Transcripts For CSPAN3 Cyber Military Top Priorities Strate

CSPAN3 Cyber Military Top Priorities Strategies July 14, 2024

Welcome back from the break. Thank you to Amazon Web Services for hosting our break as the sponsor. Thank you. Now we're going to be talking about zero trust, a topic near and dear to some of our hearts. For those of you that haven't been to DreamPort, you should go over there and talk to them about their zero trust efforts as well. First of all, I'd like to introduce our moderator, Mr. Tom Temin. He is the anchor of the Federal Drive from Federal News Network. Thank you, Tom, for moderating the panels. His panelists are Rick Howard, the Chief Security Officer from Palo Alto Networks; Sylvia Burns, the Deputy Chief Information Officer for Enterprise Strategy, FDIC; and Michael Friedrick. Over to you, Tom.

If you have a streaming device you can hear my voice on the radio now through the magic of streaming technology. Our topic today, and it's really great to be in such a nice intimate setting here with listeners that are close by, we are going to talk about something that in many ways is like "Frisbee," "Coke" and "skunk," words you have to almost be careful using in speech and in texts and in the discussions and white papers, because the idea of zero trust is an area where some companies have staked a claim to exactly what it is, but we're not going to buy that today. We are going to talk about zero trust as something that is of value to the entire community. We have three really good experts to talk about it. So that's where we're going to begin: a definition of zero trust. I'm going to just start with you.

All right. We could talk about that thing for the next 12 hours. We will try to be brief here. Zero trust from my perspective is you absolutely have to know that bad guys are in your network. Okay. You assume that they are in your network, and if you do that, how do you re-architect it so you can reduce the risk of material impact to your organization?
That's completely different from the way we used to do it back in the '90s, where we would put this electronic perimeter around all of our stuff and assume that the bad guys were on the outside. So it's a different way to think.

Okay. Actually, Sylvia, I'm going to come to you third. Okay. Sure. Because you have a lot of follow-up. You have the best answer. She gets the government answer. Mike, we will go to you.

I would agree, zero trust is an abused word. It is a process, a methodology, a way of thinking about how to attack your network. I know that sounds like a strange statement, but you need to attack the concepts of identity and mobile and the workforce and assume the adversaries are inside your network, and you need to decide how you're going to define what your assets are, who needs access to them, and you need to go through the process as an agency, as a user, as a piece of software that you're leveraging, who owns that system, and you need to define that. So zero trust just means what it says: I have to assume you only should have access if you need to. This idea that is going on and the technology being leveraged is opening up holes all over our networks as the government, and we need to stop that.

Okay. And, Sylvia, you are doing work at the FDIC itself but also as an interagency person for the CSO or CISO council. So tell us about that.

Sure. I used to be the CISO at the Department of the Interior and I was one of the co-chairs of the CIO Council's Strategy, Services and Infrastructure Committee, and, you know, in my experience at Interior I was involved in the OPM breach. So that was a really, like, impactful experience, if you can imagine, right? I haven't heard of that. Please, tell me what happened there. You know, that wasn't a big problem at all. I testified twice in front of Congress. It is like, if you have to tell your mother, one day I'm going to testify in front of Congress, right? So basically I was familiar with the concepts about zero trust.
Actually, a small team of people working with me before I was in that job, in 2010, we were talking about what we needed to do to significantly change our IT environment. We had this notion of protect the data and the network. That's what zero trust is; I agree with everything that Rick and Mike are saying. It is a philosophy that for us has become like a way of thinking to drive an architecture for protecting data. That's really what it's about. The adversary is in your network because they want to take your data. That's the most sensitive thing. So the interagency committee, we started with an industry-government collaboration where we were trying to understand what technologies exist today that fit the mindset of what we're trying to do with zero trust. And last spring I published a paper on it. We progressed since last year and we actually converged all activities in working with NIST. The Interagency Steering Group that I'm part of is actually working with NIST on two things: a subteam working on architecture, and another team working on technologies to come to the lab, kick the tires, look at what exists, all of this informing publications that come out for the federal government. So that's what we have been working on. NIST put a draft together, a Special Publication 800 document around zero trust architectures that the interagency team just reviewed. NIST is working through comments to release it publicly for comment. Very serious.

I would like to emphasize the point that we talked about backstage: zero trust is a philosophy, it is not a definition. You're never going to get there and be 100% complete. The argument I want to tell the government people is don't make it too complicated. You already have technology in your networks that can get you 80% of the way there. You're going to spend the next five years doing the next 20%, but you have the technology in your networks right now.
If you have a next-gen firewall, it can do 80% of the work by making simple rules that say the guest network can't connect to the internal network. Just do that, and you're halfway down the path. You want to get to a point where developers can't get to the secret database we don't want anybody to see. A simple rule in the firewall will get you almost there. It doesn't have to be as complicated as we're talking about.

We still have 20 minutes. We're going to make it complicated. I heard the word "state": zero trust is a state of being, a mindset, it is a philosophy, an architecture, it is an approach and a journey. But I think, as Rick pointed out, it is not a technology necessarily. Nevertheless, it exists in a technological system. How do you, besides buying a firewall and setting up rules, maybe that's all you have to do, what are the steps, how do we get to making the federal networks with that data protection idea at the center of it? How do we go about getting to zero trust?

Let me jump in, with observations from talking to folks like Sylvia as we talk about the process. Start with classifying data: what your data is, who should have access to this. One of the biggest weaknesses when we talk to agencies is that identity management is pretty poor: getting to a sense of who is on my network, what devices are on my network, who should have access to my network and what data within my network, and where does this data live? That's really important to understand, because the boundaries are broken when I can read email on my phone, approve invoices for an agency on my phone or on my watch. The boundaries are gone. Now I need to look at where do I protect what, who should have access? That's the beginning of the conversation. Classify, clarify, and understand. You have to know where it is and who's touching it to start with, who should touch it.
Isn't that complicated by the fact that in the cloud era, we heard already this morning that agencies are pursuing a multi-commercial-cloud strategy, that there could be many instantiations of data and associated applications? How do you know at a given point exactly where it is?

That's the critical part in understanding the contracting process: what vendors have been selected, what technologies you're using to take the Cloud Smart policy and apply it, so that you're not having a VPN here that's weak or a problem, or technologies that don't address users coming off the network. Microsegmentation is the beginning. In order to microsegment, you have to do the first step I was talking about. You need to understand who, what, where, when, why. That's why zero trust initiatives fail. I've talked to many in the last couple of years about trying to do it. It doesn't fail because they don't have the right technology in place; it fails because they don't have the policy and leadership in place to make decisions, that the general doesn't get access to the really cool data he shouldn't have access to. Right? It fails politically. It can't be done by the infosec team based in the Pentagon; these have to be policies at the high level to implement this policy.

Sylvia, for FDIC, there's data and data. Some is critical commercial data. Yeah. That's true for everybody, right? Regulated institutions, and there's administrative data. Absolutely. Isn't there a need to apply a hierarchy to how you do protections such that tools can be applied efficiently?

Absolutely. Everybody has to take a risk-based approach, right? You're not putting all your energy in the least important things, right? You want to know what the crown jewels are, and put energy around that, because that's what you're most at risk for. It is always a risk-based approach. So absolutely. You're going to focus on high-value assets, high-value data.

I want to get back to users. Zero trust implies zero trust of what?
And as we mentioned earlier, it is everybody. How does that work in the age of contractors being on your network, you being on their network to some extent, and the mobility question?

This is where you need to select technologies to enable a zero trust platform. And agencies need to cite the use case and solve it and what the right technology for them is. First thing I'm going to say is more technology is not always the right answer. Less technology that's better integrated and fits the use case is the right answer. You shouldn't select a technology that doesn't integrate with ITSM systems or SIEM systems, IDS, or that DLP can't talk to, or AI as it is evolving and giving trust scores more and getting smarter. You need systems that make themselves smarter, better, faster, more agile. If they don't work together, you bought the wrong tool.

Yeah. Simple works better. Can we say that, too? It is easy to try to boil the ocean for these kinds of things, who gets access to what. You can get it down to the individual user. Okay. Start with four big groups: contractors, government employees, military, who do those groups of people get to attach to on the network. When you get that done, get more granular. Start simple, get things done down the journey.

Earlier, I think, Rick, you said protect data but open the network. So what does that... You said that, I'm sorry.

So this notion, I think everybody had this false sense of security about the perimeter. And that is false, because a simple phish event can compromise the network. The concept of zero trust in conversations I had with people in my circles has been really shrinking the perimeter around our most valuable assets. So we're not putting the perimeter around the whole organization with all users, for instance, which is what we do today. You're actually saying where are the most sensitive pieces of information and the systems that house it, and put the perimeter around that. You create micro-perimeters, right?
When you get to that point, if you think about it, the implications for large organizations, especially in the federal government, are that you can open the network up. So at the Department of the Interior we had over 2,400 locations. Some locations were in very remote places. I know the same for many of my sister agencies in the federal government, which have large, sprawling organizations that are located in the middle of nowhere, quite honestly, so you're trying to drive them into... it is like you're trying to create one solution for a diverse set of circumstances in the physical environment, and if you shrink the perimeter and open the network, you can let your local offices use whatever best-quality broadband services instead of trying to shove them into the corporate network, because they don't need to be in the corporate network.

I love the shrink-the-perimeter idea. I have a different word or phrase for this. I think of it in terms of data islands. We do still have a perimeter in headquarters, data centers we run and operate; we have mobile employees now with phones and laptops and other things. Government is using SaaS services. And as the government moves to the cloud, that's another place your data could go. What we don't want to get into is a situation where you buy different technologies to protect the data islands. You want to unify the system with one policy. They have different use cases. If you can simplify it, you have a chance to get it right.

Many years we had a regime of the idea of multilayer security. At the conferences, people used to say networks were like porcupines, I think the phrase went. They were difficult on the outside but soft on the inside. Sounds like you're saying make the smallest part of the inside the data, the hardened part, and who cares if somebody bites the porcupine in the neck. Kind of. Move up the tech chain.
The technologies that are out there now, regardless of the number of vendors, are doing a good job of cloaking network access at the initial point of sign-on. The integration points that are happening are important. You need to leverage different things: single packet authorization, you need to leverage mutual TLS encryption. Why? You stop man-in-the-middle. Get people off the network, but leverage that philosophy and technology across multiple places. The thing I want to challenge agencies and leaders to ask questions about is: are the tools compliant? A lot of people claim zero trust if you go to the trade shows. Start by asking, are you FedRAMP, Common Criteria, show scans of data, where do you do your development? Ask the important questions before you get down this road and realize this could be kind of interesting but I have no idea whether this is safe to use in the network. Yes, it gets less crunchy on the outside, but not really. You're putting new technologies in place to be sure people that do get in are appropriate, along with their devices, so you start to establish a greater sense of trust, but you develop automation with that. Once I establish that the device belongs to the user, I can control what they see, when they see it, how they see it better. You reinforce the boundary but make it more open.

I would like to push back on that a little bit. I agree, you might need new technologies to do the journey, but I am telling you, you have technology in place that can do 80% of it. Think of how to use that first before you spend money on other things.

That's practical. Totally agree with that. I think there's also look to the future, where we want to be longer term. I think that's all true. The thing that frustrates me, you mentioned the ads, Mike, it frustrates me to hear when I drive, I was saying I am driving my car, have WTOP on, and there's an ad about zero trust, somebody selling zero trust.
It has become a big marketing thing, because I think industry realizes it is a hot topic, right? The federal government is keenly interested in it. But in all the work I've done with NIST and talking with various agencies, quite honestly in the federal sector but also some in the private sector, everybody is still trying to figure out how to crack the nut. Nobody has actually... yes, we are using whatever tools we have. To get us to where the vision is, nobody has the lockdown on that. Part of it is I think we need a dialogue between the government and industry, so that we, not just the government but other big sectors like the banking sector, like the health care sector, that have sensitive data and want to protect that data, so we have an exchange and understand what the two sides are saying, right, and what we need from industry. The government is not building this by ourselves. We need industry, but you have to understand what we need.

Funny you mention health care. The industry that affects government, with DHA and VA, health care is one of the biggest problems in zero trust. We're now building machines that are remotely managed and monitored, that have personal health information, through big networks. These machines have no sense of them. IoT devices generally have no installable operating system that's common, that you can install agents into or monitor in any effective way. As a zero trust philosophy, you have to figure out how do I stop devices being rogue, or someone plugging in, masquerading as that and stealing information out of the network. That's another big government issue where I think they need to work with the technology vendors out there to define what our goal is. There is not a right answer. But it needs to come.

Come back to the definition. This is where I get in trouble; it is not the standard definition, this is how I view zero trust. There are two big security philosophies out there. The dominating one is zero trust; the other is intrusion kill chains.
You need both to keep bad guys out. But in my mind, zero trust isn't passive; it is reducing the attack surface. So, any military people, it's like digging the foxhole, putting sandbags around it, overhead cover and wire in front of it. That's the journey we talked about: passive, not based on how the adversary attacks you, but absolutely needed.

A couple of recent famous breaches that happened, not so much in government but in the commercial sector, involved people that were trusted, at one point trusted by the organization. Can a zero trust philosophy result in an architecture and technical setup such that people that you trust are not exfiltrating against rules the organization has to have in place? Let's talk about the most famous one that happened recently. We're probably both headed to the same one, Capital One. How did this woman succeed?

She had access to the network, had privileges to get to that, understood the architecture. Then you come back to the point I made earlier: identity management. If identity management was done properly, she wouldn't have had credentials. Systems that talk to each other and understand the HR system terminated the employee; Active Directory needs to terminate the employee. Guess what, the zero trust boundary side says you don't exist. Even if you had the right tool loaded on your machine, it is not going to acknowledge you because
