What Is Continuous Adaptive Risk And Trust Assessment (CARTA) And Why You Can’t Depend On Just RBAC Anymore
Most ERP applications ship with a static, role-based access control (RBAC) model, and organizations rely on it to safeguard systems and data, to govern and review who holds which access, and to support threat detection and response.
However, Gartner recommends moving away from static RBAC toward adaptive security, and the attribute-based access control (ABAC) model is the mechanism that makes adaptive decisions possible. Gartner's answer to the changing security and risk landscape is a proactive, policy-driven, context-aware model whose access decisions adapt to key risk indicators at the time of each request.
What Makes Role-Based Access Control (RBAC) Inadequate?
- RBAC is static: a role grants the same permissions regardless of where, when, or from which device the user connects, so it offers none of the adaptive response Gartner recommends.
- RBAC cannot easily express policy at the transaction and data-field level; adding such conditions usually means multiplying roles rather than writing a rule.
- RBAC contributes little to threat and anomaly detection: the decision is made once at login and says nothing about what the user does with the access afterwards.
Instead of relying only on static controls, Gartner calls for a strategic approach known as “continuous adaptive risk and trust assessment,” or CARTA. The CARTA framework is focused on standardizing agility, enabling contextual awareness, and leveraging adaptive security technologies. It enables organizations to strengthen security and leverage automation for continuous improvement.
Gartner’s Adaptive Security Imperatives
The CARTA framework consists of seven imperatives that together make up a risk-adaptive approach. Of the seven, the first two take priority because they most directly affect the organization's security posture and risk.
Be Context-Aware And Adaptive
The first CARTA imperative is to move away from a single one-time, yes/no risk decision at the main gate to your systems (the static authentication and authorization step) toward continuous, real-time analysis of risk and trust across the platform, one that weighs user anomalies against context-aware information.
Context-aware security uses situational attributes such as identity, geolocation, time of day, and type of endpoint device, which are exactly the inputs an ABAC policy evaluates. Gartner listed this imperative first for a reason: an adaptive response is only possible if the underlying security model can consume those attributes at decision time, and a static RBAC model cannot.
Monitor Continuously And Prioritize Risk
The second CARTA imperative recognizes that risk is fluid: identification, analysis, prioritization, monitoring, and response must continue after the initial login assessment, combining proactive and reactive capabilities.
For example, if a user attempts to download a large amount of sensitive data, you need the ability to detect the attempt and block it when it is inappropriate for that user and context. Here again, ABAC gives organizations preventative, detective, and reactive controls at the business-transaction and master-data level.
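To make the two imperatives concrete, the following Python example (added for this article; it is not Pathlock's or Gartner's code) shows a static RBAC check beside an ABAC decision that layers context attributes (geolocation, time of day, device type) on top of the existing roles, and a per-session trust state that is re-evaluated on every request so that a large cumulative export of sensitive data is detected and blocked mid-session. The attribute names, the trusted-country set, the business-hours window, the export threshold, and the sample requests are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Illustrative policy constants (assumed for this example, not any product's defaults).
TRUSTED_COUNTRIES = {"US", "DE"}      # geolocation attribute
BUSINESS_HOURS = range(7, 20)         # 07:00 to 19:59 local, time-of-day attribute
SENSITIVE_EXPORT_LIMIT = 5000         # rows of sensitive data one session may export


@dataclass
class Request:
    user: str
    roles: set
    action: str            # "read" or "export"
    resource: str          # e.g. "customer_master"
    sensitive: bool        # resource classification attribute
    rows: int              # size of the transaction
    country: str           # environment attributes below
    hour: int
    device_managed: bool


# Static RBAC: a role maps to a fixed set of (action, resource) permissions.
ROLE_PERMISSIONS = {
    "finance_analyst": {("read", "customer_master"), ("export", "customer_master")},
    "warehouse_clerk": {("read", "inventory")},
}


def rbac_allows(req: Request) -> bool:
    """Classic RBAC: one yes/no decided purely from role membership."""
    return any((req.action, req.resource) in ROLE_PERMISSIONS.get(r, set())
               for r in req.roles)


@dataclass
class Session:
    """Per-session state re-evaluated on every request, not only at login."""
    sensitive_rows_exported: int = 0
    trust: str = "high"              # degraded to "low" once a threshold is crossed
    log: list = field(default_factory=list)

    def record(self, req: Request, risk: int, decision: str) -> str:
        self.log.append((req.action, req.resource, req.rows, risk, self.trust, decision))
        return decision


def context_risk(req: Request) -> int:
    """Score the environment attributes; 0 means fully expected context."""
    risk = 0
    if req.country not in TRUSTED_COUNTRIES:
        risk += 2
    if req.hour not in BUSINESS_HOURS:
        risk += 1
    if not req.device_managed:
        risk += 2
    return risk


def abac_decide(req: Request, session: Session) -> str:
    """ABAC layered on RBAC; returns 'allow', 'step_up' (re-authenticate) or 'deny'."""
    # Existing role assignments remain the first gate.
    if not rbac_allows(req):
        return session.record(req, 0, "deny")
    risk = context_risk(req)
    if req.sensitive and req.action == "export":
        # Continuous monitoring: the cumulative volume this session has already
        # pulled is part of the decision, so a large download is caught mid-session.
        projected = session.sensitive_rows_exported + req.rows
        if projected > SENSITIVE_EXPORT_LIMIT:
            session.trust = "low"            # not restored for the rest of the session
            return session.record(req, risk, "deny")
        if session.trust == "low" or risk >= 3:
            return session.record(req, risk, "deny")
        if risk > 0:
            return session.record(req, risk, "step_up")
        session.sensitive_rows_exported = projected   # committed only when allowed
        return session.record(req, risk, "allow")
    # Non-export actions: only a strongly anomalous context blocks them.
    return session.record(req, risk, "deny" if risk >= 4 else "allow")


def run_scenario() -> list:
    """Constructed sample session for one finance analyst; returns each decision."""
    session = Session()
    base = dict(user="a.lee", roles={"finance_analyst"},
                resource="customer_master", sensitive=True)
    normal = dict(country="US", hour=10, device_managed=True)
    requests = [
        Request(action="export", rows=10, **base, country="US", hour=23, device_managed=True),
        Request(action="read", rows=1, **base, country="BR", hour=10, device_managed=False),
        Request(action="export", rows=2000, **base, **normal),
        Request(action="export", rows=2000, **base, **normal),
        Request(action="export", rows=2000, **base, **normal),   # would exceed the limit
        Request(action="export", rows=10, **base, **normal),     # trust already degraded
        Request(action="read", rows=1, **base, **normal),        # reads still permitted
    ]
    return [abac_decide(r, session) for r in requests]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

Every request in the scenario passes the RBAC check, because the analyst's role legitimately includes exporting customer master data; it is the context score and the session's accumulated export volume that turn the third large export, and everything sensitive after it, into a denial. That is the difference between a one-time gate decision and continuous assessment.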
Enabling Adaptive Security With Pathlock
Overall, the change Gartner recommends equips organizations to manage a risk and trust relationship that is never fixed. This is why the Pathlock Platform is built around four capabilities: Predictive, Preventative, Detective, and Responsive. It applies the attribute-based access control (ABAC) model on top of the role-based controls already defined and in use across your organization, so Gartner's CARTA imperatives can be met without discarding existing role assignments.
Learn more about how the Pathlock Platform can enable adaptive security controls with ABAC.