CarahCast: Podcasts on Technology in the Public Sector

Securing DoD Enterprise Innovation with ICAM

Episode Summary

Listen to this podcast with BeyondTrust, MG Joe Brendler, US Army (Ret.), and Stephen M. Wallace, DISA, to understand why Privileged Access Management (PAM) is integral to secure the adoption of emerging initiatives across the government.

Episode Transcription

Speaker 1: On behalf of BeyondTrust, we would like to welcome you to today's podcast focused around securing DoD enterprise innovation with ICAM, where Major General Joe Brendler, Steve Wallace, Systems Innovation Scientist for the Emerging Technology Directorate at DISA, and Josh Brodbent, Senior Public Sector Security Director at BeyondTrust, will discuss why Privileged Access Management is integral to secure the adoption of emerging initiatives across the government.

Josh Brodbent: Thank you. So my name is Josh Brodbent. I am the Senior Public Sector Security Director for BeyondTrust. I will be moderating today's discussion. I have been in the identity and access management space for roughly the last 10 years, specifically focusing on PAM solutions. And I am really excited today to have our panelists with us, Steven and Joe, and I'm going to give them just a couple of seconds to introduce themselves. We'll start with you, Steve. Take a second, let us know who you are.

Stephen M. Wallace: Sure. So my name is Steve Wallace. I am the director of the Emerging Technology Directorate at DISA. So we get to work on a number of varying sets of technologies, and I've got a long history with ICAM. And ICAM is one of those subjects that I really do enjoy talking about. So very excited to be here this session. And thanks.

Josh Brodbent: Thank you, Joe, why don't you take a second and introduce yourself?

Joe Brendler: Sure. Thanks, Josh. I am Joe Brendler. I spent a little bit less than 32 years on active duty in the US Army and finished up my career at Fort Meade, Maryland in December of 2016, where I was serving as the Chief of Staff for United States Cyber Command. I had a number of assignments prior to that, as you'd imagine, including time on the Army Staff in the office of the CIO/G6, and the CJ6 and J6 in Afghanistan, as well as chief of staff at the Defense Information Systems Agency prior to that, so I'm an alumnus of Steve's organization. And happy to be here. Thank you.

Josh Brodbent: Happy to have you. Alright, so I'm going to jump right into this. And we're going to start by taking a step back, though. Everybody right now is talking about Zero Trust or ZTA. I like to talk about how Zero Trust is a direction or an architecture; it's not necessarily like a silver bullet or one product. Steve, we'll start with you. What does Zero Trust mean to you, or to some of the emerging government programs you're working on?

Stephen M. Wallace: Sure. So exactly to your point, Zero Trust is a design methodology. It's not a product that you can go and buy and put the flag in the ground and declare success. It's really a methodology and you deploy systems. And you know, you take a relook at your environment. You know, before this, it was least privilege, we always talked about that kind of thing. But Zero Trust is really that more of an envelope that goes around a number of capabilities, and not really just focused on the user as much as it's focused on a number of things. When we in the department talk about Zero Trust, we talk about seven pillars, the user and the identity of the user certainly being one of them, probably one of the larger pillars, but there's, you know, six other things that have to factor into a true Zero Trust architecture.

Josh Brodbent: Thank you. What's your take, Joe, on Zero Trust?

Joe Brendler: Yeah, thanks. I think the way you have to start is by understanding that the only truly secure system is one you've already destroyed and therefore can't use and therefore it's in fact secure. Other than that, everything is vulnerable to exploitation by adversaries, and adversaries are continuously trying to identify and exploit those vulnerabilities. So Zero Trust starts from the premise of compromise, that you assume that the adversary has already found a way to get in, and that you're not trying to keep them out so much as you're trying to mitigate the damage that they can do now that they've gained some kind of foothold. This requires you to apply this notion of trust nothing, verify everything, to all sorts of transactions that are occurring on the network on a continuous basis. You know, Steve talked about the seven pillars: user, device, network, applications, data, analytics, and automation. My particular take for myself, I think the ultimate objective is continuous real-time visibility and control. And I think what we're talking about is control of behavior and access across all of the pillars. And I think that if you look at what we can do with analytics and automation orchestration today, you can actually employ those pillars to assess information we can gather from the others, and provide a feedback loop that we can use in order to gain continuous real-time control over the other pillars. That's kind of the notion that was formulated in my mind.

Josh Brodbent: That's great. I appreciate that perspective. So I'm gonna pivot for just a second and still kind of in this same concept of just getting our perspectives. It's been a crazy year in the cyber world. There have been a number of known breaches that have affected the Defense Department's cyber security priorities, but I want to kind of pivot. Everybody likes to talk about SolarWinds, and the things that happened there. Rather than the conversation of how that affected you, Steve, for just a second, can you talk about how a strong ICAM posture actually finally caught up to the SolarWinds breach?

Stephen M. Wallace: Sure, so, and, you know, it's all publicly available information. But, you know, the way when the breach finally came to light, it was really a strong ICAM policy, where a user was, you know, prompted with a multi-factor authentication step. And the user had the mindset to say, hey, something's wrong here. I didn't actually try to, you know, authenticate. So it was a, you know, all the other sensors in the world. Sure, they were collecting data, but we weren't really sure what we were looking for at that point. It was really, at the end of the day, a strong credentialing policy that led you know, for the world to be up to surface, you know, what was really going on there. So it's, you know, going back to those, you know, those pillars, that identity and the credentialing around the user is really critical to the way that, you know, we do business going forward.

Josh Brodbent: Thank you. I really appreciate that perspective. Joe, you know that recently President Biden issued an Executive Order around Zero Trust and the way agencies are supposed to shift their priorities. Would a top-down cyber focus like that have helped you in your role at US Cyber Command?

Joe Brendler: I want to say yes, upfront, because I want to back out and then say that my own personal preference is to see the world operate from the bottom up. And in order to be successful in a very distributed organization that is inherently heterogeneous, such as the Department of Defense, you have to have people all over and a whole bunch of different types of activities, proceeding in a relatively coherent fashion. But I am applying their own initiative in order to accomplish what they understand to be the intent. But then, if you look at that, you know, the fact that they have to understand that intent also presupposes that there's been some communication from the top down to explain what that is. So it is necessary. And I think that if we look at the Executive Order, we can see that it's a good thing overall. When you get a document like that from the top, you know that you've succeeded in illuminating the problem, first of all, and if you look at the structure that's in that document, you can see that we have a focus on threat information sharing, which is good. We've got modernization, an appropriate subject, which helps us overcome technical debt, which leads to vulnerabilities that we have to struggle with if we don't modernize. Supply chain security is a concern. The safety review board and the playbook are both good ideas. And incident detection is an absolutely necessary part of operationalizing cyber security. From my perspective, a compliance mentality will never be sufficient against an active adversary. You have to recognize that you can't protect against what you've never seen. And you have to recognize that the adversary is probably going to adopt an inherently asymmetric approach. So the things you spent the most resources trying to protect are probably not the things that they're going to go after; they're going to look for your vulnerability and exploit that instead.
So with that, it ties back into the principles of the Zero Trust subject we were just talking about before. And I think from that perspective, this Executive Order does a number of good things, including those that I've mentioned, as well as the identification of what constitutes critical software, all in line with the standards coming from NIST.

Josh Brodbent: You mean to tell me that generally a cyber adversary is not going to advertise the path they're going to take before they get there? I've had this all wrong the entire time. So you know, one of the things, kind of branching off of that for a second, that I enjoyed about the Executive Order was really this concept around Zero Trust coming to the forefront of the way that we're going to handle identity-centric security. So someone who's been involved in identity and access management for the past 10 plus years, and PAM, specifically, I can't remember when Zero Trust was essentially a marketing word or marketing phrase that one of the PAM vendors came out with, and nobody could really define it or talk about what it was. I think it's absolutely critical that we are defining that. And really, the implementation of that type of architecture impacts organizational transformation. What are some of the enterprise considerations for balancing the business mission needs across people, process, and technology? I'm gonna start with you, Steve.

Stephen M. Wallace: Sure. So this has been part of our conversation internally: how do we best make use of these things in the feature sets in a lot of these products and that type of thing as we go forward, but also be very mindful and very careful not to make it so tight and so fragile that the user experience goes away, because the users will inevitably get their jobs done one way or the other. Right? So we as security folks have a really bad habit of wanting to turn every dial and flip every switch, and, you know, show our bosses that, well, gee whiz, you know, we can make this super tight. We have to be incredibly mindful that oftentimes, when you do that, you create a ridiculously fragile environment that, you know, has a lot of, you know, potential to block user access, and that kind of thing and drive the user out of the system and into other ways. So I'd say above all else, mindful of the usability of the system, and then, you know, not that the security functionality isn't important, but it should be transparent to the user. And they really shouldn't, you know, be very mindful of kind of what is going on around them. So I'd say that is, above all else, one of the most important things, and then also stepping back and rethinking. You made the comment earlier about, you know, compliance and kind of when you and Joe were going back and forth there, and you know, the adversary doesn't step up to the plate like Babe Ruth and stick the bat out, and, you know, say, yep, I'm going to hit it to left field, and there's nothing you can do about it. You know, they're going to move in there, and you've got to, as best you can, contain that activity and keep them from, you know, moving as, you know, as best you can there.
So, for us, it's how do we find that balance, and sort of maintain that user experience all the way through. You know, the other challenge that we have, and I think Joe referred to it earlier, is the Department of Defense is a very federated environment. And that's probably even be unkind. But the DOD is a very federated IT environment that comes from, you know, ARPANET was kind of the, you know, the birth of the internet. It's frankly also one of the oldest IT environments, at least, you know, in terms of number of years. It's been modernized over time. But, you know, it's in all sorts of different states. And so, you know, as we go down and move into this journey, not to have the expectation that it's going to be, you know, a one year or a two year or three year type project. This is going to be many years. Even looking at some of the most modern IT infrastructures out there, as organizations have moved in this direction, it has taken them, you know, in some cases nearly a decade to get to the point where they felt like they were up on plane and had a consistent approach to it. So we can't look at this as a, you know, there will be quick wins along the way. But it's, you know, to get to a holistic reinvention effectively, of the way that we have purchased a program, it's going to be, you know, some time.

Josh Brodbent: Yeah. You know, on that point, I've used the analogy before that when we're doing things like this, you know, when a painter paints a room, he spends more time taping it than he does painting it most of the time, because he wants to make sure that he has his edges right. It's details, right? Joe, this question is for you. What is the value of performing a PAM analysis on an enterprise environment before embarking on this journey for Zero Trust architecture?

Joe Brendler: From my perspective, Josh, you start by recognizing that failure to control what privileged users can do can have disastrous consequences. And it's cyber adversaries' objective to exploit vulnerabilities in that. So they don't typically get in initially as a privileged user; they get in as something else and find a way to escalate the privileges. An enterprise survey of your current situation with regard to Privileged Access Management, and a coherent approach to designing an improvement path and modernization of that capability, I think is an essential thing.

Josh Brodbent: So, continuing kind of on that line of thought, Joe, from your point of view, how does modernization, expanding cloud deployment, and distributed workforces create new planes of privilege for adversaries to exploit?

Joe Brendler: So I think that we start by recognizing that modernization is generally the path through which we overcome the technical debt that we have today, which is presenting vulnerabilities. The challenge that we have to wrestle with is, as Steve was describing before, the federated nature of the enterprise. And in my own personal opinion, innovation rarely happens from the top down through one program. Innovation happens from the bottom up, where you have somebody who's smart enough to recognize that this newly available technology is a fit for the program that they've been wrestling with. And they know how to apply that new technology to solve that problem. The challenge comes when people across that federated organization don't draw the circle in the same way, from a Venn diagram perspective, around what they consider to be the problem. And therefore, at some point in the future, when the CIO or some other similar official says, we can't afford all of these disparate solutions, we've got to come to a best-of-breed agreement on how we're going to do this, and they choose one program and kill the others, what you end up doing is breaking the things that are outside the circle of the Venn diagram for those other than the one that you chose. And that forces everybody to go back to the drawing board from an innovation perspective, and come up with new ideas. So that is sort of a segue into the workforce aspect of your question, Josh. The workforce has to be competent, it's highly distributed, and it also has to be connected to the top, so to speak, with a coherent plan that provides them with an understanding of the modernization intent, and the approach that they're going to follow.

Josh Brodbent: Thanks. That's a great answer. Steve, I'm gonna turn to you. And I'm gonna go backwards just a little bit. But that's because I want to kind of combine your thoughts on that performing a PAM analysis of an enterprise environment before you embark on a Zero Trust architecture. I want to kind of combine that question with another one. How do you see IAM and PAM fitting in as parts of ICAM? And specifically, how do they each collectively contribute to the assurance that we are protecting users and identities? Basically, what's the value in performing that PAM analysis, and then how does that fit broader into the concept of ICAM, as it relates to users and identity?

Stephen M. Wallace: Sure, so PAM, is absolutely a critical component of obviously, the privileged user sort of experience, right, but making giving a privileged user the least amount of privileges as possible, making it timely so that it's not open ended, and ensuring that the you know, it's bound is the bottom line there where traditional, you know, user access tends to be a bit more wide open, you know, they obviously don't have as many rights, that kind of thing. So it's, I guess, I look at it from two different aspects coming at the, you know, the data set on the back side, and the system on the back side, and your privileged users are likely coming from one direction. And again, bounding them as best we can. And then your, you know, your general user population coming in via different methodology, whatever that transport mechanism might be. But, you know, with a, with a more wide open, sort of set there, so are wide open set of accesses. So we definitely want to, I've seen way too many times in the past where we've had, you know, those privileged users coming in with the same credentials and just, you know, as a regular user, just basically getting elevated over the same, you know, conduits, if you will, or the same access methodologies. And that's just, it's a recipe for disaster. So as many ways as we can bound, the privileged user access and tie it to OT strong auditing is, you know, benefits everybody.

Josh Brodbent: Thank you for that. And absolutely strong auditing is a component that is absolutely critical in making sure that as we're going forward with Zero Trust architectures that we can define and look at who is continuing to access what, identities are accessing what. So there is a question posed someone I'm gonna let both of you guys answer this one. How will the DoD go about defining those PMP access privileges in a PAM-enabled Zero Trust environment? Steve, I'll start with you there.

Stephen M. Wallace: So that one's not a trivial ask. Right. And I don't know that we've defined that quite well, how the, you know, department wide we are going to tackle that one right now. It's being tackled in different enclaves thus far. I haven't, at least me personally, seen a lot of policy around how we want to do at scale some of that privileged access. You know, right now we have policy and procedures around separation of credentials and red forest sorts of concepts. But we certainly need to go, you know, there's opportunity for us to go deeper and get a little bit better defined in that respect.

Josh Brodbent: Thank you. Joe, do you have any thoughts there about ways to approach that? 

Joe Brendler: Yeah, so, I think you have to examine policy in the sense of multiple layers of abstraction. And recognize that at the lowest of those, you've got devices that are acting on instructions they've been given according to policies, and they do so in real time continuously. And above that level of abstraction, you have to have the ability to judge whether or not that set of policies is achieving the desired intent. And if things aren't going more or less the way they ought to be, you have to have a mechanism through which you identify the gaps or the modifications to policy that need to be addressed, and produce and disseminate new policy to those devices. And that's just two layers of abstraction. But I think there's the possibility that some of that work could be done with analytics and automation, so that you've got a control system automated to modify the existing set of policies that are being implemented at the very low tactical device level. And then above that, you have sort of the human intervention loop, which is looking at what that automated system is achieving at the macroscopic level, and then adjusting the algorithms that the automated system is using to adjust policy. That's my thoughts.

Josh Brodbent: Thank you. I appreciate that. Steve, I'm gonna pivot back to you for a second, what are like some of the challenges or roadblocks someone or an organization could face when looking to implement ICAM, PAM, IAM, Zero Trust? You know, I mean, I'm kind of broadly lumping them all together, because they're kind of you know, interweaving back and forth. But what do you see as some of the challenges or roadblocks around those strategies?

Stephen M. Wallace: So I've been in different capacities in working in a number of ICAM spaces for about 20 years now. I guess, just shy of 20 years. And the thing that I've seen, I've seen a number of programs come and go with varying degrees of success. And probably one of the biggest challenges that we've seen over the course of that time is the attributes and the, you know, not just the what attributes, but also the syntaxes, and the, you know, the data quality and that sort of thing within those attributes. So as you want to get into more decision making, you know, around, and we've talked about ABAC now for 20 plus years, you know, when you want to get into more decision making around those attributes, few people want to hang their hat on attributes that they don't trust. So if I'm giving you access to my system, and I don't have confidence in the fact that the attributes that we are going to be making decisions about are timely and accurate, people tend to back away really quickly and go back to the more traditional ACL that, you know, they can control and they can allow Bobby or Susie or whomever in there manually. The problem with that approach is that that gets stale too. Although it's in your control, that gets stale pretty quickly too, because as Bobby or Susie's role changes within the organization, oftentimes those ACLs aren't updated, and they get to sit around, and then you have the issue if their credential gets popped, and you know, what someone might have access to, if they get ahold of those things. So I'd say above all else, you know, the quality and the, you know, deciding what attributes actually matter, and what attributes maybe you don't necessarily need from an enterprise perspective. But what can you gather at a more tactical level, and maintain them and keep them up to date, and maybe make them time bound and make them expire after, have to be revalidated after such a period of time.
But certainly the enterprise top down, we are going to have these 50 attributes and here's how they're going to be laid out, that I don't know that I've ever actually seen that work and work well, from a security perspective. From a white pages, it's not as critical, but when we're really talking about access management. The other side too is credentialing and being more open to, you know, other credentials. And, you know, the Department of Defense made a significant investment, you know, 15 plus years ago, in the common access card, the CAC, which has done great things for us with respect to, you know, limiting exposure and credential theft and that kind of thing. It's really done great things for us. But the reality is that it didn't catch on in the rest of the world outside of the federal government. So, you know, we need to be mindful of a lot of the new technologies, things like FIDO that have come out, and username password with MFA, whatever that MFA component might be, whether that's a, you know, an authenticator app or something like that. Those have proven very successful out in the commercial world. And you know, as a department, we need to offer users a variety of access methodologies, or credentialing methodologies, rather than just the common access card that we have today. We're certainly moving in that direction. The last over the pandemic with the CVR environment that we had, that was all username password MFA.
And the department learned quite a bit during that experience, and gave us a lot of data and a lot of education about how in an environment like that can work, you know, with alternate credentials, you know, and the other, you know, on the privileged access side, as I kind of mentioned before, you know, that that time binding and the, the, you know, connectivity to, you know, your ticketing system, that kind of thing, limiting, you know, the scope of what the privileged user can do, I mean, I came from the olden days of Novell NetWare, where, you know, it was supervisor and that had access to everything. And, you know, we have to get, you know, a lot more tight where you have many different tiers of your privileged users, and you don't have a single group, or a very limited set of a single group that can run, you know, the gamut of a system.

Josh Brodbent: Novell that brings backs and doesn't isn't memories. I was, uh, yeah,

Stephen M. Wallace: I figured I'd throw that one out there for old times sake.

Josh Brodbent: Yeah, no, I appreciate that. Joe, I'm gonna pivot to you and give you a chance to also respond to that same question, what are some of the challenges and roadblocks that you see someone can face when looking to implement one of these strategies?

Joe Brendler: So I think the first one is you recognize that identity, the identity of a user or a device, is one thing that is the purview and responsibility of one system. But the information about that person or device may actually be resident in the responsibility of a different system. So the attribute based access control, as Steve was talking about, will likely require the integration of different systems in order to aggregate that information to authoritatively authenticate the user, and authoritatively present the information about that user that's necessary to make a determination about whether they should have or continue to have access. And on top of that, the next layer of complexity in my mind is the difficulty of overcoming challenges and making that system function continuously. So when you think about what we've done so far with multi factor authentication, I think Steve had a great point, the CAC was a great add to security for DoD. And I remember actually starting to use common access card in 2004. A long time ago, I remember starting to use PKI certificates to secure email in 2000, a long, long time ago. And that enabled us to implement multi factor authentication at the user level using a technology that's now not the current state of the art. We can add different authenticators that's physical and software ways in which to verify or authoritatively determine the person is who they say they are. But in order to do it on a continuous basis, and have an even higher level of assurance that they are who they say they are, and should continue to have access based on what they're doing at the moment, we can incorporate information about a lot of other factors other than the ones that we've been aggregating today in MFA systems.
So a truly modern dynamic multi factor authentication system would include the capability to aggregate information such as DISA has tried to incorporate in some of its pilots involving the way that the user is behaving physically and in terms of their operations on the network. If you think about what we've done historically, from the perspective of our concern about insider threats, we've made the determination that it's appropriate to monitor what people are doing. If we could have that information available, not from a counterintelligence case perspective, but from a continuous multi factor authentication perspective, we can incorporate information we're probably already gathering in some cases about what the user is doing that would help us make a richer and more meaningful decision about whether they should continue to have access, and so forth. And I think that you can extend that example that I just gave beyond just the user pillar and look at doing it across the other pillars as well: device activity monitoring, network activity monitoring, and the aggregate application activity monitoring, and the ability to implement something like micro segmentation in order to mitigate the challenges that that would imply on a real time basis. Those are the objectives. And there's a lot of work to do there. Just the volume and the magnitude of it is a challenge. And the integration of it is probably in my mind the principal challenge, because any particular project or pilot is going to have limited scope. And when you have to scale up to something the size of the Department of Defense, it's going to be much harder than it was in the pilot.

Stephen M. Wallace: And, Josh, if I could just add on to that, you know, when we talked about ABAC earlier, in the past we always focus ABAC on the user identity and the attributes about the user. In my mind, Zero Trust is really just a larger ABAC equation, right? It's, I'm taking those attributes about the user and, you know, I don't know, employee type equals whatever, and on and on and on about the user. But I'm also adding in the attributes about the machine. Have I seen this machine before? Is it running a proper version of antivirus? Is it patched? Is it on and on and on. Attributes about the network where the user's coming from, potentially geography, you know, time of day, have I seen the user via the analytics, have I seen the user come in, during these hunting for what's my risk score associated with it, one on one. But everything becomes an attribute. Even on the data side, the data, you know, via metadata takes on those attributes. And it really looks more like a math equation than anything else. But we're really just taking the attributes about each one of those pillars. And that equates that access control decision, right or wrong, to let the user in.

Josh Brodbent: If my Calc 2 professor could see that I was moderating a web panel about math equations, he would not believe me in this moment. Steve, I'm gonna direct this at you. Privileged accounts are that subset of accounts that provide highest levels of privileges to perform a task. And I know the argument can be made that any account that has access to data is privileged. So I'm not really going to go down that particular path. But what I'm going to say is, why are controls on those accounts important, and what method does the DoD use today to define that privilege level access?

Stephen M. Wallace: There's a few examples back to Tom about why that matters. That, you know, to your point, every user has some level of privileges, it's just a measure of how privileged those privileges are. I guess we need to go back no further than the days of the old Pass the Hash attacks, of, you know, where an adversary would get access to a system via one set of credentials, find a cached set of credentials for somebody else on that, you know, on that device, and then work their way up the chain, just going back and forth. So your ability to limit one user and as tight as and, you know, as strongly as you can authenticate them and sort of, you know, wrap their privileges, the better. That's when it starts to get messy, when things frankly get, you know, left lying around. You don't want too much lying around and you don't want whatever that is to potentially have greater privileges. I certainly think it's important across the board. And again, it goes back to those days, if it's not no longer just, you know, purely, you know, the privileged user versus a non, there's such an array, you know, between those that it's important to define that as best you can, again, to my point earlier, not trying to turn every security screw and flip every switch in the world, but, you know, have a pretty strongly defined methodology and stick to it.

Josh Brodbent: Thank you. Yeah, I think that's a great point. Joe, I'm gonna pivot to you. First of all, I really appreciate how you made me feel my age when talking about how old PKI and CAC is that honored that I get to remember that my kids remind me of that almost every day at this point. So I want to kind of take that and pivot just a little bit. And I'm gonna bounce back and forth between a couple of topics here, but how does Privileged Access Management fit into the overall objective of enterprise network modernization?

Joe Brendler: I just wanted to start by saying that whatever you had in mind about age, I think I got someone Yeah. So you know, starting with that, I think, in fitting PAM, into modernization, you're looking at where does one pin fit on the map. And it's one of the many, many things that you have to do. So I think it's important to look at it in the context of ICAM and how you want to modernize that in the aggregate. I think you have to look at it in terms of the affected systems and how you want to modernize them and, and then integrate those ideas in some form of a coherent roadmap.

Josh Brodbent: Thank you. I think that's a great answer. So just kind of on that general concept of, of ICAM, and kind of the enterprise network modernization, I'm gonna step out to the ICAM part of it for just a second. Steve, what's the latest on ICAM? Are there any updates? Or what's the focus for agency adoption right now?

Stephen M. Wallace: Sure. So DISA has an ICAM prototype underway right now, we're in the final stages of that, if you will. It's definitely been useful over the last year to help us sort of re-approach the problem. As I mentioned, you know, the department and the government at large has had a number of identity related programs over the years. And I think we certainly learned from that as we stood this one up. And, you know, really looking forward to sort of what comes out of, there's a few new and frankly, approaches that haven't been taken in the past. I don't want to say novel, because that means that it hasn't really been done elsewhere. We're, we've adopted what we've seen elsewhere, brought that into the fray. And so, you know, it's, we've definitely learned a lot. And there's also been over the last year, some other developments outside of our existing ICAM program that we're looking to incorporate into a unified architecture moving forward. So I don't have anything to formally announce today. But within the very near future, we'll have more to share on it. And I've actually got a diagram up on my screen right now that I was working on this morning, as we're trying to find that way forward. So I'm pretty excited about where that's going to go. I mean, we, we talked earlier about the allowing for other credentials, beyond just the CAC, that kind of thing. I think that's a really exciting and important part of it. And then just some of the overall infrastructure that we're going to have behind it, I think will really be a good thing to help move the department forward from the ICAM perspective.

Josh Brodbent: Thank you. Joe, thinking more about you. You're saying that you had a couple on me. This weekend, my kids were, we took them camping, and my oldest son is into music now. And we were in the truck. And he's like, Hey, Dad, have you heard of this awesome band called Coldplay? They're amazing. And I just looked at him, it was like, No, you don't get to try to introduce me to Coldplay, this is not a thing. So I have been feeling my age this weekend. But kind of speaking of feeling your age, seeing Zero Trust and ICAM come to the forefront of the enterprise network modernization, what is your perspective of how those things correlate, and also what it looks like, from your perspective, having seen these concepts get introduced? And now here we are, talking about how they're absolutely a necessity to anything that we're going to do.

Joe Brendler: Thanks. I started the Josh, I got distracted thinking about your comment about age again. And I have to tell you, you know, Coldplay is your example. I still got it on you, because my example is Bob Dylan and Pink Floyd. So, to your question, I think if I were to, I mentioned a Venn diagram before, if I were to draw a Venn diagram of what we're discussing, I would start with a box representing the universe and somewhere within it, I would have a big circle that represents the Department of Defense's information networks, the DoDIN. And then within that, a circle representing Zero Trust, the philosophy that we're trying to apply or the principles through which we're trying to make that DoDIN more resilient. And then within that, ICAM, representing one of the central ways that we're trying to achieve that objective.

Josh Brodbent: Awesome. So pivoting to Steve, for just a second, what is the latest on enterprise network modernization? Are there any updates there? I know I asked you about ICAM earlier, but this is slightly broader in that scope.

Stephen M. Wallace: We are constantly evolving. So across the board, you know, one of the bigger things that we have out there right now, and will be one of our bigger initiatives over the next many months, is a project called Thunderdome, which is really that employing of a number of the Zero Trust concepts that and ICAM underpins all of that, and is, you know, one of the relying services that that we need to be there. But that is going to change a number of things across the board. You know, when we talk about network modernization, the reality is the game has changed, not just in the past 10 years we took we tend to go back 10, 11 years, whatever it is, and talk about how data started moving around, right when the department started adopting a lot more cloud services, the data sort of it was dispersed. Prior to that we had NIPRNet, which was you know, our own unclassified bubble, where the data and the users both were resident, and then the data started moving about, and then slowly the users became more mobile. And then here we come 2020 and the users become far more mobile. And you know, the traditional way of backhauling that traffic in via VPN to turn and send it back out in different direction isn't conducive to a good user experience. It frankly doesn't add a lot of you know, security benefits from that perspective. So, so Thunderdome is our first step towards working to address that, you know, making the network where the user sits less of a factor, and really pushing those boundaries towards the, towards the endpoint, as well as towards the data set. So, you know, when we talk about, you know, network modernization, the first thing you said, you know, Thunderdome is really what comes to mind for us is, is really the realization that, frankly, the game has changed, if you will, and that we need a different approach to the way that we handle it in general. 
And that both from the security side of things, but also from the network and infrastructure routing perspective and how we integrate in with, you know, other commercial providers, as I talked about that data moving around, you know, having rather than just, you know, cables running from one page to another, when we integrate in with other providers, how do we better mesh the networks and in a more secure fashion, to make the network overall much more resilient. And that's, that's you're going to see some significant changes in that respect over the coming years, with the way that the department approaches it.

 

Joe Brendler: If I could dovetail on to that, Josh, I, you know, one of the things that connects modernization to the Venn diagram I talked about before here is the fact that it really is an overlay to the entire thing. We're talking about having to modernize, as Steve said, in order to evolve. So we are continuously improving or extending the capability we have, but we also have to sustain all of the capability that we've developed in the past. So that modernization becomes the method not just for improvement or extension of our capabilities, but also just for the fundamental sustainment of our capabilities, because we cannot afford to purchase wholesale a replacement solution for the one which is no longer cutting edge. If you look at an organization the size of the DOD or the Army or any of the services, or even any large size organization within the services, you can't afford the bill to replace all of that system across the entire organization with new cutting edge stuff, so you have to continuously modernize in order to sustain.

Josh Brodbent: Thanks, Joe. I absolutely agree with that. Also, I'm really glad that Steve brought up Thunderdome just because I feel like there's about 14 Mad Max GIFs that should be throwing in right here. I'm not necessarily supposed to do that. But speaking of Thunderdome, and by the way, as a side note, I really wish we would get to vote on what we decide to call new things. But apparently this is called SASE networking. That is S-A-S-E. Secure Access Services. Yeah, yes, sir. That's right. So from now on, we really need to like set out some sort of policy to vote on these things because I'm not going to talk about SASE networking for the next three years. I'm really not. But kind of as we talk about that and we talked about Thunderdome and the way that's going to work. And Joe, to your point about not being able to, you know, forklift replace, to stay on the cutting edge, right? When we're talking about these things that are ultimately evolutions of our current network landscape, what do we look for in capabilities for these types of programs? What are you looking for as far as, you know, what defines that SASE network for you and the project that you're looking to do with Thunderdome?

Stephen M. Wallace: SASE is definitely a core capability in there. And that was one of the things that as we started looking, you know, about a little over a year ago, my team published our tech watch list for 2021, FY 2021. And we talked about perimeter modernization or perimeter evolution, I think is what we termed it in there. And what was behind that without actually naming it was the thought of, Hey, with the SASE thing, and I had the same reaction when I first, I was first talking to someone and they said, Oh, we have this SASE product. And I didn't know if they just meant, you know, it was really cool and smarter, whatever, what the heck the SASE thing meant. So I had to go off and do some research. But where was this emerging, you know, area of the SASE capabilities and how can that improve the department, it really kind of became core to what we were looking at going forward. And the idea was really that, you know, as I mentioned before, a lot of times we backhaul traffic into the network just to turn around and send it out. And I give the example that's almost like telling someone to go from DC to Chicago, by way of Miami, right. So I'm going to, I'm going to funnel you all the way down there to turn you around and send you in a different direction. It doesn't make for a very, unless you really enjoy dripped, it doesn't make for a good journey. And the same is true for it. But that's where we think that SASE can come in. And it's really that meshing of VPN-like capabilities with some of the greater controls and access rigor that we talked about with Zero Trust. That's really where we see SASE coming together now in that product space. We see vendors that, they fall into that category, but they accomplish it in many different ways. And, and to be frank, that's why we were less prescriptive when we went out on the street with Thunderdome.
Because we didn't, we didn't want the government to very, you know, be deeply prescriptive as sometimes we are and say we want XYZ, we really wanted to see what industry comes back with. And we're really excited, you know, about that opportunities to see how, you know, we can work with industry on that and going forward. So certainly more to come. The teams are assembling the team, the, you know, things are very much moving forward in that space. And there's not just within DISA, a lot of excitement around the Department of Defense around Thunderdome. There were already several of the services dabbling in that space. This is, at least from what I understand, the department's first big foray, kind of, into this space. So we are over the moon excited about it.

Josh Brodbent: Thank you for that. Also, in reference to your travel example, I would like to introduce you to every airline layover. So just thought, you know, as you were saying that.

Stephen M. Wallace: And I real quick on the Mad Max thing. You do realize that Mad Max actually took place in 2021. Right. So that may have been a factor in some of the naming. Just saying.

Josh Brodbent: Okay, Joe, let's get your thoughts real quick here on that same topic of Thunderdome and the secure access service edge. I want to do that real quick where I actually just looked down and realized that we're getting really close on time. So I also want to give you guys a couple of minutes each to leave us with some parting thoughts. So Joe, real quick, your thoughts on that particular form of modernization.

Joe Brendler: So Steve mentioned that SASE is one of the things that they're looking for in the Thunderdome effort. And along with that you'll see in the documentation they put out there's also Software-Defined Wide Area Networking, containerized security solutions, analytics, an implementation of the DoD Comply-to-Connect program and implementation of the ICAM solution. And with the analytics, the ability to provide defensive cyber operations to protect and secure data. So those things function in the aggregate to produce this capability that they're calling Thunderdome that really helps redefine the way we would do security at the edge, and what we think of when we think of where the edge is. In fact, I think this is an opportunity for the Department of Defense to significantly shift the paradigm for its definition of the perimeter. And we've kind of had to do this anyway, over the course of the last couple of years in particular, as COVID required us to push a lot more people out to work from home. So we had to put out VPNs to bring them back into the network so that they could be actually inside the perimeter of the DoDIN. So now the DoDIN perimeter actually includes people's houses. And we've had an increasing rate of adoption of government and commercial cloud solutions. So DoD's data is now outside the location of what we've historically considered to be the perimeter of the DoDIN. So the way that the requirement is constructed for Thunderdome, you essentially are bringing both of those areas inside the perimeter again, with a new innovative state of the art solution. So that's kind of the way I think about it, Josh.

Josh Brodbent: Awesome. Thank you, Joe. And I'll turn it right back around to you. Real quick, what is maybe a closing thought or two you want to leave this group with?

Joe Brendler: Yeah. So I think that innovation starts from the bottom up, but you got to have coherent direction from the top down to manage it. And the scope of the problem is so vast that the solution is going to require integration of a wide number of different capabilities.

Josh Brodbent: Awesome, thank you. Same question to Steve.

Stephen M. Wallace: Sure. So that totally agree with Joe. It's not just that it can't be directed downward. The folks across the board, we have an amazing group of individuals that are deeply talented, that really we need to make sure that their voices get heard. You know, as we're moving forward, they're seeing a lot of this stuff real time and, and where, you know, some of our strengths and weaknesses are. So absolutely, innovation, it comes from the bottom up, but really excited about what we are on the precipice of with respect to ICAM and with respect to, you know, Thunderdome and where this is all going. It's, I've had the privilege of being part of, you know, many different programs over the years. And these are the ones that I think are really going to set us apart and set us forward for the next, you know, decade plus. So thanks all for having me. I've really appreciated the time, Josh and Joe. Good to see you again, Joe. Thank you.

Josh Brodbent: So I was gonna say real quick, kind of the last thought that I wanted to leave people with is, notice how central PAM is and a lot of these conversations and pillars and if that's a conversation that you're beginning to have, we would absolutely love to continue that conversation. With that I'm going to turn it back over to Carahsoft.

Speaker 1: Thanks for listening. If you'd like more information on how Carahsoft and BeyondTrust can help strengthen your agency's resilience against cyber threats, please visit www.carahsoft.com or email us at iis@carahsoft.com thanks again for listening and have a great day.