Janet Lyons, Federal Marketing Manager, Juniper Networks

How the Technical Community Can Assist the Government to Satisfy Federal Mandates with Zero Trust


Compliance with the new EO is going to require all hands on deck.

This is the first in a three-part series examining Zero Trust and government agencies. Listen as a panel of industry luminaries discusses the recent White House Executive Order 14028 on “Improving the Nation’s Cybersecurity.” The order is intended to protect critical infrastructure and vital government networks underlying our nation’s economy and way of life. Hosted by Juniper’s Janet Lyons, the panel discusses the implications for government agencies, and how the technical community can help agencies achieve compliance with the new EO. Push play now for helpful insight straight from top experts. 


You’ll learn

  • Details of the mandate and its implications for federal agencies

  • Why government agencies should care about Zero Trust 

  • How Juniper and our partners can deliver a Zero Trust security model

Who is this for?

  • Security professionals

  • Network professionals

Host

Janet Lyons
Federal Marketing Manager, Juniper Networks 

Guest speakers

Chuck Brooks
President, Brooks Consulting International

Shawn Wells
Managing Director, Cybersecurity Strategy & Technology, Accenture Federal Services

Gregory Garrett
VP Cybersecurity, Peraton

Herb Kelsey
Federal CTO, Dell Technologies

Eric Schlesinger
Operations & Engineering VP, Cyber Security, Parsons

Transcript

0:04 Janet Lyons: Great, hello everyone. My name is Janet Lyons. I am the Field and Partner Marketing Manager at Juniper. I'd like to welcome you to the first in our three-part series covering Zero Trust and government agencies. We have brought together a panel of industry luminaries to discuss the White House Executive Order on Zero Trust, its implications for government agencies, and how the technical community can help government agencies achieve compliance.

0:34 Before we get started, I wanted to make you aware of a couple of things. As you've heard, we are recording the session and we will make it available afterwards. During the panel discussion, if you have a question, please utilize the Q&A panel and we'll try and address it during the session. If time doesn't allow, we'll be sure to follow up afterwards. And then finally, we're always looking at ways to improve the webinars we bring our customers and partners, so we welcome your feedback when the survey launches at the end of the panel discussion.

1:05 Thank you again for attending. I'm going to turn this over to Chuck Brooks, who was named a top tech person to follow by LinkedIn and also cited as a top 10 global tech and cybersecurity expert and influencer, who's going to lead our discussion today. Tom, the session is yours.

1:23 Chuck Brooks: Thank you, Janet. It's a pleasure to be here. Welcome, everybody, to the Juniper Federal Zero Trust webinar series. We're going to be talking about Zero Trust and its implications, particularly for federal agencies, but also how the integrator community deals with some of the challenges with Zero Trust. We have a really illustrious panel, and Janet, you said luminaries, and they certainly are. I'm just going to read their titles; you'll recognize the companies too. We have Shawn Wells, Managing Director for Cybersecurity Strategy and Technology at Accenture Federal; Gregory Garrett, Vice President of Cybersecurity at Peraton; Herb Kelsey, Federal CTO at Dell Technologies; Eric Schlesinger, Operations and Engineering Vice President, Cybersecurity, at Parsons; and Tom Van Meter, Senior SE Director at Juniper Networks.

2:16 Before I get to the questions and answers, we're going to be doing a poll. Michael, if you wouldn't mind putting out the poll, we want to get a baseline of the interest and expertise of the audience. The first question, and I'll give you a little bit to answer it, is: do you know what your agency needs to do to achieve Zero Trust compliance with Executive Order 14028? Of course we're going to be talking about this executive order in detail. I'll leave a few more seconds for you to answer this, but while we're doing this we could actually do two things at the same time. I would like to introduce Tom to give us a framework of what exactly Zero Trust is and what's in the government mandate, so then we'll be using the discussion that he's providing us to go into the nitty-gritty of it with our panelists. Tom, let me turn it over to you.

3:18 Tom Van Meter: Thanks, Chuck, and welcome, everybody. Zero Trust is a data-centric design philosophy, or strategy if you will, to design secure networks. A properly designed Zero Trust network provides authenticated and authorized access to resources. When we talk about resources, we're talking about maybe raw data or a server or an application. When we talk about authenticated and authorized access, we're saying that whoever, or whatever, wants to access that resource, and it could be a device like a security camera, has to prove they are who they say they are. And then once they prove who they are, they don't just get access to the resource; they have to be authorized to access the resource. So let's say John Doe or Jane Smith uses a CAC or a PIV to authenticate who they are. Just because they're John Doe or Jane Smith doesn't mean they get access to the resources. They actually have to go through a policy enforcement point that authorizes and validates that they are allowed to get to that resource.

4:22 Zero Trust is really the next step in securing the nation's cybersecurity infrastructure. Back in 2014 NIST published the Cybersecurity Framework; they updated it in 2018. In 2020 NIST published 800-207, which is the Zero Trust Architecture document. In 2021 President Biden signed Executive Order 14028 on Improving the Nation's Cybersecurity, and one of the key things in that executive order was direction that federal civilian executive branch agencies implement Zero Trust architectures. And then in 2022 the Office of Management and Budget published a memorandum on federal Zero Trust strategy, and it identified a series of specific milestones that need to be accomplished by the end of fiscal year 2024. They laid those milestones out in accordance with the CISA Zero Trust Maturity Model, and they have five pillars that they talk about: identity, devices, network, applications, and data.

5:22 So Zero Trust itself is a change of mindset. We're all used to a perimeter, and in the perimeter there's a security stack, and once we get through the security stack we have implicit trust everywhere in the perimeter; we can go anywhere because we've been validated by the edge. Zero Trust is a mind change, and it revokes the concept of implicit trust and requires explicit trust to access anything. The way in which we do that is we group together resources that share common or similar security requirements and we surround those with a small perimeter. We're going to call that a micro-perimeter, and then we'll put a policy enforcement point in that micro-perimeter so that anything or anyone that needs access to the resource inside that micro-perimeter gets authenticated and authorized.

6:16 When we're all said and done, we're going to have an outer perimeter with the security stack on the edge of it, and then inside that you're going to have a backbone that interconnects a bunch of different micro-perimeters. If it helps to think about it this way, think about an airport: you've got a series of gates, and the resource you're trying to get access to is the planes. The gate to get onto the plane is the policy enforcement point for each micro-perimeter, and the TSA security checkpoint to get into the concourse, that's the outer perimeter, and the concourse interconnects all of the micro-perimeters. So that's a good analogy if you want to think of it that way. Once you've got that design put together, remember you have to constantly monitor and maintain visibility into what's going on in the network, and then you need automation to be able to dynamically change your policies based on what's going on in the network. So hopefully that's a good quick overview. Back to you, Chuck.

7:11 Chuck Brooks: Yeah, thanks, Tom. I think, simply put, it's trust no one, no thing, and continually verify. To take Tom's framework now and actually put it into what it means in the federal agencies and with our federal system integrators, I'm going to start with Shawn first. What are your thoughts? How does Zero Trust impact federal agencies, and how does it impact the VAR, federal system integrator, and OEM network too that has to deal with these agencies?

7:48 Shawn Wells: So on how it impacts the government agencies, I think it's nice that we're finally preparing on how to implement progressive safeguards, whether we call them layers or the TSA analogy. The idea is we're starting to shift towards quite a bit more discoverability in governance, where we are using automated discovery tools to identify managed and unmanaged endpoints, software, network. That's all well and good, but we're starting to see, at least at Accenture, a shift towards application-centric design patterns, meaning we are fundamentally trying to encrypt data in computation, while it's being accessed, while it's being transposed across the network. And for the first time that holistic view of security is being pushed down to the developer: how to implement the identity progressive safeguards, how to implement shared services. It's been a really interesting dynamic in that classically a lot of the security has been focused on the CISO setting up the organization, setting up auditing, setting up FITARA scorecards. What we've started to see, for the first part of the question, is actually a push towards more of the CIOs and CTOs being accountable for layered progressive design patterns, more so than we have in the past.

9:24 Chuck Brooks: That's interesting. You really do bring out that it's a change of policy then too, looking at where you're integrating all those elements rather than just one decision. Really good insights, appreciate that. Herb, I'd like to ask you the same question, particularly from the DoD perspective. I know you do a lot with that agency. I think you're on mute.

9:50 Herb Kelsey: I'm losing my video skills here. Been able to travel too much, yeah. I think from the DoD's perspective, one is to realize that they've consolidated their Zero Trust activity into a portfolio office that sits in the CIO, so they're trying to centralize their understanding of how they want to approach this. The next thing that I would say is that they've been asking us to help them create a technology footprint that they can repeat, so that they can ensure that they don't have drift in the implementations that they're seeking. We're trying to help them with that so that they can apply these security measures in an automated fashion and use AI and machine learning from what goes wrong to better inform their policy decisions. But what they're really looking for is the ability to have a repeatable blueprint, a repeatable implementation that they can spread far and wide, because their concern is that if they don't have that kind of control within that architecture, they'll get drift and they'll get exposure. So that's how I see them approaching it, and we're trying to help them with that in a variety of ways, but that's really the impact that I see for them. They're using it as a mechanism to consolidate.

11:15 Chuck Brooks: Yeah, and you mentioned also the automation aspect of it too, with machine learning.

11:20 Herb Kelsey: Yeah, absolutely. In security we have a scale problem; at least from a technology perspective, that's where I look at it. We know what to do; we just don't have enough arms and legs and minds to actually execute it flawlessly every single time that we have to. So part of what Zero Trust talks about is automating and orchestrating those policy decision points and those policy enforcement points so it's applied consistently. That's the automation, and what we're hoping is that the infrastructure can give us good information so that we can use machine learning models to supplement what human beings would do, to make progressively better and better decisions as we get attacked and as we learn about what the bad behavior is. So there should be a virtuous cycle in there, and that's part of that reference architecture for Zero Trust. And certainly with the announcement of a data and AI portfolio office within DoD, they're believing that they can make some headway in that regard as well.

12:35 Chuck Brooks: Great. Gregory, I'm going to go to you on the next question, and you may also want to speak a little bit, since this sort of ties into it, to the center of excellence that you helped create and your white paper on Zero Trust, as it fits in. But the question is: how does a company or an agency map what they have already accomplished to the Zero Trust framework so they can discover any other potential gaps that might be in the network?

13:04 Gregory Garrett: So Chuck, it's both a privilege and a pleasure to join you today on this distinguished panel. It's an excellent question. It's an ongoing challenge for the government agencies. Essentially, as you know, every CIO, CISO, CTO is dealing with sort of a technology patchwork quilt of hardware and software today. Each agency is unique from a threat profile, their technology investment, and they're looking to try to find what's the right solution that will work for them to, as Tom just spoke to earlier, address these various design tenets that are included within the Zero Trust concepts. I think a lot of agencies are struggling because right now there's a lot of companies pitching that their software will provide a Zero Trust panacea.

14:02 So as a systems integrator at Peraton, what we've done is to try to spend time with as many of the different partners, whether it's cloud service providers, cloud access security brokers, major software providers, to actually vet their software. We've created a Zero Trust ecosystem, a test lab, to be able to bring all the different vendors' capabilities in, whether it's their identity, credential and access management, whether it's companies like Okta or CyberArk, bringing in various cloud-based internet isolation capabilities like Menlo Security or Zscaler and their Zscaler Internet Access, or Palo Alto Networks, as Herb and others talked about, with their Cortex XDR and their XSOAR, their security orchestration and automated response technology. Because at the end of the day people want to know that it'll work in their environment, that it's compatible with their systems, and they want to know how they can optimize their overall security in a way that aligns with the design tenets that Tom laid out earlier.

15:33 I think that's the big challenge, and so what we're trying to do is help educate people, both internal to our company as well as our business partners and our customers, as to all the different technology solutions that are out there. So when I talk to clients, my conversation is: we're playing a game of chess here, and it's really a multi-dimensional, all-technology, all-domain game, and it's a high-stakes game, right? So we're trying to figure out the best way to help our clients win this game, and it's a big challenge for all the agencies.

16:15 Herb Kelsey: Chuck, I'd like to extend that, add to that. We're being asked to do the same thing, and so Dell's making a fairly considerable investment in a center of excellence for Zero Trust that will allow our customers, our federal customers, to see the interaction at an enterprise level, at an edge level, and at a tactical level. Just as you said, their concern is being able to validate that those workloads can function properly, and the key is, if we can accelerate that understanding by giving them a, quote, pre-built Zero Trust environment of the 20 or 30 ecosystem partners that it takes to build that, that's a tremendous accelerator for them, a tremendous advantage. As I said, that's work that we've been asked to support, and we've been investing in supporting that on behalf of our customer.

17:16 Chuck Brooks: Yeah, great. Both your centers of excellence seem to be also, you know, security by design and education and orchestration, so I'm glad you're both doing that. As we know, this Zero Trust involves many vendors. We're all in it together; it's, like Shawn says, holistic, so the more we're working together the better. Along that line I'd like to move to Eric, actually, on how we can work together. How can the technical community assist the government to satisfy the federal mandate? And also I'd like you to work in the growing attack surface on this, because that's an issue too, particularly with the Ukraine-Russia conflict

17:58 going on and our critical infrastructure at risk.

18:03 Eric Schlesinger: Sure. No, great question. So I would go back to what Tom said earlier around, you know, we have to abandon traditional models. The idea of that perimeter security and just endpoint protection isn't enough, right? And even the concept of layered security isn't enough. So I think it's a cultural and a mind shift to start with, when it comes to helping translate the hundreds of pages that come out from NIST. I love all their publications, but you have to have a doctorate in order to sometimes translate that into real actionable intelligence and the ability to take that and drive behavior. It really starts at a culture change, and I think shifting from that old-school perimeter defense into these micro-segments, or managing your blast radius, starts with realizing that trust is really just another vulnerability that a threat actor can exploit. So if you can take the idea of micro-segmentation and dealing with your blast radiuses and flip that, where your model of Zero Trust is to take those communities, those little communities that are supposed to be empirically trusted, and then allow that to grow through machine learning and those things, that's where Zero Trust can come into play, because you open the aperture slowly versus giving everything to everybody from the beginning.

19:13 Now, when it comes to how the technical community can help our government partners, it's really to avoid what I consider is the buzzword that is Zero Trust. I think it's somewhat scary, it's daunting, depending on how you market it and how you pitch it. It could be what I'll call employee- or employer-unfriendly. It feels, to a developer or to the community, like it could be something you're taking away; they could take it as "you don't trust me to do my job," it could be "you're gonna make my job harder." So where we can come in is really taking our expertise and our partnerships with our vendors and other people in this industry and being able to bring what I consider a bulletproof strategy, which translates not to just putting in a technology solution that claims to be Zero Trust, but to put it in because we know it offers Zero Trust, and then being able to show, in partnership, how to prove or validate that it meets those guidelines. So it's not a matter of just plugging something in and setting it and forgetting it; it's really being consultative and advisory to make sure we can show how it's meeting those mandates.

20:24 Chuck Brooks: Good, good insights there. Yeah, so

20:31 this is really a process, and I think we're going to be learning from the process as we go along. But I'm actually surprised how fast it's being adopted already in the federal government, which seems to be unusual considering how government usually moves much slower. So this next question is really for everybody. I'd like to get your thoughts on who should be responsible for implementing Zero Trust. Should it be the CSO, the CIO, the CTO, the CFO, the C-suite? And along those lines, it's not just who's responsible, but what are those challenges that will require whoever is responsible to address, and why should it be that person or persons? So I'll start again with Shawn, since you brought that up initially too.

21:18 Shawn Wells: Yeah, you were trying to lead the witness. No, I'd argue there's kind of at least three principles. The first, that we've all been tap dancing around, is the perimeter is dead, and firewalls and VPNs don't protect the network anymore. So the idea is, as agencies are moving to cloud-native infrastructure, cloud-native applications, there's almost a need to dynamically reconfigure based on users and trust scores and optimization, which arguably is a technology problem. So in the concept of the perimeter being dead, we're often leaning into CTOs to re-evaluate their architectures. Then there's kind of the second tenet, where compromise must be assumed. So if intruders are omnipresent, they're aggressive, they're agile, they're nation states, basically defenders have to lay the foundation in an independent and autonomous way. That could be dynamic threat analysis, that could be risk models of multiple attack vectors, and CISOs are largely leading this conversation. And maybe lastly there's this third element of, you know, data is truly what counts. Devices, even internal devices, can be friendly one minute and hostile the next, so what we're really ultimately protecting is our sensitive data and the intellectual property or the classified data, not necessarily the devices themselves, and that conversation lends itself to the chief data officers.

22:51 So it's really energizing. For the first time we're able to say, no, this isn't a CTO problem, and it's not a CISO problem, and it's not a data officer problem; how do we run a strategy that involves all of us together? There have been very few, I guess as a personal opinion, very few forcing functions for all of these individuals to work collaboratively together to issue guidance on how they're going to meet OMB or CISA or executive orders. So I'd say between these three principles, the perimeter's dead, compromise must be assumed, and data is truly what matters, it's everybody, as a collaborative forcing function.

23:36 Chuck Brooks: Herb, do you want to add to that, and also

23:43 Herb Kelsey: So I'm going to add a little bit of a contrarian opinion, but I think the reason will be clear. Within government, and especially within government, it's the CIO, and it's because they control the money flow for technology. And especially within DoD, where that's not as true, where the technology is deployed as part of a weapon system, I see this as an opportunity for CIOs in DoD specifically to start to control the budget flow. Ultimately, I really like Shawn's points and I agree with them, but I think at some level it's still got to be the CIO to control the budget, to ensure that the eye isn't taken off the ball.

24:33 Chuck Brooks: Yeah, good point. So now Gregory and Eric, if you want to answer, then we'll get to our next poll question.

24:38 Eric Schlesinger: Yeah, I can jump in real quick. I mean, I think, to Shawn's point, it's a group effort going forward, because it is an all-encompassing sort of strategy. I think, however, it's a cultural change for any agency or any company. It's one thing to say we want to do that, and I think it really comes from the top down. So there may be a desire to get to a Zero Trust architecture or strategy, but there's got to be clear direction that funnels from the top down that allows the employee base to understand the what and the why, so they can embrace it. Because there's a lot of what I'll call security debt out there when it comes to existing infrastructures, and every time you make a change it has a downstream impact, sometimes it has an upstream, but mostly downstream, that affects the people using it. So it's got to be a conversation around a cultural change that comes from many different C-suites, but it has to be pushed from the top down as not a desire but clear direction.

25:34 Chuck Brooks: That makes a lot of sense. Gregory, do you

25:41 want to also comment?

Gregory Garrett: Yeah, I'd be happy to. So I think one of the complexities that federal government agencies deal with as well is the federated environment, because often I find the headquarters CIOs are basically enabling policy, but the implementation is done at a specific center or an institute or, I'll say, a field organization or field command that has their own separate CIO and sometimes their own separate budget. So it's a lot more complicated. The general response is yeah, everybody plays a part, absolutely, and so every time I work a transition for a client I'm talking to all the C-suite members around their aspect of this challenge and what needs to be done. But at the end of the day you have to look at that individual agency, because some of the agencies are so federated with different components, they have multiple CIOs, they have multiple CISOs, and they have very diverse budgets. So candidly, that's why I often like working with state and local governments, because they're a little bit easier to deal with. They tend to operate more commercial-like and they usually have a single belly button that you can go to, which is usually the CIO, to work through the challenges. That's just my observation.

27:16 Chuck Brooks: Yeah, it seems like you all have that observation: it's the culture of these agencies that determines what happens. In any event, it seems that Zero Trust involves more elements than any other policy has in the past relating to security. Now we're going to go to our second poll question. Michaela, could you put that up?

27:44 The question is: did you know that you can leverage your existing security and networking infrastructure as part of a transition to a Zero Trust network architecture? You can answer yes, no, or I'm not sure. We'll give you a few more moments to answer.

28:22 Okay, I think that's good. Now we're going to move over. Here are some results already on the first one. It looks like the audience is educated; most of them, 93%, knew of the fact that you can leverage your existing security and network infrastructure, which is good. It's good to see that there's a lot of awareness now, since Zero Trust is relatively new.

28:50 Now the next question, I think, is really a question that has always been perhaps one of the biggest challenges in government itself, for a lot of reasons, so it's also going to be a challenge with Zero Trust. The question is: how can you integrate Zero Trust with legacy technologies? It's not just the technologies; the programs, the policies, the technologies and people too. Again I'll open this up, and maybe we'll reverse it here now. Eric, do you want to go first on that?

29:22 Eric Schlesinger: Yeah, sure. So

29:28 what's nice is, and usually this is from the NIST publications, they don't tell you how to do it; they just give you guidance on what you should consider or what you should do in order to achieve said compliance mandate, and the same goes with Zero Trust here. So the nice thing is it is a security strategy where you can look at your existing investments, you can look at what you've done to harden your environment already, and you can layer that on top and look at ways to translate what you've done already with your existing investments into a Zero Trust strategy. It's easy to find what covers down and what the gaps are, and then you can go from there. A lot of it, much like most of these types of publications, comes down to policy: how you implement and how you execute, and then you layer on the technology in order to achieve the Zero Trust strategy. So I wouldn't say that every investment and every legacy infrastructure can be made or force-fit into it, but there's a good chance you can massage what you have there in order to find and achieve progress, in order to take that forward.

30:35 It's a journey, right? It's a marathon, I'll give you all those bad analogies, it's not a sprint, it's a marathon. You can't flip to Zero Trust by pushing a button, but once you start, it's sort of like an avalanche: once you get a couple of snowflakes here and there, you can get some momentum and you can see that material progress. And start sort of inward and work your way out, as opposed to the old way of putting a firewall up; we go back to the perimeters. Work in: start from your critical assets, the crown jewels, put those micro-segments in, contain that blast radius, worry about the data there, make sure that's where you've applied your most restrictive Zero Trust strategies, and then work your way out through those gates. Basically, to reverse what Tom said, take it from the plane and work your way out from there to your car. So in a sense you get more trust as you walk your way out. But I guess to tie a bow around it, odds are it's not hard to take what you have and start to translate it in and take a first step.

31:39 Chuck Brooks: That's good to know; it's encouraging.

31:45 gregory do you want to go next on that yeah i i think uh eric is absolutely

31:50 right i i think it's uh working from the inside out but i'd like to point you know to the

31:56 audience that there's a lot of good documentation that the government has developed

32:02 as sort of starting points to assess where you are i mean i would point people to the cisa

32:09 zero trust maturity model i think that's a good starting point but also point

32:15 people to the dod zero trust reference guide which i think has a lot of good

32:21 here's how you can do it without being overly specific on technology

32:27 i also you know want to complement gsa that put out i think fairly early on a a

32:34 buyer's guide and a five-step basic methodology that mirrors a lot of

32:41 the key components that eric said i think the key is to really do an

32:46 honest assessment and not a i'll say what people would like to hear but an

32:52 honest assessment of where are you from a cyber defensive posture

32:58 and and then look at the specific zero trust design tenets that are

33:04 called out in the nist 800-207 document and say you know do we have the policies

33:11 do we have the capabilities how are we you know implementing this today

33:16 and do an honest assessment of that in their level of maturity and then decide

33:21 to take a phased approach with a certain area or aspect of the organization not

33:28 try to you know implement this on a whole scale all domain all technology approach right

33:35 you know it's like uh you know creating an agile process approach where you're doing you

33:42 know sprints on a limited basis over a period of time to try to figure out

33:48 an evolutionary path rather than a revolutionary path to get to zero trust

33:55 because i can see how important strategy is in this uh and having that uh come to fruition the herb do you want to go next

34:02 yeah i think you know what we've been experiencing is that that gap analysis

34:08 has to be candid and the things that you can keep are the

34:14 things that either adhere to that principle currently or can be readily

34:20 adapted to that zero trust principle but the things that you can't keep are

34:25 things that violate that principle and so it's not really a question of

34:32 you know can you adapt this to your legacy environments it's a question of

34:38 you know what's the amount of friction to get what you currently have to adhere to

34:45 the principle right and and that's kind of the shift that we were talking about earlier which is

34:51 you know this is a shift in how you approach it and so it's a question of you know in almost any model you know is

34:59 what you have adaptable enough to to support the new activity and if it is

35:06 you can keep it if it's not you can't keep it and and that's kind of the process that that we've seen

35:13 going on and the reference material that gregory was uh speaking of is spot on

35:18 it's it's very helpful that makes sense and with all the emerging technologies coming online uh

35:24 being able to adapt really is essential you know whether it be zero trust or

35:29 whether it be any other uh implementation of a technology process thanks sir um

35:35 shawn on yeah so for continuing you know the

35:41 impact on devops process i would argue it makes us fundamentally reliant on shared services so we're starting to

35:47 for example further control user access through dynamic trust scoring evaluating the state of the identity the security

35:54 profile the behavior of the device and if i have to do that as an application

35:59 owner i have to be an expert on all these different things instead why isn't there

36:05 a single identity service that allows me to just say should this person log on and all the

36:11 complexity of credential management trust scoring profile evaluation happens

36:16 on the back end so it's pushing us towards somebody usually the cio or the cto

36:23 office providing prolific shared services maybe it's protective dns which is one of the programs cisa is rolling

36:29 out maybe it's um truly the dynamic trust scoring of identity which is a program department

36:36 of energy is rolling out and so that's that's kind of pushing us in a new design pattern to

36:42 focus more on the mission to be reliant on shared services um

36:47 there's a couple examples of that you know i think we've we've we've all mentioned ideas but there's

36:54 two interesting things maybe the attendees could learn about the first is nist has a program called online

37:01 informative references and the idea is how do we start measuring

37:07 uh in almost giving our auditors the ability to measure are we mature in our

37:12 zero trust journey so there's uh individuals stephen quinn at nist online

37:17 informative references who's actually coalescing a whole of government maturity model that allows us to

37:24 incrementally measure um you know do we do did we just read the memo uh all the way through

37:30 can we get an a on our fitara scorecard for zero trust and what controls at a

37:36 organizational level at a programmatic and even down to a technical level are

37:41 being incorporated there um so while we're standing up our shared services and changing the way our devops team

37:48 uh create buffers around their apps simultaneously we need to audit it and

37:55 what's cool about the nist work is that they're doing it in automated methods so for the question of like devops

38:01 processes usually you have some cicd system a continuous integration system

38:07 and for one of the first times nist is actually publishing controls it's safe

38:12 if you are using the um i think it was uh gregory who mentioned like the zscalers and the apollos and

38:18 the oktas and the linuxes wouldn't it be nice if there was an automated way to see if your technical controls are put

38:25 in place in a machine code method so for those interested you can check

38:30 out the nist national checklist program as a way to increase the velocity of your devops teams while ensuring

38:39 you're staying within the guardrails of of the zero trust controls great yeah i'm a big fan of what they're

38:44 doing particularly nist and this it's a great checklist um now that we have time for one more

38:49 question and ends questions from our audience we have a sophisticated audience as the poll questions have

38:55 verified we'll get one more final poll question afterward too uh the question's sort of a multi-part question how do the

39:01 panel participants plan to help the agencies actually secure agency workloads to meet the zero trust

39:08 parameters is the expectation that the csps aws microsoft etc will provide adequate

39:15 security or is there another process and layer that should be implemented and how will this work in regard to edge

39:22 computing practices who wants to tackle that one i'll go first because it's okay great

39:28 fairly straightforward for for us at dell we are standing up that

39:34 enterprise edge tactical environment at those different scales and form factors

39:42 connecting them with the network and allowing government participants to

39:48 to verify their workloads in those environments so maybe it's heavy

39:54 enterprise centric and they're just getting simple data from the tactical edge how does that impact things or

40:00 maybe they're pushing a lot of ai and ml out to the edge for whatever their

40:06 architecture reason and they need to validate that scaling and so you know for us we're trying to provide

40:13 a test bed uh for those workloads and um and and let them learn before

40:20 they have to commit would anyone else like to weigh in that

40:25 from the panel yeah i would chuck i think in in a similar manner in a

40:30 similar approach at peraton uh we're working with customers very

40:36 closely with proofs of concepts under otas and other

40:42 transactional agreements and and various trials to give them the opportunity to test the

40:50 integration the optimization of different devices in different scenarios

40:57 and and be able to put i'll say a parameter around

41:02 what extent they want to implement various different technologies and capabilities within

41:09 their enterprise systems so i think being able to help them provide a secure

41:16 testbed a sandbox to test the different technologies in a way that's not going

41:22 to negatively impact them but yet demonstrates the capability the interoperability the flexibility

41:30 i think those are all positive things that we in industry can do to help the government agencies which

41:37 you know tend to be somewhat risk averse when it comes to making significant changes in their technology

41:44 stack well and also they would have to use production resources and and that's

41:49 really not available to them you know and so there's some there's some advantages that we have if we can take it out of

41:56 band from them and if i could just add i mean um cisa

42:01 and dhs have partnered with an industry group atari

42:07 and and done a lot of demonstrations and viability tests and

42:13 some proofs of concepts with at least 40 or 50 major vendors

42:19 over the past six months to try to demonstrate and provide proofs of

42:24 concepts i mean i can't tell you chuck how many times government agencies that said greg don't come in here you know

42:32 with a a presentation or white paper show me a demo show me how you can make

42:38 this work give me a proof of concept show me how you've done this for another

42:44 government agency or a state local government agency and you know don't

42:49 want the dog and pony show you know show me the proof that seems to be a trend now in all the

42:56 agencies and it's really encouraging to see with with the knowledge base we have here that i think we will be able to implement zero

43:03 trust in these agencies uh with the talent and skills and knowledge of the companies involved um we have time for

43:10 another michaela for our final uh polling question

43:19 considering the time frame for agency compliance will you make zero trust a priority for

43:24 2023 we'll give a couple more um

43:32 moments here to for uh our audience to to listen and and i think we're we're up near time um so i

43:39 want to do a couple of things one is that this is the first of of juniper federal zero trust workshops and webinar series

43:47 uh the next one will be uh likely in september and will include csos from federal agencies themselves i think this

43:54 has really uh provided a great understanding of the challenges that they are facing how they can be

44:00 helped by the private sector you know i also wanted to take this time to to thank our

44:05 uh our really illustrious panel um it's rare that you get someone so many people that have so much expertise in one panel

44:12 um and and also are leading uh you know a lot of the zero trust uh movement within within the

44:19 agencies themselves and that's shawn wells gregory garrett uh herb kelsey eric schlesinger and of course uh tom

44:26 van meter for for opening us up for us too and uh i want to thank everybody and and

44:32 i think janet uh well here's the final uh um thing it's it's pretty quick um uh

44:39 considering the time frame for agency compliance will you make zero trust a priority in 2023

44:44 uh 50 percent said yes and 50 percent said i'm not sure so like everything else compliance is is

44:51 sometimes the the second part to come and we'll leave that up to the lawyers but uh uh

44:57 it is a vital part of any operation and program though so um it's it's difficult to slight that

45:04 too but compliance will be an issue uh particularly with the agencies themselves for adhering to the zero trust model um i guess we have a couple

45:12 minutes for any final thoughts from the panelists that like to weigh in before we adjourn again thank you for for being

45:18 here it's a great panel and uh i'm looking forward to the next one too

45:27 okay um thank you everybody for for attending and i'll pass it on to to janet who may

45:32 have some additional items to discuss

45:39 thanks so much chuck and thanks again to the to the fantastic panel that we were able to bring together today

45:46 there might have been a little bit of trouble that some of the folks that registered and we

45:52 had a giant registration didn't get the actual reminder invitation so

45:58 this recording is going to be so important because i'm going to make sure that everybody that registered and wasn't able to attend gets the recording

46:04 of it thanks to everybody taking a little bit of time out of your calendars to participate in this workshop as as

46:11 chuck mentioned we do have a second one that's coming up that we're gonna load the panel with uh with uh federal

46:17 agencies and maybe even a few state and local government agency contacts and there will be a third uh probably at the

46:24 beginning of october uh that will finish this whole series off but if you guys

46:29 have any questions you are welcome to reach out to me directly at j lyons lyons

46:36 at juniper.net have a great rest of your afternoon and thanks again to the panel you guys were

46:42 terrific thanks everybody
