What is cybersecurity mesh and how can it help you?

What is cybersecurity mesh?

Cybersecurity mesh architecture (CSMA) is an architectural approach rather than a specific technology or market segment. It is a similar concept to zero trust. However, while zero trust presupposes that every device in an ecosystem is already compromised and potentially hostile, CSMA sees environments as disparate, logically separated and heterogeneous. That's a simplification, of course, but it's intrinsic and baked in.

In "Top Strategic Technology Trends for 2022: Cybersecurity Mesh," Gartner described CSMA:

Cybersecurity mesh architecture is a composable and scalable approach to extending security controls, even to widely distributed assets. ... CSMA allows security tools to integrate by providing a set of enabling services, such as a distributed identity fabric, security analytics, intelligence, automation and triggers, as well as centralized policy management and orchestration.

Cybersecurity mesh does this by having four distinct layers:

1. Security analytics and intelligence.
2. Distributed identity fabric.
3. Consolidated policy and posture management.
4. Consolidated dashboards.

Consider these layers through the lens of multi-cloud and work from anywhere. The mechanics of how a security policy goal is accomplished with cloud services can vary greatly from provider to provider. Storing a secret in Microsoft Azure Key Vault, for example, is different from using AWS CloudHSM or Google Cloud Key Management. Each has its own API, administration and security model. But while each service is different at the technical and implementation level, for most use cases, they achieve a similar policy goal: secrets management. This means the same policy objective translates to different implementations and configurations in different providers.

As such, consolidated policy and posture management that translates abstract policy objectives to specific configurations on individual providers can be tremendously helpful. For example, teams might define that all cryptographic key accesses are logged, that they conform to a certain key length, etc. A posture management tool can help ensure that those policies carry over to the right settings in the different providers used.

Likewise, if teams are serious about monitoring environments from a security perspective -- i.e., metrics, measurement, reporting and analysis -- they need a way to collect and consolidate information. Then, they need to tie that together with information about assets and threats -- through analytics and intelligence -- and review holistic telemetry.

Lastly, identity needs to span environments. Would it be acceptable if users or customers had to reauthenticate to an application if different elements of the application live in different PaaS or IaaS environments? Of course not. By its nature, the identity fabric needs to cover different environments.

Short-term effects of cybersecurity mesh

Practical-minded practitioners might be asking how all this changes their day-to-day lives. The answer is that it doesn't -- at least not directly or in the short term.

Right now, practitioners can go out and purchase any number of products that help accomplish the foundational layers of CSMA, as described by Gartner. Likewise, organizations have been aligning their multi-cloud and work-from-anywhere strategies to decouple policy from enforcement, to eliminate silos in their security stack, and to adapt to an increasingly porous and fragmented perimeter. For the latter, in some cases, they employ architectures that eschew the perimeter concept entirely.

Long-term effects of cybersecurity mesh

From a long-term perspective, cybersecurity mesh is beneficial for practitioners for three reasons:

1. Philosophical shifts sometimes drive the market, and the market, in turn, influences real-life architectures.
2. Industry acceptance makes it easier to incorporate the concept into architectural approaches.
3. It helps drive interoperability.

To illustrate the first point, think about zero trust. Zero trust dates back to the mid-1990s, but it became more popular since it was espoused by Google (BeyondCorp) in 2009 and Forrester Research in 2010. New companies and technology vendors have formed around the concept, and it has driven innovation and new features within existing vendor product portfolios. This, in turn, has driven initiatives in end-user technology organizations.

Just like with zero trust, those practitioners who understand why the CSMA model is compelling can be on the lookout for products that help achieve it, can use executive attention on the concept to help advance their security program and can otherwise be poised to turn the situation to their advantage.

Acceptance of an overall high-level concept by the industry can change how things are done. The increased acceptance of zero trust as a viable architectural model has changed how practitioners assess and audit cloud-native companies. Likewise, acceptance of CSMA as a viable architectural strategy can potentially simplify architectural discussions around multi-cloud, hybrid cloud, orchestration and containerization security -- for example, by causing organizations to recognize how complex modern cloud interrelationships are to plan accordingly. From there, it helps to make budget available for better monitoring and intelligence gathering and to better tie in sometimes-overlooked environments, such as private and hybrid cloud.

Recognizing that environmental differences play a role in securing the cloud will drive interoperability. The more abstract policies are tied to specific configurations and the more ways to synchronize, normalize and view together monitoring information from different providers, the more we help to alleviate things like lock-in. Taken together, these are all absolutely positive outcomes.

Ed Moyle is a technical writer with more than 25 years of experience in information security. He is currently the systems and software security director at Drake Software.