How the Technical Community Can Assist the Government to Satisfy Federal Mandates with Zero Trust
Compliance with the new EO is going to require all hands on deck.
This is the first in a three-part series examining Zero Trust and government agencies. Listen as a panel of industry luminaries discusses the recent White House Executive Order 14028 on “Improving the Nation’s Cybersecurity.” The order is intended to protect critical infrastructure and vital government networks underlying our nation’s economy and way of life. Hosted by Juniper’s Janet Lyons, the panel discusses the implications for government agencies, and how the technical community can help agencies achieve compliance with the new EO. Push play now for helpful insight straight from top experts.
You’ll learn
Details of the mandate and its implications for federal agencies
Why government agencies should care about Zero Trust
How Juniper and our partners can deliver a Zero Trust security model
Transcript
0:04 great hello everyone my name is janet lyons i am the field and partner marketing
0:11 manager at juniper i'd like to welcome you to the first in our three-part series covering zero
0:16 trust and government agencies we have brought together a panel of industry luminaries to discuss the white
0:23 house executive order on zero trust its implications to government agencies
0:28 and how the technical community can help government agencies achieve compliance
0:34 before we get started i wanted to make you aware of a couple of things as you've heard we are recording the
0:39 session and we will make it available afterwards during the panel discussion if you have
0:45 a question please utilize the q a panel and we'll try and address it during the session if time doesn't allow we'll be
0:52 sure to follow up afterwards and then finally we're always looking at ways to improve the webinars we bring
0:58 our customers and partners so welcome your feedback when the survey launches at the end of the panel discussion
1:05 thank you again for attending i'm going to turn this over to chuck brooks who was named top tech person to follow by
1:12 linkedin and also cited as top 10 global tech and cyber security expert and influencer
1:18 who's going to lead our discussion today tom the session is yours
1:23 thank you janet it's a pleasure to be here uh welcome everybody for the juniper federal zero trust webinar
1:30 series we're going to be talking about zero trusts and its implications particularly to federal agencies but
1:35 also how the integrator community thoroughly community uh deals with some of the
1:41 challenges with zero trust we have a really illustrious panel and uh janet you said
1:46 luminaries and they certainly are and i'm just gonna read their titles um you'll recognize the companies too uh we
1:53 have sean wells managing director for cyber security strategy and technology at accenture
1:58 federal uh gregory garrett vice president of cyber security at peraton
2:04 herb kelsey federal cto at dell technologies eric schlesinger operations and
2:10 engineering vice president cyber security at parsons and tom van meter
2:16 senior essie director at juniper networks uh we're also gonna before i get to to to the questions and answers
2:23 are we're going to be doing a poll and michael if you wouldn't mind putting out the poll we want to get a baseline
2:29 of our uh interest and expertise of the audience and the first question and i'll let you
2:36 give you a little bit to answer it is do you know what your agency needs to do to achieve zero trust compliance with
2:42 executive order 14028 of course we're going to be talking about this executive order in detail
2:49 and i'll leave a few more seconds for you to answer this uh but while we're doing this we could
2:55 actually do two things at the same time um i would like to to introduce uh tom
3:00 to to uh give us a framework of what exactly zero trust is and what's what's in the
3:07 government mandate so then we'll be using this this uh discussion that he's providing us to go
3:13 into the the nitty-gritty of it uh with our panelists tom let me turn it over to you thanks
3:18 chuck and welcome everybody um zero trust is a data centric design
3:25 philosophy or strategy if you will to design secure networks a properly designed zero trust network
3:32 provides authenticated and authorized access to resources and so when we talk about resources we're talking about
3:37 maybe raw data or a server or an application and when we talk about authenticated and
3:43 authorized access we're saying that whoever or could be
3:48 a device like a security camera whatever wants to access that resource they have
3:53 to prove they are who they say they are and then once they prove that who they are
3:59 they have they don't just get access to the resource they have to be authorized to access the resource so let's say john
4:05 doe or jane smith uses a cac or a piv to authenticate who they are just because they're john doe or jane smith doesn't
4:11 mean they get access to the resources they actually have to go through a policy enforcement point that authorizes
4:16 and validates that they are allowed to get to that resource
4:22 zero trust is really the next step in securing the nation's cyber security infrastructure so back in 2014 nist
4:28 published the cyber security framework they updated it in 2018. in 2020 nist published 800-207 which is the zero
4:35 trust architecture document in 2021 president biden signed the executive order of 14028 on improving
4:42 the nation's cyber security and one of the key things in that executive order
4:47 was direction that federal civilian executive branch agencies
4:53 implement zero trust architectures and then in 2022 the office of management and
4:58 budget published a memorandum on federal zero trust strategy and it identified a
5:04 series of specific milestones that need to be accomplished by the end of fiscal year 2024.
5:10 and they laid those milestones out in accordance with the cisa zero trust maturity model and they have like five
5:16 pillars that they talk about so identity and devices and network and applications and data
5:22 so zero trust itself is a change of mindset we're all used to
5:28 a perimeter and in the perimeter there's a security stack and once we get through the security stack
5:33 we have implicit trust everywhere in the perimeter and that's we can go anywhere because we've been validated by the edge
5:40 zero trust is a mind change and it revokes the concept of implicit trust
5:45 and it requires explicit trust to access anything the way in which we do that is we group
5:52 together resources that share common or similar security requirements and we surround those with a small perimeter
5:58 we're going to call that a micro perimeter and then we'll put a policy enforcement point in that micro perimeter so that
6:04 anything or anyone that needs access to the resource inside that micro perimeter
6:11 gets authenticated and authorized
6:16 when we're all said and done we're going to have an outer perimeter with the security stack on the edge of it and then inside that you're going to
6:22 have a backbone that interconnects a bunch of different micro perimeters
6:28 if you if it helps to think about it this way think about like an airline at an excuse me an airport and you've got a
6:33 series of gates and the resource you're trying to get access to with the planes and the the gates to get into the plane
6:39 is the policy enforcement point for each micro perimeter and then the tsa security checkpoint to get into the
6:45 concourse that's the outer perimeter and the concourse connect interconnects all of the micro perimeters so that's that's a
6:51 good analogy if you want to think of it that way once you've got that design put together remember you have to constantly monitor
6:58 and maintain visibility what's going on in the network and then you need automation to
7:04 be able to dynamically change your policies based on what's going on in the network so hopefully that's a good quick summary of
7:11 overview back to you chuck yeah thanks tom it's it's yeah i think simply put it's uh trust no one no thing and
7:18 continually verify um to take now that uh tom's framework and actually put into
7:24 what it means in in in the federal agencies and and with our our federal system integrators i'm going
7:31 to start with uh uh sean first and uh you know what is your what are your thoughts how does a zero trust
7:37 impact federal agencies and and actually how does it impact the the var
7:42 uh federal system integrator and oem network too that has to deal with these agencies
7:48 so on the how does it impact uh the government agencies it's i think it's nice that we're finally preparing
7:54 on how to implement progressive safeguards whether we call them layers but the or or
8:00 terminal the tsa analogy the idea is we're starting to shift towards quite a bit more
8:07 discoverability in governance where we are using automated discovery tools to identify managed and unmanaged endpoints software
8:14 network and all that's well and good but i'll we're starting to see
8:20 at least at accenture a shift towards application-centric design patterns
8:26 meaning we are fundamentally trying to encrypt data in
8:32 computation while it's being accessed while it's being transposed across the network and for the first time
8:39 that holistic view of security is being pushed down to the
8:46 developer of how to implement the identity progressive safeguards how to
8:51 implement shared services and it's been a really interesting dynamic in that
8:58 classically a lot of the security has been focused on the ciso um setting up the organization setting up auditing
9:04 setting up fitara scorecards and what we've started to see for the first part of the question
9:10 is actually a push towards more of the cios and ctos being
9:16 accountable for layered progressive design patterns uh more so than we have in the past
9:24 that's interesting you you really do bring that it's a change of of a policy then too um looking at where
9:30 you're integrating all those elements rather than just decision which is really good insights appreciate that um
9:37 herb i'd like to ask you the same question particularly from the dod perspective i know you do a lot with
9:42 that agency i think you're on youtube
9:50 i i'm losing my uh my video skills here um been able to travel too much yeah
9:55 yeah i think from the dod's perspective i think one is to realize that that they've consolidated their zero trust
10:02 activity into a portfolio office that sits in the cio so they're trying to centralize their understanding of how
10:09 they want to approach this you know the next thing that i would say is that
10:14 you know they've been asking us to help them create a
10:19 a technology footprint that they can repeat so that they can ensure that they don't have drift in the
10:26 implementations that they're seeking and so we're trying to help them with
10:31 that so that so that they can apply these security measures uh in an automated fashion
10:38 use the ai and machine learning from what goes wrong to better inform their
10:43 policy decisions but what they're really looking for is the ability to have
10:49 a repeatable blueprint a repeatable implementation that they can that they
10:55 can spread far and wide because their concern is is that if they if they don't have that kind of control
11:01 within that architecture they'll get drift and they'll get exposure so you know that's how i see them approaching
11:08 it and you know we're we're trying to help them with that in a variety of ways but that's really the impact that i see for them
11:15 they're using as a consolidation as a mechanism to consolidate yeah and you
11:20 mentioned also the automation aspect of it too with machine learning yeah absolutely i mean you know we have
11:29 in security we we have a scale problem that's at least for from it from a technology perspective that's where i
11:35 look at it we know what to do we just don't have enough arms and legs and minds to actually execute it flawlessly
11:41 every single time that we have to so part of what zero trust talks about is
11:47 automating and orchestrating those policy decision points and those policy
11:52 enforcement points and so it's applied consistently and and that's the
11:58 automation and and what we're hoping is that the infrastructure can give us good
12:03 information so that we can use machine learning models to supplement what human beings would do to make better
12:10 progressively better and better decisions as we get attacked and as we learn about what the bad behavior is and
12:16 so there should be a virtuous cycle in there and that's part of that reference architecture for zero trust
12:22 and uh certainly with the announcement of a data and ai uh portfolio office within
12:30 dod they're believing that they can make some headway in that regard as well
12:35 great i think sir gregory i'm going to go actually to you on the next question with with uh and
12:41 and you may also want to speak a little bit this sort of ties into it to your uh your center of excellence that you
12:46 helped create in your in your white paper on zero trust as it fits in but the question is
12:51 how does a company or an agency map to what they have already accomplished to the zero trust
12:56 uh framework uh so they can discover any other potential gaps that might be in the network
13:04 so chuck it's both a privilege and a pleasure to join you today in the distinguished panel
13:11 um it's an excellent question it's an ongoing challenge for the government agencies
13:16 essentially as you know every cio ciso cto is dealing with sort of a technology
13:25 patchwork quilt of hardware and software today each agency is unique from a threat
13:32 profile their technology investment and they're looking to try to find what's the right
13:38 solution that will work for them to as tom just spoke to earlier
13:45 address these various design tenets that are included within
13:50 the zero trust concepts and and i think you know a lot of
13:56 agencies are struggling because right now there's a lot of companies pitching that their software will
14:02 provide a zero trust panacea and so you know as a systems integrator
14:09 at peraton what we've done is to try to spend time with as many of the different
14:15 uh partners whether it's cloud service providers cloud access security brokers major
14:22 software providers to actually vet their software we've created a zero trust
14:28 ecosystem a test lab to be able to bring all the different
14:34 vendors capabilities in whether it's their identity credential and access
14:39 management whether it's companies like okta or cyberark
14:45 bringing in various uh cloud-based internet isolation capabilities
14:51 like menlo security or zscaler and their zscaler internet
14:57 access or palo alto networks as herb and others
15:02 talked about with their cortex xdr
15:07 and their xsoar their security orchestration and automated response technology
15:14 because at the end of the day people want to know that it'll work in their environment that it's compatible
15:20 with their systems and they want to know how they can optimize their overall
15:26 security in a way that aligns with the design tenets that that tom laid out earlier
15:33 and i think that's the big challenge and so what we're trying to do is help educate
15:40 people both internal to our company as well as our business partners
15:46 and our customers as to all the different technology solutions that are out there
15:52 and so you know what i when i talk to clients you know my conversation is
15:57 we're playing a game of chess here and it's really a multi-dimensional all
16:02 technology all-domain game and it's a high-stakes game right and so
16:09 we're trying to figure out the best way to help our clients win this game
16:15 and it's it's a big challenge for all the agents chuck i'd like to extend that add to
16:21 that i mean we're we're being asked to do the same thing and so you know dell's
16:26 making a fairly considerable investment in a center of excellence for
16:32 zero trust that will allow our customers our federal customer
16:38 to see the interaction at an enterprise level at an edge level and at a tactical level and just as you said their concern
16:46 is being able to validate that those workloads can can function properly and
16:51 the key is if we can accelerate that understanding by giving them a
16:57 quote pre-built zero trust environment of the 20 or 30
17:02 ecosystem partners that it takes to build that that's a tremendous accelerator for them tremendous
17:08 advantage and as i said that's work that that that we've been asked to support and we've been investing in supporting
17:16 that on behalf of our customer yeah great both your centers for excellence seem to be also you know security by design and
17:22 education and orchestration so it's a i'm glad you're both doing that as as we know this zero trust
17:28 involves many vote many vendors it's it's we're all in it together it's like uh
17:34 sean says holistic so the more we're working together the better along that line i'd like to move to eric
17:41 actually um you know how we can work together uh how can the technical community assist the
17:46 government to uh satisfy the the federal mandate and also i'd like you to work in
17:52 uh the growing attack surface on this because that's an issue too uh particularly ukraine russian uh conflict
17:58 going on in our critical infrastructure at risk sure no great question so i would go
18:03 back to what tom said earlier around you know we have to abandon sort of traditional models the idea of that perimeter security
18:10 uh and just you know endpoint protection isn't enough right so and even the concept of layered security right isn't
18:17 enough right so i think it's a cultural and a mind shift to start with when it comes to helping sort of translate you
18:23 know the hundreds of pages that come out from nist i love all their publications but you have to have you know a doctorate in order to
18:30 sometimes translate that into real actionable uh you know intelligence and the ability to
18:35 take that and drive behavior right but it really starts at a culture change and i think shifting from that old school sort of
18:41 perimeter defense into these micro segments or or managing your blast radius starts with realizing
18:48 that trust is really just another vulnerability that a threat actor can exploit right so
18:53 um if you can take the idea of micro segmentation and dealing with your blast radiuses and flip that where your model
19:01 of zero trust is is to take those communities right those little communities that are supposed to be uh
19:06 empirically trusted and then allow that to grow then through there's machine learning and those things that's where zero trust
19:13 can come into play because you you open the aperture slowly versus giving everything to everybody from the beginning now when it comes to how the
19:20 technical community can help our our government partners uh it's it's really to avoid what i consider is the buzzword
19:27 that is zero trust i think it's it's it's somewhat scary it's daunting um depending on how you market it and
19:33 how you pitch it uh it could be some what i'll call employee or employer not friendly right it feels like to a
19:40 developer or to the community it could be something you're taking away it could mean that they take it as a you don't
19:46 trust me to do my job it could be um you're gonna make my job harder right so where we can come in
19:52 is really taking our expertise and our partnerships with our vendors and other other area people in this industry
19:58 and being able to bring sort of what i consider a bulletproof strategy which translates not to just putting in
20:05 a technology solution that claims to be zero trust but to put it in because we know it
20:10 offers zero trust and then be able to show and partnership how to prove or validate that it meets those
20:17 guidelines right so it's not a matter of just plugging something in and setting it and forgetting it it's really being consultative and advisory to make sure
20:24 we can show how it's meeting those mandates good good uh insights there um yeah so
20:31 this is really a process and i think we're gonna be learning from the process as we go along but i'm actually
20:36 surprised how fast it's being adopted already in the federal government which seems to be unusual um uh considering how government
20:43 usually moves much slower but uh so this next question is really for everybody
20:48 i'd like to get your thoughts on uh you know uh who should be responsible for
20:54 implementing zero trust should it be the the cso the cio the cto the cfo the
21:00 c-suite and along those lines it's not just who's responsible to what are those
21:06 challenges that will require whoever is responsible to address and why it should
21:11 be that person or persons uh so i'll start again with sean and that since you brought up initially too
21:18 yeah you were trying to lead the witness um no i'd argue there's there's kind of like three at least three principles the the
21:25 first that we've all been tap dancing around is the perimeter is dead and firewalls and vpns don't protect the
21:31 network anymore so the idea is as agencies are moving to cloud native infrastructure cloud native
21:38 applications there's almost a need to dynamically reconfigure based on users
21:44 and trust scores and optimization which arguably is a technology problem
21:49 so in the concept of perimeter being dead we're often leaning into ctos to
21:56 re-evaluate their architectures maybe there's a no not maybe there's kind of the second
22:02 tenet where the compromise must be assumed so if intruders are omnipresent they're aggressive they're agile they're
22:09 nation states basically defenders have to lay the foundation in a independent
22:14 and autonomous way so that could be dynamic threat analysis
22:19 that could be risk models of multiple attack vectors and cisos are largely
22:25 leading this conversation uh and maybe lastly there's this third element of you know
22:32 data is truly what counts so devices even internal devices can be
22:38 friendly one minute and hostile the next so what we're really ultimately protecting is our sensitive data and the
22:44 intellectual property or the classified data uh not necessarily the device themselves and that conversation lends
22:51 itself to the chief data officers so it's it's really
22:58 energizing for the first time we're able to say no this isn't a cto problem and it's not a ciso problem and it's not a
23:04 data officer problem uh how do we run a strategy that involves all of us
23:11 together um so there's there's been very few i guess as a personal opinion very few
23:17 forcing functions for all of these individuals to work collaboratively together to issue guidance on how
23:24 they're going to meet omb or cisa or executive orders so i'd say between these three
23:30 principles the perimeter's dead compromise must be assumed and data is truly what matters
23:36 it's it's everybody as a collaborative forcing function herb do you want to add to that and also
23:43 so so i'm gonna i'm gonna add a little bit of a contrarian opinion but i think the
23:48 reason will be clear within government and especially within government it's the
23:55 cio and it's because they control the money flow for technology and especially within dod
24:03 where that's not as true where the technology is deployed as part of a weapon system i see this as an
24:10 opportunity for cios in dod specifically to start to control
24:15 the budget flow and ultimately i i really like sean's
24:20 points and i agree with them but i think at some level it's still got to be the cio to control the budget to
24:27 ensure that the eye isn't taken off the ball
24:33 yeah good point so now gregory and eric if you want to answer then we'll get to our next poll question
24:38 yeah i can jump in real quick i mean i think um to sean's point right it's a it's a group effort going forward
24:45 because it is an all-encompassing sort of strategy i think however it's a cultural change for any
24:51 agency or any company it's one thing to say we want to do that and i think it really comes from top down so there may
24:56 be a desire to get to a zero trust architecture or strategy but there's got to be clear
25:02 direction that funnels from the top down that allows then the uh employee base to
25:09 understand the what and the why so they can embrace it because there's a lot of uh what i'll call
25:15 security debt out there when it comes to existing infrastructures that um employ
25:20 you know every time you make a change it has a downstream impact sometimes it has an upstream but mostly downstream that affects the people using it and so it's
25:27 got to be a conversation around a cultural change that comes from many different c-suites but it has to be
25:34 pushed from top down as not a desire but clear direction that makes a lot of sense gregory do you
25:41 want to also uh comment yeah i'd be happy to so i think one of the complexities that federal government
25:48 agencies deal with as well is the federated environment because often i find the headquarters cios
25:56 who are basically enabling policy but the implementation is done at a
26:03 specific center or an institute or a i'll say a field organization or field
26:11 command that has their own separate cio and sometimes their own separate budget
26:17 and so you know it's a lot more complicated so the general response is yeah everybody
26:25 plays a part absolutely and so every time i work a transition for a client
26:31 i'm talking to all the c-suite members you know around their aspect of this challenge and what
26:38 needs to be done but at the end of the day you have to look at that individual agency because some of the agencies are
26:46 so federated with different components they have multiple cios they have
26:51 multiple cisos and they have very diverse budgets
26:56 so candidly you know that's why i often like working with state and local governments because they're a little bit
27:03 easier to deal with they tend to operate more commercial-like and they usually have a single belly button that you can
27:10 go to which is usually the cio to work through the challenges that's just my
27:16 observation yeah it seems like you all have that operation that it is cultured these agencies it determines what
27:22 happens and uh in any event it it seems that zero trust involves
27:28 more uh elements than it did than any other policy has in the past relating to
27:33 to security now we're going to go to our second poll question michaela
27:38 could you put that up
27:44 the question is did you know that you can leverage your existing security in networking
27:49 infrastructure it's part of a transition to zero trust network architecture
27:57 you can either be yes no or i'm not sure we'll give you a few more moments to answer
28:22 okay i think that's good now we're going to move over here are some some results already on the first
28:28 one um uh it looks like an audience is educated
28:34 uh most of them knew 93 knew of the uh the fact that uh
28:39 you can leverage your existing security network infrastructure uh which is good
28:44 uh it's good to see that there's a lot of awareness now on zero trust is relatively new
28:50 now the next question is uh yeah the next question
28:56 i think is really a question that that always has really been perhaps one of the biggest challenges in government uh itself for a lot of
29:03 reasons um so it's also going to be a challenge with zero trust and the question is is what uh
29:09 what can zero how you know how can you integrate zero trust with legacy technologies
29:15 it's not just the technologies the programs the policies the technologies and people too and again i'll open this up and maybe
29:22 we'll reverse it here now uh eric do you want to go first on that yeah sure so um
29:28 what's nice is um and usually this is from the nist publications they don't tell you
29:34 uh how to do it they just give you guidance in what you should consider or what you should do in order to achieve
29:40 said uh you know compliance mandate and the same goes with the zero trust here right so uh the nice thing is it is a
29:47 security strategy where you can look at your existing investments you can look at
29:52 what you've done to harden your environment already and you can layer that on top and look at ways to
29:58 uh translate uh what you've done already with your existing investments into a zero trust
30:03 strategy um it's easy to find what covers down and what are the gaps and
30:08 then you can go from there a lot of it much like most of this type publications come down to policy
30:14 so uh how you how you implement and how you execute and then you layer on the technology with in order to achieve the
30:22 zero trust strategy so um i wouldn't say that every investment and every legacy infrastructure can be made
30:28 or force fit into it but there's a good chance you can massage what you have there uh in order to find and achieve progress
30:35 in order to to take that uh uh forward right it's it's a journey right it's a marathon it's a you know
30:41 i'll give you all those bad analogies right it's not a sprint it's a marathon uh you can't flip the zero trust by
30:46 pushing a button um but uh once you start you can start this it's sort of like an avalanche right as
30:52 once you get a couple snowflakes here and there and you can get some momentum and you can see that material progress
30:58 and start you know sort of inward and work your way out as opposed to the old way of putting a firewall up we go back to the perimeters work in start from
31:04 your critical assets the crown jewels put those micro segments put those you know contain that blast radius
31:10 worry about the data there make sure that's where you've applied your most restrictive zero trust
31:16 strategies and then work your way out through those gates to basically to reverse what tom said take it from the
31:22 plane and work your way out from from there to your car right and so get in a sense you know get more trust
31:28 as you walk your way out so um but i guess to tie a bow around it
31:33 um odds are it's pretty it's it's not hard to take what you have and start to translate it
31:39 in and take and take a first step that's good to know it's encouraging um
31:45 gregory do you want to go next on that yeah i i think uh eric is absolutely
31:50 right i i think it's uh working from the inside out but i'd like to point you know to the
31:56 audience that there's a lot of good documentation that the government has developed
32:02 as sort of starting points to assess where you are i mean i would point people to the cisa
32:09 zero trust maturity model i think that's a good starting point but also point
32:15 people to the dod zero trust reference guide which i think has a lot of good
32:21 here's how you can do it without being overly specific on technology
32:27 i also you know want to complement gsa that put out i think fairly early on a a
32:34 buyer's guide and a five-step basic methodology that mirrors a lot of
32:41 the key components that eric said i think the key is to really do an
32:46 honest assessment and not a i'll say what people would like to hear but an
32:52 honest assessment of where are you from a cyber defensive posture
32:58 and and then look at the specific zero trust design tenets that are
33:04 called out in the nist 800-207 document and say you know do we have the policies
33:11 do we have the capabilities how are we you know implementing this today
33:16 and do an honest assessment of that in their level of maturity and then decide
33:21 to take a phased approach with a certain area or aspect of the organization not
33:28 try to you know implement this on a whole scale all domain all technology approach right
33:35 you know it's like uh you know creating a agile process approach where you're doing you
33:42 know sprints on a limited basis over a period of time to try to figure out
33:48 a evolutionary path rather than a revolutionary path to get to zero trust
33:55 because i can see how important strategy is in this uh and having that uh come to fruition herb do you want to go next
34:02 yeah i think you know what we've been experiencing is that that gap analysis
34:08 has to be candid and the things that you can keep are the
34:14 things that either adhere to that principle currently or can be readily
34:20 adapted to that zero trust principle but the things that you can't keep are
34:25 things that violate that principle and so it's not really a question of
34:32 you know can you adapt this to your legacy environments it's a question of
34:38 you know what's the amount of friction to get what you currently have to adhere to
34:45 the principle right and and that's kind of the shift that we were talking about earlier which is
34:51 you know this is a shift in how you approach it and so it's a question of you know in almost any model you know is
34:59 what you have adaptable enough to to support the new activity and if it is
35:06 you can keep it if it's not you can't keep it and and that's kind of the process that that we've seen
35:13 going on and the reference material that gregory was uh speaking of is spot on
35:18 it's it's very helpful that makes sense and with all the emerging technologies coming online uh
35:24 being able to adapt really is essential you know whether it be zero trust or
35:29 whether it be any other uh implementation of a technology process thanks sir um
35:35 sean on yeah so for continuing you know the
35:41 impact on devops process i would argue it makes us fundamentally reliant on shared services so we're starting to
35:47 for example further control user access through dynamic trust scoring evaluating the state of the identity the security
35:54 profile the behavior of the device and if i have to do that as an application
35:59 owner i have to be an expert on all these different things instead why isn't there
36:05 a single identity service that allows me to just say should this person log on and all the
36:11 complexity of credential management trust scoring profile evaluation happens
36:16 on the back end so it's pushing us towards somebody usually the cio or the cto
36:23 office providing prolific shared services maybe it's protective dns which is one of the programs cisa is rolling
36:29 out maybe it's um truly the dynamic trust scoring of identity which is a program department
36:36 of energy is rolling out and so that's that's kind of pushing us in a new design pattern to
36:42 focus more on the mission to be reliant on shared services um
36:47 there's a couple examples of that you know i think we've we've we've all mentioned ideas but there's
36:54 two interesting things maybe the attendees could learn about the first is nist has a program called online
37:01 informative references and the idea is how do we start measuring
37:07 uh in almost giving our auditors the ability to measure are we mature in our
37:12 zero trust journey so there's uh individuals stephen quinn at nist online
37:17 informative references who's actually coalescing a whole of government maturity model that allows us to
37:24 incrementally measure um you know do we do did we just read the memo uh all the way through
37:30 can we get an a on our fitara scorecard for zero trust and what controls at a
37:36 organizational level at a programmatic and even down to a technical level are
37:41 being incorporated there um so while we're standing up our shared services and changing the way our devops team
37:48 uh create buffers around their apps simultaneously we need to audit it and
37:55 what's cool about the nist work is that they're doing it in automated methods so for the question of like devops
38:01 processes usually you have some ci/cd system a continuous integration system
38:07 and for one of the first times nist is actually publishing controls it's safe
38:12 if you are using the um i think it was uh gregory who mentioned like the zscalers and the palo altos and
38:18 the oktas and the linuxes wouldn't it be nice if there was an automated way to see if your technical controls are put
38:25 in place in a machine code method so for those interested you can check
38:30 out the nist national checklist program as a way to increase the velocity of your devops teams while ensuring
38:39 you're staying within the guardrails of of the zero trust controls great yeah i'm a big fan of what they're
38:44 doing particularly nist and this it's a great checklist um now that we have time for one more
38:49 question and ends questions from our audience we have a sophisticated audience as the poll questions have
38:55 verified we'll get one more final poll question afterward too uh the question's sort of a multi-part question how do the
39:01 panel participants plan to help the agencies actually secure agency workloads to meet the zero trust
39:08 parameters is the expectation that the csps aws microsoft etc will provide adequate
39:15 security or is there another process and layer that should be implemented and how will this work in regard to edge
39:22 computing practices who wants to tackle that one i'll go first because it's okay great
39:28 fairly straightforward for for us at dell we are standing up that
39:34 enterprise edge tactical environment at those different scales and form factors
39:42 connecting them with the network and allowing government participants to
39:48 to verify their workloads in those environments so maybe it's heavy
39:54 enterprise centric and they're just getting simple data from the tactical edge how does that impact things or
40:00 maybe they're pushing a lot of ai and ml out to the edge for whatever their
40:06 architecture reason and they need to validate that scaling and so you know for us we're trying to provide
40:13 a test bed uh for those workloads and um and and let them learn before
40:20 they have to commit would anyone else like to weigh in that
40:25 from the panel yeah i would chuck i think in in a similar manner in a
40:30 similar approach at peraton uh we're working with customers very
40:36 closely with proofs of concepts under otas and other
40:42 transactional agreements and and various trials to give them the opportunity to test the
40:50 integration the optimization of different devices in different scenarios
40:57 and and be able to put i'll say a parameter around
41:02 what extent they want to implement various different technologies and capabilities within
41:09 their enterprise systems so i think being able to help them provide a secure
41:16 testbed a sandbox to test the different technologies in a way that's not going
41:22 to negatively impact them but yet demonstrates the capability the interoperability the flexibility
41:30 i think those are all positive things that we in industry can do to help the government agencies which
41:37 you know tend to be somewhat risk averse when it comes to making significant changes in their technology
41:44 stack well and also they would have to use production resources and and that's
41:49 really not available to them you know and so there's some there's some advantages that we have if we can take it out of
41:56 band from them and if i could just add i mean um cisa
42:01 and dhs have partnered with an industry group atarc
42:07 and and done a lot of demonstrations and viability tests and
42:13 some proofs of concepts with at least 40 or 50 major vendors
42:19 over the past six months to try to demonstrate and provide proofs of
42:24 concepts i mean i can't tell you chuck how many times government agencies that said greg don't come in here you know
42:32 with a a presentation or white paper show me a demo show me how you can make
42:38 this work give me a proof of concept show me how you've done this for another
42:44 government agency or a state local government agency and you know don't
42:49 want the dog and pony show you know show me the proof that seems to be a trend now in all the
42:56 agencies and it's really encouraging to see with with the knowledge base we have here that i think we will be able to implement zero
43:03 trust in these agencies uh with the talent and skills and knowledge of the companies involved um we have time for
43:10 another michaela for our final uh polling question
43:19 considering the time frame for agency compliance will you make zero trust a priority for
43:24 2023 we'll give a couple more um
43:32 moments here to for uh our audience to to listen and and i think we're we're up near time um so i
43:39 want to do a couple of things one is that this is the first of of juniper federal zero trust workshops and webinar series
43:47 uh the next one will be uh likely in september and will include csos from federal agencies themselves i think this
43:54 has really uh provided a great understanding of the challenges that they are facing how they can be
44:00 helped by the private sector you know i also wanted to take this time to to thank our
44:05 uh our really illustrious panel um it's rare that you get someone so many people that have so much expertise in one panel
44:12 um and and also are leading uh you know a lot of the zero trust uh movement within within the
44:19 agencies themselves and that's sean wells gregory garrett uh herb kelsey eric schlesinger and of course uh tom
44:26 van meter for for opening us up for us too and uh i want to thank everybody and and
44:32 i think janet uh well here's the final uh um thing it's it's pretty quick um uh
44:39 considering the time frame for agency compliance will you make zero trust a priority in 2023
44:44 uh 50 said yes and 50 said i'm not sure so like everything else compliance is is
44:51 sometimes the the second part to come and we'll leave that up to the lawyers but uh uh
44:57 it is a vital part of any operation and program though so um it's it's difficult to slight that
45:04 too but compliance will be an issue uh particularly with the agencies themselves for adhering to the zero trust model um i guess we have a couple
45:12 minutes for any final thoughts from the panelists that like to weigh in before we adjourn again thank you for for being
45:18 here it's a great panel and uh i'm looking forward to the next one too
45:27 okay um thank you everybody for for attending and i'll pass it on to to janet who may
45:32 have some additional items to discuss
45:39 thanks so much chuck and thanks again to the to the fantastic panel that we were able to bring together today
45:46 there might have been a little bit of trouble that some of the folks that registered and we
45:52 had a giant registration didn't get the actual reminder invitation so
45:58 this recording is going to be so important because i'm going to make sure that everybody that registered and wasn't able to attend gets the recording
46:04 of it thanks to everybody taking a little bit of time out of your calendars to participate in this workshop as as
46:11 chuck mentioned we do have a second one that's coming up that we're gonna load the panel with uh with uh federal
46:17 agencies and maybe even a few state and local government agency contacts and there will be a third uh probably at the
46:24 beginning of october uh that will finish this whole series off but if you guys
46:29 have any questions you are welcome to reach out to me directly at j lyons lyons
46:36 at juniper.net have a great rest of your afternoon and thanks again to the panel you guys were
46:42 terrific thanks everybody