Excerpt
Feasibility Study between CARTA and Dynamic Trust Management in ON
Dr. Manisha Kumari Deep
Abstract
In this work an attempt has been made to discuss CARTA (Continuous Adaptive Risk and Trust Assessment) and Dynamic Trust Management in Organic Networks (ON). The twin concepts behind CARTA and the three phases of IT security where CARTA can be used are discussed. Organic Networks (ON) and their Dynamic Trust Management method are briefly described. The feasibility of both CARTA and Dynamic Trust Management in ON is presented in tabular form for the convenience of the reader. Finally the topic is concluded and the important points are stated.
Introduction
CARTA is a new approach introduced by Gartner for security and risk management. According to Gartner, CARTA (Continuous Adaptive Risk and Trust Assessment) is vital to staying competitive with emerging business opportunities. The key is to apply the philosophy across the business, from DevOps to external partners.
CARTA
The twin concepts behind CARTA are that [2]:
1. “All systems and devices must be considered potentially compromised and their behaviours continuously assessed for risk and trust.”
2. “Users (and other entities), even once authenticated, are given just enough trust to complete the action being requested, and their behaviours are continuously verified and assessed for risk.”
The other core premise of CARTA is that “infrastructure and systems must be prepared to treat trust as a dynamic, ever-changing set of contextual values,” mirroring our own concept of continuous trustworthiness and the ability of our Constellation Analytics Platform™ to integrate a broad array of data sources, thus providing additional context in assessing threats from malicious, negligent or inadvertent activities [2].
According to Gartner, there are three phases of IT security where CARTA can be applied: Run, Plan and Build [1].
Organic Network
Organic networks can also be called ‘the next generation networks’. Organic networks will have the following features, inherited from Organic IT.
Organic Network must have [4]:
- Self-configuration: The network should automatically configure and adapt itself to different environments. Suppose one network is running over mountain terrain and another over a plain. In spite of these differences, the network should work consistently without any noticeable failures.
- Adaptivity: Suppose a node is using Time Division Multiple Access (TDMA) technique and the other Frequency Division Multiple Access (FDMA) technique. Still they can adapt themselves for transferring information.
- Self-distribution: The routing mechanism should self-distribute to locate routes in order to transfer or seek information.
- Self-organization: The system should automatically reorganize and rebalance itself if an imbalance occurs. It is not authority based and is irregularly distributed across very large networks; in short, it could even cover a network spanning the entire universe.
- Self-healing: Self-healing networks are designed to be robust even in environments where individual links are unreliable, making them ideal for dealing with unexpected circumstances.
- Automatic parallelization: Hidden parallelism in programs should be detected and exploited. The network should be able to perform other tasks simultaneously without user intervention, for example a data transfer and a self-healing mechanism running for different nodes from the same source node.
- Self-protection and protection of others: This is the property of the network to anticipate, identify and protect against arbitrary attacks. The authenticity of users and data has to be ensured and kept secure, and spying and corruption have to be prevented.
- Accounting and self-accounting: Mechanisms and cost functions for accounting are provided, and the computing time and resources used should be accounted for. Users must be accountable for their usage of resources and for their actions.
In the following section the existing work done in the area of trust management
Dynamic Trust Management in ON
Organic networks should not be bounded by any independent group. Decentralized and adaptive management, scalability, interoperability and authentication should be the governing standards for an organic network. A technology is successful if the technical architecture is in synchrony with the culture or in other terms society where the technology is ready to use after surpassing the planning, design and development phases.
Organic network hardware should enable it to work as a plug-and-play device. The hardware should also be designed so that it has self-healing, self-configuring, fault-tolerant, scalable and adaptive features. Authorization means that, depending on its authentication, every node can use certain services, which may differ from node to node. Authentication basically refers to proving the identity of one node to another node. Trust is the belief of a node A about the credibility of another node B. When node A trusts node B, A is sure of a secure transaction through B, and A also expects a commitment from B that B will offer the use of its resources to A if necessary. Trust assignment can be static or dynamic. In a static trust system, trust is initially assigned to the nodes and remains constant, so future transactions are based on a previously fixed trust value. In contrast, in a dynamic trust system the initial trust assigned to nodes changes according to their performance. Trust can also be recommended by a third party.
In this work a dynamic trust management method has been proposed, where the trust value is updated according to the performance of the node [4]. The performance analysis of a node is based on its information transactions and the trust level of the individual node; it does not depend on recommendations or certificates. Node identification is done at the system level and at the individual level. For individual-level identification both personal and professional details are required, and access differs from person to person. Node identification and registration are category based and consist of the system identification number, country, state, organization (small, medium, large, global, national; school, college; companies, whether government, public or private), individual, and purpose of joining the network. If the country is the same, the node is not taken as a new node, but if a node moves from one country to another, the existing node is considered a new node; in such a situation the system identification is mandatory. If a node is already present on the network, the details of its previous transactions and searches are available. If it is a new node, it has to register first and is given an initial trust level to enter the network. Network management policy exists at the node level, the network level and the mission level. The node is measured throughout its lifetime for security reasons.
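A toy model of the dynamic trust scheme just described, added here as an illustration and not code from this paper or from the Organic IT work it cites: node identity keyed by system identification number and country, an assumed initial trust level given at registration, trust updated only from the node's own transaction performance (no recommendations or certificates), and data availability conditioned on data sensitivity and current trust. The step and threshold values, the asymmetric penalty for failed transactions, and all names are assumptions.

```python
# Added illustration of performance-driven (dynamic) trust, not the paper's code.
from dataclasses import dataclass, field

INITIAL_TRUST = 0.3      # assumed entry trust level for a newly registered node
REWARD_STEP = 0.1        # assumed gain per successful transaction
PENALTY_STEP = 0.2       # assumed loss per failed transaction (failures weigh more)
# Assumed sensitivity classes and the minimum trust needed to access each.
ACCESS_THRESHOLDS = {"public": 0.0, "internal": 0.5, "sensitive": 0.8}


@dataclass
class Node:
    system_id: str
    country: str
    organization: str
    purpose: str
    trust: float = INITIAL_TRUST
    history: list = field(default_factory=list)   # per-transaction outcomes


class TrustRegistry:
    """Registers nodes and continuously re-scores their trust from behaviour."""

    def __init__(self):
        self.nodes = {}

    def register(self, system_id, country, organization, purpose):
        # Identity is keyed by (system_id, country): the same system arriving
        # from another country is treated as a new node with initial trust.
        key = (system_id, country)
        if key not in self.nodes:
            self.nodes[key] = Node(system_id, country, organization, purpose)
        return self.nodes[key]

    def record_transaction(self, node, success):
        # Dynamic trust: the value moves only with observed performance.
        delta = REWARD_STEP if success else -PENALTY_STEP
        node.trust = round(min(1.0, max(0.0, node.trust + delta)), 3)
        node.history.append(success)
        return node.trust

    def access_levels(self, node):
        # Data availability is conditioned on sensitivity and current trust.
        return [lvl for lvl, t in ACCESS_THRESHOLDS.items() if node.trust >= t]


if __name__ == "__main__":
    reg = TrustRegistry()
    n = reg.register("sys-001", "IN", "college", "research")
    for ok in (True, True, True, True, True, False):
        print(reg.record_transaction(n, ok), reg.access_levels(n))
```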
Comparison
Figure not included in this excerpt.
Conclusion
The CARTA strategic approach is defined in great detail in a recent Gartner report. Some of the key concepts include [1]:
- Decisions must continuously adapt. Security responses must continuously adapt. Risk and Trust must continuously adapt.
- Initial block/allow security assessments for access and protection leave enterprises exposed to zero-day and targeted attacks, credential theft, and insider threats.
- Trust and risk must be dynamic, not static, and assessed continuously as interactions take place and additional context becomes available.
- Digital business outcomes can only be optimized when digital trust is adaptively managed as a set of fine-grained measures of confidence with multidimensional risk and response attributes.
With a CARTA strategic approach, we can say yes, and we will monitor and assess it to be sure, allowing us to embrace opportunities that were considered too risky in the past [5].
With ON, security will be a priority and data availability will be conditioned on the sensitivity of the data and on trust. Any user/node can enter the network seamlessly, but data will be available depending on the trust and performance of the user/node. With ON we will also say yes, but access will be performance governed.
References
1. https://blog.preempt.com/carta-the-evolution-of-it-security-continuous-adaptive-risk-trust (accessed 2 Nov 2017)
2. https://haystax.com/blog/2017/06/28/gartner-cybersecurity-needs-to-become-more-continuous-adaptable-and-risk-based/ (accessed 2 Nov 2017)
3. http://bwcio.businessworld.in/article/Gartner-Recommends-CARTA-Approach-to-Secure-Digital-Businesses/29-08-2017-125020/ (accessed 2 Nov 2017)
4. Manisha Kumari Deep and Gadadhar Sahoo, “Organic IT Infrastructure Planning and Implementation”, ISBN 978-93-5274-072-7, under publication, Lakshmi Publications.
5. https://www.gartner.com/smarterwithgartner/the-gartner-it-security-approach-for-the-digital-age/ (accessed 1 Nov 2017)