CarahCast: Podcasts on Technology in the Public Sector

Zero Trust and the Pentagon’s Identity-Centric Security Roadmap with BeyondTrust and SailPoint Technologies

Episode Summary

In this new environment, a zero trust approach can help agencies minimize their attack surface and cyber risk. Brandon Iske, Chief Engineer for the Security Enablers Portfolio at DISA, Josh Brodbent, Director of Public Sector Solutions Engineering at BeyondTrust, and Frank Briguglio, Global Public Sector Strategist at SailPoint, along with moderator Matt Topper, President and Solutions Catalyst at UberEther, will discuss how to build an effective zero trust approach with an emphasis on identity and privileged access management.

Episode Transcription

Speaker 1: On behalf of BeyondTrust, SailPoint and Carahsoft, we would like to welcome you to today's podcast, focused around a panel discussion on Zero Trust and the Pentagon's Identity-Centric Security Roadmap. With Brandon Iske, Chief Engineer for the Security Enablers Portfolio at DISA, Josh Brodbent, Director of Public Sector Solutions Engineering at BeyondTrust, and Frank Briguglio, Global Public Sector Strategist at SailPoint, along with moderator Matt Topper, President and Solutions Catalyst at UberEther, we'll discuss how to build an effective Zero Trust approach with an emphasis on identity and privileged access management.

Matt Topper: Well, thank you. Thank you. So what a difference a week makes. We jumped on this call a week ago to prep and had talked about talking about COVID-19 and agencies moving to work from home, and trying to keep up with the changing demands for users and workers, and some of the recent breaches like SolarWinds waged by Russia, the Microsoft Exchange hacks waged by China and the recent critical infrastructure attacks. And then last Thursday and Friday happen: the executive order came out from President Biden that spoke very deeply to identity-centric security and Zero Trust. And then the day of, or the day after, the DoD and DISA dropped their Zero Trust reference architecture. So a lot to talk about today. So I think I'll set everything up with kind of the quote from the executive order around identity and Zero Trust and then we can kind of jump in. So in President Biden's words, to keep pace with today's dynamic and increasingly sophisticated cyber threat environment, the federal government must take decisive steps to modernize its approach to cybersecurity; the federal government must adopt security best practices, advance towards Zero Trust architecture, accelerate movement to secure cloud services, centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks. And then, within that, we get into: within 60 days, all agencies must update agency plans to prioritize resources for the adoption and use of cloud technology, and develop a plan to implement Zero Trust architecture, which shall incorporate, as appropriate, the migration steps that NIST, the National Institute of Standards within the Department of Commerce, has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them. Within 180 days of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with federal records laws and other applicable laws. I mean, right there, it kind of lays it out: that's foot to the gas pedal for identity and Zero Trust architectures. So I guess, before we really jump into the hard questions, I'll pose to the panel: what is Zero Trust architecture? And what does it mean to you? Brandon, I'll let you go first.

Brandon Iske: Sure. So again, I'm Brandon Iske, I'm with the Defense Information Systems Agency. And so I'm the Chief Engineer over our ICAM and our Zero Trust and TTI initiatives. So for us, our role in Zero Trust over the last 18 to 24 months has really been to define, for DoD, how we look at Zero Trust, and developing the Zero Trust reference architecture. So for us, those are kind of the foundational pieces. And again, from our vantage point, Zero Trust is really built on three principles. It's never trust, always verify; assume breach; and verify explicitly. And again, the foundation of that, of verifying explicitly, is basically always validate identity, and on a more continuous basis versus just what we do today. Today, we do have strong authentication with what we do with PKI and certificates. But again, it's kind of more of a point-in-time concept. So as we move forward, it's how do we bring telemetry? How can we bring these other contexts into play for how we access things, and then have more dynamic access based on those attributes? The other fundamentals of it, from my vantage point: there's a series of seven pillars that we talk about from a Zero Trust perspective. I won't cover all those right now. But again, from our perspective, it is about kind of changing the landscape from a network- or perimeter-centric security architecture to more of a data- and app-centric model. And so that's really a big shift for the department.

Matt Topper: Josh, your thoughts on how BeyondTrust looks at Zero Trust, and your own thoughts on Zero Trust?

Josh Brodbent: Yeah, absolutely. So I'm Josh Brodbent, Director of Solutions Engineering for BeyondTrust Software Public Sector. And obviously, this is a topic that we deal with a lot as far as Zero Trust architecture goes. For us, the one thing that we like to clarify is that there's really no such thing as a Zero Trust solution, right? It's an architecture framework, something that, you know, it's something that we build towards, the line we head towards. As Brandon alluded to, you know, it's about always trust, never verify, assume breach. So these are all things that we want to make sure that we focus on from a privilege perspective. So as we take a look at our perspective for Zero Trust architecture, part of that is ensuring that no one ever has, as much as possible, privileged access unless it's audited and verified.

Matt Topper: Awesome. So, Frank, how does identity-centric security fit into the overall objectives of ICAM and ZTA?

Frank Briguglio: Yeah, absolutely. And a lot to unpack there. But let's talk a little bit about, you know, what Josh and Brandon said; you know, they nailed it. And our drivers, really, for Zero Trust, there's a lot of them: we were already going through this digital transformation, IT modernization, we got thrown into this pandemic era, breaches have just been coming left and right. As Matt said, you know, the statistics are crazy if you look over the last couple of years. And, you know, as an identity practitioner for my entire professional career, which is a long time, as you can see from how gray I am, you know, we've been talking about this for a long time. And we really, I think it was Josh that just said it, or someone had mentioned it, it's a paradigm shift from network perimeter to more of a, you know, as Brandon said, application- and data-centric approach. But really, what we're talking about, you can't get there without identity, right? And it's twofold. It's not just identity from the point of authentication and authorization; we can do that, we have PKI, we have MFA tokens, we need to apply them better, we need to apply them in more places. But it really is about taking that inventory of data, applications, assets, looking at that inventory, and then building the control plane. And it might be controls that are role-based. You know, I hate to say it, people, roles are here; it's gonna be a while before we get rid of them. Sure, we can make moves towards dynamic authorization, through federation and all these other technologies. But what do you need to do that? You need contextual data. And it's not just from assuming the device that I'm connecting with is okay, the location is okay. But what about the user? Am I still a suitable user? Is my access appropriate for my current role, my current location and the current actions I'm performing?
So identity-centric security has to encompass everything from those credentials down to detecting what I'm doing with the access that's been granted, and everything in between. It's the process of looking at how entitlements are granted. If we're using dynamic authorization, we need to unpack those policies. When we look at things like cloud infrastructure with these, you know, gnarly JSON policies that are not human-readable, or RBAC in its simplest form, exactly how does that policy get broken down? And how can we ever say Matt got access to the financial management system on June 14, if we were using an attribute five systems away? We need to be looking at those policies, along with the people that they're impacting, and whether or not that's still valid. So in my view, identity has been doing this for a long time; we just need to mature that. And that's really where identity-centric is. It should be a maturity model. And in my mind, you know, you can't get to Zero Trust architecture without a mature identity footprint.

Matt Topper: Wow. Are we done? Like, wrapped it all up? So, as you know, Frank, I 100% agree, right? We talked about, for deployed operations, the coalitions that spin up and spin down on a regular basis, and being able to have more real-time access to changing those policies. And right, we're not at a point anymore where it's just unplug the cable on the wall, take them off the network, right? We are all in malicious networks, other people's cellular towers, so we have to have a full level of assurance and context from the person, to the device, through the network, to the applications, through the APIs, all the way back to the data sets. And sometimes those data sets are reaching across domains and levels at the same time. So, simple problem; we should have it done by, I don't know, what do you think, Brandon? Three, four weeks? Pretty close? So I warned you about this question earlier this week, but a high-level executive within the Army made a comment on the DoD Zero Trust reference architecture that said, literally, none of the things in this paper are congruent with any existing system or service in the DoD today. What are your thoughts, Brandon? And how do we make that no longer true?

Brandon Iske: Thank you for that. Yeah, it's a good friend of mine. And he definitely put the nail right on it, I guess, to some extent. So while I agree that we have a large journey ahead of us, I do think there are a few instances where there are initiatives leaning forward on this. And again, I think, from my perspective, the department and the DoD have traditionally been focused on a network- and perimeter-centric security model. So it is going to be a culture shift as much as a technology shift for us to move towards the Zero Trust concepts and principles. So I do agree with that, to some extent; I may not be as bold in the way it was said, but that's my personal style. I'm with them on that comment. And again, I think from our vantage point, we're at the ground floor of trying to define these principles, with the reference architecture that we finally got out the door this month. So again, I'm very personally proud of our team for getting that done. It's been a collective effort between DISA, NSA, Cyber Command and DoD CIO to bring that to fruition. And so again, from my vantage point, that's kind of the starting point for an organization as large as the Department of Defense to start to have our own ways that we look at this. Again, a lot of it is built on the NIST guidance, but it also puts the new spin on it of things that we're already doing, how those are aligned, and then how do we modernize from there?

Matt Topper: All right, a little lighter question on this one. So Josh, what are some of the features that differentiate identity and access management from privileged access management, and vice versa? And why are they so important to real-world implementations as we move forward with Zero Trust?

Josh Brodbent: Yeah, so, as we look at identity and access management versus privileged access management, identity and access management is a lot about managing the identities, right? It's not just privileged users, it's all users. But in addition to that, it's ensuring that entitlements and workflows are set in such a way that people who should have privileged access to things have that access, and people who shouldn't are removed from that pool before they ever hit the privileged access management solution. So that's important. Once you get to the privileged access management solution, it's about securing credentials, and sessions, and assets that have privileged access, right, those critical software junctions. So really, the difference is, one of them is about managing the heartbeats that manage a network, and the other one is about managing the functional accounts and systems that manage the network.

Matt Topper: I'll just ping back an extra question on this. Those accounts, the service account side, the ones that aren't tied to human beings: how good do you see federal agencies being at managing those? And what type of opportunity do we have to make it even better?

Josh Brodbent: Am I allowed to answer this question? Like this? Is this public? Right? No, I'm just kidding. So I'm not really. So I will say this: I have worked with large federal agencies who had multiple staff members whose entire job was to rotate service accounts every day, eight hours a day, 40 hours a week. Not only does that sound like the most boring job description that I have ever heard of, it's also entirely ineffective, because when they got done, they would have to start over. And there's no guaranteeing that they would get 90-day rotations, right? In addition to that, I've worked in IT; I was a prodigy. So I actually founded a company when I was in my early teens. And the one thing I have learned about IT technicians is, for the most part, they are terrible at documenting service accounts, no matter where you are. So just because that person is changing service accounts all day every day doesn't mean he's changing all the service accounts. Because there's someone that decided, hey, I want my own little service account for this, because I'm just testing it, and I promise it doesn't actually exist. So, you know, the idea here is, number one, usually there's a significant problem with them ever doing it to begin with. And if they are doing it, they don't have a good way to verify that those are actually all of the service accounts in their network. So, overall, from a manual way of doing this, it's almost impossible to manage this with the level of accuracy that we should consider acceptable for the DoD or the federal agencies that we have.

Matt Topper: Agreed. I'd love to get into the tech. We need the how, but I think that's what we can talk to the individual agencies about afterwards. So Brandon, we did have a question come in, and I think you're probably best to answer this: how has the SolarWinds event influenced DoD's federated identity approach? Has that had any impact on how you're treating any of the Zero Trust architecture things moving forward?

Brandon Iske: I think, from my vantage point, the good news is that we were already on our ICAM and Zero Trust journeys. So for us, I think it just further foot-stomped what we were already trying to champion at our levels. And we did have a lot of executive-level leadership already paying attention to our ICAM initiatives. I mean, our pilot for ICAM is focused initially on some financial management applications. So we have a lot of visibility there because of the audits that DoD has undergone, and the findings around access control in general. So we did already, frankly, have a lot of attention. And this is just kind of more and more gas on the fire, from my vantage point.

Matt Topper: So let's chat a little bit just about how agencies are utilizing identity and privileged access management to combat threat actors today. And then, as we see things maturing, things will change as we move into a Zero Trust strategy and find ways to get rid of some embedded service accounts and move to some higher-assurance authenticators. So, Frank, you want to take a first shot?

Frank Briguglio: You know, the whole thing is the environment we've gotten ourselves into with managing the privileged users, the fact that we've isolated them as privileged users. I was on a panel yesterday with the CTO and CISO from BeyondTrust, Morey Haber, and I got the same question, right, about privileged users. And to me, a privileged user, we're all privileged users. The fact that I'm using a corporate device to be on this webinar, that's a privilege, right? I have access to things within our network to do my daily job. While I may not have the final keys to the kingdom, I have enough access. But there are some things that I do have access to that are privileged. So it's all context-based. And I think that's one of our biggest problems, is that we focus, you know, privilege on this subset of users and try to control them differently, when, you know, yes, they're the ones that we want to attack. But really, if you look at recent attacks, they're attacking anyone they can and elevating privileges, finding that hole. And I think we need to take a step back and have a more broad view, you know, starting with our high-valued assets, starting with our privileged users, but then open that funnel up. And we need to encompass everything. You don't know really how risky I am if you're only looking at a subset of my access. If you look at my access as it pertains to me in one of the many hats that I wear, I may not appear to be a privileged user. But if you look at the fact that I spent a year in the product management organization, I know things, I have access to things still; in my job as the global public sector strategist, I see our sales information. All of that's privileges. When you look at that broad set of access that I have, it makes me a very risky person. And I think that's one of the things that we fail at a lot, is not having the big picture of how risky a user is. And I know that's kind of a different way to answer that question.
But it definitely is germane to that, in which, you know, that's why we're here with our partner BeyondTrust, right? You have to have identity governance, identity security, and privilege management. But you tie the two together to get that complete visibility. It's not just to make the admin's job easier to provision and entitle privileged users. It's to bring that access into the big picture of how risky a user is.

Josh Brodbent: Yeah. So you know, this topic is something, you know, as a privilege company, we clearly have opinions on, right? Earlier, Brandon started talking about moving the trust to the application, right, rather than the users themselves. So one of the things that I think about, as you know, Frank discusses everybody having privileges, is that he's not wrong. If you look at two of the more recent attacks, you look at the pipeline breach from last week, it was a non-human account that ended up getting attacked, and it moved through that. So somebody probably wouldn't have considered a random monitoring device on a pipe a privileged user, but it certainly was privileged enough, right? So we have to decide as a group that we're no longer okay with the concept of, you know, the binary: is this user privileged, or is this user not privileged? And from there, we have to decide, okay, when it comes to our network, and when it comes to our identity perimeter instead of a network perimeter, what are ways that we can take privilege away from the identity? That's the Zero Trust architecture, right: least amount of privilege necessary. And we can begin to put the privileges on policies and specific applications that we can guarantee by signatures or hashes or things like that, and then not allow applications to run at all if we don't recognize them inside our network. So we're not talking about the privilege of the user anymore. We're talking about the privilege of the applications that are signed with hashes, so that they get the rights they need to run and the users have a normal experience. But there's no longer anything to do with the user account. It's like giving a kid a key to a car, but it's the smart key, the valet key that says you can only go 55, right? So technically, he has keys to the car, but he's not getting on the Autobahn.

Matt Topper: So you don't give the 15 year old the red key to the Hellcat?

Josh Brodbent: That is a terrible plan. It's, honestly... but we can talk about that whole story later.

Matt Topper: Now we have a car connection.

Josh Brodbent: Some of them do. And I can go down this rabbit hole. One of my best friends had a Hellcat. And we joked about the keys all the time. So we'll talk about that offline, Matt.

Matt Topper: And the word was "had," so he definitely used the red key a lot. So another question that came in from the audience, and I'm actually interested in this because I've never seen it before. Right, inside of the DoD, we have the IAT levels, where administrators have to have certain certifications, like a Security+ or a CISSP, depending on the level of data they're touching. Do we believe that things like the Forrester Zero Trust certification, and I'm going to throw a pitch for one of my favorite organizations, the identity professionals organization that we're currently helping write the certification for, are certifications that should be introduced into that world as everybody's moving forward? And does anyone know of any talk of that happening?

Brandon Iske: I mean, I'd say from our vantage point, I think that's very much an interest for us, just because of the established way we do system access and requests. Training requirements are part of that process; that's just naturally something we've done. So that can always expand, and then obviously, learning management systems or other ways that we can authoritatively capture that training data, and then validate that upon system request, at our system access, or at that recertification campaign, either on a quarterly or annual basis. I mean, that's very much our vision as well.

Frank Briguglio: Absolutely. I have not seen any talk of that, Matt, that being added, you know, anywhere. But as Brandon said, you know, we think of the process and, you know, the basic policies that we go through and attribute evaluations for birthright access, right. And in my humble opinion, you know, if I don't meet one of those 8570 levels, right, then I shouldn't even see that there's an entitlement out there that requires it. Right? You know, if I haven't done my cyber awareness training, I should be kicked off the network immediately. There's just these basic things that are these gating factors, and really it goes back to what I said earlier about context, right? It's not just about device context, it's about the human context. If I'm not wearing this, you know, striped shirt tomorrow, then there should never be a policy that says, you know, let Frank in the door if he's wearing a striped shirt. How do we verify Frank is still wearing that striped shirt tomorrow? By using authoritative data, such as training data, along with, you know, we talk about clearance data all the time, background investigation. You know, the privacy world for the civilian marketplace, you know, the commercial organizations are starting to do more identity proofing and, you know, identity vetting. We, as the federal government, have had this data for years on our people, and we have these policies, you know, I'm talking secret cleared, so I can get read into a program. But there are no controls today, besides a paper form, that really check that, right? You know, I think as we mature and start using this context in live decisions, workflows, recommendation engines, all of these things, we'll get to that Zero Trust model. You know, those are the things that I'm talking about when I say maturity model. Those are the kinds of things that we need to get right.
The federal civilian agencies have had the CDM master user record data, which is all the things we just talked about, for a couple of years now. They're still working on reporting that data, or they should be at the point where they're operationalizing that data. That should be in every access request today: if I'm considered a privileged user, and I don't pass that trust score, or behavior test, then I should be kicked out. The technologies are around today to do this, right? And I, you know, it's time.

Matt Topper: And I'll just add, continuously verify those attributes.

Frank Briguglio: Absolutely. Absolutely. Yeah, this isn't a once-and-done; this is every day. If something changes about me, my access should change. My job title changes, my entitlements should change. If my location changes, chances are my access should change. It's just contextual information that should drive the access.

Matt Topper: So Josh, there is a question about how do you build this into a system to make sure your identities have least privilege, and are allowed to do what they're asked to do within an agency's systems? Right? Because it is an incredibly complex, multi-generational, that's my favorite new word, I can thank Andre for that term, set of multi-generational IT systems that we're trying to manage. And I was on a call earlier today talking about, oh, soon we're gonna have 5G in the jungle, and all of this is going to go away. And I went, I'm still talking about managing some accounts on the mainframe at a federal agency. It's not going away, folks.

Josh Brodbent: Yeah, absolutely, Matt. So you know, you're right. It's not. To a point that I alluded to earlier, the way that we do this is by taking the privilege away from the user and putting the privilege, in the context of policy, on applications that are allowed to elevate. So in this way, those applications are allowed to do what they need to do. And you can do this in context across the entire application environment, so that when you're setting your policy, you don't have to have users that have special privileges. Instead, you have policies where users who should have special privileges allow applications to elevate. And when you do that, the user ends up with a relatively normal experience. Maybe there's a pop-up that asks them, hey, is this for your job? Or, you know, are you sure you want to do this? Like a normal User Account Control type pop-up. But other than that, you know, it's really about making sure that those end users can get their missions done, can get their jobs done, because the last thing you want, at the end of all of this, is to implement these kinds of architectures in the DoD and have combat troops or other forward-deployed bases that can't get their job done, because they get stuck behind trying to figure out who had permissions to do what. So you have to enable their experience while securing their identity.

Brandon Iske: And to tie this together, I would say the generational comment that you made very much resonates with me as well, too, because, as I mentioned earlier, from a Zero Trust perspective and enhanced identity, we can move a lot faster when we're working with some of our more modern cloud services. But we also have a lot of legacy that we have to deal with. And a lot of that is in the financial space. So we do have a mix of kind of modern ERPs, as well as kind of legacy applications or government-developed solutions. So we do have a long road ahead of us because of that multi-generational-ness, which I'm now going to steal as well, too, as a perfect word that wraps it all together. I thank you on that one.

Matt Topper: I immediately go to trying to explain what we do in identity and access management to my grandparents, right. And it's the same way we're trying to protect them, my friends, right. So Josh, I'm gonna pick on you a little bit, and I know we didn't talk about this ahead of time. One of the challenges I've seen on the policy side of the world is a lack of consistent policy languages across network devices, applications, APIs. And right, there was a huge push, for example, for XACML, which has fallen to the death of XML, like SAML should have so far but hasn't, much, much faster than SAML did. No one I know has ever liked to write an XACML policy. No one's ever written the language that makes it easy. What are your thoughts on how, as an industry, we can bring that forward? Because that, to me, is one of the biggest keys to solving this beyond the identity problem that I don't think a lot of people have really looked at.

Josh Brodbent: Yeah, so I absolutely agree. When you look at identity management, we have a slide somewhere in a deck that I have presented from time to time that shows identity management and breaks it out into blocks. And what's really interesting about the way that it is, is every block is generally a different niche market inside identity management. You know, you have the identity governance people, you have the overarching identity management groups like SailPoint and Frank. And then you have privileged access management, and then you have multifactor auth, depending on how you do the block. So the point is that generally, as we head towards these Zero Trust architectures, these Zero Trust frameworks, it involves multiple vendors, right? Like, you don't get there by just saying, hey, I'm going to buy this one product, and it's going to do everything I want it to do. And again, that's why I started out by saying it's not a solution, it's an architecture. Because if you could just go to the store and buy it, it would be easy, but the truth is, you can't do that. So I agree that a huge challenge around these products is getting them to integrate together. So a couple of the things that we can do is, you know, number one, there is in the works kind of a standardization of formats for connectors, for these SCIM-like connectors. So I mean, that's absolutely one of the places that we feel strongly about and want to continue to work on. But there are other things, like just having a common API. Or, you know, for us, some of the elevation that we do, we don't even need a connector to the software, because we're interacting with the client system itself. So that helps us kind of bypass the concept of, you know, do we need a connector for this to apply a policy to it? Well, no, I just need the executable's hash.
And I can decide what to do with that executable when it launches. We have kind of that pivot point to be able to say, well, I mean, it doesn't really matter if they give me an API, because I can still control that application based on its hash, or based on its path, or a dozen other things. Right? To summarize that, the first part of it is I absolutely agree, we have to agree on a standardized set of connectors, because the truth is, there's a lot of vendors that are going to have to work together in the future to make this work for the government. But also, in the meantime, from a policy perspective, since we don't have to interact with the applications in order to elevate them or not elevate them from a coding side or an API side, it doesn't matter quite as much to us. I am curious to know what Brandon's opinion is on this, though.

Brandon Iske: I was gonna foot-stomp on here as well, because I think as we look at some of the remote access capabilities in anything you're trying to do with Zero Trust, trying to get contextual information off of the endpoint basically means you're usually using an agent. And so if you need an agent for either remote access, or for that enrichment of the status of the endpoint or the identity of the endpoint, those are kind of proprietary stacks of agents. And that is not really a common thing that I see in industry yet at this point. I mean, I think I've seen one or two vendors that maybe are trying to push in that direction. But I mean, the department's a big place. So even if we had one solution in one area, you're guaranteed to have another somewhere. I mean, you've got Army, Air Force, Navy, Marines and Coast Guard all always doing kind of their own things, but also aligning with the enterprise. So we're always trying to bring the department together in that sense, but there are certain cases where that's just not always feasible. And so the interoperability of some of these Zero Trust concepts, and the solutions that enable them, is very much a concern from our vantage point as well.

Matt Topper: I'll just add, for those interested in digging down deeper on this topic, one of the leading policy languages that is emerging, and Rossford brought it up in the chat, is something called Rego that came from the Open Policy Agent, which is essentially the policy framework for Kubernetes. And the nice thing about Rego is the policies get loaded into your controller that controls your ingress and egress, that pattern can be applied to any applications and any application stack and doesn't need changes to the underlying code bases. So something to look to. I will also say, there's a ton of work right now in the second ID events standard, as well as the CAEP protocol, C-A-E-P, the Continuous Access Evaluation Protocol. Right. As we all know, you authenticate once, and then you authenticate to that app. And that app takes your control for the day. And if your company fires you five minutes later, you're still logged in, in your browser, to that application. CAEP will help us solve to understand all of the places identities have been pushed, and then bring security events together and be able to enact on them in all the applications and systems we've integrated with. So one more down the standards path and then I'm gonna ask the question to Frank and Josh, and maybe it's not standards, but can we talk a little bit about the importance of governance in this environment, even to a low level, just DoD-wide agreement on attributes and attribute names and values of those attributes. I know within the intelligence community, I think it's been almost 10, 15 years now, we've had published the UA s standard, which is publicly available, you can search it, which literally lists here's what a user looks like, here's what an NPE looks like. And here's what the attributes of those are, if you want to add to that great as your agency, but this is the starting point. And then we have similar things along the Backend Attribute Exchange as well as the OpenID Connect iGov profile. Anyone have any thoughts on why we're not there yet?

Frank Briguglio: Yeah, that's an interesting one, Matt, and, you know, based on, you know, some recent experience with many agencies. And actually, this is a, this is a global problem, right? Because this comes up all the time, about what attributes do we need, and I always go, well, you need the ones that you need to build your policies with. But yes, those standards are extremely valuable. But what's most important, and I mentioned this earlier, is the quality of that data, right? And the source of that data. And when we try and use a single attribute from, you know, an authoritative source, if we're allowing that attribute to ever be modified anywhere downstream, the validity of that attribute goes out the window. Or if we're, we're capturing that same attribute in multiple systems. So we really do need a standard data policy. And in most organizations, you know, work this way, I think some of the hurdles are data sharing in a lot of these systems. That was a big problem we encountered in some of the CDM agencies where they didn't have the rights to reuse the data that they have in their legacy system, they had to reapply to be able to use that data. Attributes are a continuous challenge. It's a key thing. And I think I think Brandon probably has some recent experience with this as well, you know, just going through, you know, some of the prototype activities.

Brandon Iske: Absolutely. I mean, I think what we can and can't do with the data we have, and then I think with some of the frameworks around the Privacy Act, and, and what needs to be done to define what we can and can't do and stay within those bounds is definitely a challenge for us to manage. And then it's kind of like you almost have to have your end state already defined when you're starting. But when you're taking a prototype and iterative approach, it's kind of or cotton that like, where are we taking risk? Where are we doing the right things? Or where do we have to really say, No, we can't do that. Because that particular direction of Dataflow is just kind of off the table because of the way we have to move identity information around.

Matt Topper: It's almost like we need to revisit the inetOrgPerson LDAP schema, but for security attributes?

Frank Briguglio: Yeah, absolutely. You know, it really is, I started out, these flashbacks of building directories back in the late 90s. You're absolutely right, it all goes back to that, I know, inetOrgPerson, you know, what are the Seven Dwarfs, the required seven, and then the optional. And, you know, it really is that and that really does need to be updated. And it really is the source, though, in validating that source data and ensuring the source data is accurate, and not getting it in seven different formats.

Matt Topper: I'd like to give the stage to Frank and Josh to talk a little bit about identity-centric security, and privilege access management and how they give us a better together solution towards a Zero Trust architecture as the true foundational concepts. So, Gents?

Frank Briguglio: Absolutely. So you know, I think we've kind of hit the what each of us does, you know, identity governance is the who, who has access to what should they have that access? Is it suitable? How they're using that access? You know, I like to use a couple different analogies, you know, should Josh from a Combat Command have access to the financial management system? Yes or no? Right? Should Peter have access to the file share, which contains sensitive or classified information or PII? You know, that's really what the identity governance layer does. It defines the access model and for the identity and how entitlements are granted, what digital doors can Matt unlock, you know, what assets lie behind those doors? So what's bundled in that entitlement or that role? Because like I said, roles aren't gone forever, folks. I mean, we're gonna have to deal with them for a while, you know, and we need to maintain compliance around that, whether that compliance is to a security control, a privacy control, or some other, you know, framework that we have to abide by. It doesn't matter what widget but system, what mission system that you build, all users are granted access to it. And that access gives you know, that entitlement gives you access to sensitive resources. So it's that metadata that were most important you know, that are important to us, you know, so as we step towards what this looks like in a better together story, you know, I think we've established, you know, the identity is the new perimeter, right? So, you know, we have to look at everyone. And as the attack surface, you know, expands from on-premise in the data center, cloud, hybrid, whatever with whatever it is, we need this comprehensive solution that's looking across all kinds of accounts, all kinds of credentials, all kinds of access. And that's really, you know, what we're doing here today. So, Josh, from your side, it's a little bit different, right. 
But, you know, most importantly, going back to Brandon's point earlier about, you know, many of the findings of the fire audit about entitlement creep and overexposed accounts and orphaned accounts that were still in the systems. And when we come together, like BeyondTrust and SailPoint, that's the better together story, is tying this automation and governance controls to remove this access or identity debt when it's no longer needed. So Joshua, you know, I know that's a lot. But you know, there's tons of tidbits there for you.

Josh Brodbent: Yeah, that's great. So in that vein, you know, while identity management solutions, like SailPoint, while they provide identities with entitlements, the idea is once they receive those entitlements, where are the controls to make sure that those entitlements indeed stay that way, especially for privileged users. So you know, as you're looking through this, SailPoint, and solutions like it, can, can grant an identity with an entitlement. But the important thing is, as we move towards that Zero Trust architecture, is that that identity doesn't actually have privilege, that entitlement grants them the keys to a digital door to some sort of management solution, privileged access management solution, that maintains constant control over privileged access accounts. Again, the other point, and there was a question about, you know, application policies, can you, can you build and manage those in SailPoint, and allow SailPoint to communicate with the user's requested system? So from my perspective, the question is a little bit, right. So from a privilege management perspective, we have policies that govern what users have access to; what those things can be, can be granted by entitlements that SailPoint brings. So whether that's, you know, the traditional Active Directory security role, or something more in depth, we can take information that SailPoint grants as an entitlement, and then allow that structure to be defined basically, by SailPoint. And once we're there, the application profile for a user will be defined, and they won't have access to systems that they're not supposed to be entitled to, or they will be allowed to elevate certain things that they may be entitled to.
So, you know, as we look at things like that, we have to decide, as a group, that the privileged access, we're granting the identities that we're granting, as we move that identity centric security model, we have to understand how those identities grant access to privilege and how we're going to manage that privilege. So that everyone is always verified, never trust so that everyone has the least privilege possible. And for us, that's really a perspective of no privileges at all, while still allowing them to complete their mission and function.

Frank Briguglio: So Josh, with that, to be kind of the devil's advocate to that, how do we ensure that the users are granted, you know, if we are allowing elevation in certain periods of time, right? You have to be in certain groups or roles, right, you have to have an account? How are we ensuring that access is removed? Because just having, you know, if I have an account within the BeyondTrust system, right? How do we ensure that when Josh no longer exists? How do we get him out? Right, or Josh is no longer suitable. I know, there's certain controls that are native. But I think I think expanding upon building these two systems to communicate with each other, we've done, you know, great things in this space. So can you expand on that a little bit?

Josh Brodbent: Yeah. So again, removing entitlements, and that, that entire entitlement management process works better together, because you have a system that's managing those entitlements. And then you have a system that is essentially granting those entitlements based on the policy that SailPoint is managing. So along with that management is the understanding, when a user or a heartbeat no longer exists, that those entitlements should be pulled. Automating that through the workflows of an identity management solution is absolutely the way to go. The one thing that I have learned in my 25-year IT career is that if you trust your engineers, your people, your humans to take care of these things, inevitably someone won't. Like that's, that's just 100% of the time, you know, a lot of us have a million different jobs that we're doing. And there are managers that will literally forget to tell IT that somebody got fired or somebody was let go, all of those things occur. And so when you trust your identity centric, when you trust your security to any type of manual process, you open the door for vulnerability, for attack vectors. So the more things like automating the removal of roles, automating the removal of entitlements, automating the entire, you know, de-provisioning process that you can do, the better off you are.

Frank Briguglio: Yeah, absolutely. And just one last comment, I think that's why, you know, we're seeing a lot more embedded artificial intelligence machine learning in these platforms to look for deeper into how roles or access should change autonomously by looking at peer group analysis and these fundamental things about the identity and the entitlements, and who has access across the board.

Matt Topper: Absolutely. So I actually want to ask Brandon one last question. You see pretty much everything from an identity, Zero Trust, network security perspective within DISA in your role. I am truly amazed every day how you can keep up with it all. Me too. So thank you for it, though. Thank you, honestly, for those that don't know, Brandon drives so much forward across the DoD, just more kudos than we could ever give him. But over the next 12 months, what key cybersecurity initiatives are you and the rest of the DoD planning to tackle? And why are those most important right now?

Brandon Iske: Yeah, you know, I'll speak to them. I think from our vantage point, again, there's a lot of broad ones, probably across the department and kind of how we execute DoD CIO strategy. But again, the ones I'm kind of focused on in my swim lane, again, are the expansion of our identity and credential access management. So that includes how we do the authentication services and, but what I kind of simplify as account lifecycle management. So we have kind of that near term focus for financial management applications. And then we also have to do that more broadly across the department. We have SR efforts with global directory and what they're doing for our adoption of cloud collaboration capabilities. And so they're doing a lot of really good things for us to enable common identity across a multi-tenant cloud environment. And so those are huge movements for us as well. So we're working in multiple different swim lanes. From the Zero Trust perspective, as I mentioned, moving from a perimeter and network multi-tiered architecture to more data and application centric is a big shift for us. So there will be some opportunities, I think, in the future, for us, for industry to help us in that particular space. We're doing some initial planning on those phases now. And so obviously, there'll be more to come in that area. So again, from my vantage point, it's execution on the existing things that we're already doing that are foundational to then build upon it and have more context as we go forward. And then some new initiatives that will come up to improve how we do remote access and how we do our network management in general in a more automated fashion, so I can keep it short.

Matt Topper: I know you're, you're good. The rest of us can't. I was gonna say I had an absolutely wonderful time. And thank you everybody who participated today.

Brandon Iske: Thank you to Carahsoft, UberEther, SailPoint, and BeyondTrust again, for inviting me here as I always appreciate the opportunity to get to have a nice casual conversation like this. So thank you again.

Frank Briguglio: Yeah, thank you, Brandon. We really appreciate it. 

Matt Topper: All right. 

Josh Brodbent: Thanks, guys. I appreciate it. 

Matt Topper: Thank you again, everybody, and have a great afternoon.

Speaker 1: Thanks for listening. If you'd like more information on how Carahsoft, BeyondTrust or SailPoint can help identify and overcome roadblocks to Zero Trust, please visit www.carahsoft.com or email us at beyondtrust@carahsoft.com and sailpoint@carahsoft.com. Thanks again for listening and have a great day.