The End of Perimeter Security? The Rise of Cybersecurity Mesh
Imagine a world where firewalls and antivirus software were enough to keep your company safe. Those days are long gone. Over the years, the cybersecurity industry has transformed dramatically. What's truly alarming is how cybercrime has grown into a massive global threat with staggering financial implications.
By 2025, cybercrime will cost the world economy $10.5 trillion annually—a 15% year-over-year increase since 2021. In this increasingly threatening environment, it's clear that legacy, perimeter-based defenses are no longer sufficient. We urgently need a new approach, one that is as agile and adaptive as the threats we're facing.
The answer lies in cybersecurity mesh, a revolutionary concept that is changing the way we think about network security. Let's delve into what cybersecurity mesh is and why it's the future of protecting our digital assets.
A New Era of Security: Embracing the Mesh
For years, we relied on a castle-and-moat approach to cybersecurity. Firewalls, intrusion detection systems, and VPNs formed a digital fortress around our networks. This worked well when all our assets were neatly contained within the corporate perimeter.
But today's reality is quite different. The rise of remote work, cloud services, and IoT devices has blurred the lines of the traditional network boundary. Data and applications are scattered across multiple environments, both on-premises and in the cloud, making the concept of a traditional perimeter obsolete.
This new reality creates massive blind spots and vulnerabilities. A single compromised device or user account can easily bypass our perimeter defenses. Once inside, attackers can move laterally, exploiting internal network connections to access sensitive data.
Cybersecurity mesh offers a solution to this problem by ditching the old "castle wall" mentality and creating a flexible, scalable security perimeter around each access point. Instead of trying to protect one extensive network, we're securing each device, user, and connection individually.
Imagine this: Instead of having one big lock on your front door, you're putting smart locks on every door, window, and access point in your house. Each lock knows who should be allowed in and can make decisions on its own.
The Power of the Mesh: Key Benefits
Cybersecurity mesh isn't just a buzzword—it delivers real benefits for organizations of all sizes:
Stronger Defense
Individual security around every access point creates a web that's harder for attackers to penetrate. Each node in the mesh acts as a defensive point, making it significantly more difficult for attackers to move laterally across the network.
Faster Threat Response
The interconnected nature of security tools facilitates rapid information sharing that leads to swift threat identification and a synchronized defensive response. When a threat is detected at one node, it's quickly shared with the entire mesh, allowing for a coordinated and immediate response.
Improved Scalability
The mesh easily adapts to growth, adding security for new devices and users without complex upgrades. This is a crucial advantage for businesses that are constantly evolving and adding new technology to their infrastructure.
Flexibility And Context-Aware Decisions
Security follows data and users, regardless of location (cloud, on-premise, etc.) and adapts based on context. This dynamic approach ensures that security measures are always in place, no matter where users or data are located.
Simplified Management
By using standard tools that work well together, overall security becomes less of a headache to manage. The mesh simplifies security management by providing a centralized view of all security events and a single platform for managing and configuring security policies.
Building Your Cybersecurity Mesh: A Practical Guide
Starting with cybersecurity mesh can seem daunting, but it doesn't have to be. Here's a practical guide to get you going:
Assess Your Current Setup
First, take a good look at what you've got. What devices are connected to your network? What security measures are already in place? This inventory will help you figure out where you need to focus. For example, you might want to start by focusing on devices that are most likely to be targeted by attackers or that contain sensitive data.
Define Your Security Perimeter
Identify the boundaries of your network, including all your devices, cloud services, and access points. Remember, with remote work, your perimeter extends beyond the office walls. You need to understand where your data resides and how it's accessed to effectively define your security perimeter.
Choose And Integrate Your Tools
You'll need a mix of security tools that work together. These might include firewalls, intrusion detection systems, identity management solutions, and cloud security posture management tools. Look for tools that can easily integrate with each other and share threat information to create a cohesive security mesh.
Implement Zero Trust
Zero trust is a key principle of cybersecurity mesh. It means verifying every user and device every time they try to access your network. Start by setting up strong authentication methods, such as multi-factor authentication, to ensure that only authorized users can access your network.
Set Up Monitoring
You need to keep an eye on what's happening across your network. Implement tools that give you real-time visibility into user activities, data movement, and potential threats. These monitoring tools can help you identify suspicious activity early and respond quickly to security incidents.
Train Your Team
Your staff are a crucial part of your security. Make sure they understand the new system and their role in keeping things secure. Regular training sessions can help keep everyone up to speed and empower them to identify and report potential security risks.
Start Small And Scale
Don't try to overhaul everything at once. Pick a small area of your network to start with, then gradually expand your mesh as you get more comfortable with the system. A phased approach allows you to test and refine your security strategy before implementing it across your entire network.
Monitor And Respond
Keep a close eye on your mesh. Set up alerts for suspicious activity and have a clear response plan in place. Regular monitoring and response are essential for ensuring the ongoing security and effectiveness of your cybersecurity mesh.
The Future of Security: Cybersecurity Mesh is Here
Cybercrime is not slowing down. In 2023, the average cost of a data breach hit $4.45 million, a 15% increase over three years. And it's not just big corporations at risk—43% of cyberattacks now target small businesses. The threat landscape is evolving faster than ever, and we're seeing more sophisticated ransomware, AI-powered attacks, and threats to cloud infrastructure.
The message is clear: adapt or risk becoming tomorrow's breach headline. The time to implement cybersecurity mesh is now. Your data integrity, customer trust, and the very future of your business may depend on this crucial step.
Mesh VPNs: The Next Generation of VPN
As organizations increasingly seek to support and secure more remote network connections, many are rethinking the traditional VPN. Many VPN alternatives exist to help secure remote access — mesh VPNs chief among them.
Mesh virtual private networks (VPNs) use a peer-to-peer architecture that can theoretically be less expensive than traditional VPN approaches. VPNs, which are estimated to be used by 1.6 billion people, don’t carry the same weight they used to in the security stack, given massive security holes, port shadow weaknesses, and broad consensus on their susceptibility to cyberattacks.
Still, the global VPN market is robust — and expected to almost triple by 2030 to $137 billion.
In legacy network stacks a VPN was used to access network-based resources such as on-prem line of business apps and file shares as if you were on the corporate network. In traditional enterprise networks if you were within the network perimeter you had inherent network-level access to most everything on the network. Hybrid networks and a push toward zero-trust concepts have the industry moving away from this way of thinking, making the concept of a network perimeter less of a focal point when it comes to securing enterprises. If you’re running a traditional hub-and-spoke VPN architecture, making the switch to mesh VPN might be worth considering.
Mesh VPN: The New Paradigm for Secure Remote Access
Mesh VPN is a relatively new concept that is quickly gaining momentum as more vendors bring their services to market. At its core, mesh VPN solves a few weaknesses in the traditional VPN approach and fundamentally integrates tightly with current security stacks.
Unlike a client-server VPN with a hub-and-spoke model, there is no VPN server on the perimeter as a potential attack surface. Traditional VPN servers are frequently easy to identify as there are a finite number of VPN standards or even proprietary protocols. This makes discovery a cinch and attack a natural progression for bad actors. Conversely, members of a mesh VPN can reside behind a corporate firewall, on a home network, or on a cellular connection, behind NAT and other technical components that frequently cause difficulty with VPNs. The ability for nodes to connect to each other comes from a control plane that is typically managed and maintained by the VPN vendor.
Traditional VPNs primarily come in two flavors: site-to-site and remote access. With current networks extending to edge devices tasked with enabling business operations many edge deployments require either a software VPN client or a network appliance configured with a site-to-site VPN connection. Mesh VPNs can certainly leverage a software VPN client on all of the popular operating systems but can also be implemented directly into containerized applications and other cutting-edge deployments that may not be a great fit for traditional VPNs.
Mesh VPN: A Secure and Flexible Approach to Network Connectivity
Mesh VPNs by default only provide access to other members of the mesh VPN, not to the entire network. Those members could include servers, workstations, storage devices, cloud-based resources, or even application containers. This capability can often be further refined so that each user sees only the devices and services appropriate to them: while a variety of systems and services are reachable on the mesh VPN, an individual user can connect only to the services they have a business need to access. The net result is essentially a set of dynamic firewall rules between nodes, derived from the user’s roles and business requirements. From a management perspective, nodes and services can be grouped and restricted using concepts familiar to cloud administrators, such as resource tagging and access control lists.
Most mesh VPN solutions further enhance these concepts by offering API-based management, meaning the process of assigning roles and access can be integrated with other management and orchestration tools already being leveraged within the organization. This could be in the form of an extended detection and response (XDR) solution, or simply script-based automation that interacts with business systems.
Mesh VPN: A Natural Fit for the Hybrid Workforce
Mesh VPN solutions are built from the ground up for hybrid work. As such, security staples like identity management (IDM) and mobile device management (MDM) help form a cohesive foundation for the hybrid workforce. Integration with IDM helps streamline onboarding (and perhaps more importantly offboarding), as well as dynamic changes to system access based on changes to user identities. Mesh VPN solutions also pair naturally with MDM, since laptops, tablets, and even mobile phones can potentially be added as VPN nodes.
Mesh VPN: Considerations and Potential Drawbacks
For a mesh VPN service to be successful in the enterprise there are some non-negotiables. Integration with current authentication services is an absolute must, and this extends to authenticating devices and ensuring they meet device management policies. Additionally, integration with existing tools in the security stack such as event monitoring and EDR (endpoint detection and response) is going to be a hard requirement for devices accessing protected services.
Mesh VPN solutions check a lot of boxes, but as always there is a flip side to the coin. Businesses still operating in more of an old-school, on-prem architecture will likely have better options for a couple of reasons.
Businesses still functioning with the concept of a hard network perimeter and little to no cloud presence may not garner much value from the hybrid identity and zero-trust capabilities which mesh VPN can help introduce. Likewise, if business resources (such as file servers or line of business apps) are primarily contained within the network perimeter a centralized VPN server may be the better investment.
Speaking of investments, one potentially major downside to mesh VPN solutions comes down to subscription costs. Most mesh VPN offerings have a monthly subscription cost per user, which can add up quickly, particularly for some of the more premium capabilities. As more and more legacy VPN solutions pivot to subscription-based licensing this concern must be weighed carefully.
A Look at Tailscale: A Mesh VPN in Action
Tailscale is a popular mesh VPN solution that is gaining traction in the market. Let's explore how Tailscale approaches the challenges of secure remote access in a modern, distributed IT environment.
Subnet Routing
VPNs have been used as a way to allow remote users to access resources within the perimeter of the corporate network. Mesh VPNs are designed as a peer-to-peer network, meaning the scope of the network extends by default only to those devices with the VPN client installed. This becomes a bit of an issue when trying to provide access to applications or services in a centralized location. Do you install the VPN client on each server? How do you support workloads that are clustered across multiple servers, or run in a stack like containerized apps? What about devices that simply don’t support software installation, such as industrial hardware or even printers?
Tailscale offers the concept of subnet routers to function as a gateway to one or more devices on a network segment. This feature allows users to install the Tailscale client on a single computer within a network, and configure it to provide connectivity to other devices on that network. The process to enable a subnet router in Tailscale requires two steps for security purposes. First, you must configure the Tailscale node as a subnet router, which on Windows involves starting Tailscale from the command line using the --advertise-routes parameter followed by IPv4 subnets defined in CIDR notation. For example, the following command serves the entire 192.168.1.x Class C subnet to the Tailscale network (the tailnet).
tailscale up --advertise-routes=192.168.1.0/24
Individual endpoints can be shared by specifying the full IP address followed by the /32 CIDR subnet mask. Multiple subnets (or endpoints) can be defined by separating them with a comma.
The second step to enable a subnet router involves using the Tailscale admin console to enable individual routes.
Once the route is approved in the admin console, tailnet members will be able to access the applications and services on the target subnet.
Access Control Lists
In a zero-trust world access to corporate resources should be limited to the minimal number of users required. Being able to access the corporate network through a VPN should not automatically grant access to web servers or file shares, even at the network level. Tailscale offers tools to limit what devices and users can reach network resources using access control lists (ACLs).
ACLs in Tailscale boil down to a source and a destination. Unlike traditional firewall rules, Tailscale ACLs always result in an ‘allow’ action; connectivity is only permitted if you explicitly define a rule, and anything not matched by a rule is denied. Within the Tailscale ACL policy editor, you can reference users or devices in bulk using groups or tags respectively, or individually using hostnames or usernames. Access to devices or subnets made reachable on the tailnet through subnet routing can also be allowed by referencing the subnet in the destination portion of the rule:
{
    "action": "accept",
    "src": ["tag:mobile"],
    "dst": ["192.168.1.0/24:80,139,443,445"],
},
This rule states that devices with the mobile tag are allowed to connect to devices on the 192.168.1.0/24 subnet, but only on ports 80, 139, 443, and 445. Asterisks can be used as wildcards for both source and destination, either for the host or the allowed ports.
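The ACL semantics just described (default deny, accept-only rules, tags and groups as sources, a routed subnet with a port list as the destination) together with the role-based "dynamic firewall rules between nodes" idea from the mesh VPN section, worked through as an added Python example. This is not Tailscale's code and not from the original article: the node names, addresses, users, groups and the second (admin) rule are constructed, and the evaluator is a simplified model (IPv4 only, no autogroups or "via" routes) rather than Tailscale's policy engine. It also builds the --advertise-routes value from the subnet routing section, normalizing a bare address to /32 and rejecting a CIDR whose host bits are set.

```python
"""Toy evaluator for Tailscale-style ACL semantics (added example, not Tailscale code).

Every node, tag, user, address and rule below is constructed sample data.
Simplifications: IPv4 only, no autogroups, no "via" routes; the point is to show
the default-deny / explicit-accept model and how a routed subnet, a tag and a
port list interact in one rule.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    ip: str                      # tailnet address the node answers on
    user: str = ""               # owner's login; empty for tagged devices
    tags: set = field(default_factory=set)


# Constructed tailnet: one user laptop, one tagged phone, and a subnet router
# that was started with: tailscale up --advertise-routes=192.168.1.0/24
NODES = {
    "alice-laptop": Node("alice-laptop", "100.64.0.1", user="alice@example.com"),
    "bob-phone": Node("bob-phone", "100.64.0.2", tags={"tag:mobile"}),
    "subnet-router": Node("subnet-router", "100.64.0.3", tags={"tag:router"}),
}
GROUPS = {"group:admins": ["alice@example.com"]}

# Constructed policy: the HuJSON rule from the article plus one admin rule.
# Rules are accept-only; anything that matches no rule is dropped.
POLICY = {
    "acls": [
        {"action": "accept", "src": ["tag:mobile"],
         "dst": ["192.168.1.0/24:80,139,443,445"]},
        {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
    ]
}


def advertise_routes_arg(routes):
    """Build the --advertise-routes value: bare IPs become /32 entries, entries
    are comma-joined, and a CIDR with host bits set (e.g. 192.168.1.5/24)
    raises ValueError before it ever reaches `tailscale up`."""
    nets = [ipaddress.ip_network(r) for r in routes]   # strict=True by default
    return "--advertise-routes=" + ",".join(str(n) for n in nets)


def _src_matches(selector, node):
    if selector == "*":
        return True
    if selector.startswith("tag:"):
        return selector in node.tags
    if selector.startswith("group:"):
        return node.user in GROUPS.get(selector, [])
    return selector in (node.user, node.name)   # explicit user or host name


def _ports_match(spec, port):
    """spec is '*', a list like '80,443', or ranges like '8000-8080'."""
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def _dst_host_matches(host, dst_ip):
    if host == "*":
        return True
    if host.startswith("tag:"):
        return any(host in n.tags and n.ip == dst_ip for n in NODES.values())
    try:   # a subnet reached through a subnet router, or a literal address
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(host, strict=False)
    except ValueError:   # not an address: treat it as a node name
        node = NODES.get(host)
        return node is not None and node.ip == dst_ip


def is_allowed(src_name, dst_ip, port):
    """Default deny: True only if some accept rule matches source, host and port."""
    src = NODES[src_name]
    for rule in POLICY["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(_src_matches(s, src) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, _, ports = dst.rpartition(":")   # "host:ports"; host may contain '/'
            if _dst_host_matches(host, dst_ip) and _ports_match(ports, port):
                return True
    return False


if __name__ == "__main__":
    print(advertise_routes_arg(["192.168.1.0/24", "192.168.1.50"]))
    for who, ip, port in [("bob-phone", "192.168.1.10", 443),
                          ("bob-phone", "192.168.1.10", 22),
                          ("alice-laptop", "192.168.1.10", 22)]:
        verdict = "allow" if is_allowed(who, ip, port) else "deny"
        print(f"{who} -> {ip}:{port}: {verdict}")
```

The useful property to notice is that the phone can reach the routed subnet only on the four listed ports, while the subnet router itself, despite carrying the traffic, is granted nothing by the policy; the router's tag appears in no source selector, so the default deny applies to it as it does to every other node.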
Exit Nodes
One common VPN use case is to protect sensitive internet traffic while devices are connected to public networks. Some industries require internet traffic to be monitored and/or filtered. There are several ways to achieve these requirements, but having all traffic routed through a central network has the potential to streamline the process. Tailscale’s exit node feature facilitates meeting these needs.
Exit nodes are configured similarly to subnet routing. The option is enabled in the Tailscale client on the device designated as the exit node, and then the configuration is approved by an admin in the admin console. Exit nodes can be configured as recommended (also known as suggested) or mandatory, which allows Tailscale to either select an exit node based on latency or performance or to force mobile users to send all traffic through a single exit node. Mandatory exit nodes require Tailscale’s premium or enterprise plan, as well as an MDM solution.
Internal DNS Servers
By default, Tailscale uses a feature termed ‘Magic DNS’ to provide name resolution to tailnet members. This name resolution does not extend to devices served on subnets and can prove problematic when attempting to access services predicated on DNS such as Active Directory.
Tailscale offers, however, the ability to define one or more internal DNS servers to use for name resolution. These DNS server entries can be configured for split DNS, providing the ability to only forward requests for a specific domain to the internal DNS server. Combining split DNS with subnet routing and ACLs presents a compelling blend of functionality.
Roles
Creating a full-featured VPN solution is great and all, but it’s not the end of the story in modern IT security and compliance requirements. Separation of duties is a key best practice and a frequent component of compliance checklists. Tailscale offers several built-in roles you can quickly use to meet these business needs:
Two additional roles, owner and admin, have full access to all aspects of the admin console. There can only be one owner, and in order to delete that account the owner role must first be transferred.
Embracing the Future of Network Security
As the cybersecurity landscape continues to evolve, cybersecurity mesh is poised to become the standard for network security. By embracing a more distributed and flexible approach, organizations can stay ahead of the curve and protect their digital assets in an increasingly complex and threat-ridden world.