CarahCast: Podcasts on Technology in the Public Sector

Strategies for Zero Trust Today, Not Tomorrow

Episode Summary

During this podcast, experts from Okta, Zscaler, and GuidePoint discuss how some agencies are approaching their Zero Trust journey, successful use cases, and best practices agencies should consider.

Episode Transcription

Speaker 1: On behalf of Okta, Zscaler, GuidePoint Security and Carahsoft, we would like to welcome you to today's podcast, focused around strategies for Zero Trust Today, Not Tomorrow, where Jean-Paul Bergeaux, Federal CTO at GuidePoint, Sean Frazier, Federal CSO at Okta, Danny Connelly, Federal CISO at Zscaler, and Jose Padin, US Public Sector Director of Pre-Sales Engineering at Zscaler, will discuss the critical components of a successful Zero Trust strategy and the importance of leveraging the seven tenets of the NIST 800-207 guidelines.

Jean-Paul Bergeaux: So I just wanted to start real quick, introducing you guys a little bit further, just give us who you are, a bit about your background. Obviously, the companies are kind of evident, but something interesting about yourself as well. Sean.

Sean Frazier: I guess I'll start, am I on first there? Hi, Sean Frazier, a federal CSO for Okta. I'm a big believer in Zero Trust security. I've been doing innovative technology in public sector for most of my career, I started a company called Netscape, which you may remember. And then this thing called the browser, which we use to kind of create the internet and buy things on the internet. Seemed like a good idea at the time. Interesting thing about me is during a lockdown last year, I published my first book. So that was always an interesting exercise, but I figured I had a little time on my hands. I wasn't traveling, so why not?

Jean-Paul Bergeaux: Awesome. And Danny.

Danny Connelly: Hey, good afternoon. I'm Danny Connelly. I am the Americas CISO, and I also cover the federal space for Zscaler. I am about three weeks into my role at Zscaler. Previously, I was the associate CISO with the operations branch at CDC, responsible for, really, all cybersecurity operational capabilities for the last 11 years. So I'm very familiar with what's happening on the front line, what it takes to keep up with these evolving threats. Excited to be here today and appreciate it.

Jean-Paul Bergeaux: Thanks Jose, go ahead.

Jose Padin: Hi, I'm Jose Padin. I'm the Director of Pre-Sales Engineering for Public Sector. I help our government customers understand how a modern cloud security platform can help their agency improve their security stance and have better user performance. I've been watching Zero Trust for a long time since the original guidance originally came out. To me, it's been a genius way to think about and flip how we think about security, how we design our architectures. What is important today as compared to the last? This is my favorite subject to talk about. In the past, when we were at bars and maybe in the future, if we could go to bars again, I'll talk about Zero Trust at a bar. To me, this is a perfect conversation.

Jean-Paul Bergeaux: Jean-Paul Bergeaux, a little bit about my background, I really started not in cybersecurity. I started in infrastructure, building out architectures. My coming into cybersecurity was really around trying to take everything and put together architectures. Which is why Zero Trust is, I think, really important and one of my passions because I think that's actually what Zero Trust is about. It's taking all these disparate tools and trying to put it into an architecture that works, get rid of all these different silos of different things in different products and put them into something that honestly will make them work better together than apart. So I'm passionate about Zero Trust. And something interesting about myself, I actually delivered my second out of five children in the side of a road with my wife and myself only, in a car. So that's the most interesting thing. If you google "Bergeaux toll road baby," you will find interviews on television with me and my wife. And my first daughter, my second child Ellie. So that's the most interesting thing about me. 

Danny Connelly: That's pretty impressive. 

Jean-Paul Bergeaux: No, it was pretty scary. A lot of praying goes on in the side of the road when your wife is delivering a child. And kudos to 9-1-1 they were on top of it, they gave me everything I needed to do. So, I'm going to jump right in with a warmup question, easy one. We'll start with Jose. There's lots of different versions of Zero Trust architectures and concepts. And I like to kind of draw a difference because some of the concepts are higher level. The architectures draw a little bit more detail. Are there any particular ones that you were drawn to you really like and why?

Jose Padin: Zero Trust isn't necessarily new, right? So there were concepts of, essentially, is the traditional security we have actually working, right? Is building a castle and a moat actually adding any value when it comes to security? And so a lot of people looked at concepts, well, what if we did something different? And so you'll see Forrester's original paper, and actually coining the name; Google and what they did, advancing the concepts. Some of the other thought leader type of architectures were out there. And what we're seeing now is kind of a phase two of that, where you're now getting into more detail. What does it actually mean? If I'm a government agency and I want to adopt a Zero Trust architecture and methodology, what do I actually need to do? Please help me. And that's the documents that are coming out now, and 800-207, which I'm sure Sean's going to have something to say about, is a great document.

And by the way, I read a lot of NIST papers. I don't talk about that at bars. 800-207 is one of the best that's written in plain English. You could follow it, understand it. You can really get something out of it without having to decipher a lot of policies. So I highly recommend everyone to talk about it. But what's key there too is it breaks down in practical ways that you can start adopting it by use cases. We'll get into some details, but to me, I highly recommend grabbing 800-207, read it, and you'll be surprised. It's something that's really digestible and helps you get a good idea of what Zero Trust means.

Jean-Paul Bergeaux: Thank you. Sean, I know where you're going. I'll let you go.

Sean Frazier: To me, this represents kind of an evolution born out of necessity, right? If you think about where Zero Trust started, it really started in the mid aughts when a group in the UK called the Jericho Forum, which was a bunch of CISOs in the UK, got together and saw cloud and saw mobile and thought, you know what, the security constructs we're building don't help us with the new world we're heading to. So they posited that, they wrote a few papers about that. John Kindervag picked it up when he was at Forrester and kind of expanded upon it. And what we're seeing here is an evolution of that.

And I say born out of necessity because the whole reason why Google wrote the BeyondCorp papers was because they got hit with the Aurora attack back in 2010. And they were like, look, we need a better way to do security. We need a more holistic security process or thought process around security, and that's where it came from. Of course, when you're Google and you have all these smart people in IT, you write papers about it. So it's kind of like a thesis, right? So they started out with a thesis, they said, here's what we think is going to happen. And they documented along the way and, to their credit and very transparently, kind of documented their journey and said, okay, here's some issues that we had, here's where we stumbled, here's where we were successful. And in 2018, they came out and kind of claimed victory by basically saying they had not been subjected to any credential breaches that were successful after implementing Zero Trust or implementing their BeyondCorp architecture, so it was very successful.

And we kind of took that work up. ACT-IAC, by the Federal CIO Council, asked us to do a lot of research around what it was. And we looked at BeyondCorp. We looked at Beyond the Perimeter that Intel was doing. We looked at all of the writings from Forrester and Chase Cunningham and everybody else, because one of the things that we discovered was that Zero Trust meant different things to different people. And we wanted to make sure we were forming a common language.

And there's another one that's even more important that's in the ACT-IAC work, which is the triangle. And the triangle represents the need or the ability to do simplification of security architecture based on Zero Trust. And what I mean by that is, you focus on the things that matter. You focus on data being delivered by applications to a user on a device, regardless of location. So that triangle really represents kind of the aspirational notion of Zero Trust in order to simplify the security architecture. The complexity in security is killing us. I hope I don't get any argument about that, but you can't layer upon layer security architectures and expect to be more secure.

Jean-Paul Bergeaux: Danny, do you want to deviate anywhere, or are you just going to agree?

Danny Connelly: No, I agree with both. I personally liked this 800-207. I mean, it is supposed to be an iterative process improvement, not going from an old legacy network-centric approach to Zero Trust overnight. It's meant to be iterative. And I like the way this 800-207 kind of ties in the TIC 3.0 security capabilities.

Jean-Paul Bergeaux: I think I agree with all that. And when I look at it, Jose, you hit it well. I think I was always really happy with the way that Google approached their situation and then their implementation. I actually think the way they did it really drove the industry forward. Because they're so prominent and because they were in that journey with BeyondCorp Zero Trust, it really did help the industry a lot. I would say that my definite favorite is NIST 207. I'm not a NIST document guy. I mean, I agree with Jose, your thoughts there, that it's one of the better written, most understandable documents I've ever seen on Zero Trust and from NIST as well. So I really like it.

But it's funny, before we had this pre-call and I talked to Sean, I didn't know that Sean was part of the ACT-IAC, and that's actually my second favorite. I found ACT-IAC right after it got published because it was included in an RFI that one of the agencies published. Right after you guys published it, Sean, it was thrown into an RFI that I responded to with GuidePoint on a Zero Trust initiative. And I was like, this is a great document. I was very impressed with it. And I think that's probably a really good document that goes under the radar. And I would advise people to jump to it as well as the NIST 800-207.

Sean Frazier: Our goal. Our goal for that document was, as I mentioned, to get a common language so that people understood what Zero Trust meant and what the tenets of Zero Trust were. And it's no accident that a lot of that ended up in 207, because the NIST people were right there with us. They were in our meetings, they were watching what we were doing. They were listening to the things we were talking about. It was very collaborative. We brought in a lot of agencies. We brought in a lot of vendors, and we brought in Forrester and Gartner and all the analysts to present their view of it. And then we distilled that down into what the agencies should really care about. And I think the next step for this, and the place where we're headed and what we'll talk about, is how do I get there? So now we know what it is, how do I get there?

Jean-Paul Bergeaux: So I'll go back to you, Sean, you're my next in the rotation starting point. When you look at a lot of these different ones, which ones do you see that are very similar? We already just talked about 800-207 and ACT-IAC being very similar, but which ones are different, and how does that matter? What does that add to the conversation when you find some similarities, but specifically any differences between some of the different Zero Trusts, either architecture or concept, which is a little bit different between the two?

Sean Frazier: So I think there are way more similarities than differences. And what I mean by that is at their core, they're focused on the same thing, which is protecting the data, the access to the data, anywhere from anyone, any time. So that is the core tenet of all of these architectures. Now you'll have differences. If you look at Microsoft's take on it or Google's take on it, there are going to be some nuances that are different to their environment. And John Kindervag always likes to say that the Zero Trust journey is a bespoke journey. Meaning, every organization's journey is going to be a little bit different, with little differences. There are going to be little things that are nuanced that they care about deeply, but at their core, you focus on the primary tenets, or what I consider the scriptures of Zero Trust, which are the identity, the application, the devices; the network has a role to play. The network becomes a signaling device, but as we're going to find out when 5G hits, the network becomes less and less relevant from a decision perspective on how do I provide this security?

Jean-Paul Bergeaux: Yep. Danny, any thoughts on some of the differences and how it helps?

Danny Connelly: It's all about movement away from the network layer, right? Network now just becomes a transport mechanism and pushing up the stack to focus on identity and application-based running.

Jean-Paul Bergeaux: Anything else Jose?

Jose Padin: I think, both of those points. But I just want to really make it clear for everyone listening. What has changed? What is really changing with Zero Trust? I built networks 20 years ago, was in IT. Everything was about let's defend the network, we don't want anyone into the network. We're trying to protect the network. And as an IT person, it was like, why do we care about the network? To be honest with you, when you think about it, when a user is at home and they're going to Netflix, is Netflix saying, I need to protect the network, right? The entire world is going on there and you're part of that network to access the resource. What they care about is protecting apps and data. And that's what's really important. When you think about it, Zero Trust says, let's look at what's really important.

If someone comes onto my network, is that what I really am worried about? Or am I worried about what they do when they're on my network to the apps and data that I care about? And the model completely flips. If you think about it that way, sometimes with Zero Trust they'll say it's a buzzword or whatever; I don't think of it in that way. I think of it as really flipping to focusing on what's important. And what's important is the apps and data, and Zero Trust gives you a way to flip that and make sure that you're securing what's important as opposed to, maybe it's not so important whether someone's in or out of your network. It's what they're going to do on there and how you protect what's important. And that's how I look at it.

Sean Frazier: I kind of view it as it's an inevitability, right? We're just now waking up to the fact that we don't live in the same world we lived in 10 years ago. And if last year taught us anything, it taught us that with a fine tooth period or an exclamation point, which is our apps are in the cloud. Our users are everywhere. Our devices are everywhere. Those are the things we've got to pay attention to; location, completely irrelevant.

Danny Connelly: Implementing security in the old legacy way of doing business, it's not feasible. It's not scalable. You can't survive. You can't keep up with IT modernization and all the new cloud initiatives underway; there are so many projects going on that you can't use the old way of doing business to provide security for those environments.

Jean-Paul Bergeaux: I was going to add, I purposely have Microsoft up here because you look at this architecture and it's really busy. There's a lot here and I like that. But I also like when you look at Google's; it's a little bit simpler, but it's still kind of busy. That's part of the reason I really liked NIST: while this is busy, for some reason, it's just way more consumable. And it actually has a lot of the same pieces that the other ones have, but the way that it's put together, I find much more consumable. But there's value, I think, in understanding down to the details of all these different pieces that are in there. I've said a couple of times, and I'm going to say exactly what I mean by this, there is a difference between a Zero Trust Architecture, which is what we're looking at, right? These three would be Zero Trust Architectures. And then there's a difference between concepts, right? This is the same as 800-207, but this is more conceptual, trying to understand what your goals are, not how you're doing it.

And I would say the same thing with your diagram that you were joking was very simple, but you're trying to convey a conceptual idea of what we're doing rather than an architecture. And I think it's really important to look at those different pieces from all the different providers. And I don't have Forrester up here; I have their conceptual diagram actually, but I don't have their architecture because I don't know if I have the rights, because it wasn't on their website. I have some of their documents because I have access to it. So I didn't put their architecture, but this is their conceptual diagram. But all of them add some little nuanced differences. I think it's valuable to at least consume a little bit of the differences and try to look at them all.

They do provide just a different prism to look at that idea that you guys just intimated, which is we're pivoting from a network moat defense to the data and application as what we're trying to defend. How do we defend the data and the application? Well, we control the access no matter where they're coming from, no matter what, we're just trying to control that access. And at the high level, that's all Zero Trust is: controlling that access in a dynamic fashion with an ingestion of all the different telemetry that's going on at that moment. We'll get into more about how that works. But to me, those are the differences. And I do think that's—

Sean Frazier: And whether it's bubbles or pillars, we wanted to represent some of the same big rocks that people were going to have to focus on and were going to have to look at when you look at a Zero Trust architecture. So there was a lot of synergy to that. I think one of the other things that we were very careful to do, it's challenging, right? One of the biggest challenges is most organizations look at it and go, I don't know where to start. This is a lot of stuff. Especially, as you pointed out, the Microsoft diagram, there are a lot of pieces to it. I've got to do all that stuff.

We took a whole section in the ACT-IAC paper, I think section seven, where we talked about, you might already be a little Zero Trustee, and here's why. And here are some things you have that you can leverage in the Zero Trust journey that you've already got. You've already got this pillar, you already have strong ICAM. Great, leverage that. You've already got CDM, continuous diagnostics and mitigation, for your continuous validation of stuff. Great, leverage that. So that's the stuff that NIST pulled into 207, which is really important. Which is don't reinvent the wheel; build your bespoke architecture based upon some things you've already got, and then have aspirations of where you're going to go.

Jean-Paul Bergeaux: That's key. A lot of people don't realize that they have a significant amount of what they need in Zero Trust. In federal agencies, most of them are fairly well built out enterprises. They have the pieces, a majority; they don't have everything, but they have a lot of pieces that they can start to stitch together for that architecture. I think that is a really good point.

I'm going to jump to you, Danny. What are the pain points? And then what are the motivations, both sides of that, that are leading federal agencies to implement Zero Trust?

Danny Connelly: Over the last few years, it's been increasingly difficult to keep up with, going back from WannaCry, the ransomware piece, to the Struts incident, to all the ransomware issues going on today; we can't really keep up with the evolving threats and do security at the same time. A lot of the same security professionals are involved with all the projects, whether it be some new cloud services that are being stood up or some enterprise project to support the mission; they're involved with the same projects, right?

It's difficult to keep up with that and monitor, maintain the network and the security of the network. So it's just increasingly difficult to keep up with that. I think federal agencies, specifically the CDC, everybody's dealing with the same threats; there are specific custom threats, of course, nation state actor threats. And with COVID, in January, who didn't see a major increase in threats targeting any accessible Republican. It's just increased dramatically over the last few years. So I think people who aren't able to keep up with the existing initiatives and defend their network are going to have major breaches. And I think that's why we're going to see the biggest breaches in 2020, and it's going to continue until folks modernize and move towards a Zero Trust architecture. So that, combined with obviously IT modernization activities, cloud adoption, TIC 3.0, that's a game changer in itself. Just being able to go outside of the traditional TIC for all of your ingress and egress points. There is a lot of flexibility there. I think those are the key points of why folks, or why agencies, are moving away from the old network-centric approach.

Sean Frazier: This brings us again back to a defensible position of focusing on what matters, right? We spread ourselves too thin when we think about the entire network. And if anyone thinks that their firewalls, their VPNs are keeping the bad guys off their network, they're 100% wrong. So you get back to the defensible position, and none of this stuff happens in a vacuum. The Zero Trust principles come directly from the NIST cybersecurity framework, right? It's protecting the crown jewels, protecting what's most important. The identity guidance that came out of NIST in 2017, SP 63-3, plays an important role in the ICAM part of Zero Trust. The M-19-17 OMB guidance, which is layered upon that. TIC 3.0, that Danny pointed out, also not done in a vacuum. A lot of the use cases align to some of the Zero Trust stuff. So all of this stuff is interrelated and you have to look at it holistically. You can't look at one thing one way and look at Zero Trust and look at it differently.

Jean-Paul Bergeaux: Every new cloud service set up or new cloud environment, you don't have the time to put firewalls in, right? You can't just go out and spin up new firewalls. And it's just such a time consuming process, and the business can't wait. The business needs their new service today, right? So you just need to be able to respond faster, and the only way to do that is with a Zero Trust approach.

Sean Frazier: Deploying in Salesforce, that firewall isn't going to help me anyway, right? The new world is not wrapped with firewalls.

Jose Padin: Right. And the one thing I would add, when we talk about pain points and motivation, we do have to look at it holistically, but what I think is almost the biggest pain is the traditional mindset in government of creating these big programs. So, I'm going to move to Zero Trust, I'm going to create my five-year plan, and at the end of 2024 I'll get to Zero Trust and then I'll have a Zero Trust solution. That mindset ends up being one of the biggest pain points that people have. So you can move to a Zero Trust architecture; you probably have, just like Sean said, bits of it today. So for example, you can get an inline secure proxy that gives you a hundred percent visibility into what your users are doing on all ports and protocols. You can do that now, and that works whether you're in the office or out of the office.

And it doesn't require you to go re-architect everything. You can take a traditional VPN, where traffic might get in and can move laterally, could do things like that, and you can upgrade that to a modern approach to technology that has only inside-out connections. And there is no opportunity for lateral movement, and you could do that today without having to wait or redesign and re-architect everything. So if we kind of change our mindset from how am I going to create a multi-year program for Zero Trust to where can I get wins today? Where can I modernize and increase my security stance today? And use identity all the way through this, to make sure that I know who is doing what with what apps at what point in time and not just implicitly allow access throughout that; you can get those wins in the near term. And I think that's probably one of the biggest pain points that we all need to think about differently and approach from a different angle.

Sean Frazier: Yeah. I think it's an important point that needs to be stated, which is there is no expiration date for Zero Trust. There is no date where you will be done; it's a lifestyle choice. By the same token, you wouldn't say I'm going to stop exercising on December 31st, I'm done with my health. I'm good. I never have to exercise again. This is a lifestyle change. This is going to be with you, part of your DNA, forever.

Jean-Paul Bergeaux: The main conversations I'm having with government agencies are around them knowing the world has shifted and trying to figure that out, and trying to figure out how to protect data, how to protect applications with that change. But also, like you said, Danny, government agencies, and I think all large organizations, are overwhelmed with how much security they have in their environment and trying to get a handle on it and trying to make it useful, effective, and coming together. And it goes back to my passion in this as an architect: I see a lot of agencies who have a lot of great tools, but they're owned by a bunch of different parts of the organization. The network team owns a piece. The infrastructure team owns a piece. The security team owns a piece. Governance owns a piece. And so all these different teams own different parts of security.

So I'm going to pivot away for a second because we've got a Q and A question. And the question was, would a Zero Trust architecture have protected against a supply chain attack like we saw with SolarWinds coming down? So I'm going to give it to you, Jose, since you asked, go ahead.

Jose Padin: Again, this was a serious attack, it was highly sophisticated. But the one thing that I just want to point out too is, when it's talked about as highly sophisticated, it was highly sophisticated in the way that the recon and creation of the exploit happened. So exploiting the supply chain, getting into a trusted vendor, creating an executable that looks good, that even if you were scanning, you wouldn't really see anything happen. That was pretty sophisticated, targeted, and also covering their tracks on delivery. So that once it was delivered, there was also some sophistication in covering tracks of whether it was delivered or not. That was great. But if we think about what this means in the future, the actual exploits after delivery, it actually wasn't that sophisticated after. So once these exploits came up, the exfil was going on, it followed very similar patterns.

And what's interesting from a Zero Trust perspective is the patterns that it followed, where you might have endpoints coming up and going to sites that either have a low reputation or that are generally dynamically not accessed by these internal resources. If you're doing just scanning, and if you're just doing reputation and content type security, you're never going to catch that. It's just going to look like normal traffic that's going on, because you don't have the behavior analysis of what really is happening on those endpoints, because you're not looking at advanced techniques of security threats, and you're not trying to maybe sandbox different technologies going out into the internet and see what is actually happening with these payloads and packets. You're not understanding that sometimes there are dynamic sites that will come up for 15 minutes, offer malicious activity, and then go away.

But the endpoint that's going to the destination, 99.99% of the time, never goes to these types of websites. Why would you allow that to randomly pop up and start accessing random websites on the internet? From a defense in depth perspective, the deeper ends of security, the ones, quite frankly, when we're in conversations and they're like, well, we're good, we have security. Is it really worth it to invest in the additional security? The answer now is yes, it is. You really need to think about how you're going to get to a level where you can have behavior analysis. You really need to think about how you're going to get to a level where you have protection against advanced threats, because that's the real lesson learned here about SolarWinds.

The sophistication to get in the supply chain, hopefully CMMC can help with that. Lots of stories you can make about that. But the reality is three more supply chains can get exploited and an exploit can come on; if you're actually watching for the way the exploits work, that's where Zero Trust can help you. So if you understand what's happening on those endpoints, you're able to get better visibility into what those endpoints are doing. And you can have the advanced security around that on an identity or endpoint-specific basis to know what's good and what's bad.

Jean-Paul Bergeaux: You have something to add to that, Danny?

Danny Connelly: With SolarWinds, we're talking about it now, but tomorrow it's going to be something else. So, it goes back to the fundamentals. What does it need access to? And making sure that we can restrict that. Are the SolarWinds servers talking to other network infrastructure devices, or whatever apps and systems it's trying to monitor? It needs access to that. And when I say access, I mean at the network layer. Are you able to make an SMB connection from the SolarWinds server to your critical server in the DMZ or somewhere else? It shouldn't be able to do that.

Sean Frazier: I was going to give a much shorter answer, which is basically just to say yes. And the reason I say yes is two things. There are two core tenets of Zero Trust that help. Obviously, you think about everything with security to be prevention and detection. By the time you get the detection, you've already lost. So we're looking at protection. There are two pieces. One is inventory, know thyself. Know what you're protecting. Inventory is important. User inventory, device inventory, application inventory, API inventory, critical account, privileged account inventory, all those things. Know what you're protecting and then provide this protection. So strong, adaptive multifactor authentication. If you've got passwords, you've got to use MFA. If you don't have passwords and you're using PKI, that's great. But know what you're protecting, know what the CA chain is, know the keys and the infrastructure of that and how it's being protected, how it's being accessed. To Danny's point, providing that kind of bubble around it for access, and continuously do that. So the third piece, do it every single time.

Jean-Paul Bergeaux: I think the only way you catch this type of supply chain attack is after they land, when they try to move laterally and they try to use either identities or the network to make that next step. I don't see how you're going to detect a malicious update of a trusted vendor. You're not going to be able to defend against that.

Sean Frazier: No, it's signed with a valid key. All the things that were prepared on the other side to detect is like, that key looks valid to me. It sails right through. You've lost it when they've already gotten there.

Jean-Paul Bergeaux: Right. That next step, like Danny said, I think there's two places you might catch them in a Zero Trust. And we're not getting into the great details, so I'm going to stay high level. It's either them using an identity to attempt to do something and dynamically we're going to see that there's something wrong or something odd about that. Or them trying to go across a network path that in a Zero Trust, hey, wait, you don't do that, or you're trying to do something that we've whitelisted against the network or something, because that did happen.

If you look at what happened inside of this, I know best under NDA. I can't tell you more than too much about it, but I got a briefing directly from the inside of FireEye on how they caught this. And what I will tell you is they caught it because they were tracking people and things making moves. And that's what Zero Trust is about. It's understanding who is accessing what and how important is that? And should they have access? And if they do, have they ever done it before? All those contextual things, and that's how they caught them. And I wish I could go into detail because I don't know what they've publicly said, but I know what they told me, but basically they used a Zero Trust tenet.

They're not an identity company, so they didn't use one of their products to do it. They used a Zero Trust tenet to catch it. And so that's why my answer is yes, it really comes down to an implementation to catch that next step once they get inside. Who wants to take the other Q&A we have? So the question is, have you worked with the DoD and specifically with DISA and their proof of concept of Zero Trust implementation? And if you have, can you speak about the architecture or any lessons learned? So anybody want to jump in on that?

Jose Padin: What I think is really important right now is DoD is becoming serious about Zero Trust. So you can see just recently Vice Admiral Norton had a great discussion, a great talk about adopting Zero Trust. It's really a shift into making sure that, I think her words were, the critical infrastructure and resources and information are being accessed by the ones that are supposed to access that. So again, flipping whether the network or the resources are important, so the proofs of concept are going on. It's going to be really important as the framework is publicly released, the architectures are released, and we can get into some detail to really dissect that and really get into the deltas from anywhere else that exists. That should be all publicly released last week, or very soon. And from there, we'll be able to compare it to the existing frameworks that are out there, see where it fits in. But again, all of the talk, everything that's going on with the labs, it's important for the DoD to think about this differently and evolve. And it's great to see DoD being forward-thinking in how to think about IT and IT security.

Sean Frazier: Yeah. DoD is all in on Zero Trust. And the reason is because they get it, they understand that modernization doesn't happen without the hand-in-hand security architecture to go with modernization, which to them, and to me, would be Zero Trust. All of those things super important. And one of the reasons is because they fundamentally understand it. There are a couple of pieces of it. We used to call this comply to connect to get on the network. Now we're calling it comply to access. So we move it up from the network layer, move it up to the application layer, but it's still the same concept. So they understand the fundamental concepts and how that is adaptable to where they're going. So modernization and Zero Trust, peas and carrots.

Danny Connelly: I have my own question if that's okay?

Jean-Paul Bergeaux: Yeah, go ahead. 

Danny Connelly: Does that mean NAC kind of goes away right at that point? 

Jean-Paul Bergeaux: No, NAC can be part of that. At its core, Zero Trust is an architecture that stitches all the pieces together, Danny. I don't see NAC going away. Doesn't mean that NAC is in every single Zero Trust model, but if you have it, you can use it and it can be part of—

Sean Frazier: I'm going to play devil's advocate and say NAC becomes way less important because NAC is still there for the network, but the network isn't there anymore. The network the way we think about it. So if you bring on an iPad on base and need to get access to it, sure, NAC plays a role, but if you never go on base, you don't drag the thing back to NAC to make a network access decision.

Jose Padin: And if I could jump in, I would just say if your security is based on a physical location and if that's the defining notion around the security, I don't know if that passes really the Zero Trust test. And I know people are kind of going down that route and many people are in year eight of an attempted NAC rollout. I would say that you want to shift it away from the network. And I think there's ways to evolve security from that.

Jean-Paul Bergeaux: Your point, Sean, is valid if you're never on the network, which is really where the NAC lives, then where are you using it? I think that what we need to see is the NAC idea and what it does become valid no matter where you are, right? 

Sean Frazier: That's exactly right. You move it from the network layer to the application layer. You're still doing policy and posture, but you're doing it in a different way. So I always like to call us, when we're Okta, we're an identity company, but I always call us an identity-centric trust platform, because we are a trust platform. We're doing that posture, looking at device, looking at user, making the assessment in real time, every single time. And we're just not doing it at the network layer anymore. So what NAC does from a posture standpoint? Yeah, absolutely. But NAC in and of itself, done.

Danny Connelly: That's my thought too, is like the Zscaler client that's doing the posture checks, or he is doing that assessment. So what's the need to actually have NAC? With NAC, if one of your ports in the data center isn't using 802.1X and it's the grips. So that to the endpoint and do the posture assessments, you get the same benefit.

Sean Frazier: And that's why Zscaler and we in Okta are very important partners, because we provide two sides of the same equation solving that same problem. So we are the chocolate and peanut butter. 'Cause I'm going a little less healthy now, not peas and carrots. We are the chocolate and peanut butter of Zero Trust.

Jean-Paul Bergeaux: And we haven't said this, but full disclosure, GuidePoint has been using both Okta and Zscaler internally. So I've been here five years. So going back further than that, I think going back six, eight years for both. And that's because our organization operated, from its beginning, basically virtual. So we couldn't put castle and moat in place as the company. We've been in this model from the moment we were designed. And so we internally use that marriage between Okta and Zscaler as a company. I want to jump to one of the questions that I think is a good one. Do you have any federal agencies you know that have at least some success in Zero Trust in their use cases, and where they are with it?

Sean Frazier: Yeah, we have tons. Almost every customer I'm talking to is looking at Zero Trust and that accelerated last year, for obvious reasons. Now, remote workforce being one of the biggest use cases around Zero Trust and adopting a Zero Trust architecture that's accelerated and lit a fire under everything. It's not like we're talking to these customers about Zero Trust and these other customers about other things, we're talking to every customer about Zero Trust.

Jose Padin: There are two things that I would say: first, to answer the question directly, yes, there are many customers that are using Zscaler's technology. We have FedRAMP High, FedRAMP Moderate for our base. We have users on that today and there are many users that are using the technology. So one, have confidence, and it is being leveraged in the federal government and has the accreditation needed in order to get through ATOs. The second, I would say, is earlier to the discussion is almost every agency is, if we think about what we've talked about so far up until this point, bit by bit pieces of what are Zero Trust.

If we keep the paradigm that there is only one way to do Zero Trust and I will be healthy on December 31st, and then I will stop exercising then it gets into is someone using Zero Trust or not? When we realize, are we eating healthier? Are we exercising regularly? Are we doing the right things from protecting our apps data and using identity? Do that. Then the answer changes, and we can say, yes, almost every agency is using some aspects of Zero Trust architecture and methodology in that way. Can they use more? Can we get healthier? Can we do better? Can we continue to exercise? Yes. And that's kind of the mindset that I think would be the healthiest mindset to think about this going forward.

Sean Frazier: I think there's a couple of areas of collaboration too, that are important. So one is, if you download the ACT-IAC papers, selfless plug, there are a lot of names at the bottom of that. There are a lot of agency names, feel free to reach out to those folks if you know them. The other piece is there are reference architectures being spun up. So NCCoE, National Cybersecurity Center of Excellence, is working on one now. So they're working on a building block, which is a companion to 207. Typically, what they do is they do an 1800 campaign into 800. Get involved with NCCoE, talk to your peers. There will be agency representation, there'll be industry representation. There'll probably be Forrester and other folks involved in that too, to make sure they're shepherding and talking about all the use cases that we need to talk about. So there are plenty of places to get help.

Jean-Paul Bergeaux: As far as successful, I really liked what you said, Jose, there is no destination here. It's always going to be part of a journey. It's always going to be an iterative cycle. And I think there are some agencies that are embracing it and have started down that journey. Every agency seems to do the same thing, which is let's first assess what we have in the environment. We've got to figure out what we have and what we can use before we can do anything else. This is a great conversation right here of what are people focusing on? Are they focusing on TIC 3.0 or are they focusing on the Zero Trust architecture? Are they allowing CDM to be a part of that conversation on the civilian side? There's a lot of different intermixing of all of these different initiatives throughout the federal government that can allow people to move that ball forward and just move towards a Zero Trust architecture and start to put the pieces in place.

Like I said at the beginning, it's about taking what you have and making it work together holistically rather than having all these different pieces and parts, and just dumping it into a SIEM or dumping it into a set of logs, and then trying to figure out what's going on. To me, that's what Zero Trust does, and I think it's about the dynamic decision at the time of request: is that user coming from that endpoint with that basis of network, wherever it is, going to that piece, and assessment of the current status of that data or application? All of those pieces being a part of a decision to allow or not at the moment of access, not predetermined. In order to make that happen, you have to take all those pieces you have and put them into a decision engine.

That's the core structure that everybody's trying to move towards. And I think some are getting there. I hear people say adaptive auth or, like Zscaler, what you guys do, having the endpoint where the users are coming from being individually monitored and individually accepted or not, depending on what they're doing in the network, all of those pieces are true. It's just bringing all those pieces together. It looks like, not surprisingly, Zero Trust killed everything as far as TIC 3.0, CDM, or audits. But that's because we're on a Zero Trust.

Sean Frazier: I would say again that none of this stuff's happening in a vacuum, so I'm sure a lot of people were wishing that they could hit multiples on here, because when you're looking at TIC 3.0, which is really just kind of expanding or thinking differently about the perimeter, as in the perimeter no longer exists versus where we lived 10, 15 years ago, you'd want to do these things together.

Jean-Paul Bergeaux: Because you brought that up, let's talk a little bit about Zero Trust and TIC 3.0. This is actually right out of the 800-207 document, section six. Anybody who wants to go grab it and pull it, read it themselves, it's actually out of section six. So Danny, I'll jump to you. Can you talk a little bit about where that intersection between those two is?

Danny Connelly: It's tightly woven. I can't speak to the verbiage in the document of how it relates to security capabilities specifically. The security capabilities catalog came out of the TIC 3.0 standard. It's a game changer, it gives the agencies the flexibility to go out and no longer have to funnel all traffic back through a central network point to have Einstein or DHS monitoring. That's really a game changer, especially with the remote workforce right now. Everyone on this call is probably remote right now, right?

So the attackers don't stop. They're attacking our networks today. I think the first or the most critical priority are those remote users. How are you securing their access to the internet? Do they have traditional protections in place like outbound firewalling or URL filtering or SSL decryption or threat prevention? How are you extending that to remote users? I'm sure folks don't have a full security stack on their home network. I certainly don't. So how are you actually able to do that? And TIC 3.0 gives agencies the flexibility to go away from that whole mindset and really leverage SaaS-based offerings like Zscaler and Okta to accomplish what they're doing. So I think that's a critical priority that really everyone's facing.

Sean Frazier: I'm just going to say what Danny said. He was spot on, these things are related in a way that when you look at... we talked about compensating controls of NAC versus non-NAC when you're not on the network, this is the same thing. Your traffic's not coming back to me anymore, but I need compensating security controls wherever it may live. A good friend of mine talked about this early in the pandemic. He said, basically my agency went from having 20 branch offices to 20,000 branch offices, because now I've got to worry about everyone's home office, they are now part of the infrastructure. So I need compensating controls. I need strong authentication. I need encryption to the end. I need posture assessment of the device. I need all of these things all the way out to an area or an environment that I don't control.

Jean-Paul Bergeaux: Jose, you going to add anything or are you good?

Jose Padin: What's really important to me is just the fact that TIC 3.0 was released and what happened during COVID. It's such a great example of having an accreditation body, someone responsible for security, being able to understand that this has been a wave that has been coming for a really long time. And now the fact that everyone's at home, we need to redefine the security. TIC was amazing because there were a million internet connections, no one knew where they were, we had itemized them. 2.0, we added security. 2.2, we changed a little bit of the model of how we can do that. With TIC 3.0, it's exactly what's in alignment with today: users are everywhere, data is everywhere, so let's change the way that we're using our accreditation around this to allow people to work in a modern world.

Jean-Paul Bergeaux: One of the biggest problems I have dealt with when it comes to securing the last several years is because of the TIC 2 and 2.2 structures, anytime you're trying to inspect traffic, you're having to always suck that traffic into those enforcement points and inspection points. So when you have a cloud infrastructure or you have a remote site, if you're funneling it all in for costs, because you can't afford to have three different TICs and manage three of them. So now you're funneling everything through one, or maybe you're a very large and in a lot, and you have three TICs, but you really need 20, the problem becomes it causes performance issues. It causes all kinds of inspection and performance issues around the entire thing. So to me, TIC 3.0 is really trying to serve the needs of what the reality is with cloud and with disparate sites, now remote users.

We went from discussing remote users and having them to everybody being a remote user in one year. It has basically made TIC 3.0 really important, really fast, but it was already important because you were trying to fix this funneling issue, that was nobody's fault, it's just the way the world worked. That's what they were trying to do. They were trying to give that flexibility to fix these backhauling and funneling issues to these inspection points and these policy enforcement points. But this, to me, goes back to the same thing, and I'm a broken record, is Zero Trust is an architecture and TIC 3.0 fits right into that as part of that architecture. The only way we can do enforcement and inspection is if we have it where we can make it work and where everybody wants to use it. And I'm not constantly fighting it, it fits right into a part of the more grand total solution that Zero Trust offers.

Sean Frazier: And you bring up one of the most important things that we, as security people, never talk about, which is user experience. If you want to enable a better user experience, you don't do it by throttling their connection, especially when users are used to getting their Gmail on their iPhone in two seconds and their corporate email takes 20 minutes. That is not good user experience. So the fact that Zero Trust enables that, the TIC enables that, helps with user experience is really a win for security because we almost never get to say that. We almost never get to say we're helping usability. 

Jean-Paul Bergeaux: We're the bad guys. We're the ones that want to complain about because we're restricting them.

Sean Frazier: Now we get to say that. 

Jean-Paul Bergeaux: I'm not going to say they're wrong. We have a good reason to do it, but that's not a wrong complaint.

Sean Frazier: If we can get usability and security in the bargain, that's a win baby.

Jean-Paul Bergeaux: That's right. This is the conversation I'm having everywhere, in all the agencies. The number one issue people are saying they have with implementing Zero Trust is the cross-discipline issues. So I have a network that owns part of it, I have the identity that might be living with the infrastructure folks. I have pieces of it that live in security and bringing all those disciplines together, to work together, to create that Zero Trust architecture is what people were saying. Look at the people on some of these documents, whether it's ACT-IAC or NIST, those guys are just dying to help agencies. So as they kind of worked through these problems and they're feeling overwhelmed and they want to talk to somebody, we're all approachable, all those different resources that you see on these documents, you'd be surprised at how approachable they are to help you.

Sean Frazier: And that's one of the biggest problems, the whole stovepipe and fiefdoms around deployment is one of the biggest problems, which is why I always get back to the word holistic. You need a holistic approach to Zero Trust. You need to have a center of excellence. We did the same thing 12 years ago with mobility. When mobility was having every different subdivision had their own mobile platforms and their mobile stuff, and they're doing their own mobile thing. You got to bring it together. You got to make it more holistic within, inside the organization so that they participate in all of those decisions and conversations.

Jean-Paul Bergeaux: Any last things you want to say that you can get in about 30 seconds before we close out here?

Danny Connelly: I would just say, if you could do a pilot, do a pilot with Zscaler, Okta. Get the network teams. So most cloud SaaS platforms have very robust role-based access controls. The network team can have the pieces that they're responsible for, the security team can have the functions they're responsible for, identity access management can control the identity pieces. You could do all that with a cloud-based solution like Zscaler or Okta. That breaks down the silos nationally. So if you could get to the point, instead of just talking about potential solutions, actually trying them, I think that works itself out.

Jean-Paul Bergeaux: And both of your organizations can stand that up very fast because you're cloud-based organizations.

Sean Frazier: We can be running in minutes. We will not be the bottleneck. We're fast, we're agile.

Jose Padin: That ties right back to the NIST use cases. So enterprises with satellite facilities, multi-cloud enterprise, enterprises with contracted services and non-employee access, collaboration across enterprise boundaries, enterprise with public or customer-facing services. I think that covers just about every agency, has one of those use cases. Just like Danny and Sean said, the technology can help you today, start using it today. And we can tie it right back to use case and to the TIC use cases that are coming out and what's happening in DoD to be able to assist our customers.

Sean Frazier: We're happy to do it together because we do this with Zscaler all the time where we sit down and do an assessment. We have a Zero Trust maturity model on our website, you can go to. We can take that and sit down with you at a table with Zscaler and map that out. So bring us in. 

Jean-Paul Bergeaux: Well, thank you guys, I appreciate it. As we expected when we prepped for this, we didn't get anywhere close to all the questions we had. Thanks for the great conversation. I'll just throw it out there that we are all approachable. I think everybody in this is willing to help and really is passionate about helping. Obviously, we work for companies that want to go do things, but we all are passionate about just helping. Please reach out if you need anything.

Danny Connelly: Great. Thank you. 

Sean Frazier: Thanks guys.

Jose Padin: Thank you. 

Speaker 1: Thanks for listening. If you'd like more information on how Carahsoft or Okta and Zscaler can assist your organization, please visit www.carahsoft.com, or email us at okta@carahsoft.com and zscaler@carahsoft.com. Thanks again for listening and have a great day.