Continuous adaptive risk and trust assessment (CARTA) is a strategic approach to information security that was introduced by Gartner in 2017. It is built on their Adaptive Security Architecture which promotes an approach of continuous adaptation to a changing security landscape rather than seeking to either block or allow specific interactions. The underlying philosophy is that in the digital world of modern business, some transactions must be allowed even when security is still not fully certain.
Within the CARTA approach, decisions and security responses are made based on risk and trust and continuously adapt to the context and to the learnings gained from each interaction. The binary block/allow assessments made in the non-CARTA approach are thought to become more dangerous over time, because they expose the organization to zero-day attacks, insider threats, credential theft, and targeted attacks. When trust and risk are dynamic rather than static, they are assessed continuously and managed with fine-grained “measures of confidence” that have varying risk and response attributes.
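The contrast between a static block/allow policy and a continuously adapting, risk-and-trust-based one can be made concrete with a small decision loop. The following is an added illustration written for this article, not a Gartner artifact or any vendor's implementation; the risk signals, weights, thresholds and response grades are assumed for the example.

```python
"""Illustrative CARTA-style decision loop (constructed example, not Gartner's).

A subject's trust is a dynamic "measure of confidence" that is updated after
every interaction, and each request is graded into one of several responses
instead of a fixed block/allow. Weights and thresholds are assumed values.
"""
from dataclasses import dataclass

# Assumed context signals and their risk weights (constructed for this example).
RISK_WEIGHTS = {"new_device": 0.3, "unusual_location": 0.3, "sensitive_resource": 0.4}


@dataclass
class Subject:
    name: str
    trust: float = 0.5  # confidence in the subject, 0.0 .. 1.0, adapts over time


def risk_score(context: dict) -> float:
    """Sum the weights of the risk signals present in this request's context."""
    return min(1.0, sum(w for k, w in RISK_WEIGHTS.items() if context.get(k)))


def static_decision(context: dict) -> str:
    """Binary block/allow policy: any risk signal at all blocks the request."""
    return "block" if risk_score(context) > 0 else "allow"


def carta_decision(subject: Subject, context: dict) -> str:
    """Grade the response by confidence = trust discounted by contextual risk."""
    confidence = subject.trust * (1.0 - risk_score(context))
    if confidence >= 0.45:
        return "allow"
    if confidence >= 0.25:
        return "allow_and_monitor"      # proceed, but raise visibility on it
    if confidence >= 0.10:
        return "step_up_verification"   # proceed once the subject proves more
    return "block"


def learn(subject: Subject, benign: bool) -> float:
    """Adapt trust from an interaction's outcome; distrust builds faster than trust."""
    delta = 0.05 if benign else -0.2
    subject.trust = max(0.0, min(1.0, subject.trust + delta))
    return subject.trust
```

With a trust of 0.5, a request from a new device is blocked outright by the static policy but only monitored under the graded one, and after a few benign interactions the same request is allowed without escalation.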
There are three phases of IT security where CARTA plays a role: Run, Plan and Build. In the Run phase, CARTA lets the organization use analytics to focus only on the biggest threats and to automate the handling of the majority of incidents. In the Build phase, CARTA plays a role in DevSecOps, as teams identify threats and eliminate them from the apps they are building, and use tools such as a digital risk rating service to analyze open source components they may want to use. In the Plan phase, CARTA invites organizations to use analytics to weigh the risks of decisions such as having employees change passwords frequently against the productivity impact, and to decide how much risk to accept. The CARTA approach can also help enterprises assess vendors and new technologies to determine how well they can help them continuously assess, analyze and mitigate risk. For example, SUSE Linux Enterprise High Availability Extension is a CARTA-friendly clustering system that is designed to continuously monitor servers and automatically transfer workloads to another server if it detects a fault or failure.