Note the subtle play on words there? Is cyber security a huge mess of complexity, or are we heading for a huge opportunity to integrate and manage disparate technology via an adaptive mesh? The concept of a cyber security mesh seems to have emerged from the lips (or pages) of Gartner, perhaps as early as October 2020, when a blog post from them identified the cyber security mesh as a strategic technology trend for 2021.
So what is this mesh concept? Gartner seem to use it as a retrospective reference: something to describe the pattern of complexity and the distributed nature of the modern enterprise. They say “Cybersecurity mesh essentially allows for the security perimeter to be defined around the identity of a person or thing. It enables a more modular, responsive security approach by centralizing policy orchestration and distributing policy enforcement.”
So it sounds like they are saying we have lots of assets and lots of locations, and we need to move towards an identity-centric model of security. That seems to fit into the zero trust mantra of security design?
I’ll Raise Your Mesh with a Fabric
Let us add another term to the mix. KuppingerCole, another analyst firm, introduce a further term: “identity fabric”. A search on their site returns over 50 pieces of content referring to an identity fabric (including one by yours truly, when interviewed in a former life). So what is an identity fabric and what has it got to do with a mesh? KuppingerCole see identity systems as requiring unification, with the removal of data silos across the enterprise, something seemingly achievable with an identity fabric, “which are built to enable seamless yet secure access of everyone and everything to every service”.
So again, I hear complexity, multiple systems, different locations all driven by identity as its foundation.
Introduce Stage Left: Valence Security
So again, I’m hearing complexity: the modern enterprise has a host of different application assets, be they cloud, on-premise, SaaS, proprietary or home grown. All require identity and access management, but interestingly not just at the person layer. They also require authentication and authorization functionality at the service layer. How are applications communicating and exchanging data amongst themselves?
Organisations are becoming more fragmented and increasingly dependent on other people, systems and services to be successful. We not only see hyper-federation, but we also have joint ventures, partnerships, software supply chains and service integration across a range of, you guessed it, locations, uncontrolled zones and enclaves, devices and stakeholders. Data, ironically, is becoming the glue that holds it all together, and data is the very thing organisations need to protect the most.
So Valence talk about being able to “Map, Monitor and Mitigate” this business application mesh, essentially by identifying anomalous data flows and providing a process to respond. The main success metric, it seems, is increased visibility of application assets and of how data flows between each service. Is it as expected, and is it leveraging the correct controls?
Typical identity and access management capabilities are heavily geared towards people, yet the focus on app-to-app and business function interactions seems quite lacking. The non-person entity (NPE), IoT, machine-to-machine (M2M) and RPA (robotic process automation) spaces are all starting to introduce the constructs of unique instance identities, with time-bound credentials and a strong ability to provision and monitor new access. In my opinion, about time.
The major issue of the distributed, highly integrated enterprise is a lack of visibility. How can a CISO or IT security operations team first be aware of all asset classes and instances, and then be in a position to identify erroneous data flows, access patterns and behaviours? Using something like the NIST Cyber Security Framework, we are stuck in the Identify bucket before we can even start to think about protection and detection, let alone get to the often forgotten respond and recover phases.
It seems Valence have at least identified an existing problem: the modern enterprise does have a business mesh, and many are struggling to understand a) what that means and b) how it should be managed.
Company Key Facts
Funding: $7 million (Seed, Oct 2021)
Founders: Yoni Shohet, Shlomi Matichin
Two other interesting vendors that have leveraged similar terminology are Strata Identity and CloudKnox. I would not say any of these vendors are competitive with each other: Strata is a hybrid-cloud identity orchestration platform, while CloudKnox (which was acquired by Microsoft) focused on multi-cloud infrastructure entitlement management. However, all three are leveraging the mesh and hyper-connected business language, with a focus on trying to put their arms around the complexity and visibility issues that this creates.
About The Author
Simon Moffatt is Founder & Analyst at The Cyber Hut. He is a published author with over 20 years’ experience within the cyber and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He is a CISSP, CCSP, CEH and CISA. He is also a part-time postgraduate on the GCHQ certified MSc. Information Security at Royal Holloway University, UK. His 2021 research diary focuses upon “How To Kill The Password”, “Next Generation Authorization Technology” and “How IAM Countermeasures Can Defend Against Cyberwar”. For further information see here.
NB – this article was not sponsored by Valence Security, but was based on a conversation between Simon Moffatt and Yoni Shohet in Nov 2021.