Gartner named cybersecurity mesh architecture (CSMA) one of its top cybersecurity trends in 2022 and again in 2023 (under the term “composable security”). But what exactly is CSMA? What benefits does it offer your organization, and what are the key elements to understand to get started? This article answers all those questions and more.
What is cybersecurity mesh architecture?
CSMA isn’t a specific product or service. Rather, cybersecurity mesh architecture is a strategy for improving cybersecurity and cyber resilience using a variety of tools and services that work together effectively. Gartner defines it as follows:
Cybersecurity mesh, or cybersecurity mesh architecture (CSMA), is a collaborative ecosystem of tools and controls to secure a modern, distributed enterprise. It builds on a strategy of integrating composable, distributed security tools by centralizing the data and control plane to achieve more effective collaboration between tools.
The crux of cybersecurity mesh architecture, accordingly, is the word “mesh” — with CSMA, cybersecurity solutions are not independent islands but an integrated and collaborative mesh or ecosystem. For instance, when one tool detects a threat, it will promptly inform all relevant other tools to facilitate quick and effective response.
How does cybersecurity mesh architecture differ from traditional approaches?
Perhaps the best way to understand cybersecurity mesh is to contrast it to traditional cybersecurity architecture, which involves establishing a single security perimeter for the entire network and working very hard to defend that perimeter. This model has become less and less effective in recent years. A core reason is that IT environments have become increasingly distributed, primarily due to widespread adoption of cloud technologies, a shift from using only company-controlled machines to bring-your-own-device (BYOD) policies and rapid expansion of remote work.
This transformation resulted in the evaporation of the traditional “network perimeter” and an explosion in the number of access points that can be exploited to compromise the whole IT ecosystem. It’s really no surprise that cyberattacks have become not just relentless but increasingly sophisticated and costly. To defend themselves, organizations typically deploy a variety of point security solutions. In fact, the average large organization uses some four dozen different cybersecurity tools. Those solutions deliver valuable functionality, from filtering out potential phishing emails to monitoring network traffic to detecting anomalous user behavior and other threats.
But for the most part, point solutions do not play especially well together — yielding a very complex security architecture in which risk signals are not automatically communicated promptly to all the decision points that could use them. These silos leave critical gaps that adversaries eagerly seek out and exploit. As a result, active threats can go undetected and incident response can be slow and ineffectual. For example, one solution might spot a spike in failed attempts to log in to an administrative account, which suggests an attempt to compromise powerful credentials. But that vital information might not be passed promptly to other solutions to enable a quick and intelligent response, such as temporarily removing privileged access to any critical data and services that the admin account has access to.
Cybersecurity mesh architecture helps address this vital issue by replacing the siloed approach with an integrated cybersecurity defense system across an organization’s distributed digital assets and identities. It offers a “centralized decentralized” model in which security controls can be applied to any device, application or identity, regardless of its location or platform.
The underlying strategy is to re-envision the perimeter at the identity layer and unify disparate security tools into a holistic ecosystem in which they work together towards common goals. Achieving this vision requires taking a modular approach to the cybersecurity stack, bringing together best-of-breed solutions that offer deeper and more standardized integration capabilities.
What are the benefits of cybersecurity mesh?
In 2022, Gartner predicted that by 2024, organizations adopting a cybersecurity mesh architecture would reduce the financial impact of security incidents by an average of 90%. Exactly how does CSMA promise to deliver such astonishing results? By delivering benefits like the following:
Improved cybersecurity and cyber resilience
By enabling security solutions and other controls to interoperate more effectively, cybersecurity mesh architecture can dramatically strengthen cybersecurity. In particular, CSMA enables the following:
- Reduction in security gaps — CSMA helps eliminate the security blind spots that commonly arise due to lack of interoperability and communication between standalone security solutions. Closing these gaps makes it harder for adversaries to slip into your network and escape notice if they do manage to get inside.
- More adaptive and granular access control —With cybersecurity mesh, different components can have their own security policies and controls, depending on their unique requirements and risk profiles, while still adhering to the organization’s overall security strategy and policies.
- Enhanced threat detection capabilities — Improved integration between security tools enables quick correlation of activity for better detection of even advanced threats across systems and platforms, as well as consolidated alerting and reporting.
- Faster and more effective incident response — CSMA speeds investigation of incidents and enables automated responses across security tools. For example, if one tool detects a threat, its integration with another tool could enable immediate locking of the associated user accounts.
- Consistent policies across the IT ecosystem — CSMA also provides centralized administration of security policy, which helps ensure consistent enforcement across systems.
Flexibility, agility, scalability and extensibility
Cybersecurity mesh architecture emphasizes composability, so organizations can quickly plug in the solutions they choose to meet their specific requirements. Application programming interfaces (APIs) enable extensions, customizations, analytics and other capabilities beyond what might be currently available from tools on the market.
Moreover, organizations can easily extend their architecture with new infrastructure components and security solutions as their business, security and technology needs evolve or new regulations appear. As a result, they can quickly achieve the benefits of implementing a partial approach to CSMA while paving the way for a fuller implementation down the road.
These features of cybersecurity mesh architecture provide the agility to quickly address changing business needs. For example, you can rapidly respond to emerging market demands, establish new distribution channels or other initiatives, and take advantage of new technologies — all while maintaining a strong cybersecurity posture.
IT team efficiency and productivity
Cybersecurity mesh provides a simpler and cleaner security architecture that is much easier to maintain. As we have already seen, CSMA makes it easier to deploy, configure and integrate tools. Central dashboards reduce the need to learn multiple interfaces for auditing, reporting and investigations, and to constantly switch between them to complete daily tasks. As a result, IT professionals can be far more effective with far less effort.
How does CSMA relate to Zero Trust?
The simple answer is that CSMA and Zero Trust are complementary approaches. The fuller answer is that cybersecurity mesh is an architecture model for IT environments, while Zero Trust is a security model for IT environments.
A security model is set of system design principles, controls and processes for ensuring the confidentiality, integrity and availability of IT assets. In other words, a security model helps guide the design of an IT architecture that delivers on your security goals while maintaining user productivity. The Zero Trust security model is founded on the premise the network is under threat at all times from internal and external actors and therefore no user, service or other element should be implicitly trusted. Instead, real-time information from multiple sources is used to make access decisions and other system responses.
Accordingly, cybersecurity mesh architecture goes hand-in-glove with Zero Trust, since security solutions are tightly integrated and communicating effectively.
What companies are using cybersecurity mesh?
The core principles behind CSMA have been around a long time, and most IT professionals do their best to implement them: They are always trying to break down silos, gain holistic visibility, and choose tools that integrate well and easily. CISOs are also largely aware of the concept of cybersecurity mesh and are working to incorporate the framework into their overall strategy.
Large tech companies that are moving quickly to adopt CSMA include:
- Google — Google uses a Zero Trust security model called BeyondCorp, which applies granular security policies to every request based on the context and identity of the user, device, app and data. This centralized access control is a core element of CSMA.
- Microsoft — Microsoft has developed a cloud-based security platform called Azure Sentinel, which collects and analyzes data from various sources to enable unified insight and response to security incidents.
- IBM — IBM offers a suite of security products and services that leverage AI and automation to enable a more integrated and intelligent security management system.
What are the foundational layers of cybersecurity mesh architecture?
Now, let’s dive deeper into the details of cybersecurity mesh architecture. Gartner offers the following reference diagram that illustrates the four foundational layers of CSMA, along with examples of the types of products and IT assets that might be involved:
Source: Gartner, “The Future of Security Architecture: Cybersecurity Mesh Architecture (CSMA)” Patrick Hevesi and Mary Ruddy, ID G00754315, 12 January 2022.
As shown above in the diagram, you can see the following four foundational layers of CSMA:
- Operations dashboards
- Policy, posture and playbook management
- Threat intelligence and analytics
- Identity fabric
Cybersecurity mesh architecture includes unified dashboards that deliver visibility into the organization’s complete security posture. Centralized alerting, investigation and reporting, along with visualizations of risk scores and other key metrics enables security teams to detect, investigate and respond to security events much faster and more effectively. This represents a huge advance over a traditional siloed approach to security in which IT pros must constantly switch between multiple screens and reports, struggling to gain a cohesive understanding of the IT environment, spot emerging threats, and respond quickly and effectively.
Note that the consolidated dashboards do not necessarily replace all the consoles of all the various security products in the IT ecosystem. Still, they provide an invaluable single pane of glass with dynamic visualization of risks and threats.
Consolidated policy and posture management
This layer is focused on building and managing the policies, configuration standards and playbooks necessary to ensure consistent security across a complex IT environment. It provides a central location for managing the settings of each security tool, as well as for orchestration of the policies and posture mappings between products. Options include translating central policies into the native rules and configuration constructs of individual security tools, or providing dynamic runtime authorization services. Standards such as the Open Policy Agent (OPA) can help organizations implement a common policy across all tools from different vendors.
In addition, this layer enables security teams to compare their organization’s standards to industry standards, such as those from the National Institute of Standards and Technology (NIST). The comparisons will be surfaced in the dashboard layer, where they can be used for purposes such as policy review and refinement, reporting to stakeholders, and compliance audits.
Security analytics and intelligence
The security intelligence layer is the “brain” of the cybersecurity mesh. It is typically powered by advanced technologies like machine learning (ML) and artificial intelligence (AI). Its purpose is to aggregate signals, indicators of compromise (IOCs), risk scores, threat intelligence and other data from your various security tools and provide intelligent threat analysis that enables real-time alerts and fast, effective response.
Solutions at this layer can include security information and event management (SIEM); security orchestration automation and response (SOAR); extended detection and response (XDR); and user and entity behavior analytics (UEBA) solutions. However, a key difference from traditional deployment is that cybersecurity mesh involves deep integration between products; this requires a catalog of connectors for the various security solutions. To be maximally effective, these types of tools need to become more advanced and autonomous, as well as better at collaborating with the intelligence layer. They also need to support deeper sharing of alert signals, an area in which standards are still evolving.
Distributed identity fabric
Each verified identity needs to be able to access the IT resources it legitimately needs from allowed devices and approved locations. Accordingly, an effective and well-managed identity fabric is a crucial element in CSMA. This layer provides a distributed identity framework that supports identity and access management (IAM) functions such as directory services, decentralized identity management, adaptive access, identity proofing and entitlement management.
In a traditional siloed architecture, IAM functions are often managed by different business units, which can lead to security gaps and user frustration. With CSMA, identity policy is managed centrally and applied more consistently, which enables both risk and trust signals to be used more broadly, facilitating both stronger security and a better user experience. For example, a cloud access security broker (CASB) might continuously monitor what users are actually doing in the service and use the identity fabric to cause the access control tool to prompt for multifactor authentication (MFA) when appropriate.
While many IAM tools are already fairly well integrated, they need to become even more composable in order to address the new IAM use cases that are constantly emerging. In addition, they must become more standards-based to improve the sharing of trust signals and reduce the need to create custom interfaces.
How can an organization get started with cybersecurity mesh?
The four foundational layers of CSMA provide a roadmap for implementation. For brand-new organizations, the layers provide a blueprint for designing and building the network infrastructure. But most organizations will be starting from a legacy IT ecosystem that could be quite complex, with dozens of security solutions already in place, which can make the effort more difficult.
There are many challenges: No single vendor has all the building blocks that are required, standards are still emerging, and products generally do not yet provide the necessary interoperability. Nevertheless, there are steps you can take today to advance toward a full CSMA implementation that will be viable regardless of how the marketplace matures.
Take stock of your current tools and identify gaps.
The first step is to understand your current cybersecurity strategy, risk profile, solutions and controls, and skillsets. Be sure to thoroughly map the data flows and analytical capabilities between your various tools.
Then, assess the maturity of your existing security tools based on both their functionality and their integration capabilities. Look for gaps that introduce blind spots, such as missing risk signals about device status or inability to track a user’s activity across on-premises and cloud applications.
Build the four foundational layers.
Next, begin building out each of the foundational layers as follows:
- Dashboards — The ideal dashboard will provide broad insight and real-time alerts, along with clear visualizations of real-time risk scoring. Consider whether you need multiple views for different IT security and stakeholder roles, as well as advanced features like customizable widgets and reports.
- Policy, posture and playbook management — Look for tools with capabilities that are aligned with established security standards like those from NIST, CIS and ISO.
- Threat intelligence and analytics — Favor SIEM, UEBA, SOAR, XDR and related tools that provide dynamic, entity-based risk scoring and that integrate well with your core security and identity solutions.
- Identity layer — Look for solutions that help you centrally administer identities and enforce sophisticated access policies across the entire IT environment.
Look for composable, standards-based tools.
When choosing security tools and services, check for deep integration capabilities that, whenever possible, are based on standards. As noted earlier, standards in the arena of cybersecurity mesh architecture are still evolving, but current examples include as OAuth 2.0, OpenID Connect, SCIM, OPA and CAEP.
Also look for open APIs that enable tools to easily share information, including identity context and risk intelligence. For example, you want your email gateway to be able to communicate with your network firewall, and for both to be able to inform authentication decisions.
Consider the vendor as well as the tool.
The quality of the vendor is as important as the quality of the tool or service. Seek out suppliers that have significant expertise and that have a track record of being responsive to changes in the security landscape and flexible in helping customers secure their environments.
Seek an appropriate level of consolidation.
Organizations are looking to simplify their security stack and licensing overhead through both tool and vendor consolidation. Indeed, a survey by Gartner found that 75% of organizations were pursuing security vendor consolidation in 2022, up from 29% in 2020.
When planning and implementing your cybersecurity mesh architecture, it’s important to strive for an appropriate level of consolidation. For instance, trying to limit your identity fabric to a single identity provider simply may not be realistic to effectively manage all your use cases, such as handling multiple different internal workforce groups as well as external contractors, customers, partners and so on.
The key is to manage your solution roadmap using your CSMA vision. The goal is to work toward an integrated ecosystem as tools and standards continue to evolve, without increasing your technical debt in the long run.
Review and revise!
Creating a cybersecurity mesh architecture is not a one-time project but an ongoing process. After all, your business needs, technologies, standards, available solutions and the threat landscape are all constantly changing. Therefore, it’s essential to regularly evaluate the performance and effectiveness of your cybersecurity ecosystem and make adjustments as needed. Clearly lay out which metrics need to be tracked and reviewed, from technical metrics to measures of how the CSMA strategy is impacting business outcomes.
Keep a particular eye on any areas where you have gaps, such as solutions that lack important functionality, do not integrate well or are not being supported well enough by the vendor. At the same time, keep track of product enhancements, since increasing maturity in one tool can be an opportunity for consolidation to simplify your technology stack.
Adopting a cybersecurity mesh architecture is an involved process, but well worth the investment. Moreover, it is a strategy that begins to yield benefits quickly — each step you take in the journey will help improve cyber security, simplify operations and position your organization for a bright future.