Continuous Adaptive Risk and Trust Assessment (CARTA)

The Continuous Adaptive Risk and Trust Assessment (CARTA) is a strategic approach to IT security that favors continuous cybersecurity assessments and contextual decision-making based on adaptive evaluations of risk and trust. CARTA was introduced by Gartner in 2010 as an evolution of its Adaptive Security Architecture.

CARTA principles

CARTA seeks to make sense of the “gray” world of modern IT security, where not all security decisions can be black and white.

Traditional IT security solutions favor black and white decisions, essentially deciding whether to fully block or fully allow access to IT networks based on the potential for risk. However, digital transformation has created an IT environment where those black and white decisions are no longer possible.

Companies that offer digital services to consumers must, by nature, open up aspects of their corporate network to many more users than they ever would have in the past. Employees are now bringing more unmanaged devices into the workplace, and they are using those devices to connect to corporate networks. Businesses must open up their IT networks to a larger group of third-party partners and service providers, who might connect via their own apps and services. And the nature of remote work means that a corporation’s IT perimeter is no longer restricted to its own four walls: users may need to access corporate data via public networks in airports, coffee shops, and elsewhere.

CARTA proposes that all of these factors have created a reality where traditional block/allow security solutions don’t allow for enough contextual decision-making and real-time security evaluation. Security solutions cannot simply block user access to corporate networks because the user is not located within the organization’s four walls – that would inhibit the daily flow of work.

Indeed, the block/allow security strategy may create more risk overall, because it inherently trusts every user or device that has been “allowed” into the network and never re-evaluates them. A user or device that has been compromised without anyone knowing therefore stays trusted, which leaves open the possibility of zero-day attacks, insider threats, or attacks using compromised credentials.

At the same time, the organization cannot open the flood gates to all new users at all times – that would create tremendous security risk.

How to implement CARTA

CARTA advises continuously evaluating all users or devices and making contextual access decisions. It's rooted in the Zero Trust framework, which advocates that no user or device – even those that are already within the network – should be inherently trusted.

The three phases of CARTA IT security and risk management

Run: In this phase, organizations rely on analytics to detect anomalies in real time. Automated solutions allow this detection to happen regularly and much sooner than if this evaluation were done manually. The net benefit is that the organization can respond to potential threats much sooner.
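The continuous, contextual evaluation described under "How to implement CARTA" and the real-time anomaly detection of the Run phase can be illustrated with a small policy evaluator. The block below is an added example and is not Gartner's, the page's, or any vendor's code; the signal names, weights, thresholds and the sample session events are all assumptions constructed for the illustration. Rather than a one-time allow/block gate at login, it recomputes a risk score for every observation during a session and maps it to a graded decision (allow, step-up authentication, restrict, block), so trust that was granted at minute 0 can be withdrawn at minute 50 when the context changes.

```python
"""Added illustration of CARTA-style continuous, contextual access decisions.
Not code from the page or from Gartner; every weight, threshold and sample
event below is an assumption made for this example."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Decision(Enum):
    ALLOW = "allow"        # full access
    STEP_UP = "step_up"    # keep session but require extra authentication
    RESTRICT = "restrict"  # limited scope, e.g. read-only, until re-verified
    BLOCK = "block"        # terminate session, alert the SOC


@dataclass
class Context:
    """Signals observed for one user/device at one point in a session (assumed set)."""
    minute: int                 # minutes since session start
    device_managed: bool        # device enrolled in corporate management
    network: str                # "corp", "home" or "public"
    geo_velocity_kmh: float     # speed implied by consecutive login locations
    failed_logins_last_hour: int
    data_volume_mb: float       # data pulled in the current window


@dataclass
class Baseline:
    """Per-user behavioural baseline learned from history (assumed single signal)."""
    typical_data_volume_mb: float


# Assumed decision thresholds, lower for more sensitive resources. Scores at or
# above the last "restrict" bound are blocked.
THRESHOLDS = {
    "low":  {"allow": 40, "step_up": 70, "restrict": 90},
    "high": {"allow": 20, "step_up": 45, "restrict": 70},
}


def risk_score(ctx: Context, baseline: Baseline) -> float:
    """Combine context signals into a 0..100 risk score (weights are assumptions)."""
    score = 0.0
    if not ctx.device_managed:
        score += 20
    score += {"corp": 0, "home": 10, "public": 25}.get(ctx.network, 30)
    if ctx.geo_velocity_kmh > 900:        # faster than any commercial flight
        score += 40                       # "impossible travel" anomaly
    score += min(ctx.failed_logins_last_hour, 5) * 5
    if baseline.typical_data_volume_mb > 0 and \
            ctx.data_volume_mb > 3 * baseline.typical_data_volume_mb:
        score += 30                       # volume anomaly against the user's baseline
    return min(score, 100.0)


def decide(score: float, sensitivity: str) -> Decision:
    """Map a score to a graded decision instead of a binary allow/block."""
    t = THRESHOLDS[sensitivity]
    if score < t["allow"]:
        return Decision.ALLOW
    if score < t["step_up"]:
        return Decision.STEP_UP
    if score < t["restrict"]:
        return Decision.RESTRICT
    return Decision.BLOCK


def evaluate_session(events: List[Context], baseline: Baseline,
                     sensitivity: str) -> List[Tuple[int, float, Decision]]:
    """Re-evaluate at every observation: trust is never granted once and kept."""
    return [(ev.minute, risk_score(ev, baseline), decide(risk_score(ev, baseline), sensitivity))
            for ev in events]


def demo_events() -> List[Context]:
    """Constructed sample session: starts clean, moves to a public network,
    then pulls unusual data volume, then shows impossible travel."""
    return [
        Context(0, True, "corp", 0, 0, 10),
        Context(30, True, "public", 0, 0, 10),
        Context(45, True, "public", 0, 0, 200),
        Context(50, True, "public", 1200, 0, 200),
    ]


def run_demo(sensitivity: str = "high") -> List[Tuple[int, float, Decision]]:
    return evaluate_session(demo_events(), Baseline(typical_data_volume_mb=20), sensitivity)


if __name__ == "__main__":
    for minute, score, decision in run_demo("high"):
        print(f"t+{minute:>3} min  risk={score:5.1f}  decision={decision.value}")
```

The same session is judged differently depending on the sensitivity of the resource being accessed, which is the "gray" decision-making the article contrasts with traditional block/allow: the public-network login alone only triggers step-up authentication for a sensitive resource and nothing at all for a low-sensitivity one, whereas the combination of signals at minute 50 is blocked in both cases.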

Build: This phase goes hand-in-hand with the concept of DevSecOps. It involves baking security into the development process by always evaluating and identifying security risks before they are built into production code. Since many modern applications are pieced together using publicly available libraries mixed with custom code, organizations need to make sure they are scanning those libraries for security risks before adding them to their program. Similarly, companies must evaluate ecosystem partners, including third-party developers or digital service providers, who need to interact with their environment.

Planning: Finally, organizations need to set their priorities. How much security risk are business leaders willing to accept in order to tap into the new opportunities afforded by modern IT environments? If your organization decides it wants to move to the public cloud, how will you address the security implications inherent in that decision? If remote work is preferred among your staff, how will the IT environment need to evolve in order to support that? By thinking through modern IT and establishing priorities, businesses will be in a better position to make contextual decisions and avoid the black/white decision-making of traditional IT.