Cognitive Trust

Overview
Cognitive Trust in the field of information technology (IT) describes a new approach to the design and implementation of secure IT and Operational Technology (OT) networks spanning multiple disparate identity domains. Through ubiquitous policy, it enables operationalization of the explicit trust model, as opposed to the traditional implicit trust approach. By combining enhanced zero-trust with location-independent Identity Behavior Analytics (IBA), Cognitive Trust creates an identity-aware, dynamically scalable, elastic policy framework and achieves the “never trust, always verify” security paradigm.
At its core, Cognitive Trust represents the implementation of enhanced Software Defined Perimeter security, nano-segmentation and continuous identity verification (driven by IBA). It offers perimeter flexibility and entitlement-based “right size” access to its resources (users, devices, data, network) and ensures that identity compromise is never a concern by eliminating the possibility of a lateral traversal attack in the network.
Background
Cognitive Trust is a transformative security approach. While the idea of Explicit Trust has existed for years, it has only recently come into mainstream practice in the form of Zero Trust, a term coined by Forrester Research in 2010. Zero Trust was recently adopted by Gartner, the global research and advisory firm, as a core element of their Secure Access Service Edge (SASE) paradigm.
However, “Zero Trust” is often confused as a term, if not misused as a marketing buzzword. When enterprises talk about Zero Trust, they in fact mean an Explicit Trust approach, where they are able to control each and every access to their resources. Zero or Explicit Trust can best be described as a security principle (a vast, almost philosophical concept) that refers to limiting excessive trust on the network by adhering to the principle of least privilege, or the idea that a user or device should have the bare minimum access required to perform their function. Rather than being provided in a network-centric fashion, trust, when it needs to be given, should be given dynamically, based on changing context such as user and device identity, location, time of day, and more.
In practice, most organizations that try to operationalize Zero Trust Network Access (ZTNA) - a practical framework of Zero Trust principles developed by Gartner - only implement "Lean Trust" as they find transformation from implicit to explicit trust difficult, if not impossible. For ZTNA, organizations rely on either micro-segmentation or Software-Defined Perimeter methods, not both (Gartner Continuous Adaptive Risk and Trust Assessment - CARTA). While both micro-segmentation and SDP provide a way to implement Lean Trust individually, they themselves don’t offer a transformative approach to comprehensive Explicit Trust. This is where Cognitive Trust takes things a step further, and enables enhanced security capabilities.
In terms of adoption, Lean Trust, in the name of “Zero Trust”, has come into the mainstream: according to a survey of leading cybersecurity executives by Okta, 60% of organizations in North America have launched Zero Trust projects. Another study from Microsoft reports an even higher number, with 94% deploying Zero Trust in some capacity, and finds that, despite the COVID-19 pandemic, a majority of businesses (58%) are still increasing their security budgets. The federal government, too, has weighed in on Zero Trust, with NIST recently releasing its Zero Trust Architecture publication, detailing a roadmap for adopting Zero Trust across an enterprise or organization. Similarly, nearly half of federal IT executives say their government agency is moving towards a Zero Trust model of security.
Now, there's a new security strategy for supporting business transformation in an environment filled with advanced threats. Cognitive Trust builds on and enhances Gartner’s CARTA segmentation and SDP approach, focusing on how, when, and why users and entities interact with critical data, correlating behavior with the context of user activities so you can address risk holistically. Analytics and automation increase the speed and agility of detection and response mechanisms without additional manpower.
It is clear that, regardless of their approaches, a majority of enterprises are ready to embrace “never trust, always verify” as their core security strategy. While they are able to accomplish some aspects of the “never trust” part of the strategy through Zero Trust practices, they are still looking for ways to operationalize the “always verify” part as they transition from pilot to full production. This often causes them confusion regarding the meaning of Zero Trust strategy and the elements needed to implement it at a practical level. This is where Cognitive Trust comes into play - not only by helping them migrate to the enhanced Explicit/Zero Trust security but also by offering the “always verify” part in order for them to remain Zero Trust during their security life cycle.
Principles Behind Cognitive Trust
Many of the principles driving Zero Trust Architectures, such as “strong source of user identity, user/machine authentication”, are still applicable to the Cognitive Trust architecture. However, unlike Zero Trust, which mandates either micro-segmentation or SDP, Cognitive Trust mandates both. The key principles that drive Cognitive Trust are:
1. Software Defined Perimeter
2. Nano-Segmentation
3. Identity Behavior Analytics
4. Continuous Identity Verification
5. Strong source of user/machine/application identity
6. User/machine/application authentication
7. Identity Security Tagging
8. Identity Security Compliance Policy
9. Authorization and Access Control Policies for Applications
 