informa
5 min read
article

Cybersecurity Mesh Architecture: Hope or Hype?

Gartner has touted CSMA as one of the top technology trends for this year. But what is it really?

Gartner's prognostications on approaches that it thinks could significantly improve enterprise security over the next few years include one of its own: cybersecurity mesh architecture (CSMA).

The analyst firm has described CSMA as one of the top technology trends to watch for in 2022, calling it an approach that could help organizations reduce the cost of security incidents by 90% over the next two years.

Driving the need for the approach, according to Gartner, is the growing sophistication of cyberattacks, the migration of assets to the hybrid multicloud, and the adoption of remote work models. The remote work trend, in particular, has left organizations supporting a wide variety of poorly integrated security tools across multiple environments.

What exactly is CSMA, and why is Gartner so bullish about it? In Gartner's view, CSMA is a framework for tying disparate technologies together into a cohesive whole, where security information and alerts are seamlessly shared and correlated between products to enable faster detection and response.

In Gartner's words, "Cybersecurity mesh is a modern security approach that consists of deploying controls where they are most needed." Rather than having every security tool running in a silo, "a cybersecurity mesh enables tools to interoperate by providing foundational security services and centralized policy management and orchestration," according to the analyst firm. The mesh architecture approach allows organizations to more effectively extend security controls to distributed assets out the traditional enterprise perimeter, Gartner has noted.

Rik Turner, a principal analyst at Omdia, describes CSMA as a modular approach that centralizes security policy orchestration but distributes enforcement to the places where it is needed. "In essence, each asset within an organization's infrastructure gets its own notional perimeter," he says.

Access rights are governed centrally by a stack consisting of security analytics and threat intelligence, an identity fabric, policy and posture management, and a single dashboard for the security team to manage and mesh.

The controlling stack in Gartner's framework sits in the middle of the mesh and communicates with a wide variety of security controls, including those at the endpoint, the cloud, around apps and email, data, and for identity and access management, Turner says.

The sheer volume and velocity of IT deployment and development across the typical enterprise has left security teams scrambling to try and secure numerous disparate projects, all with their specific security requirements and levels of maturity, adds Fernando Montenegro, a senior principal analyst at Omdia. "Bringing it all back together in a ‘mesh’ like this is a way to let security retain tighter controls."

He predicts that adoption of CSMA will hinge on the availability of a capable enough platform for tying together various enterprise security technologies into a seamless mesh. Organizational alignment between the security team and the rest of the organization is also going to be crucial, Montenegro says. A good place for organizations to begin down the path toward a CSMA-like architecture is the identity infrastructure, he says. That's because the identities of people and things are central to what they can and cannot do in a CSMA-like environment.

An Idea or an Architecture?
For the moment, CSMA is not much more than an idea and is far from a formal architecture, Turner says. It's one of many ideas put forth as an alternative to the traditional castle-and-moat approach to enterprise security that has come under tremendous strain in recent years with the disaggregation of corporate infrastructure and apps into the cloud. The accelerated adoption of remote and hybrid environments in response to the COVID-19 pandemic has rendered obsolete old security models based on blocking everything at the perimeter and trusting those on internal networks.

"This is where Gartner’s suggestion of a cybersecurity mesh approach comes in," Turner says. "It is designed to help organizations in the rethinking process."

Turner likens the traditional security approach to border controls where once someone gets in, they can go anywhere, and stay on illegally even after their permitted duration of stay.

"By contrast, [Gartner's] approach authorizes you to enter the country but only to go to a specific town or city, only for a limited period, and keeps an eye on you via CCTV throughout your stay," Turner says.

Immigration authorities track every moment and ensure access is terminated after the permitted duration — or earlier for any violations of policy.

If that sounds a lot like zero trust, that's because it is, Turner says. The cybersecurity mesh idea can be thought of as a way of organizing enterprise cybersecurity infrastructure to deliver zero trust — an approach that Forrester first articulated and Gartner signed onto later.

"I think Gartner’s formulation of it as the cybersecurity mesh architecture is a bit of a stretch in that it is more notional than architectural at this stage," he says.

John Pescatore, director of emerging security trends at the SANS Institute, views CSMA as a recycled approach to security automation and orchestration. "Basically, for it to work, all security tools and controls need to talk directly to each other and produce or ingest security intelligence feeds," he says.

They also need to be able to communicate with a common enterprise identity fabric, use standardized policy languages, and perform dynamic enforcement. The probability of all that happening — especially since standard policy languages don't even exist yet — in a 10-year time frame are very remote, Pescatore predicts.

"Big vendors who have one of every product will jump on this," he says. And so will a few Google-scale companies that have the resources to internally develop the code needed for a mesh architecture. But expect low adoption among the Fortune 500 and other organizations, he says.