0:00:01 Emily Wearmouth: Hello and welcome to another edition of the Security Visionaries podcast, a place where we bring experts in and we grill 'em about all sorts of stuff to help you, our listener, understand a little bit more about data, cyber, all of the trends and things that are going on in your world. And my guest this week is a friend of the podcast. We're getting towards Christmas, so we're inviting all the friends around. Steve Riley, welcome to the podcast.
0:00:22 Steve Riley: Thanks, Emily. Good to be here with you.
0:00:25 Emily Wearmouth: So for the listeners who've not heard a Steve Riley episode before, Steve comes to us... I always start with where people's careers started off, and Steve comes from a systems analyst type background. I think it gives a good feel for how you might tackle the... So, systems analyst, then through lots of different tech companies, some time as a Gartner analyst, where I think you possibly honed your brilliant skills of explaining things in a way that makes them really easy to understand, and now working as a field CTO. Have I covered all of the essentials there, Steve?
0:00:55 Steve Riley: Sounds good to me.
0:00:57 Emily Wearmouth: Now, I've brought Steve on to the podcast today because I want to talk about an acronym, which technically speaking breaks all of our editorial rules. We try and avoid acronyms like the plague, but I guess that's kind of why we've got you here today, Steve. There are acronyms floating around and sometimes they merit a little pause, some discussion just to make sure that we're all on the same page of understanding what they are. Now, today's acronym is CSMA, which stands for Cybersecurity Mesh Architecture. Now everybody's thinking, oh, shall I skip this podcast? You shouldn't skip this episode. It's going to be a really good one. I promise you it starts with an acronym, but it gets good. So start us off, Steve. What is CSMA?
0:01:36 Steve Riley: CSMA is an initiative that tries to convince vendors to work together to create a common data dictionary and data format to exchange signals and other information about the decisions these security tools are making so that other tools could then refine the decisions they might make later.
0:01:58 Emily Wearmouth: So who is evangelizing for this acronym? Who is out there telling everybody we should be getting behind it?
0:02:04 Steve Riley: The idea has been around for a while, but lately most of the effort that I see coming from Gartner and one particular analyst there, he's actually a good friend of mine. We've known each other for over 20 years. He's been writing a lot about it. He's up to I think a third or fourth version at this point. And when he puts the slide up of all of the vendors who are participating in this, it gets larger and larger every year.
0:02:28 Emily Wearmouth: And is this anything that we see the NISTs, et cetera, of the world getting behind? Or is it still very much a sort of more that academic analyst type perspective on the world?
0:02:39 Steve Riley: That's an interesting question, Emily. I haven't gone to see if any government agencies are responding to this yet, but I can. I'm not immediately thinking of any examples. So I imagine that it's still mostly an industry initiative at this point.
0:02:54 Emily Wearmouth: Yeah, I mean, if it is, and it might be, it's not something I've heard a lot about with NIST. We hear constant evangelizing about zero trust, but it's not one I've heard at this point inserted into that conversation. But as we'll hear in a bit, it does have a place within that zero trust type framework as well, doesn't it? So is this just a way of describing what is essentially a platform play but with multiple vendors, or is it materially different to when you bring in a single vendor for a platform who has components that already talk to one another?
0:03:29 Steve Riley: Well, remember that no such thing as a grand unified platform exists, and this is something that Netskope has talked about maybe for a couple of years now. We see giant vendors who have portfolios of products, mostly through acquisitions, and promises to integrate them better together. But closing the next acquisition always seems to be a higher priority. What we have seen though is that many info security buyers are trying to move away from giant collections of a bunch of different tools, whether they're from one vendor or a bunch of other vendors, and move toward, let's say, this interesting set of four platforms. So one would be identity management, which isn't just a directory, but also includes things like governance and administration and permissions and privileges, the right sizing. The next would be the endpoint protection platform. We all think about stuff in clouds now. So why do we care about endpoints?
0:04:33 Steve Riley: We care about endpoints because all interesting ideas originate in human heads and they travel down through human arms and fingers onto some device, and that device is the first digital representation of that interesting information. So it still deserves protection, but then that information doesn't want to stay there. It wants to move around so other people can add value to it or people can extract value from it. So the third platform would be like networking, data security, that's us, Netskope. And then the fourth platform would be like a threat detection and response that's always going to be necessary. No protection measure is perfect. Now, vendors in these four spaces are working, some harder than others, to interoperate with the various other platforms and with other types of tools too. CSMA is an effort to try to bring even more tools, not just like the four platforms I described earlier, but a variety of standalone tools that might serve niche use cases, so that they can all participate and exchange information with each other and generate more signals in context.
0:05:45 Emily Wearmouth: What do you mean by signals in context specifically? The signals bit I got, but the context bit.
0:05:51 Steve Riley: Well, we're jumping into the zero trust related element of this conversation now. Many vendors have all kinds of spin on what they think zero trust is, and I'm going to take the opportunity and supply the Netskope one here for just a moment.
0:06:10 Emily Wearmouth: I gave him a soapbox and he's using it. Yeah,
0:06:12 Steve Riley: Of course you did. Did you hear me drag it on stage? Scree. Okay. And this kind of comes from some of the work that I and another analyst at Gartner did when we were working to establish Gartner's position on zero trust. The thinking is that in meat space, MEAT space that humans occupy,
0:06:33 Emily Wearmouth: Sorry, that's
0:06:34 Steve Riley: Quite funny. It was a cyberspace, right? Okay. So in meat space, it's impossible to eliminate trust. Lee, when I first joined Netskope, you and I didn't know each other, and so a little bit of trust existed because we were Netskope, but I can't think of any situation where there's zero trust between people. But as we've worked together over the years, we've learned more and more about each other, collaborated on things, sat around bars and had a drink or two. So a high level of trust exists between us right now. The same thing is true in cyberspace. It is impossible to eliminate trust in digital systems. In fact, for those who are sufficiently motivated, you could find some research papers in the mid 1990s that discussed this dilemma. And so this notion of zero trust is just, like, strange. So think about it this way: zero trust exists at the beginning of an interaction.
0:07:28 Steve Riley: Two nodes who've never seen each other have to communicate, no trust, but in order for them to do something effective, like actually have a meaningful interaction, a certain amount of trust must be established. That trust derives from signals and context. So let's actually use an example that involves two different signals, and one of them will be the device type and the other will be a label on a document. If a device type is managed, then that establishes a reasonably high level of trust right there. Between that device and any, let's say, internal system that stores documents, perhaps we don't need to evaluate other signals. In that case, the person on a managed device has full access to all the content. Now, if the device signal shows unmanaged, meaning it's a personal device not owned by the company, then we want to look at the label as a secondary signal, and if the label is public, then the person on that unmanaged device could still have full access. If the label is private, then we want to reduce the amount of access the person has on that unmanaged device to, say, read only.
0:08:52 Emily Wearmouth: So the label is on the file rather than on the device or the user.
0:08:55 Steve Riley: That's right. It is the label on the data, the file on the file. And then if the label says confidential, then the policy might say no access at all from managed devices. In other words, the policy states that to work with confidential information, you must be on a managed device only. This is what a good zero trust strategy is built from. It's this idea of being able to combine signals, generate some context about that, and determine exactly the following: it ensures that the right people have the right access to the right resources at the right times for the right reasons. The five rights. So here at Netskope we actually refer to this as continuous adaptive trust: zero trust at the beginning, certain trust gets built as the interaction unfolds, as signals change like the label on a file or the health of a device. Access can be tailored based on the context. If those signals indicate that a device might be compromised in some fashion right now because the user downloaded something unsafe from someplace else, then the access can be modified until the situation is remediated, and then that control can be removed.
0:10:13 Steve Riley: This is a much more effective way of achieving that strategy than just pretending that you can eliminate trust completely from digital systems. Now, CSMA, why this matters, is that it is emerging to be one of the best mechanisms for the widest variety of tools to provide signals to the widest variety of other tools that can enforce those policies. But a caveat exists: the policy enforcing tools and the tools that provide the signals need to have some sort of shared language, some shared data definition and data format, some APIs that are documented, so this information can be exchanged. And that's the goal of CSMA, to set about some of those standards across the vendor community.
0:11:08 Emily Wearmouth: And how far along is it in terms of locking in those standards or are we still seeing individual vendors needing to negotiate between them, how they're going to integrate each other's insights into their platforms?
0:11:21 Steve Riley: Well, the Gartner research on this is, like I mentioned earlier, on its third or fourth iteration at this point, and the community of vendors who express interest is very, very large. What I'm not seeing just yet is an actual large number of vendors who've agreed upon the standardized format. So I think the conversations are ongoing about what those formats might look like. Remember, this pushes a lot of vendors into areas that are kind of uncomfortable. In some cases, these are competitors who need to figure out how to cooperate so that all of their buyers can benefit more, and I think that might be a little bit of the friction that still exists in this effort. I'm not saying it's impeding the effort, and I'm sure that over time the vendors will figure out how to work around this, but it does exist at the moment.
0:12:11 Emily Wearmouth: It sounds, and I can see the cat paraphernalia behind you, but it sounds a bit like possibly herding cats, and I wonder if it's just Gartner trying to herd those cats, whether it needs another body as sort of a clearly independent, impartial body that locks in a standard that everybody then conforms to in order to cross a threshold and deal with those competitive antagonisms. What are your thoughts on that?
0:12:37 Steve Riley: I think that would work. Of course, it always reminds me of the XKCD cartoon, something about standards. One more. Oh, that's great too. But yeah, I think that something maybe a little bit more formalized with an independent body, it would help propel this even further. But that's another area that I actually haven't looked into. So that would be maybe an interesting thing for our watchers to follow up on is that what is the latest state of CSMA seriousness among vendors and perhaps an organization that's working to propel those standards further.
0:13:11 Emily Wearmouth: And if as an organization, you like the sound of this, it sounds good. It sounds like you've got a lot of vendors sitting in your security stack and you'd quite like them to work together better. So you're going to go on a new year mission to get everybody signed up to this. What sort of goals and objectives should you have in mind or metrics specifically that you should be pursuing that would enable you to measure whether it was worth doing in 12 months time? What sort of metrics is it going to be informing or influencing?
0:13:40 Steve Riley: Well, Emily, I think you've actually touched upon something important here, because analysts can make some fantastic statements about the value of something and an independent body can sort of work toward furthering those goals. But in reality, vendors respond to, well, one thing, and that's customers who buy stuff. And so I would suggest that the best way for this effort to actually materialize is for buyers to begin demanding that vendors begin working toward this shared data format and shared data definitions so that the information exchange can become a reality. Vendors love to promise something, but it takes the buyers, those of you who are watching or listening here today who purchase technology. If you agree that this idea of better interoperability between all vendors to create more signals for a more robust zero trust strategy is worthwhile, then you've got to tell your vendors that's what you want, and also ensure that all of the vendors who are interesting to you are conforming to the same latest standard, which is easily available.
0:14:51 Steve Riley: Everybody's a Gartner client, so everybody who is a client can get access to that information, and that's what has to happen. As far as specific metrics, I would just say that the metric is presence on roadmaps and the ability to demonstrate that the efforts exist and are shipping in products. Now, is an API or set of APIs available that specifically relate to sharing information according to the CSMA standards and practices that are evolving? If those APIs are present, then the vendors are pretty serious about this. But if they don't exist yet, if it's just like some marketing diagram with no actual implementation behind it, then start demanding that the vendors release this stuff, supply a cadence for when their various products and services will be CSMA ready, and also perhaps ask for some demos. Ask for a vendor you care about who has something that is CSMA ready to show that they can interact with another vendor you care about who's also CSMA ready. Set up a little lab or something at the vendor's expense just so that you have the chance to see it with your own eyes, and then make some plans toward how you can move the rest of the organization even further.
0:16:14 Emily Wearmouth: I felt like I was watching Steve, the activist come out there like, you were going to get placards out and everybody was going to be encouraged to march with you and make certain demands. That was quite exciting to see. So I'm now going to flip the question slightly. You want these people to get their placards and go on their march and ask these questions with their vendors. Why would they do it? Is it about improving their security posture? Is it about finding efficiencies within their teams? Is it going to ultimately cost them less? Are they going to be spending less money with their vendors? What are the organizational benefits when this beautiful future world exists?
0:16:47 Steve Riley: Well, cybersecurity mesh architecture definitely is related to helping improve information security and reduce risk, all those related sorts of things, simply because that exchange of information allows responders and policy creators, and when I say policy creators, I don't mean politics, I mean people who sit in a console and write policies. It allows both of these teams to be more effective at what they do. The more signals I can put in all my policies, the better I can craft them to respond to the variety of wrinkles that might appear. And the more information that can come to these threat detection and response tools about the specific nature of an event, the more it helps the tools synthesize events into incidents. These are the things that responders actually need to react to. This is all just going to be better for everyone. It'll be better for buyers of technology. It'll be better for vendors of technology because instead of thinking about creating small partnerships between two or three others, it gives vendors more opportunity to interact with more other vendors, which improves the choices that buyers can have now too, right? If platform A and platform B work really well together, but platform A and platform C don't work so well together, and someone really likes platform C but it doesn't work with the platform A they already have, then what do you do? Do you choose platform C that's got all the features you like, but less interoperability? Or do you choose platform B that might not have all the features you want but has great interoperability? I would actually encourage folks to prioritize interoperability over features at this point,
0:18:44 Emily Wearmouth: Right?
0:18:45 Steve Riley: Simply because if you're prioritizing features and less interoperability, that's not that much different than where we lived 10 years ago, where we had 76 tools that didn't interoperate at all, right? So by prioritizing interoperability, you've got that. You're closer to that nirvana of the continuous adaptive trust strategy informed by signals and context. So we just need our vendors to continue down this road so that buyers have the best choice and they don't have to make a compromise.
0:19:15 Emily Wearmouth: And who, if anybody disagrees with this? So you've said that Gartner sort of leading this mass protest you at the front with a bell, I'm sure saying that this is a great thing. Is anybody pitching a different approach to the same goal? Or is anybody resisting these integrations? Is there any opposition or is it just, it's a bit of work to do it, and that's the biggest resistance?
0:19:40 Steve Riley: The resistance is the work. The resistance is, oh, if I have an API so that someone else can twiddle me or so that someone can change my policies, I might be losing competitive advantage because now the person might no longer log into my console and see my logo eight hours a day. I think all of the reasons that people might manufacture for not wanting to participate in CSMA have nothing whatsoever to do with helping their customers, but it's more about worrying. Maybe it's like worrying about dilution or something like that, but we live in a world with increasing divisions and mistrust and distrust. It's filled with organizations and entities who seem to care only about their own survival and less and less about living in a flourishing world. Maybe that's a little grandiose for a conversation on CSMA, but if CSMA can reflect a little bit of a pushback toward that and encourage cooperation and show the value of cooperation, then maybe that can take one small step toward reducing just some of the, I don't know, anger that exists in our world right now.
0:20:54 Emily Wearmouth: I like that. I like the energy mainly. You've got me. I'm definitely getting a placard out later about something or other. You've come, you've come with good energy today, Steve,
0:21:05 Steve Riley: Emily, I used to be a doubter. I remember when I first encountered this, I was like, none of these vendors are going to open, open.
0:21:12 Emily Wearmouth: I know when I first raised this with you, you said, no, I've got a whole conversation on text where you're like, no, Emily, it's not going to be. It's too much work. No one's got a vested interest in it. You're like a new man. What changed?
0:21:23 Steve Riley: Yep. What changed is my buddy who's been writing the research, he has demonstrated perseverance and he's shown the longer and longer vendor list. He believes in this. I trust him, and he's convinced me that this is a worthwhile effort.
0:21:42 Emily Wearmouth: Do you want to give him a name check?
0:21:45 Steve Riley: Patrick Hevesi.
0:21:46 Emily Wearmouth: There we go. Patrick, Steve is behind you all the way. And are you seeing, last question, are you seeing CSMA type integrations happening, perhaps under vendor branding? Are these things sort of happening slowly from individual vendor sides and being productized almost?
0:22:05 Steve Riley: Yeah, so let's use Netskope as an example. We have this thing called Cloud Exchange, which is composed of four other components. Every Netskope customer can avail themselves of this. There's no charge for it, and it manifests itself in a set of APIs with a documented data format and data dictionary. Does it align with CSMA right now? No, but it is an effort that shows our desire to integrate with more tools that our customers have bought, and it would not be that difficult for us to incorporate the evolving CSMA standards into what it is that we already do. So it could very well be the case, Emily, and this is a good point, that some vendors are marching toward this, but as you said, it's under a different branded name. I think that's just maybe sort of like an interim approach as the standards mature.
0:23:02 Emily Wearmouth: Interesting. Brilliant. I promised that people would not be bored, and I think apart from that one acronym, I think we've avoided all other acronyms. So I think you've done a very good job of explaining one without throwing another seven in the explanation.
0:23:16 Steve Riley: Well, thank you.
0:23:17 Emily Wearmouth: Thank you very much for joining us today. Thank you for making that just a little bit clearer for everybody.
0:23:21 Steve Riley: Yeah, you're welcome.
0:23:22 Emily Wearmouth: You have been listening to the Security Visionaries podcast, and I've been your host, Emily Wearmouth, and if you have enjoyed this episode, have a rummage in our back catalog, see some of the other ones where Steve came in and joined us and made things just a little bit clearer. And I know we've actually got another one. We're doing a double-header of recording this week, so if you've enjoyed this one, there'll be another one hot on its tail. Another acronym explained and made just a little bit more clear. If you want, thank you for joining us and we'll catch you next time.