Last year, Gartner introduced a new strategic approach for information security called Continuous Adaptive Risk and Trust Assessment (CARTA). This new model is summarized in 7 core principles that reflect the reality of securing a world where digital business capabilities can be accessed anywhere, by anyone, from any device, and where attackers continue to proliferate and innovate. Designed to addresses the shortcomings of static security programs, CARTA approach was one of Gartner’s top security projects for 2019.
CARTA strategic approach requires continuous device visibility and automated control, as well as orchestration capabilities to operationalize security and risk management across the growing vendor ecosystem. It builds upon Gartner’s Adaptive Security Architecture to shift security and risk management processes away from single allow/deny gating to more agile, context-aware and adaptive methods. The CARTA approach:
- Requires continuous discovery, monitoring, assessment and risk prioritization to get full visibility and context of assets and risk, including prioritization of vulnerabilities
- Includes both adaptive attack and access protection
The CARTA approach
The CARTA strategic approach stipulates that effective risk and cybersecurity management require:
- 100% device visibility and automated control
- Continuous monitoring, assessment and remediation of cyber and operational risk
- Micro-segmentation to contain breaches and limit lateral movement/damage
- Technologies and products from multiple vendors
- New levels of multivendor orchestration and process/response automation
- Discovery, posture assessment and remediation/control of physical and virtual devices as well as cloud infrastructure and workloads
- Effective security management of agentless IoT devices and cyber-physical OT systems
Cybersecurity approach for the digital age
In a nutshell, Gartner sees CARTA as a way for organizations to manage the risks that come with the digital world by deploying security that moves at the speed of digital business.
Using a simplistic view of the world, we think we can protect our assets by identifying what is good and what is bad, then “blocking or allowing” based on those definitions. But this approach has proven to be flawed, as increasing numbers of targeted attacks get past these kinds of defenses as the bad guys keep figuring out ways to “get around the gate.”
CARTA’s risk reduction/business enablement model, built on the premise that everything needs to be continually monitored and assessed, proposes a new security and risk mindset for the next decade.