Relevance of CARTA (Continuous Adaptive Risk and Trust Assessment) strategy in the emerging WFH culture

 Author - Sivakumar RR 

We are going through a very difficult time with the COVID-19 pandemic, in which all organizations are struggling to get back to normal operations. This year has also triggered the digital transformation journey for most organizations and the acceptance of the new WFH (work from home) culture. In general this helps both employee and employer keep things moving even while COVID-19 regulations and lock-downs are in place. But there is something every organization should take a look at: what do these changes really mean for the security part of the picture? Take a closer look at the changes: now your office is not just a few walls or buildings, your network is not limited to a certain area, and your assets are not only part of your network but also part of other, non-monitored networks. What do all these points lead to? Well, congratulations, you got leveled up in your game; now it's time to reevaluate the game plans.

Conventional IT policies work on a black-and-white principle: either give no access or give full access. Under modern circumstances these policies are not very effective, since a user with the "white" (full) access level can also have devices which are a potential threat. Also, as part of the digital transformation there may be new services or portals which you offer to your customers and which require them to connect to your network. In those cases the conventional policies will not be helpful.


So it's the right time to evaluate how a "gray" flavor of access level works. This follows the principle of not trusting users or devices blindly even though they are on the same network. CARTA is a strategic approach which helps to follow this principle. A little history: CARTA was introduced by Gartner as an advanced form of Adaptive Security Architecture. It allows users or devices to be evaluated in real time and contextual decisions to be made on the access level.
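To make the "gray" access level concrete, here is an added example (not from the original article, from Gartner, or from any CARTA product) of a small policy evaluator in Python. Every request is scored from assumed context signals (device management and patch state, network, MFA result, an analytics user-risk score, detected anomalies), the score is compared against per-resource thresholds, and a session is re-evaluated on each request so that trust granted earlier can be stepped down or revoked when the context changes. All signal names, weights, thresholds and sample contexts are assumptions chosen for illustration.

```python
"""CARTA-style adaptive access evaluator (illustrative, assumed signals)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Context:
    """Signals gathered for one request; names and ranges are assumptions."""
    user: str
    device_managed: bool        # enrolled in the corporate device management
    device_patched: bool        # endpoint agent reports patch level is current
    network: str                # "corporate", "home" or "public"
    mfa_passed: bool
    user_risk: int              # 0-100 score from user analytics (assumed)
    anomalies: List[str] = field(default_factory=list)  # e.g. "impossible_travel"


NETWORK_RISK = {"corporate": 0, "home": 10, "public": 25}
# Resource sensitivity 1 (low) .. 4 (critical); assumed classification.
SENSITIVITY = {"wiki": 1, "crm": 2, "finance": 3, "prod-admin": 4}
# Highest risk score that still gets full access / step-up, per sensitivity.
ALLOW_LIMIT = {1: 50, 2: 35, 3: 20, 4: 10}
STEPUP_LIMIT = {1: 70, 2: 60, 3: 45, 4: 30}


def risk_score(ctx: Context) -> Tuple[int, List[str]]:
    """Weighted risk total (0-100, higher = less trust) plus the reasons."""
    score, reasons = 0, []
    if not ctx.device_managed:
        score += 30; reasons.append("unmanaged device")
    if not ctx.device_patched:
        score += 20; reasons.append("device not patched")
    net = NETWORK_RISK.get(ctx.network, NETWORK_RISK["public"])
    if net:
        score += net; reasons.append(f"network={ctx.network}")
    if not ctx.mfa_passed:
        score += 20; reasons.append("no MFA")
    score += ctx.user_risk // 4          # contributes 0..25
    if ctx.anomalies:
        score += 15 * len(ctx.anomalies); reasons.append("anomalies=" + ",".join(ctx.anomalies))
    return min(score, 100), reasons


def decide(ctx: Context, resource: str) -> Tuple[str, int, List[str]]:
    """Graded decision: 'allow', 'step-up' (extra verification / reduced rights) or 'deny'."""
    score, reasons = risk_score(ctx)
    sens = SENSITIVITY.get(resource, 4)   # unknown resources are treated as critical
    if sens == 4 and not ctx.device_managed:
        return "deny", score, reasons + ["hard rule: critical resource from unmanaged device"]
    if score <= ALLOW_LIMIT[sens]:
        return "allow", score, reasons
    if score <= STEPUP_LIMIT[sens]:
        return "step-up", score, reasons
    return "deny", score, reasons


class Session:
    """Re-evaluates trust on every request instead of granting it once at login."""

    def __init__(self, resource: str):
        self.resource, self.state, self.log = resource, None, []

    def evaluate(self, ctx: Context) -> str:
        decision, score, reasons = decide(ctx, self.resource)
        if self.state == "allow" and decision != "allow":
            self.log.append(f"downgrade {ctx.user} on {self.resource}: {reasons}")
        self.state = decision
        self.log.append(f"{ctx.user} {self.resource} score={score} -> {decision}")
        return decision


# Constructed sample contexts for the same user in different situations.
OFFICE_CTX = Context("alice", True, True, "corporate", True, user_risk=8)
HOME_UNMANAGED_CTX = Context("alice", False, False, "home", True, user_risk=8)


def demo_session() -> List[str]:
    """Managed laptop at home: allowed at first, stepped down once analytics flag an anomaly."""
    session = Session("crm")
    start = Context("alice", True, True, "home", True, user_risk=8)
    later = Context("alice", True, True, "home", True, user_risk=60, anomalies=["impossible_travel"])
    return [session.evaluate(start), session.evaluate(later)]


if __name__ == "__main__":
    for res in SENSITIVITY:
        print("office  ", res, decide(OFFICE_CTX, res)[:2])
        print("home/byod", res, decide(HOME_UNMANAGED_CTX, res)[:2])
    print(demo_session())
```

The point of the `Session` class is the "continuous" part of CARTA: the same context signals are fed through the same policy on each request, so a user who was allowed in from a managed device can be stepped down to additional verification when the analytics side raises the user-risk score or flags an anomaly, without waiting for the next login.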



The three phases of CARTA are Run, Plan & Build.

Run

In this phase organizations can put effort into their analytics to identify threats, based on business logic or even on known vulnerability data references. This process automates most of the task of performing the evaluation in real time, much faster than manual evaluation and threat identification.

Build

This is something more aligned with the concepts of the DevSecOps culture. Teams should evaluate the applications they are building, their components, third-party integrations, etc., at the development and deployment level. Perform continuous evaluations starting from code and business-logic analysis through to the open-source libraries and machines on which the application is going to be deployed. As in the Run phase, these activities can be automated, or structured so that a mix of manual and automated analysis gives better output.

Plan

This phase involves more management-level decisions, since it evaluates the organization's assets, applications and integrations at a high level and decides how much risk can be accepted. It is a very crucial phase, since it has an impact on the other two phases as well. For example, a decision to move applications to a public cloud or to build one's own cloud architecture has implementation impact on both the Run and Build phases.

To conclude, CARTA aligns with the current circumstances of frequent change and is a potential relief to organizations in managing their remote assets. An organization which assesses, identifies and mitigates its risks continuously will always have a better security posture, which adds value to its brand as well.
