities only after the entity’s identity and context have been established.
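The definition and key points above describe access that is extended only after assessing identity, system and context, and then kept under continuous assessment. The following Python is an added illustration of that decision logic, not Gartner's model and not any vendor's API; the signal names, weights and per-application tolerances are constructed assumptions.

```python
"""Toy CARTA-style access decision for a zero trust network access broker:
trust is computed per request from identity, system (device) and context
signals, compared with the application's risk tolerance, and re-evaluated
on every signal update rather than granted once at connect time.
Added illustration only; not Gartner's model and not any vendor's API."""
from dataclasses import dataclass


@dataclass
class Signals:
    mfa: bool              # identity: was a second factor presented?
    managed_device: bool   # system: enrolled, posture-checked device?
    disk_encrypted: bool   # system: posture attribute
    known_location: bool   # context: seen before for this entity?
    anomaly_score: float   # context: 0.0 (normal) .. 1.0 (highly anomalous)


def risk_score(s: Signals) -> float:
    """Higher means riskier. Weights are illustrative assumptions."""
    r = 0.0
    if not s.mfa:
        r += 0.4
    if not s.managed_device:
        r += 0.3
    if not s.disk_encrypted:
        r += 0.1
    if not s.known_location:
        r += 0.1
    r += 0.5 * s.anomaly_score
    return min(r, 1.0)


# Per-application risk tolerance set by the business (constructed values).
APP_TOLERANCE = {"wiki": 0.6, "payroll": 0.25}


def decide(app: str, s: Signals) -> str:
    """Return 'allow', 'step_up' (ask for stronger identity proof) or 'deny'.
    No implicit trust: an application without a stated tolerance is denied."""
    tol = APP_TOLERANCE.get(app)
    if tol is None:
        return "deny"
    r = risk_score(s)
    if r <= tol:
        return "allow"
    # MFA removes 0.4 of risk, so a step-up can rescue requests within that margin.
    if not s.mfa and r <= tol + 0.4:
        return "step_up"
    return "deny"


def reassess(app: str, updates: list) -> list:
    """Continuous assessment: decide again on each signal update during the
    session. Returns the decision sequence; 'deny' after 'allow' means revoke."""
    return [decide(app, s) for s in updates]


if __name__ == "__main__":
    session = [Signals(True, True, True, True, 0.1),   # normal start
               Signals(True, True, True, True, 0.6)]   # behaviour turns anomalous
    print(reassess("payroll", session))                # ['allow', 'deny']
```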
How Does Zero Trust Networking Map to CARTA and What Projects Can I Implement to Adopt the Zero Trust Networking Concept?
Back to the Basics. Zero Trust Networking Is a Solid Preventative Control

[Figure: the CARTA Predict/Prevent/Detect/Respond cycle shown earlier, with Zero Trust Network Segmentation (aka Microsegmentation) called out as a control in the Prevent quadrant.]
Submarines Assume Breaches, Why Not Data Centers? Zero Trust Network Segmentation (Microsegmentation)

Providing East/West Traffic Segmentation and Visibility.
Zero Trust Network Segmentation and Flow Visibility Project (Microsegmentation)

When to consider:
Enterprises with flat network topologies (on-premises AND IaaS) wanting visibility and control of east/west network traffic flows between workloads, with a goal of thwarting the lateral spread of attacks that have gained a foothold in their data center.

Sample vendor list:
SDN/external: VMware; Cisco (ACI/ISE); Juniper Networks; vArmour; ShieldX
Host/container: Alcide; Aporeto; Aqua Security; Cisco (Tetration); CloudPassage; Cloudvisory; Edgewise; Illumio; Neuvector; Tigera; Twistlock

Criteria:
• Agents, virtual appliance or container-based?
• If agent-based, performance impact?
• If virtual-appliance-based, how to get in line?
• Will this solution work for public cloud IaaS?

Advice:
• Make visibility the starting point for segmentation.
• Don't oversegment. Start with critical applications.
• Require vendors to support native segmentation capabilities of IaaS, firewalls, switches, etc.
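The advice above is to make visibility the starting point and to begin with critical applications. The following Python is an added illustration of that sequence (observe east/west flows for one application, derive an allow-list, then flag anything outside it); it is not any vendor's implementation, and the inventory, flow records and application names are constructed.

```python
"""Visibility-first microsegmentation, as a toy: learn the east/west flows
between workloads of one critical application, turn them into an allow-list
of tier-to-tier rules, then flag flows that fall outside it. Added
illustration only; not any vendor's implementation; all data is constructed."""

# Workload inventory, IP -> (application, tier). Constructed sample.
INVENTORY = {
    "10.0.1.10": ("payments", "web"),
    "10.0.1.11": ("payments", "web"),
    "10.0.2.10": ("payments", "app"),
    "10.0.3.10": ("payments", "db"),
    "10.0.9.10": ("wiki", "web"),
}

# Flows seen during the visibility phase: (src_ip, dst_ip, dst_port, proto).
OBSERVED = [
    ("10.0.1.10", "10.0.2.10", 8443, "tcp"),
    ("10.0.1.11", "10.0.2.10", 8443, "tcp"),
    ("10.0.2.10", "10.0.3.10", 5432, "tcp"),
]


def label(ip):
    """IP addresses are weak identifiers; resolve to (app, tier) or None."""
    return INVENTORY.get(ip)


def learn_policy(flows, app):
    """Allow-list of (src_tier, dst_tier, port, proto) for one application,
    derived only from flows that stay inside that application. Flows to or
    from other apps or unknown workloads are deliberately not learned."""
    rules = set()
    for src, dst, port, proto in flows:
        s, d = label(src), label(dst)
        if s and d and s[0] == app == d[0]:
            rules.add((s[1], d[1], port, proto))
    return rules


def evaluate(flows, app, rules):
    """Default deny inside the application: return (flow, reason) for every
    flow into one of its workloads that no learned rule covers."""
    findings = []
    for flow in flows:
        src, dst, port, proto = flow
        s, d = label(src), label(dst)
        if d is None or d[0] != app:
            continue  # only flows into this application's workloads are in scope
        if s is None:
            findings.append((flow, "unknown source workload"))
        elif s[0] != app:
            findings.append((flow, f"cross-application flow from {s[0]}"))
        elif (s[1], d[1], port, proto) not in rules:
            findings.append((flow, f"no rule for {s[1]}->{d[1]}:{port}/{proto}"))
    return findings


if __name__ == "__main__":
    rules = learn_policy(OBSERVED, "payments")
    later = OBSERVED + [
        ("10.0.1.10", "10.0.3.10", 5432, "tcp"),  # web tier reaching db directly
        ("10.0.9.10", "10.0.2.10", 8443, "tcp"),  # wiki host reaching payments app
        ("10.0.7.7", "10.0.3.10", 22, "tcp"),     # unknown workload reaching db
    ]
    for flow, reason in evaluate(later, "payments", rules):
        print(flow, reason)
```

Run against real flow logs, the learned rule set is the candidate segmentation policy to review before enforcement, and the findings list is the east/west visibility the slide recommends obtaining first.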
Back to the Basics. Zero Trust Networking Is a Solid Preventative Control

[Figure: the CARTA access cycle (Discover Requirements, Adaptive Access, Verify Usage, Manage Usage) shown earlier, with Zero Trust Network Access (aka Software Defined Perimeter) called out as a control in the Adaptive Access quadrant.]
Zero Trust Network Access Project (Software-Defined Perimeter)

Precise, application and context-aware access to enterprise applications

[Figure: software-defined perimeter architecture diagram. Source: Cloud Security Alliance]
Zero Trust Network Access Project

When to consider:
Enterprises that want to reduce surface area of attack by limiting the exposure of digital systems and information to only named sets of external partners, remote workers and contractors.

Sample vendor list:
Cloud-based: Akamai; Cato Networks; Cisco; Cloudflare; Meta Networks; Okta; Perimeter 81; SAIFE; Symantec; Zscaler
On-premises: BlackRidge; Certes Networks; Cyxtera; Google; Microsoft; Pulse Secure; Safe-T; Waverly Labs; Zentera Systems

Criteria:
• Windows, Mac, Linux and which mobile OSs?
• Trust broker in-line entire session? Or just setup?
• Cloud-based as a service, on-premises or both?
• Support for workloads and users in IaaS

Advice:
• Reduce services in enterprise DMZs if possible
• Re-evaluate risk of legacy VPN-based access
• Pilot a deployment in 2019 using a digital business service linked to partners as a use case
Strategic Planning Assumption
By 2022, 80% of new digital business applications opened up to ecosystem partners will be accessed with a Zero Trust Network Access offering.

Why it will happen:
• Network level VPNs are too risky for partner/contractor use.
• Sticking servers in the DMZ exposes them to everyone in the world, including attackers.
• ZTNA offerings provide context-aware, precision access to specific applications based on identity.

Why it won't happen:
• Some legacy applications require an agent to be installed, but this won’t work for unmanaged devices.
• Extending access to unmanaged applications is possible, but it is difficult to assess the security posture of the device.
If We Just Implement Another Siloed Preventative Control, We Will Fail

[Figure: the CARTA Predict/Prevent/Detect/Respond cycle with Zero Trust Network Segmentation (aka Microsegmentation) in the Prevent quadrant and the annotation "Monitor flows and behaviors once connected" against the Detect quadrant.]
If We Just Implement Another Siloed Preventative Control, We Will Fail

[Figure: the CARTA access cycle with Zero Trust Network Access (aka Software Defined Perimeter) in the Adaptive Access quadrant, the hub relabelled "Continuous Visibility and Access Assessment", and the annotation "Monitor actions/interactions and data handling once connected" against the Verify Usage quadrant.]
What Other Security Projects Would Help to Reduce Excessive Implicit Trust?
What Other Areas in My Infrastructure Have Excessive Implicit Risk to Target?

• End user workstations. Remove admin rights.
• IT admin accounts. Use privileged access management.
• Servers and workloads. Apply default deny/app control.
• Browser. Remotely render any uncategorized site.
• Email. Remotely render any embedded link.
• DevOps. Embrace open source, but know the identity, provenance and vulnerabilities of every component used.
• DevOps. Don’t allow a workload to be instantiated in production unless you know its identity and provenance.
Recommendations

Ignore vendor hype on “Zero Trust”. What exactly does the vendor do? Find the noun … Zero Trust <______> and how the vendor’s offering supports adaptive risk/trust decision making.

“Zero Trust” doesn’t resonate with business leaders. Talk about continuously assessed risk and trust that can adapt to the changing context and adapt to the risk tolerance levels of business leaders, enabling new digital business, cloud and mobile initiatives.

Budget and pilot two Zero Trust networking projects in 2019 — Zero Trust network segmentation and Zero Trust network access.

Use CARTA to identify projects outside of Zero Trust networking where excessive trust creates latent risk and where your security posture can be significantly improved by risk-optimizing the trust.
Recommended Gartner Research

• Zero Trust Is an Initial Step on the Roadmap to CARTA. Neil MacDonald (G00377791)
• Seven Imperatives to Adopt a CARTA Strategic Approach. Neil MacDonald (G00351017)
• Market Guide for Zero Trust Network Access. Steve Riley, Neil MacDonald and Lawrence Orans (G00386774)
• Fact or Fiction: Are Software-Defined Perimeters Really the Next-Generation VPNs? Joerg Fritsch and Mark Judd (G00361345)
• Solution Comparison for Microsegmentation Products. Joerg Fritsch (G00377627)

For information, please contact your Gartner representative.
