Cybersecurity is Getting Meshy
Cybersecurity has changed significantly over recent years. Distributed networks, cloud services, subscription models, and remote work have made the traditional strategy of selecting specific solutions for each potential risk increasingly impractical. Traditional perimeter approaches have resulted in an average of 45 different security solutions deployed across the modern enterprise network. In addition, security risks are becoming increasingly external. The software supply chain, the public cloud, the trading of breached data, IoT proliferation, and operational technology (OT) are all threats outside of traditional perimeter security.
The sheer number of tools required to secure modern networks the traditional way, which frequently lack vendor interoperability, makes centralised management and monitoring an evolving headache. The days of deploying unintegrated point solutions for each threat are gone. It is time for a new strategy.
Cybersecurity mesh architecture, or CSMA, is being touted as a practical and flexible new approach to managing the threats to modern enterprise networks. One of the fundamental drivers for this new approach has been the significant shift away from the ‘castle and moat’ or ‘walled cities’ paradigm of network security. The necessity of remote work brought about by pandemic pressures in tandem with the rapid digitisation of the modern workforce has established ‘hybrid multicloud’ as the increasingly dominant network architecture, where most organisational cyberassets now reside outside traditional physical and logical security perimeters.
Because hybrid cloud and multicloud architectures utilise one or more public cloud services in tandem with on-premises servers and private cloud resources, the concept of the ‘walled city’ approach to cybersecurity has become increasingly obsolete. These distributed resource and worker models have become aptly referred to as ‘anywhere operations’.
CSMA aims to secure these distributed architectures by allowing “anyone to access any digital asset securely, no matter where the asset or person is located”. By embracing the cloud delivery model, CSMA decouples policy enforcement from policy decision making, effectively making identity itself the defined security perimeter.
Gartner predicts that by 2025, over half of digital access control requests will be supported by CSMA. This prediction appears to be on track, given the increasing shift towards vertical-market clouds where cloud providers offer industry-specific services around security, compliance, and other factors.
Bringing Down the City Walls with Mesh
To understand exactly what cybersecurity mesh architecture is, it is helpful to revisit what it is not. CSMA does not draw from the traditional defence-in-depth strategies and ‘walled cities’ approaches where password-protected network perimeters provide access to an entire network with internally managed permissions.
Instead, CSMA provides individual perimeters around each access point through a central point of authority which distributes and enforces security policy. Rather than a walled city surrounding the assets within a single perimeter, think of many individual personal shields.
With assets, workforces, and cloud services becoming increasingly distributed away from the protective environment of the traditional network, CSMA envisions utilising identity, not simply as the key to the kingdom, but as the perimeter itself.
The primary advantage of this approach is that assets can be secured, regardless of location, by defining the security perimeter around the identities of users and machines on the network. However, to understand how this all works, we will need to revisit several related technologies and wade through a range of acronyms.
There are four main layers of cybersecurity mesh. These include:
- Security Analytics and Intelligence Layer: This layer focuses on collecting, aggregating, and analysing security data from various security tools.
- Distributed Identity Fabric Layer: This layer focuses on providing identity and access management services, which are central to a zero-trust security policy.
- Consolidated Policy and Posture Management Layer: This layer converts policies into the rules and configuration settings needed for a particular environment or tool.
- Consolidated Dashboards Layer: This layer provides integrated visibility into an organisation’s complete security architecture, enabling more efficient detection, investigation, and response to security incidents.
These layers are built on the core principles of zero trust:
- All entities are untrusted by default – This requires continuous verification and the checking of every request from every user for every resource.
- Least privilege access is enforced – This is designed to limit breach impact and access through minimal permissions.
- Comprehensive security monitoring is implemented – This requires the collection of evidence including logs, behavioural data, and context to enable the tracking, monitoring, and validation of compliance for every access to every monitored resource.
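The following is an added illustration (not code from the original article or from any vendor mentioned in it) of how the pieces above fit together: one central policy decision point holds the policy and records every decision, while lightweight enforcement points in front of each asset, wherever it is hosted, only ask and enforce. All identities, groups, resources and locations are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    subject: str            # authenticated identity (person or workload)
    groups: frozenset       # claims issued by the identity fabric
    device_compliant: bool  # posture signal supplied with every request
    resource: str           # asset name; its physical location is irrelevant
    action: str

class PolicyDecisionPoint:
    """Central authority: holds policy, decides, and logs every decision."""
    def __init__(self, rules):
        # rules: {(resource, action): frozenset(groups)}; anything absent is denied
        self.rules = rules
        self.audit = []   # evidence for monitoring and compliance validation

    def decide(self, req):
        allowed = self.rules.get((req.resource, req.action), frozenset())
        # Untrusted by default: a matching claim AND a compliant device are
        # both required; being "inside" a network grants nothing.
        permitted = bool(allowed & req.groups) and req.device_compliant
        self.audit.append((req.subject, req.resource, req.action, permitted))
        return permitted

class PolicyEnforcementPoint:
    """Sits in front of one asset (cloud, on-prem, SaaS) and only enforces."""
    def __init__(self, location, pdp):
        self.location = location
        self.pdp = pdp

    def handle(self, req):
        verdict = "allow" if self.pdp.decide(req) else "deny"
        return f"{self.location}: {verdict}"

def run_scenario():
    # Least privilege: read and write on the same asset are separate grants.
    pdp = PolicyDecisionPoint({
        ("payroll-db", "read"): frozenset({"finance"}),
        ("payroll-db", "write"): frozenset({"payroll-admin"}),
    })
    cloud_pep = PolicyEnforcementPoint("cloud-eu", pdp)      # constructed location
    onprem_pep = PolicyEnforcementPoint("dc-onprem", pdp)    # constructed location
    alice_read = Request("alice", frozenset({"finance"}), True, "payroll-db", "read")
    alice_write = Request("alice", frozenset({"finance"}), True, "payroll-db", "write")
    bob_bad_device = Request("bob", frozenset({"payroll-admin"}), False, "payroll-db", "write")
    results = [cloud_pep.handle(alice_read), onprem_pep.handle(alice_write),
               cloud_pep.handle(bob_bad_device)]
    return results, pdp.audit
```

Note that the same decision logic applies whether the enforcement point is in the cloud or on-premises, and that every request, permitted or not, leaves an audit record.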
Key steps towards implementing a cybersecurity mesh include:
- Identify your attack surface. This can be achieved by assessing your current network for security gaps and vulnerabilities and prioritising the criticality of each resource and the severity of the associated risks using a solution such as Sapien Cyber’s Condor vulnerability management system.
- Invest in reliable security technology and tools. Investing in reliable security technologies will help the development of a holistic security approach which may include:
  - Information Security: Securing business data from leaks and breaches by employing data loss prevention and email security.
  - Authentication Protocols: Password management and multi-factor authentication to prevent unauthorised users.
  - Perimeter Security: Application firewalls and unified threat management (intrusion detection, spam detection, content filtering, etc.) to ensure perimeter security.
  - Network Security: Continuous network monitoring via solutions such as Sapien Cyber’s Raptor threat management system to proactively identify vulnerabilities and threats and take preventive security measures. Network security measures should be capable of storing threat and alert data for future intelligence.
  - Endpoint Security: Endpoint security practices such as domain name system (DNS) security controls and MDR (managed detection and response) will stop malicious traffic from unauthorised sites and allow for the regular collection and analysis of data related to persistent threat processes.
  - Backup and Disaster Recovery: Mapping out an ongoing and testable backup and disaster recovery strategy using appropriate software solutions is an essential, yet often neglected, aspect of a holistic strategy.
- Employ interoperable technologies. Avoiding silos and focusing on integrating security analytics and associated data (either in the cloud or on-premises) allows for efficient traffic analysis and the triggering of appropriate responses.
- Decentralise identity management. Authentication protocols, zero trust network security, and identity proofing are essential for securing a remote workforce and enforcing authorised access beyond traditional perimeters.
- Centralise security policy management. Modern decentralised infrastructure employing public, private, and hybrid cloud (multi-cloud) solutions requires flexible security protocols and tools that separate policy and decision-making from implementation and enforcement. This centralised process converts policies into the rules and configuration settings needed for a particular environment or tool.
- Employ experienced security professionals and robust standards and frameworks. Security professionals who are well versed in current and emerging standards, and in open-source projects that can supplement vendor interoperability gaps, are essential to a successful security mesh implementation.