The Cloud movement and the adoption of Cyber Security Mesh Architecture (CSMA) are both responses to similar underlying pressures in the rapidly evolving digital landscape. And their guiding principles are similar — loosely coupled, modular, scalable, flexible, standards-driven, and composable. Just as the Cloud Approach came from the need for greater scalability, flexibility, and efficiency in software deployment and management, CSMA has emerged as a solution to the increasing complexity and distributed nature of modern cybersecurity challenges.
Cloud architectures break down applications into microservices to make them more manageable, resilient, and adaptable. CSMA decentralizes security controls, distributing them closer to the assets they protect. This parallel evolution reflects a broader shift in technological strategy, where both application development and cybersecurity are moving away from monolithic, centralized systems towards more distributed, agile, and responsive frameworks.
This shift is both technological and philosophical, representing a deeper understanding of the need for systems that can rapidly adapt to change while maintaining robust performance and security.
Not surprisingly, the core principles of the Cloud Approach provide strong guidance for CISOs looking to roll out CSMA. Here are some core principles and how they apply to CSMA design and implementation.
Architecture and implementation should abstract infrastructure (as much as possible)
The infrastructure of today is not the infrastructure of tomorrow. That’s not just due to changes in how we deploy and deliver technology: it’s also true even within an enterprise over a brief span.
Today, CTOs and CIOs have multiple options for technology infrastructure: on-prem, cloud, multi-cloud, hybrid cloud, PaaS, SaaS, and serverless. New technologies, such as WebAssembly and fully distributed or edge computing, are constantly emerging and adding new infrastructure options. Developers building applications and teams delivering services want to use the infrastructure of their choice.
To future-proof organizational security not just for upcoming years but even for upcoming months, a CSMA should be designed to abstract infrastructure and work across all modalities while allowing for the easy addition of new capabilities and technologies. In practical terms, this means a CSMA must be built on top of a foundation of extensible, backward-compatible interfaces that make such abstractions possible. This mindset started in earnest with early SOA and XML architectures and accelerated with the Cloud Approach, where interfaces and interoperability are absolutely critical (and can be bottlenecks and security risks when poorly designed).
Process standardization and instrumentation for all technologies associated with the mesh to ensure holistic processes
Every technology and security process that can be standardized should be standardized (even if it's an internal standard). This can take the form of playbooks, flow diagrams, process specifications, or any other mechanism. That said, CISOs that want to implement more robust process standardization will instrument process flows. Instrumentation enables programmatic systems to measure and evaluate the efficacy of process standardization.
What is measured matters. Left to their own devices, humans will create multiple processes. Worse, information about process execution and what actually happened — for example, during a security response — will be lost or changed through human memory rather than objective measurements. Standardization and instrumentation offer a better way to capture, observe, and enforce accountability for process discipline.
Separation of concerns as a critical design element
In networking and security, separation of concerns has long been considered a crucial design principle. In routers, the control plane manages processes, rules, and policies, while the data plane manages how data moves back and forth. A CSMA should have a control plane and a data plane to enforce the separation of concerns. This is critical to safeguarding the security of your CSMA and to enabling dual-track development of data-plane needs and policy or management needs.
Sophisticated cyber attackers today seek to subvert existing security controls. This is made easier by the design of most tools, which does not separate control and data functions. A CSMA control plane floats a level above the control mechanisms of existing controls, but having it segregated and making it more observable through separation of concerns will make it far easier to wall off attacks. In addition, the separation of concerns will allow for more agile management of systems because the control plane can scale policies and behaviors across all controls and systems.
Everything is connected via APIs. Management is achieved via a single API
In cloud computing, all elements of applications, from compute to storage to message queueing to load balancers, have APIs and are controlled and monitored via those APIs. This approach affords modularity, scalability and resilience. It allows for a “Lego blocks” approach to building infrastructure, either within clouds, across clouds, or spanning on-prem and cloud.
The structure of APIs also makes it possible to design for the future and build in certainty about functionality and compatibility. A CSMA should have at its core a set of well-designed APIs for connecting systems. That said, a CSMA is best managed via a single, unified management API — similar to what we see with Kubernetes. A single management API streamlines any tooling or processes to control, observe and modify CSMA components and underlying processes.
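To make the preceding principles concrete (infrastructure abstraction, instrumented processes, a control plane kept apart from the data plane, and one management API in front of every control), here is an added illustration that is not code from the article or from any CSMA product. The `Policy` object, the adapter contract and the two adapters (a host firewall and a cloud security group) are hypothetical; the control plane exposes a single `push` call and records every outcome so process coverage can be measured rather than remembered.

```python
from dataclasses import dataclass
from typing import Protocol

# Control-plane object: a normalized policy with no infrastructure details in it.
@dataclass(frozen=True)
class Policy:
    name: str
    action: str   # "deny" or "allow"
    cidr: str     # source address range
    port: int     # TCP destination port

# Data-plane contract: each control translates a Policy into its own native form.
class ControlAdapter(Protocol):
    kind: str
    def apply(self, policy: Policy) -> str: ...

class HostFirewall:
    """Hypothetical on-prem control emitting an iptables-style rule line."""
    kind = "host-firewall"
    def apply(self, policy: Policy) -> str:
        verb = "DROP" if policy.action == "deny" else "ACCEPT"
        return f"-A INPUT -s {policy.cidr} -p tcp --dport {policy.port} -j {verb}"

class CloudSecurityGroup:
    """Hypothetical cloud control; security groups cannot express explicit denies."""
    kind = "cloud-sg"
    def apply(self, policy: Policy) -> str:
        if policy.action != "allow":
            raise ValueError("security groups only express allow rules")
        return f"ingress tcp {policy.port} from {policy.cidr}"

class ControlPlane:
    """Single management API over heterogeneous controls, with instrumentation."""
    def __init__(self, adapters):
        self.adapters = list(adapters)
        self.audit = []   # instrumentation log: (policy name, control kind, status)

    def push(self, policy: Policy) -> dict:
        results = {}
        for adapter in self.adapters:
            try:
                results[adapter.kind] = ("ok", adapter.apply(policy))
            except ValueError as exc:   # a control that cannot honour the policy
                results[adapter.kind] = ("error", str(exc))
            self.audit.append((policy.name, adapter.kind, results[adapter.kind][0]))
        return results

    def coverage(self) -> float:
        """Fraction of policy pushes each control accepted: a measurable metric."""
        if not self.audit:
            return 0.0
        return sum(1 for _, _, status in self.audit if status == "ok") / len(self.audit)
```

A push that one control cannot express is not lost in someone's memory: it lands in the audit log as an `error` and lowers the coverage figure the CISO can act on.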
Containerize controls and avoid appliances
Containers contributed to the rapid growth and adoption of clouds. Building on the initial technology of virtual machines, containers abstracted the networking and compute layers. This abstraction made it easier to build applications that could be ported to different environments. In the cloud, this was particularly important because many organizations wanted to run the same applications on-premise and in the cloud. Similarly, they wanted to standardize on infrastructure components like load balancers, application delivery systems, and security controls such as firewalls.
Historically, security controls have been deployed as appliances — often as hardware boxes and, more recently, as specific cloud instances of applications running in their own dedicated VMs or cloud instances. For a CSMA to be most effective, controls should be containerized to enable portability, scalability, and resilience. Containers are easy to stand up and tear down, and easy to scale either horizontally or vertically. A CSMA should follow this design convention and should avoid more brittle and rigid security appliances.
A CSMA That Mirrors the Cloud is a Better CSMA
There is a very good reason why cloud computing took off. It provides a superior paradigm for API and service-driven application delivery, and it makes computing and infrastructure a variable rather than a fixed cost. The whole concept of the CSMA is to emphasize flexibility and modularity, both to improve capabilities and to improve efficiency and security. CSMA also better matches modern applications’ requirements for ubiquitous and continuous security, which has replaced the old “crunchy exterior, soft interior” model of IT defense.
Mirroring the cloud paradigm as core design principles for a CSMA provides a solid foundation for building a cohesive, scalable, and performant security mesh — a living, breathing system that will stand the test of time and grow to meet the needs of any organization.
John Morello is the Co-Founder and CTO of Gutsy. Previously, he was the CTO of Twistlock and helped take the company to over 400 customers, including 45% of the Fortune 100, and a $.5B exit to Palo Alto Networks, where he served as VP of Product for Prisma Cloud. John holds multiple cybersecurity patents and is an author of NIST SP 800-190, the Container Security Guide. Prior to Twistlock, he was the CISO of an S&P 500 global chemical company. Before that, he spent 14 years at Microsoft, where he worked on security technologies in Windows and Azure and consulted on security projects across the DoD, the intelligence community, and at the White House. John graduated summa cum laude from LSU and lives in Baton Rouge with his wife and two sons. A lifelong outdoorsman and NAUI Master Diver and Rescue Diver, he's the former board chair of the Coalition to Restore Coastal Louisiana and a current board member of the Coastal Conservation Association.