On behalf of F5 and Carahsoft, we would like to welcome you to today's podcast, focused around zero trust, where Scott Rose, computer scientist at NIST and a co-author on NIST's 800-207, Zero Trust Architecture publication; Gerald Caron, Director of Enterprise Network Management for the Department of State; Brandon Iske, Chief Engineer at DISA; and Jason Wilburn, zero trust engineer at F5, will discuss the pros and cons of different zero trust designs, how other federal initiatives tie into zero trust, and understanding what zero trust principles do for cybersecurity posture.
Ryan Johnson: Thank you. Once again thanks, everyone, for joining. My name is Ryan Johnson. I'm a solutions engineering manager with F5 Government Solutions. Today, we have a group of exciting guests, mostly from the federal space, to discuss zero trust in theory and talk about the implementation of zero trust. First off, I have Scott Rose with NIST. Scott, would you like to talk a little bit about yourself?
Scott Rose: Sure, thanks. I'm Scott Rose. I am currently at the Information Technology Lab at NIST. I am the coauthor of the NIST special publication 800-207, Zero Trust Architecture, and also, attached as a subject matter expert for the upcoming NCCOE, or National Cybersecurity Center of Excellence Project on Zero Trust Architecture.
Ryan Johnson: Thank you, Scott. If anyone hasn't had a chance to read that 800-207, definitely take a look. It's well worth your time. Next off, we have Gerald Caron who's with HHS. Gerald, would you like to tell us a little about yourself?
Gerald Caron: Well, I'm on detail to HHS, but technically I am the representative of the Department of State, then SES. I'm the director for Enterprise Network Management at the Department of State. Basically, the infrastructure person, do the network, active directory, a lot of the security implementation aspects of things. I am participating and starting to co-chair the CIO's innovation council working group on zero trust. I am Forrester certified and zero trust strategist as well.
Ryan Johnson: Very good. Thank you, Gerald. Next up, we have Jason Wilburn with F5 Networks. He's identity and access guru or [inaudible 00:02:20], if you will. Jason, would you like to tell us a little bit about yourself?
Jason Wilburn: Sure. Thanks, Ryan. So, I'm a system engineer, covering the system integrator space for F5 Federal. But as Ryan mentioned, I am also the co-lead for [inaudible 00:02:35], which is anything related to access and authorization controls or access policy manager product.
Ryan Johnson: Thank you, Jason. Next up, we have Brandon Iske with DISA. Brandon, would you like to tell us a little bit about yourself.
Brandon Iske: Yes, thank you, Ryan. So, I'm Brandon Iske. I'm the Chief Engineer for our Security Enablers Portfolio. So, that includes ICAM or Identity and Credential Access Management, Zero Trust reference architecture development, Public Key Infrastructure, PKI, and then Software Defined Enterprise. So, I'm part of the Defense Information Systems Agency. Again, it's a [inaudible 00:03:12] support agency to the Department of Defense. Thank you.
Ryan Johnson: Well, thank you, Brandon. There are two topics we're going to talk about. The first is behind the theory Zero Trust, understanding federal zero trust straight from the source. The second topic is the reality, the implementation of zero trust. So, jumping into the first topic, the theory. This question to you, Scott Rose. You're one of the authors of NIST 800-207 Zero Trust Architecture. Can you tell us briefly what problem zero trust is trying to solve, and what are the main goals?
Scott Rose: Well, yeah, zero trust is the new paradigm of how you want to look at enterprise security. Basically it's taking a lot of the trends that we saw emerging over the last 10 years or so and pulling them together and layering them together to solve what we see is like company attacks that the common script from attacks that you see are going out there. It's where the initial breach happens. The attacker then moves laterally through the network, and then performs the actual attack ransomware, data exfil, whatever. Then they're not discovered until the next audit, some six, eight months later.
Zero trust tries to minimize that kind of attack scenario where you segment away, you micro segment away resources, you do endpoint security, you do strong authentication both inside the infrastructure, on-prem as well as outside coming in to limit that lateral movement and make sure that every connection from a client to an enterprise and resource is both authenticated and authorized. The idea is that you want to try, don't rely on your perimeter defenses anymore, but you're doing it every step of the way. So, there's a little mini perimeter around like now, every resource and every user. So, you always have, at least, more knowledge, not total knowledge, of what's going on in your enterprise.
Ryan Johnson: Thank you Scott. This next question is for you, Gerald. What is the biggest misconception about zero trust?
Gerald Caron: First of all, the level setting on the definition that I find is most difficult and people really understanding. No offense to any of the vendors here, but depending on who you talk to, they spin the definition their own way. So getting that common understanding of what zero trust is, is really important. Some people think it's identity, but it's a little more than that. As Scott was saying, it's about protecting what's important and shifting that paradigm in that culture that we do. We're very compliance-focused culture. FISMA makes us that way, put our scorecards, things like that.
But I think zero trust gets us to a more effective cybersecurity posture. Commonly, we've done that peanut butter spread approach, where we try to protect everything equally, with Frederick the Great says, "If you try to protect everything equally, you protect nothing." That quote up, basically, but great IT innovator that he was. But really that peanut butter spread approach is not sustainable. You can't cover everything you can't 100 be and 100% patched when you have 109,000 workstations across the world. It's pretty unlikely.
So what's important, as Scott was talking about? What's important? Definitely, if you need to understand what zero trust is. You're grappling with that definition. Yes, definitely. Don't suggest, but do read 800-207. I believe, and Scott would agree with me that, that's going to morph as new technologies and capabilities and concepts come about, that that is going to morph and mature as we go along on this journey as well.
Ryan Johnson: Yeah, I would agree with you on that. This next question's to Brandon. Looking ahead, what are the next or the biggest stumbling blocks for creating a zero trust environment?
Brandon Iske: Thank you for that question. So from my perspective, I think within DISA and DoD again, we're a very large environment. So I think from our vantage point, just trying to set the standards is really where we're at. So again, we very much leverage the 800-207 as a framework for DoD and what we develop for the zero trust reference architecture. So, we've recently approved that. So that's available internal to the DoD right now. So that's our way to get the common framework, and language, and taxonomy established across the department.
Other trends, we see, again a lot of the pillars of zero trust really do rely on existing capabilities and cybersecurity efforts that we have. From my vantage point, I think there are a few gaps in those technologies, at least, for what the department has adopted from an enterprise perspective. So, I'll talk on some of those. Again, it's making sure we're doing the existing capabilities, whether it's ICAM, whether it's endpoint, whether it's network segmentation. All those things really have to start coming together. Again, it's eliminating those stove pipes and enabling more API access to these capabilities, tighter integration, and really trying to drive towards conditional access beyond just what we do with PKI, CAC, or PIV today.
The one gap I see the department has been looking at pretty heavily across the board is as how do we access our IL5 cloud environments from commercial internet. Really with COVID and mass telework, that's been a big challenge for us is to enable secure, collaboration, and access to applications and data, but still from most of us being off the network. So, for [inaudible 00:09:07] that's a big challenge because, in those cases, a lot of our designs assume all the users are on inside the perimeter. So, this concept really changes that or turns the problem on its head. So again, that's secure access.
We're also looking at some of the SASE-type capabilities or secure access edge capabilities. But even in that space, the DoD is large. We're not going to be able to just use one vendor across the board. So, trying to drive interoperability of those capabilities, looking at what's best of breed, but also how can we... I don't want to have 10 agents on my computer just to be able to get to different applications across the department. So those are some of the big challenges I think we still see us ahead beyond just the obvious cultural challenges of getting everyone to understand the concept, build their maturity model towards that, and then adopt these concepts and integrations.
Ryan Johnson: Yeah. I would definitely agree with you. This is not a single vendor solution by any means. This will be a grouping of different vendors to maybe some homegrown stuff to address these type of issues. Thank you, Brandon. Next question is to Jason Wilburn. Zero trust makes identity the new perimeter. Why does zero trust take this approach?
Jason Wilburn: So, one of the things that I always laugh when I hear that it's the new perimeter because I've heard that it's the new perimeter for 10 years. I think I even have it coined from F5 from eight years ago, they said identity is the new perimeter. So I guess my wife's car that's 10 years old is still new to her. So, the fact is, is identity, really, is a linchpin in a zero trust infrastructure because without identity, you can't really secure anything because we have to know who that person is or what is making that request. That becomes really important in a couple of things.
One is the account creation. Are we creating accounts? Where do those accounts live, and how many entities of that identity actually just wrote an organization because the identity of John Smith can exist in multiple places? Really, what we're trying to do is to reduce the number of identities down to really holistically one single identity for, say, John Smith. But also, the next piece and that is really getting down to how they authenticate or how they assert themselves inside of the environment. That really gets down to things like multifactor neighbor, or if we can really get to the holy grail of going full password, which in the federal space we do a lot of passwordless-based authentication, doing things like smart cards, CAC, PIV, things like that.
That's really what we're trying to do is truly validate that that user is who they really are because to truly achieve zero trust, a lot of things revolve around one knowing who that user is and then once that user starts doing things within the network, really, should he be able to do those things in this network based off the permission levels and their user behavior and the device they're coming from, and where they're going to, but it all really revolves around the first step, and that user... they're truly identifying who that user is.
Ryan Johnson: Yeah. That ties into what everyone else has said, as well Jason. Appreciate that. The-
Gerald Caron: Ryan, can I add something to that question?
Ryan Johnson: Absolutely.
Gerald Caron: That identity of the new perimeter thing really scares me because then people get super focused on identity and say [inaudible 00:12:57] zero trust. That's just a, for lack of a better term, a pillar. Everything Jason said is absolutely important. But if Jason's account got compromised, for instance, what's the first two questions probably the cyber guy is going to ask that's looking at the problem? What did he have access to, and is there [inaudible 00:13:16]?
So it actually becomes about the data more than anything. So, it's about protecting that data at the end of the day. So I think it's really important. I think one of the things that, really, an identity itself is we do it very linear today, where it's one-time authentication, it's one-time access and then. Okay. Have a nice day. It's got to be a constant dynamic checking and rechecking of many other factors, as well as authentication and access. It's going to be continuous.
Jason Wilburn: Yeah. You're completely right, Gerald. Identity really is just one more data point to determine access to something, right?
Gerald Caron: Yeah, I totally agree. I just like to clarify that that's just one piece of it. [crosstalk 00:14:01].
Ryan Johnson: Not the entire enchilada, if you will.
Gerald Caron: Correct because I see a lot of people talk about it that way.
Jason Wilburn: No, no.
Ryan Johnson: Yeah, I would agree with you on that because a lot of places aren't doing that currently, and they think this is the solution, but it's just, like you said, part of the solution.
Jason Wilburn: Right. The enforcement point, like to take back to Scott's document, with the 207, the enforcement point's right, they will know about the identity, but the enforcement point takes in a lot more consideration beyond just the user's identity. There's all that telemetry data that we're getting in. What's the machines coming from? What they're trying to access? There's lots more information than just the user identity to determine access control.
Gerald Caron: Right. It's not always a human, right.
Jason Wilburn: That's right.
Gerald Caron: There's data flowing all the time and then there's data at rest. So, you got to protect that. There's not always the human involved.
Jason Wilburn: Completely right. So let's go down the road of what do we do with the service account that's coming from and making an API call from one PC to another PC in the same data center. How do you validate that and secure that beyond really when I think... a lot of times when we talk about zero trust, a lot of times we talk about remote users or just users in general, talking to resources and what we've been trying to get away from [inaudible 00:15:24] the user doesn't really matter where they live, whether they live in corporate environment or whether they live at home, or they're in Starbucks, where the user live resides doesn't really matter because at a network level, that's just an IP address.
We care about, one, how did they authenticate; and two, what device are they trying to access from, not just... is he on the corporate... The corporate LAN might give us more information and more telemetry by just being on the WiFi at Starbucks, but it's more than identity definitely.
Ryan Johnson: One thing that really hits home for me is the proliferation of modern applications, and API's talking everything. You got APIs on the cloud or even within the same agency or interagency or app, however, and Gerald's point about these non-human interactions verifying those, especially, when it's so spread out with different APIs. To me that really hits home. The next question is to Scott. There are multiple architectures listed in the 800-207. Why would an organization choose one architecture over another?
Scott Rose: Basically, as they need to look at whatever they're trying to push a zero trust architecture on, what workflow, what mission they're doing, all that will help decide which model will fit best for them. You got to take into account, both what they may already have owned or what technology needs they have, what can they just... what they can use anyway, just configure in a different way. Let's say they already went with vendor A and they have an installed base, but there are certain features that they're not using now, but as they move towards a zero trust architecture, they just turn those on because some things work better than others, some solutions require like agents installed, may not be able to put agents on things, especially if you're looking at [inaudible 00:17:28] an IoT kind of deployment. You can't push a lot of agents on the small form devices, but you have to go with a different model there.
But when it comes to the approaches that we described, like the enhanced identity governance, microsegmentation, software-defined perimeters, I think of the most mature as zero trust enterprises and architectures out there will have elements of all three. Those three approaches, we're just calling those like what is the load bearing technology that you're using in your architecture, whereas the models are more of what kind of products are you using, that dictates the model. Whereas like what technology are you putting the emphasis on, whether you're the identity management governance part, the micro segmentation parts, or using a software-defined networking or software-defined perimeter model. All those depend on what you're doing in that initial analysis, both what is the mission or workflow that you're working on to try and make more secure, and then you develop the other set of policies and controls around those, and then those guide you as to which model that you may be going towards.
Ryan Johnson: Thank you, Scott. Appreciate that. Next question is to Gerald. Looking into the future, what's next in zero trust? What technologies are going to impact zero trust security or require security in a different way than we see right now?
Gerald Caron: Technology moves so fast nowadays, you can't keep up. As I'm speaking right now something new, something new just come out that I don't know about. But Brandon, I think, mentioned SASE and edge computing. I think that's something that people are very much looking at services through the cloud. One of the things I advocate for that I'm looking at is I hate being tethered to an on-premise network. We're in a new normal. Everybody's working mobily now. I have to Boomerang back just to go back out to the cloud on the internet. So, how can I be untethered but to have all the security that I need in telemetry to make the right decisions is something that I'm looking at. So, it's something that I advocate for as well.
So, technology is moving so fast. I think some are a little more mature than others in this space. But I see it's going to be very much competitive because we're all looking this way now. I think, as I said before, we're all trying to become more effective at our cybersecurity, not just check marks and coming compliant. We really need to protect the data and then the things that we need to protect. I equate I get to protect the crown jewels versus the bologna sandwich. You can have my bologna sandwich. But I'm going to put my concentration on those crown jewels.
So understanding what's important to you and understanding what the heck is your risk posture. A lot of people struggle with accepting and understanding what their risk is. There is a lot of non-technical aspects to zero trust that people need to understand, the methodologies, what is your risk tolerance and the processes, and what is the data, and where is your data, and what is that categorization of that data. Those are all non-technical things. There's a lot of work in those areas that people do struggle with that I find. So, there's a lot. But I see every day talking with a lot of vendors, there's a lot of maturity in the space, and I just look forward to seeing some of the capabilities because there's a lot of concepts in 800-207, like I talked about ongoing authentication and ongoing access.
Right now, it's very linear still. That's something that would be maturing that people are looking at doing so. I think there's a lot. I look forward to it because a lot of people are putting their emphasis here, especially, with what we just experienced with the SolarWinds. There's a lot of focus in this area now, even more so if there wasn't before.
Brandon Iske: Ryan, if I can add in there, I think, Gerald is spot on. I think, as we can build towards more dynamic access, conditional access, and then having applications be aware of that context to govern what I can and can't do what's on that application. I think that's where... As all this comes together, those are the type of outcomes that we start to get at, whether if I'm from a personal device and maybe a low-assurance model, maybe I can't download attachments or something, but I can view those or view some content. So, those additional granular controls, I think, start to come out there, become achievable once we have some of these capabilities, conditional access and aggregation of telemetry together as well.
Jason Wilburn: If I can jump in, too, Ryan. I think that just being able to absorb the additional telemetry data, whether it be some sort of behavioral analytics coming out of a risk engine, just coming out of various security tools, I thought had mentioned this before, the breaking down of the silos between the team. I think that's one of the biggest things about zero trust. Holistically, from a security model perspective, what we're saying is that, hey, it all needs to work together as a single point of control that is closest to the resource, that Gerald mentioned. There can be some context around it that no longer is it just the firewall blocking IPs and things like that, and DLP looking at data exfil, and antivirus looking at what's happening on the server from a virus perspective or malware happening on the client. It all needs to work together, and it all needs to come back because that becomes part of the behavior or of the workflow that's happening between the client and the resources for accessing so that we can truly understand, is this a permitted flow? Yeah, this is a permitted user coming from a permitted device to a resource that it should have allowed to.
But based off not just what happened at the very beginning of the session, but what's happening throughout the life of the session, what's changed throughout the life of the session, that becomes critically important to really secure everything day one because back to Gerald's data exfil comment. Cool. You've got access to the data right now. Should you be able to download some document or upload some document five minutes into the session based off what something has changed? Maybe not.
Ryan Johnson: Yeah, I agree that's what we're trying to get to. All right. That concludes the first topic of the theory. Now, we're going to jump into the second topic, the reality, adopting zero trust. The first question is once again to Scott Rose. What components are available to federal entities to assist in forming zero trust architecture?
Scott Rose: Well, most of these are not real solid technologies, but it's more of frameworks and things that may help. There are existing government programs already out there. Both like a DHS, they have their CDM program. There's FICAM, things like that. These are already in place to actually build these, kind of like what Gerald called the pillars of zero trust. They've already been in place for a while. We looked at how zero trust extends those, how those reliant on those programs.
I mean, as well as we have for NIST, there's the risk management framework. That isn't the end all be all, but you can think of that as a tool to help one level down. Once you've developed that architecture, the RMF can maybe help develop that set of controls and checks in place to actually ensure that what you're doing, you're implementing correctly to your stated goals. These things are in place that are basically technology neutral, that whatever vendors you're using, you can always apply these frameworks and tools to help along the way.
In a way, that NIST, the Special Publication 800-207, that's also... think of that as a framework, [inaudible 00:25:53] just both on the architects, but also the way that the architects can then talk to the procurement people. They can, hopefully, understand what exactly you want. So when the procurement and the architects talk to the vendors, they're all speaking that same set of term, not just [inaudible 00:26:09] randomly zero trust or something like that. There's actually a set of rules and uses for these technologies that they can both use as a common set of terms.
Ryan Johnson: All right, next question... Thanks again for that, Scott. Next question is for Gerald. What are the things that enterprise needs to understand before migrating to ZTA or zero trust architecture?
Gerald Caron: That's a really good question. Think of the difficulty that some folks are going to have. I mentioned the data, understanding the data, where it is, where it's going and what classification it is. The where it's going. Where does it normally go? What is the flow? What does normal look like? How do you baseline normal? That's going to be really difficult because understanding what normal looks like will depend on when something happens now, what actions do I have to take? So understanding where that data flow is, where that data resides, what it is, who owns it because you're going to have to work with data owners. It's going to take a village. It's not just the network guys, not just the IT guys. It's going to take a village to do with zero trust in my estimate at an agency.
But, as Scott was saying, be on the same page with terminology and things like that. But I think that's the difficult part. I think that answers one of the questions is how do you know what abnormal is? Well, you got to know what normal looks like to know what abnormal looks like. So I think that's really important. So, I like the inside out method, that start with the data, and then all right, what's facilitating access to that data. Device app. What do you do with those things, and then work back to the identity, given the right access to the right people at the right time.
We talked about this from the end user standpoint a lot. I want to go back to this. The administrators as well are very powerful. So you have to address the administrators. I think that gets lost a lot of times when people start talking about... They talk about users accessing data. Well, your administrators need to be addressed as well in a zero trust. So that's something that's difficult.
The one other thing I would say that's difficult, Ryan, is that we all, as different agencies, we all share data, we all classify it differently. If I want to share with Brandon a certain amount of data, I do sensitive but unclassified, but he may classify it in a different way. Where do we meet when we want to share data with those different classifications, so that we can properly do that? Then when I give Brandon my data, it's my data. He's going to be a good steward for it. If he doesn't have the right things in place, now, I've put my data out there. So, how can we all get on that same page? Interagency sharing is I think going to be a challenge as well.
Ryan Johnson: Absolutely. It makes complete sense. That's a big, big challenge. Next question is for Brandon. Is it necessary to have a ZTA if the enterprise does not utilize cloud resources?
Brandon Iske: Thank you for that question. I would say absolutely. Again, the threat is the same whether you're in the cloud or not. So, whether you have disconnected resources, or closed networks, or connected networks. You still have very similar threats to some extent. So I think it absolutely applies. Again whether you look across the pillars, whether it's identity or endpoint, we still have to do those same things and even what we're doing in DoD to enhance our identity ICAM processes. Again, it's all about authentication and account lifecycle management. Those are the big pieces that... We still have a long journey to get to from an enterprise perspective to get those under control in a better fashion than what we do today.
We have CAC or PIV programs that are very strong, but again, those are a strong authenticator. It's the entire lifecycle of the additional pieces of identity that come into play. Again, all those same concepts apply regardless of where the data or applications exist. Other efforts that we've done in this arena as well, too, I would say is our cloud-based internet isolation. So again, this is a way that we move the end user browsing to a cloud environment for our actual benefit. So, in this case, basically, my browsing session is going to be terminated in a cloud environment. From a data protection and exploit perspective, those drive by downloads basically would happen in that cloud environment, not on my endpoint. So, it actually comes to help us also in this mass telework environment as well, too.
So, I can split my traffic going straight to the cloud for browsing and not backhaul that all the way back to the VPN to come on to the internal network. So, that's given us a few really big benefits, again, in a very hybrid model where in some cases, we're using cloud; in other cases, we still have a huge set of legacy that's still going to be on-prem for the foreseeable future until they modernize or whatever schedule they have to modernize.
Jason Wilburn: Brandon, if I could ask a question about the browser isolation component. Is this going to be in when a user is accessing internal resources inside of the agencies, or is this going to be also a service that's internet-facing? So, when a user's sitting on-prem or anywhere, and he's now going to the internet once they go to Google, is all internet traffic really going to be browser isolated? Is that the envisioning?
Brandon Iske: So, it is what we're doing. So, the basically .com or any commercial internet browsing [inaudible 00:31:55] capability [inaudible 00:31:57] .mil is going to bypass that. So, whether I'm on a VPN or the .mil resources already internet facing, those are the [inaudible 00:32:08]. So I mean, basically, you're not routing either way. So, it does allow us to basically not be backhauling that traffic back onto the DoDIN or [inaudible 00:32:16] for DoD terminology, for our internal network.
Ryan Johnson: Thank you, Brandon. Next question is to Scott Rose. Looking to the future, what is next in zero trust? What technologies are going to impact it or acquired in a different way than what we see right now? I love the question.
Scott Rose: Yeah. I don't know for sure because everybody makes predictions and are constantly surprised about how they don't pan out. But at least in the near term, I see a lot of people focusing both on IoT like we are as well. How do you get those and manage those in an automatic fashion? So, you don't actually have to have human administrators going out and touching all those devices or doing something to those devices. They're getting to the point where you can just quickly get them onboard them onto a network. You know exactly what they're doing because they say what they're doing in [inaudible 00:33:19]. Manufacturer vouches for them. You onboard them, you have go through the entire lifecycle, and you offboard them if you need to all in a more streamlined automated fashion. That's going to be coming on as people look for IoT solutions.
The other one is we're seeing more people looking at machine learning when it comes to developing user profiles as feedback to what we call like the policy engine or the trust algorithm moving on. Building up again, what does this user normally do in order to see when something abnormal happens? You always [inaudible 00:33:57] this. You have a person, say, working in HR, and they connect to this database with all the user information. They do roughly, say, three to five gigs of traffic going back and forth from this database a day. Suddenly, you see that jump up to 800 gigs. That should cause a red flag going up because that's abnormal. But then again, maybe it's because there's the annual performance review, where they're downloading everything and going through everything.
Maybe that happens every year at a certain time. Then again, you're building up that profile saying, "Okay, we know that does happen at a certain timeframe. So what happens outside of that timeframe, then maybe something strange is going on." Those kinds of trends we're seeing, just try and improve the dynamic nature of zero trust. That's kind of the things that are just on the horizon and starting to appear.
Ryan Johnson: Thank you, Scott. Next question is for Gerald. What mistakes or what are the biggest misunderstandings with zero trust in the industry or within federal entities right now?
Gerald Caron: Definition. Understanding the totality of zero trust, understanding as a full architecture, full framework. People talk about it in bits and pieces. Unfortunately, some vendors will talk about zero trust, but you got to understand the whole landscape of it because they may come in and do the authentication and access management piece, but not do the data segmentation piece, or the app hardening piece, or network mapping for understanding where your data's flowing and things. So, understanding that it's not just a one-product thing. It is truly going to be an integration. It's going to take a whole effort, a whole village to do it.
So, really understanding and getting level set, and understanding the use cases and understanding what your risk tolerance is, is very important. What are you willing to take risk for? What's important to you? Putting your emphasis on what's important. The cafeteria schedule, okay. But your medical records, I'm going to put a little more emphasis on that probably than the cafeteria schedule. So, and understanding where does that reside? How do I protect that and things? So, really understanding what it is you're trying to accomplish, and then we all have our little special snowflakes in all of our different agencies. So, what is our little spin on things? So understanding what your use cases are, I think's really important.
Ryan Johnson: Thank you, Gerald. Next question is for Jason. Let's go to another identity question, Jason. If identity is a new perimeter, what should federal agency entities consider when looking at making identity their enforcement point? How is this achieved?
Jason Wilburn: So, it's not going to be the enforcement point. It's just going to be another piece of information, a data point that can be used by an enforcement point. To Gerald's point, it needs to be looked at holistically. Identity just needs to be one part of it. I think the biggest thing is understanding really where are all your identities within an organization. Are they all in Active Directory? Are they all in a SaaS-based [inaudible 00:37:22]? Does each application have its own directory structure? So, while you think that John Smith's account only exists in, say, Active Directory, it might exist in multiple locations. So then you need a good strategy to onboard identity, decommission identity, and then also validate identity. That means back into needing some sort of MFA or a good authentication method.
Ryan Johnson: Next question is to Scott. What are the concerns a federal entity needs to understand before migrating to ZTA?
Scott Rose: Well, the concerns I need to think or that they need to worry about is, basically, they need to know what they do, they need to know their mission, they need to know the risks inherent to that they're doing their mission, and then they need to know what they have, who both... These are accounts of the network, the devices, the workflows, they need to have that knowledge at first. They need to be able to detect and monitor things previously before they can actually start moving down this road to zero trust because you can't really build a policy and a set of checks around things that you don't actually know. So, those are the main concerns.
Other concerns are how it will impact the users. We need to educate them to make sure everybody else is onboard because if the other kind of operating units in an organization or a federal agency or something, if they're not onboard, there's going to be a problem because the way things are... because they may result in the changes of the workflow of [inaudible 00:39:02] times. They're accessing things. What permissions they have or don't have? There's always that learning curve when you're trying to actually refine these policies. If that becomes aggravating, they're going to start trying to find ways around it. That's the last thing you want because then you have the shadow IT springing up behind it and things that you've sorted all these strange traffic that you're not seeing on the network, but people claim that it's very important for them to do their job. Those sorts of things. So you need to actually realize that going down the road of zero trust is a unified front. Everybody needs to take those steps together.
Ryan Johnson: Yeah. Thank you, Scott. Probably the last question here, this is directed to Gerald once again. How does zero trust relate to TIC 3.0 and CDM?
Gerald Caron: So, I think the great thing about CDM, for those that have been participating in it, it's such a good foundational thing that I think you can build on for zero trust. I think Brandon said it well earlier, is like, you're probably already doing some things and taking a good inventory of some of those efforts that you already have going on, and how it fits into the zero trust architecture that... So, there may be some tweaks. TIC, I think, definitely is part of... a contributor to the solution, especially, some of these efforts that allow for the telemetry and the services to do that untethering that I was talking about, and get all that data and make decisions based off that.
Definitely. I think the way CDM is taking in and doing like the asset discovery, a lot of the understanding of the mapping, eventually in the subsequent phases later on to do the network access control, so you can quarantine or trigger an action on a device. There's a lot of good things that I think they provide some good building blocks that will get you a part of your zero trust solution. Not the totality. Of course, we've already talked about that, but I think there's some good foundational pieces that they've put in place that contribute to the overall zero trust architecture.
Scott Rose: Yeah. To follow up on that, if you go through the part of the NIST 800-207, we have a coauthor from DHS, and he's the head of the TIC program. We made sure that, at least, the text that we had in those sections where we talk about CDM and TIC, we had a lot of input and overview from DHS there. So, he made sure that the wordings and both of the tone and both matchly don't contradict. So yeah, we made sure that we were expressing the fact that these programs are interlaced.
Thanks for listening. If you would like more information on how Carahsoft or F5 can assist your federal agency, please visit www.carahsoft.com or email us at f5-sales@carahsoft.com. Thanks again for listening, and have a great day.