CarahCast: Podcasts on Technology in the Public Sector

Improving National Cybersecurity: Government & Industry Collaboration for Zero Trust

Episode Summary

President Biden’s Executive Order (EO) has accelerated the crucial need to improve U.S. cybersecurity and move towards Zero Trust. When building a true Zero Trust Architecture (ZTA), it’s critical for agencies to understand that security solutions need to work together to provide the best line of defense. Hear SailPoint, Thales, and BeyondTrust collaborate with government security leaders to discuss this topic.

Episode Transcription

Speaker 1: On behalf of BeyondTrust, SailPoint, Thales and Carahsoft, we would like to welcome you to today's podcast focused on Improving National Cybersecurity: Government and Industry Collaboration for Zero Trust, with Gerald Caron, Chief Information Officer and AIG for IT at the Department of Health and Human Services Office of the Inspector General, and Lawrence Hale, Director of the IT Security Subcategory at the Office of Information Technology. We'll discuss how security solutions must work together when building a true Zero Trust architecture.

Frank Briguglio: Thank you very much. This is Frank Briguglio from SailPoint. I'm the global public sector strategist here at SailPoint. Thank you, Carahsoft, and all of our partners here today, and welcome to our government panelists. I'd like to start off with Mr. Caron so he can introduce himself. And then we'll go to Mr. Hale, and then Josh Brodbent. And Eric, and then we'll go ahead and get started. Gerald, it's all yours.

Gerald J. Caron III: Hey, thank you for having me. My name is Gerald Caron. I am the Chief Information Officer and Assistant Inspector General for IT within the Department of Health and Human Services Office of the Inspector General. 

Frank Briguglio: Mr. Hale? 

Lawrence Hale: I'm Larry Hale. I'm the director of the IT security subcategory in GSA's Federal Acquisition Service in the IT category office.

Frank Briguglio: Thank you, sir. Josh?

Josh Brodbent: Hi, I'm Josh Brodbent. I am the senior security director for public sector for BeyondTrust software. I've been here for about five years and supporting the broader PAM solutions for 10 now.

Frank Briguglio: And Eric?

Eric Avidgor: Hi, I'm Eric Avidgor. I'm the Director of Product Management at Thales, specifically for identity and access management. I have been with the company for 16 years throughout different acquisitions.

Frank Briguglio: Great, it's always my pleasure to have the opportunity to speak with our government and alliance partners. Today, we have a great discussion lined up around the cybersecurity Executive Order released by the Biden administration back in May. First, some key takeaways and buzz from the EO, one being that Zero Trust initiatives across the federal government need to be accelerated to improve our cybersecurity. Also from the EO, which was kind of interesting, was the definition and classification of critical software. NIST and CISA, you know, came together and released guidance on this. And they define critical software as software that has, or has direct dependencies upon, one or more components with at least the following attributes. And these are interesting, and this is kind of setting the stage for our conversation. It's software that's designed to run with elevated privileges or to manage privileges. It has direct or privileged access to networking or computing resources. It's designed to control access to data or operational technology, and it performs a function critical to trust, or it operates outside the normal trust boundaries with privileged access. Now, this sounds all kind of familiar; we just heard Josh introduce himself from BeyondTrust. What's interesting about the list of what was defined as critical software is that ICAM is at the top of it, and identity, credentialing and access management is not only critical software, but it's critical to these other components that were listed, such as operating systems, container environments, endpoint security, network control and protection, monitoring and configuration, operational analysis, remote access and configuration management, and backup and recovery. So really, you know, this is going to be a great tie-in to this conversation where we have three ICAM vendors here, along with Zero Trust experts from our government agencies. 
So, you know, as we've seen, as we know, federal agencies have been making significant progress towards digital transformation and IT modernization, even before the pandemic, at a pretty good pace as a matter of fact. And with the rapid adoption of new hybrid and cloud infrastructures, SaaS platforms, and infrastructure as a service during the pandemic, we've opened our boundaries, obviously, to a remote workforce and even new mission partners, introducing more risk. And we've seen that from some of the significant breaches over the past, you know, let's call it several years, but several months. You know, when we look at the SolarWinds incident, we look at the pipeline incident, those are two big, impactful breaches that probably affected most of us here today, and every citizen for that matter. There's no shortage of definitions for Zero Trust. This is really, you know, there's been buzz around Zero Trust for several years now. And one thing before we get started: you'll hear about the pillars of Zero Trust, you'll hear about the fundamental tenets. I'm going to start off with how NIST defines Zero Trust, and then we're going to ask the panel to define Zero Trust in their own terms and what it means to them. The seven tenets that NIST included in NIST 800-207 were: all data sources and computing services are considered resources; all communication is secured regardless of network location; access to individual enterprise resources is granted on a per-session basis; access to resources is determined by dynamic policy; the enterprise monitors and measures the integrity and security posture of all owned and associated assets; all resource authentication and authorization are dynamic and strictly enforced before access is allowed; and the enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications. Yes, I had to read all those. So that's how NIST defined Zero Trust and the tenets of Zero Trust. 
Gerald, why don't we start off with you? With that, what does Zero Trust mean to you and to your agency?

Gerald J. Caron III: Means that I've got work to do. Yes. Yeah, so I actually had to develop a little diagram to be printed on a plotter so that I could educate folks on Zero Trust that I talk to, because, you know, they talk about "I'm doing Zero Trust," and they're doing like a snippet of something. And it's like, no, you don't understand the full landscape. It's a little more than that. No offense to anybody here, but you know, a lot of people scope it to identity, and it's a little more than just identity. You know, I like to use the example: if Frank's account got compromised, what's the first thing the cyber analyst is probably going to ask? What did they have access to? And is there exfil? So what is it about? It becomes about data. And that's what we're trying to protect. At the end of the day, that is the end. All data is not created equal. So moving closer to the data to protect the data, making sure the right people have the right access to the right data at the right time. And what facilitates access to that data is an application. A lot of people talk about endpoints, but I like to say it's actually the application, because usually it's a browser or an app or something like that. But that's not to say that you're not going to do something along with the device. At the end of the day, it's about protecting data. And we all know all data is not created equal. I always use the example of the bologna sandwich and the crown jewels, or the cafeteria schedule. The cafeteria schedule gets compromised. Okay, well, they know what day turkey is going to be. But as long as they're not getting to my crown jewels, can I contain that? All right, they're not getting access to my crown jewels; my crown jewels are still protected. If I can answer that question, I've been successful in Zero Trust. 
But I think there are three main pillars, as I said: data; endpoint/application, which facilitates access to the data; and identity, the right access for the right people to the right data at the right time. And that's basically my little five-minute elevator speech of a Zero Trust definition.

Frank Briguglio: Perfect. Perfect. Larry, over to you.

Lawrence Hale: Gerald said it so well, I can't put icing on that cake. Gerald, you beautifully characterized it and clearly, you know, demonstrated that deep knowledge. So when I'm talking to people about Zero Trust, and helping agencies think through their planning for Zero Trust, one of the important things that I think people need to understand is, one, there's no single silver bullet. And two, it does not call for an entire rip and replace. There's a need to assess what you have. As Gerald said, what data is the most important? Where are the crown jewels? How do you protect them? And how do you control access to them? How do you use the technology that you have today to optimize that Zero Trust architecture? And then where do you need to enhance in order to better protect, better isolate, and better identify who and what is getting access to those crown jewels?

Frank Briguglio: Absolutely. So now let's get an industry perspective. Let's start off with Josh, what does Zero Trust mean to you? 

Josh Brodbent: So, you know, obviously this is a conversation that's been ongoing. Like you said, it kind of got some buzz a few years ago; it's really starting to get some traction and be defined now, which is nice. But the first thing when I start out a Zero Trust conversation is exactly what Larry said a minute ago: there's no silver bullet. There's no such thing as an all-encompassing Zero Trust solution. But I've used Zero Trust as an architecture or a posture that you have, or a direction that you head in, and not necessarily a thing that's established; it's something we want to head towards. And at the end of the day, to me Zero Trust boils down to two things: always authenticate and verify, and assume you're breached and never trust anything. And when we take that posture and we apply it towards identity or data or application, then we begin to take a look at what Zero Trust looks like inside our particular environment.

Frank Briguglio: Absolutely, Eric?

Eric Avidgor: Sure. I think, you know, one of the interesting things that's been happening in the past two years is really the explosion of Zero Trust. And I think the pandemic for me is the big bang of Zero Trust, right? It existed before that, right, but now it's become so much more important. Back to, I think, Gerald, who mentioned something interesting: everybody thinks identity. And especially me, coming from an identity vendor, I will tell you identity is important. However, it is all about data. I absolutely agree. It is all about protecting data where it matters, when it matters. The question becomes, and that's one of the gaps that, you know, we've been seeing with our customers globally, that mix of identities and data and applications and environments; there's always a gap. There are always users that are not covered well enough with multi-factor authentication. There's always data, there are always applications in the cloud or on prem that are not covered well enough with multi-factor and single sign-on. There are always environments that users log on to with passwords. The journey towards Zero Trust, to me, is the journey of covering those gaps. It's not a one-size-fits-all solution. It's never a single application; it's a journey towards covering more gaps.

Frank Briguglio: Absolutely. And I agree with all of you. You know, as an identity practitioner, having been doing this for 20-something years within the federal government, I'd like to say the identity community's been pitching the same story all along. We're finally just getting the seat at the table and the recognition where identity belongs. It is critical. But with that, you know, prior to the Executive Order, I believe Josh, Eric, everyone kind of hit on this, that this is not a new topic, right? So, prior to the Executive Order, prior to the pandemic, many of the agencies were already going down this path to Zero Trust. Gerald, in your experience, in your agency, for example, does the impact of the Executive Order and the release of NIST 800-207 change your strategy at all towards Zero Trust? Or were you already right in line? I know you're involved in some of the back end of this stuff, so we might be cheating here. But, you know, I'm really interested to hear the impact of the Executive Order on your program.

Gerald J. Caron III: So I think what the Executive Order really does is it really helps tell the agencies as a whole, because this isn't just something that kind of falls under the CIO. This takes a village; it's not like the network people, it's not just the identity people that are doing Zero Trust. It's not just one group, it's going to take a village. And it's a journey. Josh, I think, started going down this road. It's a framework, it's an architecture, it's not a project. It's a program. So I look at it as a program. But what it does is it gets everybody's attention. Now it gets, you know, senior-level management, the secretaries of the agencies, the undersecretary, the assistant secretary, the whole organization understanding that this is important: we have to put resources, we have to put prioritization towards this, we all must buy in, we all must participate. Now my job is to get everybody to understand what it is we're talking about. And that's what I've been evangelizing and trying to do for the last few years in my previous job, and now bringing people up to speed with my vision of what it is and what needs to be done in my current job. In that sense, it really has helped me say, and justify, yes, this is important. I've been evangelizing this. And as you can see, it's an Executive Order, and it's now important, so there's more attention. Of course, it helps with the need for resources and prioritization of efforts, which is a great deal. So, you know, my approach now is I'm inventorying. I've, you know, been here a few months in my new position, and I'm doing an inventory. As I think Larry said, and some others said, you know, don't throw the baby out with the bathwater. I'm inventorying what capabilities, what tools, whether they're operational or security, can contribute to Zero Trust. And how can I fit the puzzle pieces into that overall architecture and concept? And then I'll prioritize what I need to do. And then I'll identify my gaps. 
And, you know, how do I fill those gaps? That's kind of the overall high-level approach that I'm taking to this. But first, I started with an architecture. I have it compartmentalized, and I'm happy to share this with anybody that's interested, compartmentalized in functional areas, so I can prioritize within those boxes. But I have an architecture, a framework and concepts. And then I'm applying those tools to those boxes, the way I have it, and what fits in what boxes, and then I'll identify the gaps and what can contribute and what I can start working towards. So that's kind of been my approach. But the Executive Order has absolutely helped say, yeah, this is a priority, agencies. So it's not just the CIO saying it. 

Frank Briguglio: Right, Larry, your take on this.

Lawrence Hale: So yes, I absolutely agree the Executive Order did a great service, frankly, to get agency heads' attention. When the chief executive, when the president, says this is important, it gets everybody's attention, setting a 60-day deadline for agencies to submit their plans. They don't have to get to Zero Trust in 60 days, but they have to show that they're planning for it. As a result of that, or in support of that, my office produced a Zero Trust Buyer's Guide, which we released about 30 days after the Executive Order, so kind of in the middle of that 60-day planning window. And, you know, in the preamble of that Buyer's Guide, we also said the words, you know, there's no silver bullet; it is a journey, not a destination. So, you know, when Gerald has identified his gaps, when our executive branch agencies have identified their gaps, the Buyer's Guide gives them a resource to help find out, well, now how can I address those gaps? Again, there are families of technologies, of products, of services. And many agencies, frankly, don't necessarily have the in-house capabilities to actually do their assessments and to develop their architecture. And so many need to get access to commercial expertise, to, you know, cybersecurity expertise that's available through industry. So all of those services are available, and the Buyer's Guide helps agencies find, you know, where can I get this help? And where can I get the right tools when I need them?

Frank Briguglio: Yeah, that's a critical thing. And Larry, this one's going to come back to you. Many of the agencies, all the agencies, you know, are progressing down this path with the DHS CDM program and a diversity of tools. Does the Buyer's Guide align those tools with the gap analysis? I would presume so. I'm going to take a look; this is the first time I've heard of your Buyer's Guide, and I'm definitely going to go take a look at it. I think, you know, there's been a lot of work done in the CDM program to provide this foundation, and it would be a shame to see that work scrapped. You know, there are a lot of key initiatives, and I personally think this is an opportunity for the CDM program to really support the Zero Trust initiative, and for those two to come together. Your take on that?

Lawrence Hale: Absolutely. I agree completely. And, you know, CDM is a vital ingredient in that architecture. Clearly, if you think of Zero Trust as a concept, the concept of continuously, you know, doing continuous diagnostics and mitigating, the idea of time-sensitive access controls, I mean least-privilege access and access for a session, not forever, and basing access on what your function is, not on where you're accessing from. All of those concepts are consistent with continuous diagnostics and mitigation, and with the tools and the processes that the CDM program promotes. Again, that need to assess what you have, and ensure that you're using the capabilities that you have deployed, that you're using them appropriately, and that your utilization of those tools and features supports both your CDM and your Zero Trust concept and your Zero Trust architecture. Absolutely.

Frank Briguglio: Yes. You know, kind of a follow-on to one thing that you mentioned, Larry, about the assessment, and then the architecture expertise, and you all mentioned also about having to educate. One of the things that's been a gap, and we've heard a lot about in the press, is, you know, just our ability to have those resources within the agencies to support these types of initiatives. Do you see this is going to be a big problem as we get into kind of the full swing? Are you having to retool the resources, reskill resources? I mean, this seems like it's going to be a pretty heavy load.

Lawrence Hale: I'll take the first swing at it. I mean, it is an architecture, it is a change in mentality and a change in concept. The good news is that it's not new, that it's not a new concept, and that the Executive Order has leveraged and doubled down on a concept that was already gaining traction and that was gaining a lot of positive attention from recognized experts across government and industry. You know, the work that Gerald has done, the work that the folks who wrote the ACT-IAC paper on Zero Trust architecture did, there's the NIST publication itself; there are a lot of great resources now, and various groups. So there's plenty of opportunity to develop the expertise, the knowledge, the capabilities. And again, as you pointed out, Frank, it's consistent with where we've been and where we've been going with programs like continuous diagnostics and mitigation. So it's not like a 180, you know, "Hey, stop everything, you've been doing everything wrong, go this way." It's really just, honestly, taking it to the next level, and thinking architecturally about my whole stack, not just, hey, do I have the right tools in the right places? But, you know, how am I protecting that data? And how am I controlling access, not just for individual people, but access from system to system? You know, identifying system-to-system access is as vitally important as identifying people.

Frank Briguglio: Absolutely. Gerald, did you have a comment on that?

Gerald J. Caron III: Yeah, a couple things. You were asking about resources, and Larry mentioned, you know, a few of the publications. But another thing is the people to actually implement. And if there's one thing that the pandemic gave us that I can, you know, say is a good thing, it's that we have proven that we can do our work remotely. And OPM just released some guidance, you know, that, hey, consider, you know, supporting remote work: can the job be done remotely? Then there's some support for remote work. So what does that do? That has greatly increased my hiring pool when I have vacancies, or, you know, my contractors can work; they don't have to be in the DC area. And in that diverse pool of expertise, I now have a much bigger pool to select from. The other thing, I think, and to go off some of what Larry was talking about too, is if you read the title of the Executive Order, it's Improving the Nation's Cybersecurity. The spirit of the Executive Order, if you read it, is moving, I think, and this is Jerry's editorial comment, his opinion, we're a very compliance-focused government. And you know, FISMA is very compliance-focused, our scorecard is very compliance-focused, CDM was based on FISMA requirements, which is very compliance-focused. The spirit of the Improving the Nation's Cybersecurity Executive Order is getting us to be more effective at security. There's a big difference between effectiveness and compliance. And the example I used to like to use is, if you look at the 800-53 controls, it will say you must provide authentication for the system. Okay, username and password, I provided authentication. No, that's not effective. So I think we're trying to move towards effective now. I think CDM is gonna have to change. And I think, you know, the head of CISA said Zero Trust is the thing, and that program will change. I think we'll see some standards change. 
I know right now, in some of the working groups I'm in, it's hard to map 800-53 controls to some of the concepts of Zero Trust, you know. And when our OIG comes in and audits us, they're gonna say, you didn't do this. Well, I'm being effective at my security, though. And that's the spirit of what FISMA is trying to do in reality. So I think we're gonna see some of those standards change. But I think really the mindset now, and, you know, not to rehash everything Larry said, because he said, you know, both the architecture and the journey and everything, but we're moving to be effective at what we're doing, not just compliant, because we know compliance and effectiveness are two different things.

Frank Briguglio: Absolutely. You know, I talk about this a lot, about operationalizing systems, and a lot of that is around some of the CDM data itself. You know, a lot of that data that's gathered, especially for the master user record, can be used to then move to that Zero Trust, you know, dynamic access model, when we have all those attributes now about the identity and about the privileges and entitlements. And, you know, as we collect the assets that the agencies have, now we can start building, we can get to that protect phase in the Cybersecurity Framework and build that baseline of what access should look like. And then, you know, get to the detect phase after that, and tie all the analytics together and tie it back to the identity and back to protection and back to discovery. So all of this really gets tied together, but it really is that operationalizing of the systems. And one of the things that I see a lot of is, you know, many of these systems are still disconnected. They're still implemented as silos. And that's one of the key things. And I'm going to ask Eric and Josh here in a second what they're seeing from the industry trends, but tying all of these, the SIEM/SOAR environment, to authentication and authorization, to privileged user control, and even to what we do in the identity governance process, being able to provide context around access and around anomalies. So Josh, why don't you give us your take on where things are at and trends you're seeing?

Josh Brodbent: Yeah, so as far as where things are, you know, we see with the EO coming out, obviously, the uptake and focus on Zero Trust, and the NIST publication, all of that stuff is definitely continuing to accelerate what was already a trend of implementing this Zero Trust architecture. And I like to think, going back to what Gerald was saying a few minutes ago about compliance versus being effective, to me that's very much the difference between the journey versus the destination, right? At the end of the day, technically, you can arrive at the destination of being compliant, but with the way that cybersecurity is, with the way that the constant wargames are, you're never going to be effective at cybersecurity if you merely maintain compliance. And that's one of those things that we are seeing, from a trend standpoint, is the concept of really having to educate our customers more than sell to our customers, right? To talk about what privilege management means, to talk about what Zero Trust means, and to talk about, you know, just-in-time privileges, so the solutions access exactly what they need, with exactly the amount of privileges for exactly the time they need. Those kinds of things are becoming a conversation, and more than that, they're becoming an educational conversation. So rather than having a demonstration, or a concept, or a call around exactly what our products do, we're seeing a trend of being able to educate agencies more on the way that our solution fits into that broader concept of Zero Trust and how it integrates with tools, as you were saying, Frank. Like, it integrates with identity providers and other things, because that is how this journey is going to continue, by allowing tools to work together and not be siloed in individual categories. 
Because the more data you have around what's going on from an identity perspective, from a privilege perspective, from a data perspective, the more information and analytics you can perform around that, the more you can make things contextually aware, the more this journey continues in a direction to be effective.

Frank Briguglio: Exactly. Josh, I want to go over to Eric. Eric, in the last, I would say, year, year and a half, with the White House ICAM strategy that came out, the modernization strategy that came out, changes to NIST 800-63, and now Zero Trust, what are you seeing from the credentialing side? What do you see is going to be the most important thing as we move forward with Zero Trust?

Eric Avidgor: So, maybe if we take a step back, you know, we've been in the authentication space for 20 years. Traditionally, what you used to see is most agencies, companies out there, used to focus truly on authenticating remote users, right? A user comes in through VPN, we need to add multi-factor authentication. Why? Because we don't trust him. The pandemic smashed that whole concept, right? I mean, everybody is remote, loss of the perimeter. The VPN has collapsed. Everybody's everywhere. Data is everywhere. How do we authenticate people, users, machines, from anywhere, from any device? And to me, the Executive Order is the climax of that whole pandemic journey. And what happened is that in the Executive Order, if you look at sections 3(c) and 3(d), they speak really about classifying data, discovering data, and then authenticating users and encrypting data. And that, to me, is our biggest challenge, for us as vendors and for agencies. The question becomes, and I think either Gerald or Larry mentioned this earlier, not all data is created equal. True. For me, it is also that not all users are created equal. And what I mean by that, in a very simplistic way, is that different users have different needs. And if we assume that every user can prove who he is in the same exact way and access data in the same exact way, we are doomed to fail. We need to accept the fact that some users will be able to use their phone to authenticate and log in, some will not, some are not allowed to carry a mobile phone with them. Some can use hardware devices, some are not able to do that. What we do know is that passwords are bad, period. The main question and the main challenge we have is how do we allow different types of users to authenticate in a way that is acceptable in their use case, acceptable and secure enough in their use case? How do we enable that? 
And how do we get to a point where we cover more gaps, where we cover more environments, and allow us in general to have a better security posture?

Frank Briguglio: Yeah, absolutely. You bring up a good point. You know, I think one of the things that we've all touched upon a little is that Zero Trust means a lot, or means different things, to a lot of different folks. And there's definitely this need for an established maturity model, I think, for the agencies to gauge and help in that assessment process. And I've seen a couple drafts of a maturity model. And I think as that progresses, that's going to be a huge benefit, along with some of the work from the announcement last week from the NIST National Cybersecurity Center of Excellence on the implementation project, actually exercising some of these tenets through use cases, tying some of these systems together and making all this stuff work together. But, you know, to keep the conversation going: we talked a little bit about credentialing, we talked a little bit about privileges, I think we talked about data, but there are other areas within the Zero Trust, call it, model. What are some of the other key areas that you're looking at, outside of those, that you think are important, that might be gaps or blind spots for agencies?

Gerald J. Caron III: So, one of the... I'm going to play off what Eric was just talking about a little bit, too. We can talk about the technical aspects of this all day. But just as important is the process, procedures and people aspect of this, right, and the governance and the policies. What is your risk tolerance? We quickly learned what our risk tolerances were when we weren't telecommuting; we were asking everybody to come into offices, and then all of a sudden, we changed our risk tolerance to allow everybody to work remotely. Now, did we have to do some things security-wise? Yes. So understanding the risk tolerances, and Eric was talking about not all users being created equal; well, how they are coming in is not created equal, the types of devices that they're using are not created equal. All of these add up to a different level of risk factor. I've kind of put together this Excel spreadsheet, and you can change some of the factors. So, like, if I'm a cleared government person, and I am coming off an on-prem desktop, which I know has, you know, 20 security agents, from a known network that I'm fully managing, my risk is going to be lower. And if I'm using a PIV card, my risk is going to be lower than, sorry contractors, the cleared contractor coming off a BYOD device, using username and password, and coming from the local coffee shop that has free Wi-Fi; my risk is a little different. So I may not allow them to use the same things as if they were coming from a known desktop that I'm fully managing, or a fully managed device kind of thing. And I think the other thing is factors change. You know, we have cloud, we have conditional access policies. Did I do impossible travel? Hey, I need to dynamically assess at all times what's going on. I like to use this example frequently. 
If you go to the movie theater nowadays, the multiplex movie theater, where are they taking your ticket? They're taking your ticket in the lobby; they're not taking it at the individual movie doors. Once I have access and I get my ticket taken, I have access to the full movie theater. I can go into any movie. Why? Because there's no ticket taker at the door, and there's no officer constantly checking. I think we have to get to a place where we do ongoing authentication and ongoing access, and dynamically make sure of all of these factors that I was talking about, and all the risk of those when you add them up, and understand what your risk tolerance is. Because there's a methodology that you have to put together to understand what your risk tolerance is, and what actions I am now going to trigger as a result of the initial things or the things that may change while a person is accessing. IoT devices, I think you've got to treat as an identity as well, like a digital human identity, and assess all the other risk factors. So there's a big, and somebody said it earlier, this is an integration, because we're taking in a lot of telemetry from a lot of different factors and have to make decisions in as real time as possible on those factors to, again, at the end of the day, protect the data. 

Frank Briguglio: Yeah, absolutely. Larry, anything on that talk? 

Lawrence Hale: Honestly, Gerald said it. Nailed it. Honestly though, the maturity model and the assessment, recognizing, and because I work with multiple agencies, recognizing that each one's in a different place on that Maturity Model today. So there is no one size fits all. And one must assess the maturity of your current architecture, and then map out that journey. And again, prioritizing the data, prioritizing the critical data. But that need for that maturity assessment, that maturity model, and that map of the journey, those are vital.

Frank Briguglio: Yeah, absolutely. I'm really looking forward to seeing more of what gets produced. I know I've been involved in, like I said, reviewing some of the drafts. And I think as we move down that path, you know, going back to the don't throw the baby out with the bathwater, we still have things like RMF, we still have the Cybersecurity Framework, we still have all these other things that we need to bring into this as requirements and targets. And it just continues to, you know, for us and the government, continue to grow in complexity. So with that said, how do we make it less complex? I think one of the things that was mentioned is that this is a team sport. It's not only a team sport within the agency: security team, meet compliance team, meet, you know, the operations team, meet everybody, because we all need to come together. But what we're also seeing is this in the vendor community as well, through standards and relationships, we're seeing organizations need to be much more open and willing to work with each other, because we know our customers demand that. But also, you know, in my humble experience with large, big box vendors that claim they do it all, they usually don't, right, and there's gaps in that, and I'm guilty, I've worked for a couple of them, you know, that square peg doesn't always fit in the round hole. So niche vendors, and you know, I consider SailPoint a niche vendor, we need to work with our partners, like Thales, like BeyondTrust, like everyone else, right? So it becomes this big Kumbaya moment, and I'm kind of an old hippie, I kind of like that. We're all getting together, we're all trying to get along, but we're not getting along and the perimeter dissolves, as we know it.
And, you know, I think it's important to recognize, as Josh said earlier, you know, we have to go into this expecting we've been breached, you know, the adversaries have gotten inside of our network, and what do we do? That extends into, you know, this thing about visibility and analytics. So over to the government panelists: what do you see, you know, within agencies, and where you can address this from the GSA perspective, you know, how important is analytics, and do you see big growth in the analytics area of Zero Trust?

Lawrence Hale: In a word, yes. Once again, understanding that agencies are at different points on this journey. But understanding your current architecture and understanding the delta between what you have today and what you need, and then understanding, you know, the east-west movement, the traffic movement in your network, and having that visibility and analyzing that, you know, understanding and accepting that you've already been breached. The basic concept of Zero Trust is, you know, there is no perimeter. And you have to treat every access request as potentially hostile. And, you know, therefore, don't trust, always verify. So the analytics are vital to support the construction of that architecture, you know, because you don't want to over-protect the bologna salad, or the bologna sandwich, but you absolutely must construct the architecture to protect the crown jewels. And you need to understand how those crown jewels are being accessed, and when, and why, and from where, and by whom, for what purpose. So without robust analytics, you can't accomplish those things.

Josh Brodbent: I just want to say that I never want to protect the bologna salad. I will give that away.

Lawrence Hale: Is it almost lunchtime? 

Eric Avidgor: You know, maybe another point. I think I was hearing earlier about context and about authenticating a user based on who he is, where he's connecting from, where on earth he is connecting from, which device, you know, that context. I think there's even a level beyond that, which is the continuous refining of, and this ties also back to analytics, right, the continuous refining of those laws, those rules, those policies we put in place. Because at the end of the day, we put in place a policy which is right and correct for now. Tomorrow morning, something happens. We suddenly have users in Iceland, we suddenly have Android devices in our mix. Suddenly, we notice that we've been breached, but not through Office 365. Maybe we've been breached through our Salesforce account or through our human resources portal, right. And we need to change something in our rules and we need to tweak them. And that's an endless, continuous process that gets us to a better place. And that's where, really, for me, analytics tie back in: it is looking again and again at what happens. Now another interesting point that I heard earlier, and to me is so critical in succeeding in getting to that Zero Trust point, there's an interesting dynamic happening in the past year, I would say, which is the fact that we have grown to understand the scope of what Zero Trust is. It also means that we need, from an organization perspective within agencies, and by the way, in the industry as well, and in enterprises worldwide, this is no longer the job of the network engineer, or of the remote access team, or even not of the identity and access management team within the company. This is the job of the CISO combined with identity and access folks and directory folks and networking people, and in many cases even the CFO. The challenge is bringing everybody together to get to a common understanding of what we want to achieve, to agree on the approach, and then to start marching.
And that's the challenge we'll need to figure out how to address, all of us.

Gerald J. Caron III: I just want to add to Eric: don't forget the business owner. The business owners aren't always the IT folks, right, but they own the data. They know the right data. A couple things to add, and Eric was going down this road. And I think, you know, ML and AI, definitely, what does normal look like? A lot of people struggle with baselining what normal looks like and they're going to settle for it. But AI and ML, I think over time, if you apply it right, you know, this is normal, this is normal. And as Eric was saying, I think getting more assurances, you know, my percentage of what normal is looking like, over time, and then boom, this is not normal. Because we're going to be looking at unstructured data, we're not going to have time to index this stuff and make decisions based off waiting for the index. Because we know how long it takes to index a lot of these databases, we have to make decisions based off unstructured data that we can relate as best we can. And ML and MI are going to help, or AI is going to help, baseline what that understanding is. I think one thing that's great about true Zero Trust is, you know, a lot of times we've talked in the past about the malicious outsider, you know, that's outside the firewall, you know, the bad guy from the nation states. Yeah, we have to worry about them. But we look at the media and, in years past, it's been insiders that have done a lot of the damage to our federal government. So everything about Zero Trust, if you apply it, you're addressing all of those, even the non-malicious insider that's just trying to get their job done and circumventing security in some form or fashion just to get their mission done. Not trying to be malicious, just trying to get a job done. You're protecting against all those types of people. And you've got to include those end users, because you're going to change how they function and do their job, potentially in a different way, as you're applying these things.
So they've got to be included, too. So we talked about a playbook. And I think the playbook is like, alright, who are the players on the field that you need? Who's the coaching staff, you know, overseeing project managers, the trainers, the waterboy, all those things, and who's in the executive suite, who's making sure that we have the resources and we have the ability to get this done? Putting together that type of playbook, just like you would for football, is something I think I would recommend that agencies do.

Frank Briguglio: Yeah, absolutely. So I'd like to ask Larry, Gerald, you guys choose the order. But what do you want to leave the audience with? The attendees are here to hear from you, not necessarily from us as vendors. So what are some of the key takeaways, gotchas, blind spots, you know, it can be anything, what do you want to leave the audience with?

Lawrence Hale: The basic takeaway that I want to leave? One, this is real, it's important, and it really is a vast improvement on implementing real security, not just compliance. So the resources are there, the guidelines are there, the experts are available. There's a lot of help out there to help agencies make this journey. Take that, you know, journey. A journey of 1000 miles starts with one step. Take those first steps, assess what you have today and assess your current maturity, and do those analytics to determine what needs to be protected. And it really does work. I don't know this firsthand, but my understanding is that the key that broke open the SolarWinds exploit was in fact multi-factor authentication, where an employee in a leading cybersecurity firm received basically a text saying, did you request this access? Yes, no. And being a conscious and aware cybersecurity person said, I didn't ask for that. No. And that triggered the investigation that then revealed that that enterprise had been breached, and that opened up the whole reveal of the whole SolarWinds exploit. So it's down to something as simple as that, answering yes or no, but having the processes in place, and it really will make a difference.

Gerald J. Caron III: So what I'd leave with, and Larry mentioned the resources, there's a lot of documentation out there. GSA has produced 800-207, DISA's produced some, NSA has produced some. There's a lot of good documentation to understand what Zero Trust is. No offense to you guys, but there's a lot of vendors, of course, that are, you know, saying we help with the Executive Order, we help with Zero Trust. And yes, they're all right, they do. But we've all said it here today, and we all agree, this is a journey, this is an architecture, this is an integration effort. There's no one silver bullet that does all of it. So definitely make sure you understand that, and I think some of those resources help with that. And just as important as all the technical aspects, and we as engineers and IT guys, we like to talk about the technical, the non-technical is just as important, and it's probably the tougher part of this whole effort: you know, the governance aspect, the policies that you need to establish, how are the functions going to change, the workflows, all of those things? What are your risk tolerances, understanding those methodologies that you want to put in place, those policies, those things, where's your data? How is it categorized correctly? You know, those are non-technical things that are just as important to the success of the overall journey of Zero Trust as implementing the technical aspects. We've talked a lot about the other things, I'm not going to rehash those. But those are just some of the things that I want to add on or reemphasize.

Frank Briguglio: Thank you very much. Josh, why don't you take a couple minutes, and I'll give Eric a couple minutes after, to tell us how BeyondTrust can support Zero Trust and any takeaways that you want to leave the audience with? Yeah.

Josh Brodbent: So you know, one big takeaway that I want to leave, based on, you know, the last 15 minutes or so of conversation, is, while it is a change in the way that we're going to approach security, as far as that perimeter dissolving and the concept of Zero Trust, I think it's the responsibility of vendors to make sure that we are actually reducing the impact on end users, to make sure that missions still get done. Because at the end of the day, work still has to get done, the government agencies still have missions that they have to complete. So for us, it's about making sure that, yes, Zero Trust, that journey is continued, specifically with PAM. But it's also about making sure that, as much as possible, we don't get in the way. Because these people still have jobs to do. And as far as they're concerned, they want to do their jobs as simply as they did yesterday, which, you know, in the government is not always simple at all. But we don't want to add complexity to that. So we really want to make sure that as we're assisting people along this journey, that as a vendor, we're giving them solutions that aren't just robust, but are actually easier to implement, you know, at the end of it, relatively low impact on the end users and administrators that are going to use them.

Frank Briguglio: Thank you, Josh.

Eric Avidgor: So I think, you know, all of us vendors in this space, we are security geeks, right? I mean, we get it, we explain why security is required. I think sometimes we forget, and we need to keep reminding ourselves, that security needs to be in place to enable business, to enable the government to do its business, to get the job done, to do everything that is needed. If I am migrating as a company or as a government agency into the cloud, it's because I want to be able to do additional things, I want to be able to serve additional needs. I need to do that securely because HIPAA is telling me so, and PCI is telling me so, and now the Executive Order is telling me so, but I still need to do business. And if we can, back to one of my previous points, if we at Thales can allow more users, more user types, internal users, external users, contractors, suppliers, anything you can imagine, any type of user, to authenticate securely into an environment, and to do that, back to Josh's point, in an easy way, with single sign-on when it makes sense, then we've done our job.

Frank Briguglio: Thank you. So I want to take this moment to thank our panelists, Mr. Caron, Mr. Hale, Mr. Brodbent, Mr. Avidgor. It's absolutely been a pleasure. It always is. And if there's any way we can all, you know, support you in the future, don't hesitate to reach out to any of us. And with that, thank you very much and have a great rest of your day.

Speaker 1: Thanks for listening. If you'd like more information on how Carahsoft, BeyondTrust, SailPoint or Thales can help improve your agency's cybersecurity posture, please visit www.carahsoft.com or email us at iis@carahsoft.com. Thanks again for listening and have a great day.