Continuous Adaptive Trust: The Final Frontier of the Trust Revolution

Since the term ‘Zero Trust’ was coined back in 2010, Zero Trust has become the de facto cybersecurity industry paradigm. And for good reason - understanding security broadly through the lens of trust in users ultimately better protects your organization’s resources.

But Zero Trust is a journey: one that hinges upon how well you can truly evaluate trust in a user when handling their access requests day in and day out. Continuous Adaptive Trust is the key step to achieving Zero Trust Architecture. Moving to a model of Continuous Adaptive Trust, one where trust in users is repeatedly evaluated and reevaluated, is worth striving for in the journey towards Zero Trust with best-defined trust with users for user protection.

The CAT is out of the bag: Continuous Adaptive Trust is an emerging security framework for understanding the most comprehensive method for evaluating customer, workforce, and partner access to resources. Not to be confused with CARTA (continuous adaptive risk and trust assessment), Continuous Adaptive Trust as a framework draws attention to the need for access control to be:

• Continuous: continual, happening at multiple, different points in user journeys

   

• Adaptive: responsive to user context, incorporating device, network, and other risk signals where available

   

• Trust-based: founded in our defined trust of the user, which is subject to change based on user action

Gartner first coined the term ‘Continuous Adaptive Trust’ in 2021 to highlight that MFA isn’t enough to sufficiently thwart the bad actors of today. This made good sense at the time: considering that insider threats and later attacks lead to the most impactful breaches, authentication as the end all be all of user risk assessment won’t adequately defend against these attack vectors.

To truly meet the needs of today's threat landscape, you need to continuously evaluate a user's risk, even after the point of authentication. This isn’t unique to any single industry or use-case: whether you are trying to build a security strategy for your workforce, customers, or partners, Continuous Adaptive Trust is a needed framework to best protect your party’s data and best interests.

Continuous Adaptive Trust is a framework that can be met on the road to Zero Trust Architecture. Zero Trust is a broader security paradigm built out of a problem: that traditional perimeter-based security isn’t sufficient to defend against modern attack vectors. Zero Trust also has a wider set of technologies and capabilities needed to reach actualization, and Zero Trust solutioning favors workforce contexts, where breaches tend to be the most harmful.

Continuous Adaptive Trust, on the other hand, is the critical third milestone on the journey to Zero Trust, but is also a helpful framework for both workforce and customer identity implementation use cases:

• Customers: directing user journeys to create frictionless customer experiences while securing customer data against account takeovers, fraud, and more

   

• Workforce: leveraging contextual data in an enterprise environment to thwart insider threats, lateral attacks, and ultimately authorize users to access appropriate resources

Continuous Adaptive Trust builds upon the ideas of Zero Trust, emphasizing the need for real-time monitoring and decisioning to dynamically adjust access controls and permissions for users based on evolving factors like device health, user behavior, and environment changes.

Zero trust principles are a key part of Identity Fundamentals, and there’s much overlap with Continuous Adaptive Trust principles.

• Never Trust, Always Verify: Authenticate and authorize each access request explicitly before granting access to make sure resources are protected right. Particularly focus on protecting assets over prioritizing micro perimeters or network segments

   

• Assume a Breach: Assume a hostile network by limiting access to only necessary resources at any given time

   

• Principle of Least Privilege: Ensure users aren’t unnecessarily overprivileged and that only the right people have access to the right resources

   

• Access Isn’t Binary: Access to resources, data, and systems shouldn’t be seen as a simple on / off, all or nothing concept. Access needs to instead be more nuanced, allowing for different levels of access based on context, roles, or other attributes

   

• Users Need a Path to Adjust Assurance: Employees need to be able to do their jobs, and customers have high demands for user experience. Friction is an important management control, but if user risk is too high, there need to be pathways for users to increase our confidence in their identity, either through MFA or other methods

The last 2 principles are especially important concepts: because access isn’t binary, users need to be able to increase our assurance that they are in fact who they say they are to adequately reach the resources they need either as a customer or to perform their job. With Continuous Adaptive Trust, your system can dynamically respond to user context to match the needed complexity of modern cybersecurity challenges.

Grounding security initiatives with Identity gives you the most control over how you define trust in users and redefine and respond to changes in that trust.

1. Detect All the Risk Signals

Gathering risk signals is crucial as it provides real-time insights into emerging threats and vulnerabilities. By collecting disparate signals and aggregating them into a composite risk score, organizations can proactively identify risky behavior, assess their impact, and ultimately hand off protection of sensitive assets and data

2. Decide Appropriate Access

A decision engine is vital for real-time decision making in alignment with organizational policy. It automates complex processes and analyzes data to produce and enforce access decisions. This minimizes human error, and enables organizations to respond automatically to dynamic security situations.

3. Direct User Experiences Appropriately

Directing user journeys through orchestration is essential for automated response to diverse user actions. It ensures seamless interaction between processes and technologies, leading to quicker problem resolution, improved developer resource allocation, and effective response to complex challenges.

Learn more about how Continuous Adaptive Trust supports user protection and the journey to Zero Trust.