Taking a CARTA approach to email security

Egress | 4th Sep 2019

Gartner introduced its 'continuous adaptive risk and trust assessment' (CARTA) approach to security in 2017 as a response to the ever-changing threat landscape faced by digital businesses. The approach focuses on helping organisations detect and prevent the cyberattacks and data breaches that arise from the inherent 'grey areas' of modern cybersecurity - for example, the trusted employee exfiltrating information, or cybercriminals exploiting flaws in business applications. By adopting a CARTA approach, organisations and their security teams accept a level of distrust in their environments, applications and actors (employees, contractors, partners, etc.), and in response continuously assess and monitor the relative levels of risk and trust in order to improve their cybersecurity posture. 


The CARTA approach is designed to leverage organisations' predictive capabilities so that they can anticipate and overcome potential security threats before their environments and data have been breached. At the same time, the approach recognises that this is not always possible: as the landscape shifts, some threats will continue to slip through the net. Organisations therefore also need to be able to detect when boundaries have been breached and data is at risk, and to rapidly contain these situations and remediate any damage caused. Lessons from both processes then feed back into ongoing improvements to the organisation's security posture. 

This adaptive security architecture can be broken into both proactive and reactive phases: 

  • Predict and prevent = Proactive
  • Detect and respond = Reactive

Historically, security measures have been overly reliant on prevention, which has made life too difficult for everyday users trying to get their jobs done. Overloading systems with too-frequent AV scans or making authentication too complex has reduced productivity and left a legacy of hostility towards information security. And, ultimately, organisations have continued to be breached and data has continued to be exposed. 

Because it is built on the assumption of a successful breach, the CARTA methodology is inherently adaptive. It is not overly reliant on any one area of security, and it is therefore better positioned to deal with new and emerging threats, as well as with those that have existed within organisations for any number of years. 

What does CARTA mean for email security?

CARTA dictates that security friction be continuously assessed and applied in proportion to the actual risk of a breach. Yet email security has a reputation for being inherently static. DLP rules are applied from static libraries and, often, encryption is simply switched on or switched off. Recipient authentication, meanwhile, is applied in 'one-size-fits-all' methods relying on either weak one-time passwords or user enrolment schemes. 

In its recent Market Guide for Email Security, Gartner recommends that customers adopt a CARTA approach to email security - but is it possible to bring these two apparent opposites together?

At Egress, we prioritise a people-centric approach to security, which ultimately looks to wrap protection around users as they carry out their day-to-day tasks and provide a safety net when, inevitably, mistakes happen as they share data via email. In addition, because this approach is based on using technology to detect anomalous behaviours, it can also be used to detect and prevent malicious data breaches (that 'trusted' employee exfiltrating information). 

What's more, this is closely aligned with the CARTA methodology. In the context of email security, a CARTA approach requires continuous assessment of the risk of an actual data breach as sensitive content is shared across potentially untrusted networks, and the application of appropriate protection as those risks change. Egress implements a CARTA-inspired approach to email data protection by following these five steps:

  1. Continuously analyse the risk of sharing emails: As an email message is being composed by the user, Egress analyses all characteristics of the email, including the recipient fields, the subject, the message body, attachments and any classification labels applied by the user. In real time, Egress also looks up any history of communication with the recipient(s) and the security characteristics of the recipients' domains, including domain reputation, versions of TLS deployed, DMARC, SPF, etc.
  2. Prevent content being shared with the wrong people: Based on the analysis performed, Egress ensures that sensitive content, including any attachments, is only shared with the correct recipients. Organisations can set policies to warn users, quarantine emails or entirely block them based on the severity of the issue.
  3. Apply the right protection to emails: Traditionally, an increase in security has almost always been associated with an increase in friction for end users. Egress can apply the right amount of encryption to emails after considering the various risk factors as an email travels through private and public networks, and is eventually accessed by the recipient. This could vary from sending the email via TLS to highly trusted and secure networks, to applying watermarking and message expiry when end networks and recipients are deemed risky.
  4. Dynamically authenticate recipients and enforce access: Recipients from trusted devices and networks following predictable patterns are provided with seamless access to encrypted messages. Access rights to messages can be changed in real time as business relationships and risk factors change. This includes watermarking, preventing the download of attachments, recalling messages, and expiring messages.
  5. Report and adapt: The Egress platform constantly updates and refreshes the data that it holds about user history and domain security characteristics so that it can make the most accurate decisions about risk. It provides organisations with dynamic reports on risky user behaviour and a detailed map of how sensitive data being shared is protected. Organisations can then apply procedural or technical controls to remediate these risks and calculate ROI on investments in security technologies. 
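To make steps 1 and 3 concrete, here is an added example (not Egress's code) of a toy recipient-domain risk scorer: it parses SPF and DMARC records, combines them with the observed TLS version and the communication history, and maps the resulting score to a protection level. The DNS records, TLS versions and contact history are constructed stand-ins for live lookups, and the scoring weights, thresholds and protection names are illustrative assumptions; note that SPF and DMARC describe how well a domain protects its own outbound mail from spoofing, which the approach above uses as one proxy for the domain's overall hygiene.

```python
# Added example, not Egress's code: a toy recipient-domain risk scorer of the
# kind step 1 describes, mapped to a protection level as in step 3.
# SPF, DMARC and TLS inputs are constructed records standing in for DNS/MTA
# lookups; the scoring weights and thresholds are illustrative assumptions.
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-ins for DNS TXT lookups and observed SMTP TLS versions
# (invented data; these are not real domains' records).
SAMPLE_DNS: Dict[str, dict] = {
    "partner.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@partner.example",
        "tls": "1.3",
    },
    "shop.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@shop.example",
        "tls": "1.0",
    },
    "freemail.example": {
        "spf": "v=spf1 include:_spf.freemail.example ~all",
        "dmarc": None,
        "tls": None,            # no STARTTLS observed
    },
}

# Constructed communication history: messages previously exchanged per domain.
PRIOR_CONTACT = {"partner.example": 42, "shop.example": 3}


@dataclass
class DomainPosture:
    spf_all: Optional[str]        # "-all", "~all", "?all", "+all" or None
    dmarc_policy: Optional[str]   # "reject", "quarantine", "none" or None
    tls_version: Optional[str]    # e.g. "1.2"; None if no TLS observed
    prior_messages: int


def parse_spf(record: Optional[str]) -> Optional[str]:
    """Return the SPF 'all' qualifier ("-all" etc.) or None if absent/invalid."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not m:
        return None
    return (m.group(1) or "+") + "all"   # a bare 'all' means '+all'


def parse_dmarc(record: Optional[str]) -> Optional[str]:
    """Return the DMARC 'p=' policy tag, or None if there is no valid record."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p")


def assess_domain(domain: str, dns=SAMPLE_DNS, history=PRIOR_CONTACT) -> DomainPosture:
    """Step 1: gather the recipient domain's posture and our history with it."""
    recs = dns.get(domain, {})
    return DomainPosture(
        spf_all=parse_spf(recs.get("spf")),
        dmarc_policy=parse_dmarc(recs.get("dmarc")),
        tls_version=recs.get("tls"),
        prior_messages=history.get(domain, 0),
    )


def risk_score(p: DomainPosture) -> int:
    """Illustrative additive score, 0 (lowest risk) to 9 (highest)."""
    score = {"reject": 0, "quarantine": 1, "none": 2}.get(p.dmarc_policy, 3)
    score += {"-all": 0, "~all": 1}.get(p.spf_all, 2)
    score += 0 if p.tls_version in ("1.2", "1.3") else (2 if p.tls_version is None else 1)
    score += 0 if p.prior_messages >= 10 else (1 if p.prior_messages > 0 else 2)
    return score


def protection_for(domain: str) -> str:
    """Step 3: pick a protection level from the score (thresholds are assumptions)."""
    score = risk_score(assess_domain(domain))
    if score <= 1:
        return "tls"                          # trusted, well-configured domain
    if score <= 5:
        return "encrypt"                      # encrypt the message itself
    return "encrypt+watermark+expiry"         # risky domain: add access controls


if __name__ == "__main__":
    for d in SAMPLE_DNS:
        print(d, risk_score(assess_domain(d)), protection_for(d))
```

Run as-is it prints the score and chosen protection for each constructed domain; in a real deployment the record lookups would be live DNS and SMTP observations, refreshed continuously as step 5 describes, and the weights would be tuned to the organisation's own risk appetite.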

Contact us for more information about how Egress can help your organisation adopt a CARTA approach to email security, prevent data breaches and help protect sensitive information.