As we continue to explore some of the major themes from Gartner’s recent security conference, we turn to Continuous Security, a theme that came up throughout the week. Gartner analyst Neil MacDonald spent time defining both the principles of CARTA — Continuous Adaptive Risk and Trust Assessment — and highlighting the priority security projects that adhere to those principles.
Most security infrastructure, Neil argues, was designed for a world in which we knew good vs. bad. That distinction has blurred a great deal, so now we need to monitor and assess risk continually. Building for zero trust is part of that, but he noted that eventually you have to let people in, and then you still need to watch what they’re doing.
Another principle of this CARTA model centers around what you’re looking at. In the “old days,” we put a lot of energy into securing “down the stack” — the hardware, the network, the OS, the workspace. For one, with cloud services, many organizations don’t run those layers anymore. Also, while you’ll still apply protections there, they don’t provide much security help.
Instead, Neil advocates for investing a lot more “up the stack” — on the people, processes, transactions, and applications. “Replace one-time security gates with context-aware adaptive and programmable security platforms,” he said, and perform proactive risk-based monitoring all the time. Assume the bad guys have gotten through — stop trying to build a better gate and invest more in detection.
At StackRox, we designed our container security platform around these exact principles. We started with the “hard stuff” — adaptive detection that continually adjusts the baseline of what is “normal” for an application and uses that information to inform governance for containers in the build and deploy phase.
In our next discussions, we’ll continue to highlight Neil’s thoughts on the principles of Continuous Security and cover the top security projects you should pursue this year.