Continuous Adaptive Risk and Trust Assessment (CARTA)

CARTA is an IT security strategy that replaces one-time security verdicts with continuous assessment and context-aware decisions, adaptively evaluating both risk and trust. Gartner introduced CARTA in 2017 as an evolution of its Adaptive Security Architecture.

The concepts of CARTA

The CARTA framework aims to bring clarity to contemporary IT security, where few decisions can honestly be classed as either completely safe or completely dangerous.

Conventional IT security tools make binary judgments: access to the network is either blocked or permitted outright, based on a one-time estimate of the danger it poses. Digital transformation, however, has produced an IT landscape in which such binary judgments are no longer adequate.

Companies that deliver digital services to customers inherently expose parts of their corporate network to far more users than before. Employees increasingly bring unmanaged devices into the office and use them to connect to corporate networks.

Businesses also need to open their IT networks to a broader range of third-party partners and service providers, who connect through their own applications and services.

With remote work, a corporation's IT perimeter is no longer bounded by its physical premises: users need to reach company data over public networks in places like airports and coffee shops.

CARTA argues that together these trends have produced a situation in which conventional block/allow controls can neither make contextual decisions nor evaluate security in real time. A control cannot simply deny a user access to business systems because the user is off-site, since that would obstruct normal work.

The block/allow model also carries a higher overall risk because it trusts every user or device that has once been "allowed" onto the network without ever re-evaluating that status. This leaves room for zero-day exploits, insider threats and attacks that use compromised credentials.

At the same time, a company cannot grant unrestricted access to every new user indiscriminately, since that would be a serious security exposure.

How to implement the CARTA methodology

CARTA calls for continuous assessment of every user and device, with access decisions made on the basis of the specific context of each request. The approach builds on the Zero Trust model, in which no person or device, even one already inside the network, is trusted automatically.

The CARTA IT security and risk management framework consists of three distinct stages.

Run

In this stage, organizations rely on analytics to detect deviations from normal behavior as soon as they occur. Automated methods detect these deviations far sooner than a manual review could, so the company can respond to possible threats promptly.
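The continuous, context-dependent decision logic described in this section and the one before it (ongoing assessment of users and devices, graduated rather than binary access decisions, and analytics that catch deviations from the norm) can be sketched in a few dozen lines. The Python engine below is an added example, not Gartner's framework or code from this page; the signal names, weights, thresholds and the "impossible travel" heuristic are hypothetical choices, and the timestamps and coordinates in the scenario are constructed.

```python
"""Adaptive, continuously re-evaluated access decisions.
Added example, not Gartner's or the article's code; weights, thresholds and
signals are hypothetical and would be tuned to an organization's risk appetite."""
from collections import namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

ALLOW, STEP_UP, DENY = "ALLOW", "STEP_UP", "DENY"

# Start from a neutral baseline, subtract for trust signals, add for risk
# signals, then map the total to a graduated action instead of allow/block.
BASELINE = 30
MANAGED_DEVICE_BONUS = -20
UNMANAGED_DEVICE_PENALTY = 25
PUBLIC_NETWORK_PENALTY = 15
MFA_BONUS = -25
SENSITIVITY_PENALTY = {"low": 0, "medium": 15, "high": 35}
IMPOSSIBLE_TRAVEL_PENALTY = 60
IMPOSSIBLE_TRAVEL_KMH = 1000.0  # faster than an airliner: not plausible
STEP_UP_THRESHOLD = 40           # >= this: require MFA rather than block outright
DENY_THRESHOLD = 70              # >= this: refuse and flag for investigation

# Signals available when one request is evaluated: network is "corp" or
# "public", resource_sensitivity is "low"/"medium"/"high", geo is (lat, lon).
Context = namedtuple("Context", "user ts device_managed network mfa_passed resource_sensitivity geo")
Decision = namedtuple("Decision", "action risk reasons")


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class AdaptiveAccessEngine:
    """Scores each request in context and remembers where each user was last seen,
    so trust granted at login is re-evaluated on every later event."""

    def __init__(self):
        self._last_seen = {}  # user -> (timestamp, geo)

    def _travel_reason(self, ctx):
        # Reason string if the move since the user's last event is physically implausible.
        prev = self._last_seen.get(ctx.user)
        if prev is None:
            return None
        prev_ts, prev_geo = prev
        km = haversine_km(prev_geo, ctx.geo)
        hours = (ctx.ts - prev_ts).total_seconds() / 3600.0
        speed = km / hours if hours > 0 else (float("inf") if km > 1.0 else 0.0)
        if speed > IMPOSSIBLE_TRAVEL_KMH:
            return f"impossible travel: {km:.0f} km in {hours:.2f} h"
        return None

    def decide(self, ctx):
        risk, reasons = BASELINE, []
        if ctx.device_managed:
            risk += MANAGED_DEVICE_BONUS
        else:
            risk += UNMANAGED_DEVICE_PENALTY
            reasons.append("unmanaged device")
        if ctx.network == "public":
            risk += PUBLIC_NETWORK_PENALTY
            reasons.append("public network")
        if ctx.mfa_passed:
            risk += MFA_BONUS
        risk += SENSITIVITY_PENALTY[ctx.resource_sensitivity]
        travel = self._travel_reason(ctx)
        if travel:
            risk += IMPOSSIBLE_TRAVEL_PENALTY
            reasons.append(travel)
        self._last_seen[ctx.user] = (ctx.ts, ctx.geo)  # baseline for the next event
        risk = max(risk, 0)
        if risk >= DENY_THRESHOLD:
            action = DENY
        elif risk >= STEP_UP_THRESHOLD:
            action = STEP_UP
        else:
            action = ALLOW
        return Decision(action, risk, tuple(reasons))


def demo():
    """Constructed scenario (not real data): one user, four events, one session."""
    engine = AdaptiveAccessEngine()
    t0 = datetime(2024, 1, 8, 9, 0)
    office, cafe, far_away = (40.7128, -74.0060), (40.7306, -73.9352), (51.5074, -0.1278)
    events = [
        Context("alice", t0, True, "corp", True, "medium", office),                        # at the office
        Context("alice", t0 + timedelta(hours=1), True, "public", False, "medium", cafe),  # coffee shop, no MFA yet
        Context("alice", t0 + timedelta(hours=1, minutes=1), True, "public", True, "medium", cafe),  # MFA passed
        Context("alice", t0 + timedelta(hours=3), True, "public", True, "medium", far_away),  # now 5,500 km away
    ]
    return [engine.decide(e) for e in events]


if __name__ == "__main__":
    for d in demo():
        print(d.action, d.risk, "; ".join(d.reasons) or "no risk signals")
```

Two points the scenario makes: the request from the coffee shop is not blocked for being off-site but stepped up to MFA, after which the same user is allowed through; and because the engine keeps re-scoring each event against the last one, the later request from a location the user could not physically have reached is denied even though the session was already trusted. In a real deployment the signals would come from the identity provider, endpoint management and network telemetry, and the thresholds would encode the risk appetite set in the planning stage.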

Build

This phase is closely tied to DevSecOps: security is built into the development process by continuously assessing code for vulnerabilities before it ships. Since many contemporary applications combine publicly available libraries with custom code, enterprises must scan those libraries thoroughly before incorporating them into their programs. Likewise, firms must assess ecosystem partners, such as third-party developers or digital service providers, that need to interact with their environment.

Plan

Finally, companies must set their priorities. How much security risk are executives prepared to accept in exchange for the opportunities that contemporary IT environments offer? If the business moves to the public cloud, how will it handle the security consequences of that decision? If the workforce prefers remote work, what must change in the IT estate to accommodate it? By analyzing their environment carefully and setting clear goals, organizations become better able to make informed, context-specific decisions instead of the rigid binary choices associated with conventional IT security.
