Cybersecurity is Getting Meshy

Cybersecurity has changed significantly over recent years. Distributed networks, cloud services, subscription models, and remote work have made the traditional strategy of selecting specific solutions for each potential risk increasingly impractical. Traditional perimeter approaches have resulted in an average of 45 different security solutions deployed across the modern enterprise network. In addition, security risks are becoming increasingly external. The software supply chain, the public cloud, the trading of breached data, IoT proliferation, and operational technology (OT) are all threats outside of traditional perimeter security.

The sheer number of tools required to secure modern networks the traditional way, which frequently lack vendor interoperability, makes centralised management and monitoring an evolving headache. The days of deploying unintegrated point solutions for each threat are gone. It is time for a new strategy.

Cybersecurity mesh architecture, or CSMA, is being touted as a practical and flexible new approach to managing the threats to modern enterprise networks. One of the fundamental drivers for this new approach has been the significant shift away from the ‘castle and moat’ or ‘walled cities’ paradigm of network security. The necessity of remote work brought about by pandemic pressures in tandem with the rapid digitisation of the modern workforce has established ‘hybrid multicloud’ as the increasingly dominant network architecture, where most organisational cyberassets now reside outside traditional physical and logical security perimeters.

Because hybrid cloud and multicloud architectures utilise one or more public cloud services in tandem with on-premises servers and private cloud resources, the concept of the ‘walled city’ approach to cybersecurity has become increasingly obsolete. These distributed resource and worker models have become aptly referred to as ‘anywhere operations’.

CSMA aims to secure these distributed architectures by allowing “anyone to access any digital asset securely, no matter where the asset or person is located”. By embracing the cloud delivery model, CSMA decouples policy enforcement from policy decision making, effectively making identity itself the defined security perimeter.

Gartner predicts that by 2025, over half of digital access control requests will be supported by CSMA. This prediction appears to be on track, given the increasing shift towards vertical-market clouds where cloud providers offer industry-specific services around security, compliance, and other factors.

Bringing Down the City Walls with Mesh

To understand exactly what cybersecurity mesh architecture is, it is helpful to revisit what it is not. CSMA does not draw from the traditional defence-in-depth strategies and ‘walled cities’ approaches where password-protected network perimeters provide access to an entire network with internally managed permissions.

Instead, CSMA provides individual perimeters around each access point through a central point of authority which distributes and enforces security policy. Instead of a walled city surrounding the assets within a single perimeter, think more of many individual personal shields.

With assets, workforces, and cloud services becoming increasingly distributed away from the protective environment of the traditional network, CSMA envisions utilising identity, not simply as the key to the kingdom, but as the perimeter itself.

The primary advantage of this approach is that assets can be secured, regardless of location, by defining the security perimeter around the identities of users and machines on the network. However, to understand how this all works, we will need to revisit several related technologies and wade through a range of acronyms.

There are four main layers of cybersecurity mesh. These include:

  1. Security Analytics and Intelligence Layer: This layer focuses on collecting, aggregating, and analysing security data from various security tools.
  2. Distributed Identity Fabric Layer: This layer focuses on providing identity and access management services, which are central to a zero-trust security policy.
  3. Consolidated Policy and Posture Management Layer: This layer converts policies into the rules and configuration settings needed for a particular environment or tool.
  4. Consolidated Dashboards Layer: This layer provides integrated visibility into an organisation’s complete security architecture, enabling more efficient detection, investigation, and response to security incidents.
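The first and fourth layers are easiest to picture with a small pipeline. The following is an added example, not code from the article or from any vendor it mentions: alerts from two constructed tool formats (an EDR JSON record and a gateway syslog-style line) are normalised into one schema, correlated by the identity they concern, and summarised the way a consolidated dashboard would. Hosts, users, addresses, timestamps and both log formats are constructed sample data.

```python
"""Added example, not from the article: the analytics/intelligence and dashboard
layers in miniature. Alerts from two constructed tool formats (an EDR JSON record
and a gateway syslog-style line) are normalised into one schema, correlated by the
identity they concern, and summarised. Hosts, users, addresses and times are all
constructed sample data."""

import json
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed input from two tools that know nothing about each other.
EDR_RECORDS = [
    '{"ts": "2024-03-01T09:14:02Z", "host": "lt-042", "user": "alice", "verdict": "suspicious", "proc": "powershell.exe"}',
    '{"ts": "2024-03-01T09:40:11Z", "host": "lt-017", "user": "bob", "verdict": "clean", "proc": "excel.exe"}',
]
GATEWAY_LINES = [
    "2024-03-01T09:15:30Z gw1 DENY user=alice src=10.20.4.42 dst=10.30.0.5 dport=5432",
    "2024-03-01T11:02:09Z gw1 ALLOW user=bob src=10.20.4.17 dst=10.30.0.9 dport=443",
]

GATEWAY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ALLOW|DENY) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise_edr(line: str) -> dict:
    """EDR record -> common schema keyed on the identity involved."""
    r = json.loads(line)
    return {"ts": parse_ts(r["ts"]), "source": "edr", "identity": r["user"],
            "asset": r["host"], "severity": 2 if r["verdict"] == "suspicious" else 0,
            "detail": r["proc"]}


def normalise_gateway(line: str) -> dict:
    """Gateway line -> common schema; unparsed lines are an error, not silently dropped."""
    m = GATEWAY_RE.match(line)
    if not m:
        raise ValueError(f"unparsed gateway line: {line!r}")
    d = m.groupdict()
    return {"ts": parse_ts(d["ts"]), "source": "gateway", "identity": d["user"],
            "asset": d["dev"], "severity": 1 if d["action"] == "DENY" else 0,
            "detail": f"{d['action']} {d['src']}->{d['dst']}:{d['dport']}"}


def correlate(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Raise a finding when one identity has non-zero signals from different tools inside the window."""
    by_identity = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_identity.setdefault(e["identity"], []).append(e)
    findings = []
    for identity, evs in by_identity.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if (a["severity"] and b["severity"] and a["source"] != b["source"]
                        and b["ts"] - a["ts"] <= window):
                    findings.append({"identity": identity,
                                     "sources": sorted({a["source"], b["source"]}),
                                     "score": a["severity"] + b["severity"],
                                     "detail": [a["detail"], b["detail"]]})
    return findings


def dashboard(events: list, findings: list) -> dict:
    """The consolidated view an analyst would see: volume per tool and open findings."""
    return {"events_by_source": dict(Counter(e["source"] for e in events)),
            "open_findings": len(findings),
            "identities_flagged": sorted({f["identity"] for f in findings})}


def run_pipeline() -> dict:
    events = ([normalise_edr(l) for l in EDR_RECORDS]
              + [normalise_gateway(l) for l in GATEWAY_LINES])
    findings = correlate(events)
    return {"findings": findings, "dashboard": dashboard(events, findings)}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), default=str, indent=2))
```

The point of the common schema is that the correlation key is the identity, not the host or the address: the EDR alert and the denied connection come from tools that cannot see each other, and only the identity fabric ties them to the same person.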

A Mesh of Acronyms

Cybersecurity loves an acronym, and tracing the evolution of the CSMA concept can make even the most seasoned practitioner’s head spin. Starting with the more familiar Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR), we can track the development of the CSMA strategy through SASE (Secure Access Service Edge technologies), CASB (Cloud Access Security Brokers), XDR (Extended Detection and Response), and ZTNA (Zero Trust Network Access). Unlike SIEM or SOAR which integrate various security tools to coordinate and execute security incident management, CSMA primarily utilises security analytics and intelligence, together with identity, policy, posture and dashboard layers. In this way, CSMA more closely resembles XDR.

Extended Detection and Response (XDR) seeks to provide greater visibility and control than traditional SIEMs across all endpoints, the network, and cloud workloads. XDR uses a collection of products within a single solution, typically including Endpoint Detection and Response (EDR), threat intelligence and analytics, antivirus software, firewalls, and data encryption. XDR provides a more holistic potential foundation than SIEM for the security analytics and intelligence layer in CSMA.

CSMA also has similarities to Secure Access Service Edge (SASE) technology. SASE aims to provide secure access to cloud and network resources by applications, services, users, and machines, typically delivered as a cloud service. Rather than these services being delivered by standalone systems, SASE technologies combine SD-WAN, CASB, secure web gateways, ZTNA, Firewalls as a Service (FaaS), VPNs, and microsegmentation. SASE, therefore, has much technology in common with CSMA.

For example, Software-Defined Networking (SDN) and Software-Defined Wide Area Networks (SD-WAN) enable the network to be intelligently and centrally controlled, or ‘programmed,’ using software applications. This provides a foundation for CSMA’s central point of authority for distributing and enforcing security policy consistently and holistically, regardless of the underlying network technology. Although SASE may be described as a meshy method of distributing diverse functions in an integrated manner, CSMA has an even broader scope.

Cloud Access Security Brokers (CASB) also provide a possible foundation for CSMA by utilising an on-premises or cloud-based security policy enforcement point. This point of enforcement is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed.

Zero-Trust Network Access (ZTNA) is another key feature of CSMA and reflects the ‘personal shield’ concept that is central to the approach. ZTNA embraces three central principles:

  1. All entities are untrusted by default – This requires continuous verification and the checking of every request from every user for every resource.
  2. Least privilege access is enforced – This is designed to limit breach impact and access through minimal permissions.
  3. Comprehensive security monitoring is implemented – This requires the collection of evidence including logs, behavioural data, and context to enable the tracking, monitoring, and validation of compliance for every access to every monitored resource.
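The decoupling of policy decisions from policy enforcement described earlier, and the three ZTNA principles just listed, fit together in a few dozen lines. The following is an added example, not code from the article or from any product it names: a single policy decision point (PDP) answers for every enforcement point (PEP), the default answer is deny, roles grant only the actions listed, and every decision is recorded with its context. The identities, roles, resources, posture signals and policy entries are all constructed.

```python
"""Added example, not from the article: a minimal policy decision point (PDP)
separated from the policy enforcement points (PEPs) in front of each resource.
It illustrates identity and context as the perimeter, and the three ZTNA
principles: deny by default, least privilege, and a record of every decision.
All identities, resources and policy entries are constructed."""

from dataclasses import dataclass, field

# Central policy: resource -> role -> permitted actions. Anything not listed is denied.
POLICY = {
    "payroll-db": {"finance-analyst": {"read"}, "finance-admin": {"read", "write"}},
    "build-server": {"developer": {"read", "write"}},
}


@dataclass
class Request:
    subject: str            # identity asserted by the identity provider
    roles: frozenset        # roles bound to that identity
    resource: str
    action: str
    mfa_verified: bool      # evidence of recent strong authentication
    device_compliant: bool  # posture signal from the endpoint agent


@dataclass
class Decision:
    allow: bool
    reason: str


@dataclass
class PolicyDecisionPoint:
    policy: dict
    audit_log: list = field(default_factory=list)

    def evaluate(self, req: Request) -> Decision:
        """Every request is evaluated afresh; no trust carries over from the network location."""
        if not req.mfa_verified:
            decision = Decision(False, "strong authentication not verified")
        elif not req.device_compliant:
            decision = Decision(False, "device posture non-compliant")
        else:
            permitted = set()
            for role in req.roles:
                permitted |= self.policy.get(req.resource, {}).get(role, set())
            if req.action in permitted:
                decision = Decision(True, "permitted by role policy")
            elif permitted:
                decision = Decision(False, f"action {req.action!r} exceeds least privilege")
            else:
                decision = Decision(False, "no matching policy (deny by default)")
        # Comprehensive monitoring: every decision, allow or deny, is logged with its context.
        self.audit_log.append({
            "subject": req.subject, "resource": req.resource, "action": req.action,
            "roles": sorted(req.roles), "mfa": req.mfa_verified,
            "device_compliant": req.device_compliant,
            "allow": decision.allow, "reason": decision.reason,
        })
        return decision


class EnforcementPoint:
    """A PEP guarding one resource; it enforces the PDP's answer and decides nothing itself."""

    def __init__(self, resource: str, pdp: PolicyDecisionPoint):
        self.resource = resource
        self.pdp = pdp

    def handle(self, req: Request) -> str:
        if req.resource != self.resource:
            return "DENY: request routed to the wrong enforcement point"
        d = self.pdp.evaluate(req)
        return "ALLOW" if d.allow else f"DENY: {d.reason}"


def run_samples():
    """Constructed requests against the payroll-db PEP; returns outcomes and the audit log."""
    pdp = PolicyDecisionPoint(POLICY)
    pep = EnforcementPoint("payroll-db", pdp)
    samples = [
        Request("alice", frozenset({"finance-analyst"}), "payroll-db", "read", True, True),
        Request("alice", frozenset({"finance-analyst"}), "payroll-db", "write", True, True),
        Request("bob", frozenset({"developer"}), "payroll-db", "read", True, True),
        Request("carol", frozenset({"finance-admin"}), "payroll-db", "write", True, False),
        Request("dave", frozenset({"finance-admin"}), "payroll-db", "read", False, True),
    ]
    return [pep.handle(r) for r in samples], pdp.audit_log


if __name__ == "__main__":
    outcomes, log = run_samples()
    for line in outcomes:
        print(line)
    print(f"{len(log)} decisions recorded")
```

Note that the PEP carries no policy of its own, so adding a second enforcement point in another cloud changes nothing about how decisions are made; only the PDP and its log need to be protected and monitored centrally.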

Although each of the existing technologies mentioned above provides some elements of the four CSMA layers, security mesh remains a strategy, rather than a defined architecture, despite the name.

So, if Cybersecurity Mesh Architecture is currently an architectural strategy, what can organisations do to pave the way to establishing this type of security architecture in their own hybrid cloud or multicloud enterprise network?

Making a Mesh of Your Enterprise Network

To leverage the advantages of CSMA for hybrid cloud and multicloud architectures, organisations can begin by building the supportive layers for a cybersecurity mesh strategy:

  1. Identify your attack surface. This can be achieved by assessing your current network for security gaps and vulnerabilities and prioritising the criticality of each resource and the severity of the associated risks using a solution such as Sapien Cyber’s Condor vulnerability management system.
  2. Invest in reliable security technology and tools. Investing in reliable security technologies will help the development of a holistic security approach which may include:
    1. Information Security: Securing business data from leaks and breaches by employing data loss prevention and email security.
    2. Authentication Protocols: Password management and multi-factor authentication to prevent unauthorised users.
    3. Perimeter Security: Application firewalls and unified threat management (intrusion detection, spam detection, content filtering, etc) to ensure perimeter security.
    4. Network Security: Continuous network monitoring via solutions such as Sapien Cyber’s Raptor threat management system to proactively identify vulnerabilities and threats and take preventive security measures. Network security measures should be capable of storing threat and alert data for future intelligence.
    5. Endpoint Security: Endpoint security practices such as implementing protective domain name system (DNS) filtering and MDR (managed detection and response) will stop malicious traffic from unauthorised sites and allow for the regular collection and analysis of data related to persistent threat processes.
    6. Backup and Disaster Recovery: Mapping out an ongoing and testable backup and disaster recovery strategy using appropriate software solutions is an essential, yet often neglected aspect of a holistic strategy.
  3. Employ interoperable technologies. Avoiding silos and focussing on integrating security analytics and associated data (either in the cloud or on-premises) allows for efficient traffic analysis and the triggering of appropriate responses.
  4. Decentralise identity management. Authentication protocols, zero trust network security, and identity proofing are essential for securing a remote workforce and enforcing authorised access beyond traditional perimeters.
  5. Centralise security policy management. Modern decentralised infrastructure employing public, private, and hybrid cloud (multi-cloud) solutions requires flexible security protocols and tools that separate policy and decision-making from implementation and enforcement. This centralised process converts policies into the rules and configuration settings needed for a particular environment or tool.
  6. Employ experienced security professionals and robust standards and frameworks. Security professionals who are well versed in current and emerging standards and open-source code projects that can supplement vendor interoperability gaps are essential to a successful security mesh implementation.
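Step 5 above, converting one central policy into the rules each environment or tool understands, is where interoperability gaps usually show up, so it is worth seeing concretely. The following is an added example, not code from the article or from any product it names: a central access rule is validated once and then rendered for two different enforcement points, and a posture check compares what policy says a gateway should run against what it actually runs. The iptables command form is real syntax, the JSON shape is a constructed stand-in for a hypothetical cloud firewall API, and every host, segment and rule name is made up.

```python
"""Added example, not from the article: a central policy store rendered into
tool-specific rules for two enforcement points, followed by a posture check that
compares what should be deployed against what is. The output formats are
illustrative: an iptables command line for an on-premises gateway and a constructed
JSON shape for a hypothetical cloud firewall API; all hosts and segments are made up."""

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    name: str
    source_segment: str   # CIDR the identity group's devices are placed in
    dest_host: str
    proto: str
    port: int


def validate(rule: AccessRule) -> None:
    """Reject policy entries a tool would otherwise silently misapply."""
    if rule.proto not in ("tcp", "udp"):
        raise ValueError(f"{rule.name}: unsupported protocol {rule.proto!r}")
    if not 1 <= rule.port <= 65535:
        raise ValueError(f"{rule.name}: port {rule.port} out of range")
    if not rule.name.replace("-", "").isalnum():
        raise ValueError(f"{rule.name}: rule names must be alphanumeric or hyphenated")


def render_iptables(rule: AccessRule) -> str:
    """On-premises gateway form: one explicit allow, tagged with the policy name."""
    validate(rule)
    return (f"iptables -A FORWARD -s {rule.source_segment} -d {rule.dest_host} "
            f"-p {rule.proto} --dport {rule.port} -m conntrack --ctstate NEW "
            f"-m comment --comment {rule.name} -j ACCEPT")


def render_cloud_json(rule: AccessRule) -> str:
    """Hypothetical cloud firewall form (constructed shape, not a real vendor API)."""
    validate(rule)
    return json.dumps({"name": rule.name, "direction": "ingress", "action": "allow",
                       "source": rule.source_segment, "destination": rule.dest_host,
                       "protocol": rule.proto, "port": rule.port}, sort_keys=True)


def gateway_config(rules) -> list:
    """Full on-prem ruleset: explicit allows, then a default-deny policy."""
    return [render_iptables(r) for r in rules] + ["iptables -P FORWARD DROP"]


def detect_drift(expected, deployed) -> dict:
    """Posture check: rules missing from a device, and rules present that policy never issued."""
    exp, dep = set(expected), set(deployed)
    return {"missing": sorted(exp - dep), "unexpected": sorted(dep - exp)}


# Constructed central policy: two identity-scoped allows.
CENTRAL_POLICY = [
    AccessRule("finance-to-payroll", "10.20.4.0/24", "10.30.0.5", "tcp", 5432),
    AccessRule("dev-to-build", "10.20.8.0/24", "10.30.0.9", "tcp", 443),
]

# Constructed snapshot of what a gateway actually has: one allow missing, and a
# hand-added blanket accept that central policy never issued.
DEPLOYED_SNAPSHOT = [
    render_iptables(CENTRAL_POLICY[0]),
    "iptables -A FORWARD -j ACCEPT",
    "iptables -P FORWARD DROP",
]


def run_posture_check() -> dict:
    return detect_drift(gateway_config(CENTRAL_POLICY), DEPLOYED_SNAPSHOT)


if __name__ == "__main__":
    for line in gateway_config(CENTRAL_POLICY):
        print(line)
    print(render_cloud_json(CENTRAL_POLICY[0]))
    print(json.dumps(run_posture_check(), indent=2))
```

The drift report is the posture half of the layer: a blanket accept that someone added by hand on one gateway is exactly the kind of silent deviation a consolidated policy store is meant to surface, and comparing rendered output rather than intent makes the check tool-agnostic.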

In summary, CSMA is a modern strategy for securing distributed and remote IT infrastructure, based on zero-trust strategies, integrated and interoperable components, and consolidated security tools. CSMA offers a holistic security strategy suited to modern distributed environments by extending security controls to the individual level and enhancing a zero-trust access approach. We invite you to discuss your cybersecurity mesh journey with us at Sapien Cyber and learn how our on-premises and cloud solutions can help you build out your CSMA layers and secure your distributed network architecture.