Adaptive Risk Management With CARTA and Zero Trust

Approaches to identity and access management are continually evolving in response to a changing threat landscape and the growing financial impact of breach activity. The amount of data organizations manage jumped 40% between 2018 and 2019, and the total cost of losing that data increased almost $14,000 during the same period.

With the stakes so high, enterprise businesses and large organizations can’t afford to continue using security protocols designed for self-contained internal systems. Extensive networks with diverse user bases require identity management and access control measures capable of executing adaptive responses to dynamic user interactions. The CARTA framework introduced by Gartner offers one such solution.

What does the CARTA acronym mean?

CARTA stands for Continuous Adaptive Risk and Trust Assessment and is based on Gartner’s Adaptive Security Architecture. As one of the company’s top security projects in 2019, CARTA seeks to address the changing world of identity and access management and provide solutions to emerging IAM challenges.

Today’s enterprises face the unique challenge of managing cloud-based networks that are always on and always accessible from a variety of devices. While network users often lack essential cybersecurity knowledge, innovative hackers take advantage of technologies like artificial intelligence to launch subtle attacks. It’s a tricky combination with the potential for serious consequences unless reliable IAM protocols are put in place.

The CARTA strategy is designed for continuous adaptation that goes beyond basic allow or deny models to provide contextually relevant access. By operating with context as a guide, CARTA can reduce bottlenecks, maximize system efficiency, improve workflow agility and improve user experiences. It enables granular access control beyond what standard IAM procedures are capable of and allows IT teams to manage networks without the constant burden of manual monitoring.

CARTA vs. zero trust: Is there a difference?

CARTA shares many characteristics with zero-trust frameworks. In traditional network settings where the perimeter can be clearly defined, the default position is often to trust anything “inside” and require verification only for “outside” requests and inputs. However, this stance becomes problematic as perimeters expand beyond the confines of a business or organization.

Today’s network perimeters may incorporate an enterprise’s physical location, numerous remote employees and multiple third-party vendors or partners. Zero trust addresses such an environment with a new default security position: Trust nothing in the network until its identity has been verified. Network access is only granted when genuine proof of identity is presented, usually as a combination of credentials and behavioral parameters.

CARTA takes the zero trust idea further by introducing:

• Continuous monitoring, assessment, discovery and risk prioritization
• Adaptive attack protection
• Contextual access control
Continuous device visibility
• Automated device control
• Micro-segmented networks
• Ongoing cyber and operational risk assessment
• Security management for agentless devices
• Dynamic trust and risk assessments and responses

Both CARTA and zero trust encourage real-time assessments and monitoring. Trust is based on identity and verified continually using behavior and context instead of basic allow or deny rules. To achieve the best outcomes with either framework, both users and devices must be monitored on an ongoing basis. CARTA’s additional security measures not only reduce breach risk but also improve containment should a hacker gain network access.

Should businesses switch to the Gartner CARTA model?

Cybersecurity evolves quickly, and it can be difficult for businesses to keep up with the changes. However, hackers seek out vulnerabilities, and organizations with outdated security policies present easy targets. CARTA offers an approach that incorporates recent trends in IAM and security, so businesses should be able to adapt and expand existing security protocols to adhere to the updated principles.

CARTA implementation makes the most sense for enterprises and organizations with:

• Large numbers of agentless internet of things devices
• An extensive network of external vendors or partners requiring network access
• An active BYOD policy
• A large remote workforce
• A growing network perimeter
• Issues arising from silos within existing security systems
• Concerns regarding the use of unapproved third-party applications

Such complex networks have more users, including third parties, and require more oversight and automation than smaller network environments. Customer access introduces additional challenges for some enterprises and organizations. CARTA can also address these issues, such as unsecure devices and access from private Wi-Fi connections.

If a breach occurs, the CARTA model improves detection times and allows for faster responses. Instead of weeks or months passing between a breach event and its discovery, enterprises are able to shut down and mitigate hacker activity before extensive damage is done.

How can businesses implement CARTA?

Building on the idea of zero trust, CARTA assumes every potential network interaction poses a threat. It creates a security framework where identity management and breach response are both based on a reality in which hackers are definitely going to infiltrate the system.

It’s far from a paranoid assumption. Sixty-eight percent of business leaders see an increase in cybersecurity risk, and statistics show the perception is accurate. Breach incidents have increased 67% since 2014, and hacker attacks now occur once every 39 seconds. Such volume requires the kind of continual, automated monitoring and response CARTA can provide.

Management within a CARTA framework involves three interconnected phases:

• Run: Analytics are used to detect real-time behavioral anomalies. Automating the process reduces the need for direct intervention from IT teams, which improves overall security efficiency. Shorter threat response times and faster mitigation prevents costly breach consequences.
• Build: Security becomes part of the application development process. Risk evaluation takes a high priority as developers assess the tools and code used to create software solutions and take a critical approach to service partnerships.
• Planning: Risk tolerance levels can hold back enterprise development and growth.

Executives need to recognize that all growth—particularly in terms of technology—comes with a measure of risk. New opportunities must be evaluated based on whether benefits outweigh potential risks to the organization as a whole.

Successfully implementing and sustaining these phases requires a suite of automation tools to handle monitoring and responses. This enables advanced identity management and access control by introducing contextual elements, which equip networks to approve or deny access requests based on granular controls.

Finding the right tool starts with a thorough assessment of current security systems to identify gaps and see where CARTA can improve protocols. By evaluating known and potential vulnerabilities, enterprises can determine the best approach for moving away from traditional IAM and security frameworks to a new method designed for a growing perimeter.

Higher amounts of risk are inherent in larger businesses, which makes CARTA desirable for enterprises and institutions. These organizations should weigh implementation expenses against potential breach costs to determine if CARTA is superior to other security solutions.

As with any identity management and access control solution, CARTA must be approached with a solid knowledge of all hardware, software, devices and users accessing internal networks. Clearly defined metrics serve to guide ongoing monitoring activities and future assessments, which helps enterprises track whether new security protocols are working.

Although the design of the CARTA framework is suitable for enterprise IAM and security needs, companies must conduct internal assessments prior to implementation. Any protocol should support requirements for security and compliance while providing a seamless and efficient experience for all users.

Identity and access management certifications by Identity Management Institute
Learn about leading identity and access management certifications