SDP, ZTNA, and CARTA: Making sense of the zero trust security buzz
SDP and ZTNA and CARTA. Oh my!
Ok, so my ditty doesn’t have quite the same ring as the memorable song from The Wizard of Oz. But the anxiety exhibited in that refrain can certainly be applied to my digital version.
IT professionals already have more than enough on their minds—battling the constant threat of cyberattack, securing access for remote employees, protecting the business, mitigating the potential risks brought about by personally owned devices and IoT—the list goes on.
So, getting bombarded with one acronym after another, while trying to find the best security solutions and advice for your digital transformation, can quickly become overwhelming. Every vendor starts to sound similar, with pitch decks that blur together, and it gets harder to make a decision on which technology is the best fit for you.
If you’re feeling a bit lost when it comes to the whole zero trust security thing, don’t worry. You’re not alone. A recent public Gartner webinar on CARTA reported that 70 percent of attendees had heard the term “zero trust” but 23 percent weren’t quite sure what it means.
So how do you make sense of all these security acronyms, and what role do they play in securing your move to the cloud?
SDP stands for software-defined perimeter, a term coined by the Cloud Security Alliance. The concept of SDP is that enterprises can now use software, instead of traditional network security appliances, to seamlessly connect remote users to privately managed applications running in private, hybrid, or multi-cloud environments.
It’s important to note that many SDP technologies are client-initiated. This means that a client MUST be installed on the user device for access to private apps to take place. Because of this requirement, they are often not a fit for uses cases in which access from unmanaged devices (e.g., BYOD or third-party users) is important.
ZTNA stands for zero trust network access. ZTNA is a new security term that was introduced in April 2019 by Gartner in its Market Guide for Zero Trust Network Access. ZTNA strives to clear up some of the key differences between the different vendors that play in this zero trust security space by breaking them down into two distinct architectural designs.
- Client-initiated architectures – ZTNA solutions in this category closely follow the original Cloud Security Alliance SDP architecture. Basically, an agent installed on authorized devices sends information about its security context to a “controller.” The controller prompts the user on the device for authentication and returns a list of apps the user is allowed to access.
- Service-initiated architectures – ZTNA services have a connector installed in the same network as the application, which establishes and maintains an inside-out connection to the cloud service where the app-to-user connection is stitched together. This process takes place after the user and device are authenticated.
Gartner offers a list of evaluation criteria and recommendations for selecting the right ZTNA technology. One of their recommendations is this:
“For most digital-business scenarios, favor vendors that offer ZTNA as a service for easier deployment, higher availability and protection against DDoS attacks. Favor vendors that require no openings in firewalls for listening services (inbound connections), which is typical for most as-a-service flavors of ZTNA.”
CARTA stands for Continuous Adaptive Risk and Trust Assessment. Unlike the first two buzzwords, which are technologies, CARTA is a security framework developed by Gartner. It is a modern cloud-first technology ecosystem that includes a ZTNA service, identity providers, endpoint security vendors, and MDM and SIEM providers all working together.
The framework stipulates that teams must initially begin with a zero-trust posture, but establishing trust is inevitable for work to actually get done. Additionally, instead of connecting a user based on an IP address (which is not a strong security attribute), CARTA says that IT should provide access based on context (user, device, app, and location). This access must be monitored on an ongoing basis, continually assessing risk to minimize the chance of attack and to reduce mean time to remediation. It’s important to note that the framework goes beyond zero trust, which was first created by Forrester Research 10 years ago, and pushes enterprises to embrace a continuously adaptive approach to information security instead.
Gartner developed the CARTA strategy based on the idea that in an increasingly cloud-first world, in which apps are moving to cloud and users are working from any binary decisions, the traditional black or white, allow or block mentality does not work. A CARTA mindset allows enterprises to make decisions based on risk and trust.
Some of the key concepts of the CARTA method include:
- Decisions must continuously adapt. Security responses must continuously adapt. Risk and trust must continuously adapt.
- The initial block/allow security assessments for access and protection leave enterprises exposed to zero-day and targeted attacks, credential theft, and insider threats.
- Trust and risk must be dynamic, not static, and assessed continuously as interactions take place and additional context becomes available.
- Digital business outcomes can only be optimized when digital trust is adaptively managed as a set of fine-grained measures of confidence with multidimensional risk and response attributes.
So, be it SDP or ZTNA, identifying a user and granting them access to specific applications instead of the entire network is an integral piece of the overall CARTA framework.
What does this mean for my network security?
SDP, ZTNA, and CARTA have emerged because the traditional hub-and-spoke network and castle-and-moat security models have become less effective in the cloud and mobile world. Enterprises do not control the public cloud’s network, so how can they do network security? Well, they can’t.
Backhauling internet-bound traffic (including public cloud and SaaS) to your data center through VPN inbound gateways just adds latency, which degrades the user experience, places users on the network (which can lead to the lateral spread of malware), and exposes IP addresses to the open internet, where they are at risk of DDoS attacks.
With 98 percent of security attacks stemming from the internet, it's become an unacceptable risk to place remote users on the network. Today’s digital employees, who demand the same fast connection to their apps regardless of their location or device, also deserve better.
The classic security perimeter, the data center, has evolved. Now, the user, app, and device are the new virtual perimeters and the internet is the new corporate network. This calls for a new approach to application access.
Since your employees, their work apps, and just about all of your business is in the cloud, shouldn’t your security be built for the cloud?
It is natural to be a bit apprehensive when embarking on a cloud journey that involves transforming your applications, network, and security. But, just as Dorothy, Tin Man, Scarecrow, and Cowardly Lion persevered, got some help, and completed their journey, you can do the same thing.
Feel free to reach out to me if you have any questions about SDP, ZTNA, or CARTA, or how Zscaler can help with securing access to your private applications: firstname.lastname@example.org.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Chris Hines is head of product marketing for Zscaler Private Access and Z App.