Gartner’s CARTA Framework

What is Gartner’s CARTA Framework?

Gartner’s CARTA Framework, also known as Continuous Adaptive Risk and Trust Assessment (CARTA), is a strategic approach to IT security that favors continuous cybersecurity assessments and contextual decision-making based on adaptive evaluations of risk and trust. CARTA was introduced by Gartner in 2010 as an evolution of its Adaptive Security Architecture.[1]

The CARTA framework is focused on standardizing agility, enabling contextual awareness, and leveraging adaptive security technologies. It enables organizations to strengthen security and leverage automation for continuous improvement.

The CARTA strategy is designed for continuous adaptation that goes beyond basic allow or deny models to provide contextually relevant access. By operating with context as a guide, CARTA can reduce bottlenecks, maximize system efficiency, improve workflow agility and improve user experiences. It enables granular access control beyond what standard IAM procedures are capable of and allows IT teams to manage networks without the constant burden of manual monitoring.

According to Gartner, a CARTA mindset allows enterprises to make decisions based on risk and trust. Decisions must continuously adapt, security responses must continuously adapt, and thus risk and trust must continuously adapt.

The CARTA Approach[2]
The CARTA strategic approach stipulates that effective risk and cybersecurity management requires:

  • 100% device visibility and automated control
  • Continuous monitoring, assessment, and remediation of cyber and operational risk
  • Micro-segmentation to contain breaches and limit lateral movement/damage
  • Technologies and products from multiple vendors
  • New levels of multivendor orchestration and process/response automation
  • Discovery, posture assessment, and remediation/control of physical and virtual devices as well as cloud infrastructure and workloads
  • Effective security management of agentless IoT devices and cyber-physical OT systems

The Need for CARTA[3]
Given the relentless pace of investment in security tools over the past decade, you may wonder why enterprises and government organizations haven’t solved all of their security problems and still need such an all-encompassing security framework. But let’s face it: Cybercriminals these days are wildly successful. The status quo simply isn’t working. Previously effective security and risk management approaches are unsuitable for rapid changes brought about by IP-connected data sharing and digital transformation. Some of these changes include:

  • Hypergrowth of non-traditional devices and OSes—most of which are agentless
  • Perimeter defenses no longer work—physical vendor access, phishing, and insider credential abuse circumvent the perimeter every day
  • Corporate device ownership has become irrelevant thanks to mobile computing, BYOD, and IoT/OT devices showing up constantly on enterprise networks
  • Point-in-time scans are old news—asset inventory and vulnerability assessment must occur continuously in real time
  • Security silos add inefficiency and delays—too many tools to learn and use and too many manual processes to keep pace with growth and unyielding pressure from hackers
  • One-time block/allow authentication methods miss the mark while impeding access to legitimate users

CARTA Vs. Zero Trust[4]
CARTA shares many characteristics with zero-trust frameworks. In traditional network settings where the perimeter can be clearly defined, the default position is often to trust anything “inside” and require verification only for “outside” requests and inputs. However, this stance becomes problematic as perimeters expand beyond the confines of a business or organization.

Today’s network perimeters may incorporate an enterprise’s physical location, numerous remote employees and multiple third-party vendors or partners. Zero trust addresses such an environment with a new default security position: Trust nothing in the network until its identity has been verified. Network access is only granted when genuine proof of identity is presented, usually as a combination of credentials and behavioral parameters.

CARTA takes the zero trust idea further by introducing:

  • Continuous monitoring, assessment, discovery, and risk prioritization
  • Adaptive attack protection
  • Contextual access control
  • Continuous device visibility
  • Automated device control
  • Micro-segmented networks
  • Ongoing cyber and operational risk assessment
  • Security management for agentless devices
  • Dynamic trust and risk assessments and responses

Both CARTA and zero trust encourage real-time assessments and monitoring. Trust is based on identity and verified continually using behavior and context instead of basic allow or deny rules. To achieve the best outcomes with either framework, both users and devices must be monitored on an ongoing basis. CARTA’s additional security measures not only reduce breach risk but also improve containment should a hacker gain network access.
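The contextual, continuously re-evaluated decision described above, as an added illustration (this is not Gartner's code or the page's own): each observation of a session yields a risk score, the running trust level adapts to it, and the outcome is graded (allow, step up, deny) by the sensitivity of the resource rather than fixed once by an allow/deny rule. The signal names, weights, thresholds and the sample session are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    device_managed: bool    # agent or MDM present (assumed signal)
    device_patched: bool    # posture check passed
    known_location: bool    # geo consistent with the user's history
    failed_logins: int      # in the last hour
    anomalous_volume: bool  # transfer volume far above the user's baseline

def risk_score(obs: Observation) -> int:
    """Weighted sum of risk signals: 0 is clean, 100 is every signal firing (weights assumed)."""
    score = 0 if obs.device_managed else 20
    score += 0 if obs.device_patched else 15
    score += 0 if obs.known_location else 25
    score += min(obs.failed_logins, 5) * 5
    score += 30 if obs.anomalous_volume else 0
    return score

def update_trust(trust: float, obs: Observation) -> float:
    """Move running trust (0..100) toward 100 - risk; smoothing keeps one noisy reading from flipping a session."""
    target = 100 - risk_score(obs)
    return max(0.0, min(100.0, 0.6 * trust + 0.4 * target))

# (allow_at, step_up_at) per resource sensitivity; anything below step_up_at is denied
THRESHOLDS = {"low": (40, 20), "high": (75, 50)}

def decide(trust: float, sensitivity: str) -> str:
    allow_at, step_up_at = THRESHOLDS[sensitivity]
    if trust >= allow_at:
        return "allow"
    if trust >= step_up_at:
        return "step_up"  # e.g. require MFA or narrow the session's scope
    return "deny"

def evaluate_session(observations, sensitivity, initial_trust=50.0):
    """Re-assess after every observation; returns (trust, decision) per step."""
    trust, out = initial_trust, []
    for obs in observations:
        trust = update_trust(trust, obs)
        out.append((round(trust, 1), decide(trust, sensitivity)))
    return out

# Constructed session: two clean requests, an anomalous transfer from an unfamiliar
# location, then an unmanaged device with a burst of failed logins.
SAMPLE_SESSION = [
    Observation(True, True, True, 0, False),
    Observation(True, True, True, 0, False),
    Observation(True, True, False, 0, True),
    Observation(False, True, False, 5, True),
]
```

Running `evaluate_session(SAMPLE_SESSION, "high")` yields step_up, allow, step_up, deny, while the same session against a low-sensitivity resource is allowed throughout; the decision is a function of accumulated context, not of the first credential check.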

Challenges of Adopting the CARTA Approach[5]
While enterprises should look to embrace CARTA, they must consider the challenges they may face when trying to get there. Some of these are highlighted below:

  • Attempting to use traditional technologies – Firewall appliances and virtual appliances are built to secure the network. With the adoption of public cloud services, you no longer control the network (which is now the internet), so how do you do network security? Traditional technologies place employees (and partners) on the corporate network, expose apps to the internet, and are expensive to scale and manage. What happens with 5G? Software-defined perimeter (SDP) solutions were built to address all these challenges—keeping users off the network and keeping apps invisible to the internet—and they’re infinitely scalable—which makes SDP a requirement for today’s IT.
  • Planning for no-agent and no-MDM on devices – Delivering user-centric security when there is no agent on the device is difficult. Users working on any number of devices must instead have the flexibility to connect over a browser and go agentless. This is especially important when partners need to access private apps.
  • Performing risk assessment on an ongoing basis – Security can no longer be a one-and-done mindset. Teams should adopt technologies that adapt to the user and the changing context in which they access business services. Adopting modern, cloud-first technologies that integrate well together across users, devices, logging, and connectivity is a must.

References

  1. Defining Gartner’s CARTA Framework
  2. The CARTA Approach
  3. Why CARTA
  4. CARTA vs. zero trust: Is there a difference?
  5. Challenges of Embracing CARTA