Continuous Adaptive Trust: The Final Frontier of the Trust Revolution

Oct 2, 2023
Last Updated: Feb 25, 2026
Max Fathauer
Workforce IAM Evangelist

Key Takeaways

 

  • Continuous Evaluation: Move beyond one-time checks by reassessing user trust throughout sessions, transactions, and resource requests, wherever needed.
  • Adaptive Controls: Use device, network, and behavior signals to adjust permissions, step up assurance, and reduce friction responsibly for users.
  • Zero Trust Alignment: Treat continuous adaptive trust as a milestone that complements broader architecture work across workforce, partner, and customer programs.
  • Identity-Centric Execution: Combine risk detection, decision engines, orchestration, and identity verification solutions to protect data and experiences at scale.

 

Since the term "Zero Trust" was coined over a decade ago, it's become the de facto cybersecurity paradigm.1 And for good reason: understanding security broadly through the lens of trust in users ultimately better protects your organization's resources.

 

But Zero Trust is a journey that hinges on how well you can truly evaluate trust in a user when handling their access requests day in and day out. Adopting a continuous adaptive trust model, where user trust is continually reevaluated, is a crucial step on the road to a full Zero Trust architecture.

What Is Continuous Adaptive Trust?

Continuous adaptive trust is an emerging security framework for evaluating customer, workforce, and partner access to resources as comprehensively as possible. It moves beyond static rules and basic security checks at login. Not to be confused with CARTA (continuous adaptive risk and trust assessment), continuous adaptive trust draws attention to the need for access control to be:

 

  • Continuous: Continual, happening at multiple, different points in user journeys
  • Adaptive: Responsive to user context, incorporating device, network, and other risk signals where available
  • Trust-Based: Founded in our defined trust of the user, which is subject to change based on user action

 

The term "continuous adaptive trust" emerged to highlight that multi-factor authentication (MFA) alone isn't enough to sufficiently thwart today's bad actors. This makes good sense: considering that insider threats and lateral attacks lead to the most impactful breaches, authentication as the end-all-be-all of user risk assessment won't adequately defend against these attack vectors.2

 

To truly meet the challenges brought on by the broad adoption of AI and new social engineering threats, you need to continuously evaluate a user's risk, even after the point of authentication. This isn't unique to any single industry or use case: whether you're building a security strategy for your workforce, customers, or partners, continuous adaptive trust is a needed framework to best protect your party's data and best interests.

Continuous Adaptive Trust & Zero Trust: What's the Difference?

Continuous adaptive trust is a framework you reach on the road to a Zero Trust architecture.4 Zero Trust is a broader security paradigm that grew out of a problem: traditional perimeter-based security isn't sufficient to defend against modern attack vectors. Reaching Zero Trust also requires a wider set of technologies and capabilities, and Zero Trust solutions favor workforce contexts, where breaches tend to be the most harmful.

 

[Diagram: Four milestones on the journey to Zero Trust]

 

Continuous adaptive trust, on the other hand, is the critical third milestone on the journey to Zero Trust, but is also a helpful framework for both workforce and customer identity and access management (IAM) use cases:

 

  • Customers: Directing user journeys to create frictionless customer experiences while securing customer data against account takeovers, fraud, and more3
  • Workforce: Leveraging contextual data in an enterprise environment to thwart insider threats, lateral attacks, and ultimately authorize users to access appropriate resources
  • Partners (B2B): Continuously validating third-party identities, enforcing least-privilege access to shared systems and APIs, and reducing supply chain risk without adding friction to business collaboration

 

Continuous adaptive trust builds upon the ideas of Zero Trust, emphasizing the need for real-time monitoring and decisioning to dynamically adjust access controls and permissions for users based on evolving factors like device health, user behavior, and environment changes.

The Principles of Continuous Adaptive Trust

Zero Trust principles are a key part of identity fundamentals, and there's plenty of overlap with continuous adaptive trust principles. Here's how they break down.

 

  • Never Trust, Always Verify: Authenticate and authorize each access request explicitly before granting access to make sure resources are properly protected. Focus on protecting assets rather than on micro-perimeters or network segments.
  • Assume a Breach: Assume a hostile network by limiting access to only necessary resources at any given time.
  • Principle of Least Privilege: Ensure users aren't unnecessarily overprivileged and that only the right people have access to the right resources.
  • Access Isn't Binary: Access to resources, data, and systems shouldn't be seen as a simple on or off, all-or-nothing concept. Access needs to instead be more nuanced, allowing for different levels of access based on context, roles, or other attributes.
  • Users Need a Path to Adjust Assurance: Employees need to be able to do their jobs, and customers have high demands for user experience. Friction is an important management control, but if user risk is too high, there need to be pathways for users to increase confidence in their identity, either through MFA or other methods.

 

The last two principles are especially important concepts: because access isn't binary, users need to be able to increase assurance that they are in fact who they say they are to adequately reach the resources they need—either as a customer or to perform their job. In practice, that can include MFA, continuous identity verification, and other assurance methods that fit the moment. With continuous adaptive trust, your system can dynamically respond to user context to match the demands of modern cybersecurity challenges.

A Proven Approach to Continuous Adaptive Trust

Grounding security initiatives with identity gives you the most control over how you define trust in users and redefine and respond to changes in that trust. We think about it in three key steps.

 

[Diagram: Ping's approach to continuous adaptive trust]

 

1. Detect All the Risk Signals

Gathering risk signals is crucial as it provides real-time insights into emerging threats and vulnerabilities. By collecting disparate signals through advanced threat protection and aggregating them into a composite risk score, organizations can proactively identify risky behavior, assess its impact, and ultimately hand off protection of sensitive assets and data.

 

2. Decide Appropriate Access

A policy-based authorization engine is vital for real-time decision-making in alignment with organizational policy. It automates intricate processes and analyzes data to produce and enforce access decisions. This minimizes human error and enables organizations to respond automatically to dynamic security situations.

 

3. Direct User Experiences Appropriately

Directing user journeys through no-code journey orchestration is essential for automated response to diverse user actions. It ensures seamless interaction between processes and technologies, leading to quicker problem resolution, improved developer resource allocation, and effective response to evolving challenges.
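
The three steps above (detect, decide, direct), shown as an added example that is not from the original article or from any Ping product. The signal names, weights, tolerance thresholds and outcome labels are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed weights per risk signal (assumption, not from any product).
SIGNAL_WEIGHTS = {
    "unmanaged_device": 30,
    "unfamiliar_network": 20,
    "impossible_travel": 45,
    "anomalous_behavior": 25,
}
# Constructed maximum tolerated risk per resource sensitivity tier.
TOLERANCE = {"low": 60, "medium": 40, "high": 20}
MFA_CREDIT = 30  # risk offset earned by a completed step-up (assumption)


def detect(signals):
    """Step 1: aggregate observed signals into a composite 0-100 risk score."""
    return min(100, sum(SIGNAL_WEIGHTS[s] for s in signals))


def decide(score, sensitivity, stepped_up):
    """Step 2: policy decision with more outcomes than allow/deny."""
    effective = score - (MFA_CREDIT if stepped_up else 0)
    limit = TOLERANCE[sensitivity]
    if effective <= limit:
        return "allow"
    if not stepped_up and score - MFA_CREDIT <= limit:
        return "step_up"    # the user has a path to raise assurance
    if sensitivity != "high" and effective <= limit + 20:
        return "read_only"  # reduced privilege rather than all-or-nothing
    return "deny"


@dataclass
class Session:
    user: str
    stepped_up: bool = False
    log: list = field(default_factory=list)

    def request(self, resource, sensitivity, signals):
        """Step 3: re-evaluate on every request, not only at login."""
        outcome = decide(detect(signals), sensitivity, self.stepped_up)
        self.log.append((resource, outcome))
        return outcome

    def complete_step_up(self):
        """Record that the user passed the extra assurance check (e.g. MFA)."""
        self.stepped_up = True
```

Because `request` re-runs the decision each time, one session can move from allow to step-up to deny as its signals change.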

A Future-Ready Identity Strategy

Continuous adaptive trust strengthens Zero Trust strategies by making trust evaluation continuous, contextual, and dynamic. By combining risk detection, policy-based decisioning, and journey orchestration, organizations can protect workforce, customer, and B2B ecosystems without introducing unnecessary friction. As threats grow more sophisticated and user expectations rise, continuously validating trust is foundational to modern identity security.
