The Segment: A Zero Trust Leadership Podcast

Protecting Data in New Ways with Sean Connelly, Former Director of CISA’s Zero Trust Initiative

Episode Summary

In this episode, host Raghu Nandakumara sits down with Sean Connelly, Former Director of CISA’s Zero Trust Initiative, to discuss the evolution of network architectures; why incidents over the past 5 years have catalyzed a greater federal focus on cyber resilience, and specifically Zero Trust; and how CISA is thinking about protecting data in new ways.

Episode Notes

Timestamps: 

(04:39) How the nature of the perimeter has changed 

(12:00) The shift towards being critical-asset focused and how it accelerated cloud adoption

(15:36) The process behind drafting recent regulation and EO 14028

(36:56) Are agencies making the expected improvements? 

(41:48) The key challenges moving forward 

--------

Sponsor

Assume breach, minimize impact, increase resilience ROI, and save millions in downtime costs — with Illumio, the Zero Trust Segmentation company. 

Learn more at illumio.com.

--------

Links

Connect with Sean on LinkedIn

Episode Transcription

0:00:00.0 Sean Connelly: A lot of this is about data security in new ways, but I think the data security pillar has been the weakest and like we had the most to do.

0:00:12.9 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership podcast. I'm your host Raghu Nandakumara, head of Industry Solutions at Illumio, the Zero Trust Segmentation company. On today's episode, I'm joined by a very special guest, Sean Connelly, former Federal Zero Trust architect at the Cybersecurity and Infrastructure Security Agency, or CISA for short. Sean was also the Trusted Internet Connections program manager at CISA within the Department of Homeland Security. He joined the DHS back in 2013 and served in a variety of roles since. He was a lead author on the IT modernization report to the president in 2017, and co-authored NIST's special publication towards Zero Trust Architectures in 2019. We recorded this episode back in February. So while Sean has since moved on from CISA, you'll hear him speak from his perspective when he still worked there. We discussed the evolution of network architectures, why incidents over the past five years have catalyzed a greater federal focus on cyber resilience and specifically Zero Trust, and how CISA is thinking about protecting data in new ways. So it gives me great pleasure to welcome onto this episode of The Segment, Sean Connelly, Federal Zero Trust architect at CISA. Sean, it's a pleasure. Thanks for joining us.

0:01:38.4 Sean Connelly: Oh, thank you. This is a pleasure on my end. Very happy to be on The Segment. Thank you.

0:01:43.6 Raghu Nandakumara: Thanks so much. And it's super exciting for us because it's not often you get the chance to engage with someone who's had a direct hand in the authorship of Zero Trust mandates at sort of the government level. But before we get into that, Sean, tell us a bit about your background and the career path that you've taken to get to being a Federal Zero Trust architect.

0:02:07.3 Sean Connelly: Sure. So thank you. So I've been around computers for a long time. Back in the early 80s I had a science project where I used a TRS-80 Model 3, a Radio Shack computer, was in the science fair and learned pretty quickly about user experience because at the science fair, I went to a private school, had an 80 plus year old nun trying to use the computer. This is someone literally born back in the 1800s.

[laughter]

0:02:34.5 Sean Connelly: It's a little different trying to have to explain to her how to turn on the computer and what "syntax error" meant, but pushing forward. So then I got more into security, or networking first. In the 90s, I installed a ton of Cisco routers, Cisco switches, and that's really where I started to get to know the protocols. And you really... You do routing, you got to understand the protocols almost like the Wireshark or Ethereal level, to age myself a little bit. And then naturally from that, the networking, you gotta start worrying about the perimeter, then going into firewalls in the early 2000s.

0:03:07.8 Sean Connelly: And then 2004 or '5, I had the opportunity to work at the State Department, and the State Department, of course, 200 plus embassies and posts around the world, a global network, some of the most advanced persistent threats coming at the State Department. So really was a great experience for me in learning about the federal government, learning how a global network works. And then maybe 2013 or so I believe had the opportunity to move over to NPPD, the old name for CISA. And I've been at CISA for the last 11 years or so. And really that time at State Department and that time in CISA, my primary focus has been on that perimeter, specifically the federal agencies, depending on how you count 'em. There's a 100 plus federal civilian executive branch agencies. And we've been working with those agencies helping secure their networks, stop those APT type of threats at the perimeter. And then Zero Trust came along, of course. New types of discussions, but really for the last almost 20 years, it's been working with the federal enterprise and securing it in different ways than I think we had before.

0:04:16.1 Raghu Nandakumara: Awesome. So you spoke about the perimeter, and I think if we kinda look at the evolution of architectures, of network architectures, over the last 20 years, I think probably the greatest sort of evolution has been around that concept of the perimeter. And I know you've been involved in TIC One, TIC Two and more recently, TIC Three. If you could explain to the audience how the nature of the perimeter has changed and why then the security requirements have to evolve with it.

0:04:47.4 Sean Connelly: Sure. That's a great question. So a lot of what we started out with TIC One, TIC Two, in the mid 2000s, the White House Office of Management and Budget, they had asked a question to all the federal CIOs and federal CISOs. Pretty simple question. How many connections do you have to the internet? How many connections does agency A have to either partner networks or to the internet itself? And the number that came back was staggering. No one thought it was that many circuits or that many connections. There's over 4000 circuits split across, and this is just the civilian side, not even talking about DOD. So really, the first discussions were around traffic aggregation. How could we not necessarily eliminate those 4000 internet circuits, but be able to concentrate and do what's called traffic aggregation of those circuits in a finite number of data centers, firewall stacks known as TIC Access Points. And so that was the first thing, was first concentrate the data. And then on top of it, now that we have these circuits concentrating in these finite number of TIC Access Points, let's start to put a standardized baseline security perimeter around those devices. And so, again, this goes back to 2008, 2012, up to really about 2015 or so.

0:06:03.2 Sean Connelly: When there was that common architecture, it was more focused on the, what we call the north-south traffic versus the east-west traffic. And it was really forcing all that data. It was called a TIC tax. We had a lot of agencies that had offices, branch offices in the Midwest or the West Coast, but the agency's headquarters had their TIC Access Points on the East Coast. So now even across CONUS, across America, you got 40, 50 milliseconds of time.

0:06:28.7 Sean Connelly: And if the data center was over on the West Coast, some agency would have to go across from LA over to DC, have their traffic go out as north-south traffic and back across to the West Coast. And it was literally a tax, it was a compromise. And so that was when the discussions, when Cloud started to really evolve and mobile started to erupt on the scene, that we needed to look at a different way. The perimeter model, the legacy castle-and-moat model, was never, I think, idealized even back talking about Cisco and the Jericho Forum, which I've heard John Kindervag talk about.

0:07:04.9 Sean Connelly: Even back then I was talking about we need to get de-perimeterization, as the Jericho Forum called it. I think John talks about how sometimes Jericho is focused on like TLS connections, encrypted connections from the client to the server. But there's... Jericho had a number of commandments in there in their original document. And one of them was something, and I'm paraphrasing here, but like the more you can put security closer to the data, the better it is. And that makes sense.

0:07:31.7 Raghu Nandakumara: Yeah.

0:07:32.0 Sean Connelly: And that was exactly opposite what TIC One and TIC Two was, it was forcing the data, forcing those sessions through those firewall stacks. So that's really where like the federal enterprise was, if you will, around 2015 or '16. We started on this new journey.

0:07:45.7 Raghu Nandakumara: Actually, it's interesting you mentioned that point because one of the reports that you participated in authoring, the report to the president on federal IT modernization. And in the executive summary, one thing that's really interesting that you call out: these actions enable agencies to move from protection of their network perimeters and managing legacy physical deployments toward protection of federal data and Cloud-optimized deployments. The report also emphasizes a risk-based approach that focuses agency resources on their highest value assets. And I think that's really interesting because this almost directly leads to your focus in TIC Three, which is away from sort of perimeters of the organization at large, but really moving that control and focusing on the security of the key things that you're trying to protect.

0:08:37.2 Sean Connelly: Yes, thank you for that, the report. I was one of a number of authors on there, and it takes time in the federal government to move some of the different bureaucracy or policy or mandates. And to your point, that was written in 2017. A lot of those co-authors were still with us when we were starting to roll out the TIC Three guidance after the memo was released in 2019. But it took those number of years, even though, to your point, we knew where we wanted to go. But it still takes a while just to shape the policy in a way to begin to, not force that change.

0:09:12.3 Sean Connelly: I don't wanna say TIC forces anything, but begin to have different opportunities, different possibilities, but just like you said, it's more about Cloud optimization, data security moving away from... I wouldn't say moving away directly from network security, but having a balance between data security and network security.

0:09:29.6 Raghu Nandakumara: Yeah. And I agree and I think the way that this particular report and just that network modernization consolidation, the way it's phrased, I feel that sets the starting point for that shift towards adopting a Zero Trust approach.

0:09:43.7 Sean Connelly: No, no. Literally that was John Kindervag, I've mentioned him a 100 times in this interview probably, but back in whatever it was, 2010 or 2011, it was, Forrester wrote that, the Chewy Center document. Back then I was at State Department and I was running around State Department with that guidance saying this is where we need to get to. Not sure how to get there, but this is exactly the framework. It was moved forward, honestly, at that time. I think we interpreted it more as a NAC solution, a Network Access Control type solution.

0:10:13.7 Sean Connelly: To be fair, NAC is moving security close to the data you got, like enforcement, if you will, on the switch, and you got an agent or client, 802.1X, on the client itself going to the switch. But even that I think was just part of the equation. It took a while for the discussion to evolve and saw what Google's been doing for the last five, 10 years from there, when they got compromised about a decade ago and how they've used BeyondCorp and how they're doing encrypted data.

0:10:40.8 Sean Connelly: So I think all these discussions were going on. And then, like you said, just in terms of opportunity of timing, when that report came out in 2017, really Zero Trust was starting to resonate around the government in different ways. Up at NIST, this is pre-COVID, NIST was holding a number of like workshops on Zero Trust. Every year there's an annual gathering. NSA, they were having a large participation in those meetings. Randy Resnick was at NSA at the time. Now he's the DOD Zero Trust portfolio management officer. He was there.

0:11:14.1 Sean Connelly: Some of the key authors of that IT modernization report I mentioned were at these conferences. So it was starting to percolate around. It just wasn't really in policy yet per se, the Zero Trust. At the same time, like you mentioned, in that modernization, there was that TIC memo, or that modernized TIC. And so we tried to position the TIC Three efforts to be able to support and align with Zero Trust as much as possible in there.

0:11:38.2 Raghu Nandakumara: Got it. Because the other thing that I noticed before we move away from the report on the IT modernization is that it's really setting out the stall also for public Cloud adoption by federal agencies. Why did you see this shift in moving away from being overly perimeter-centric and network-centric to being more critical-asset focused in terms of security? Why did you feel that was essential to the adoption, or to accelerate the adoption, of Cloud by federal agencies? 

0:12:10.4 Sean Connelly: Well, unfortunately we've had a number of case studies where it's shown a just broad perimeter, based a lot of your focus on the perimeter, the adversary is still getting compromised. A lot of the efforts that you mentioned with the IT modernization effort actually came out of the OPM breach in 2015, and that was a response to the OPM breach. We'll probably talk about the Cyber EO and the Zero Trust stuff going on the last couple of years. A lot of that was focused on the SolarWinds breach. So sometimes there's these breaches and it captures the attention of leadership and that forces these discussions in new ways. But to your point, Cloud was going on long before the breaches happened. Of course, FedRAMP, the GSA-led Cloud modernization or ATO process, has been around for about a decade, but took a couple of years for the program to really stand up and start getting the different Cloud providers to be supported in the FedRAMP program. I can remember when Matt Goodrich was celebrating like the number 20 CSP ATO around 2014 or 2015. Now, I think there are well over 300 different packages for ATO. So just, it takes a while sometimes for this to happen, but yeah, the Cloud adoption happened, just like you said, at the same point. The larger, faster embrace of the Cloud was starting to really happen with agencies.

0:13:26.6 Raghu Nandakumara: Understood. So we'll come back to Cloud in a second. And you mentioned it yourself that some of these, there was the OPM breach in the mid 2010s. And of course, SolarWinds a couple of years ago, that I guess was the straw that broke the camel's back and maybe it forced the publication of EO 14028. So can you talk to us a bit about, you were there when these things were being formulated, right? Talk a bit about the process.

0:13:52.1 Sean Connelly: Sure. So a couple of things are happening. I'm not going to get into the politics of it, but there was also an administration change. Chris DeRusha, the federal CISO that was coming in, Eric Mill. Eric was part of that group that wrote the IT modernization report, I worked with Eric for a long time. There's a number of key individuals coming into government. And again, off of the SolarWinds compromise and reverberations from that, we, government, knew we had to be able to set new standards. No one's saying forget about the network perimeter, too much legacy tech, if you will, inside agencies. No one's saying get rid of the firewalls, but we need a more comprehensive architecture solution.

0:14:33.6 Sean Connelly: So going back to what you talked about, the Cyber Executive Order, there was a number of taskers in there toward OMB, toward GSA, toward CISA, toward NIST, about starting these conversations for how to move forward on a more comprehensive architecture solution. So again, a lot of those people, it's almost like a baton toss, if you will, from different groups. But there was, going back to the IT modernization report, there was a clear momentum or direction set in that. And then the Cyber Executive Order was able to manifest more particularly, and just like you're saying, focus on Zero Trust itself in ways that we didn't have that opportunity, I think, under like a prior policy or just legacy code and stuff.

0:15:19.5 Raghu Nandakumara: So without an incident like SolarWinds, or I think Colonial Pipeline was not many months after SolarWinds, did those just serve as providing great focus onto the importance of EO 14028? Or without those, would this order have been potentially delayed and maybe not got the importance and focus that it has had? 

0:15:44.8 Sean Connelly: Yeah, definitely. There was leadership attention in ways I'm not sure would have been there without them. SolarWinds recognized that really, the attacks really going on under the cover of SolarWinds was the focus on Microsoft and how the agencies had a lot of their critical data in different Microsoft Cloud tenants. And so we had to be able to, again, get a more comprehensive solution in front. One thing I think we missed when we went to TIC Three, it also happened, of course, just right when COVID happened, like the release of the TIC documents. And we were going to release the Cloud use case for TIC. The first use case, there was a number of use cases required for agencies when OMB released the TIC memo, M-19-26. There was a number of use cases and we were going to start with the Cloud use case, 'cause that's where I think the most attention was. But when COVID hit and the focus was on remote work, we were forced to change up and release a remote use case. There's a lot of the same capabilities between what you're doing to protect a remote user toward a branch office and then toward the Cloud.

0:16:48.2 Sean Connelly: There are some similarities, but there are some differences you want to call out. I think agencies were confusing the messaging and some people looked at what we did as, oh, we're just focusing more on the user. And that really wasn't the intention. So we had to release the Cloud use case at the end. Where we're going with this is, the whole time we were releasing these different use cases for TIC, we were also working with OMB, the White House, Clare Martorana's team at the federal CIO, and Chris DeRusha's team at the federal CISO, about how to have that more comprehensive solution architecture. So let's see, so with the Cyber Executive Order, and then right after that was released, a draft to the agencies of the Zero Trust Strategy memo from OMB. And again, that was part of the push to really start having discussions at the leadership level.

0:17:37.1 Sean Connelly: I understand from OMB, they were having discussions like with the deputy secretaries, which are usually the second in charge of the agencies themselves underneath the secretary. So it had the leadership attention, which is what... Listen to John Kindervag. This has to be Zero Trust, both the top-down alignment and bottom-up. And I'm more on the bottom-up side of helping push where I can, but we needed that top-down leadership. And like we were talking before the call, having a president available with this clarity saying, agencies, you need to move forward on this modernized cybersecurity architecture, certainly helped get everyone's attention.

0:18:10.3 Raghu Nandakumara: Oh, I mean standing on the outside of that, absolutely, when that came out, and then I think everything that has followed from that, I can't think of there being more excitement in the cybersecurity world about something that is coming out of a government in the way that that's driven it. When it dropped, for you being on the inside, did you feel... Well, this is a seminal moment in its sort of cybersecurity history and I'm in the middle of it?

0:18:37.2 Sean Connelly: Well, that's a good question. Never thought of or heard it in that way. It's been a number of like baton tosses looking back now. That may be looked at as like the critical moment where a lot of things got released. But having been at CISA and working with OMB and GSA, there was a lot of effort overall. It was a decade to get to that point. But clearly the response, the interest towards Zero Trust, where the government was looked at post cybersecurity after OPM and the conversation or expectation toward federal cybersecurity posture, towards where we are now and how we're being able to talk to you just in general and say, this is how the federal government's doing. This is what we're looking at. It's just a totally different shift. To your point, it's changed the narrative in a way I don't think anyone would've expected. And that's really a compliment, again, to OMB, the White House and the foresight in being able to position the architecture and the memos in a way to gain everyone's attention.

0:19:33.9 Raghu Nandakumara: Yeah, absolutely. And we were talking very briefly offline before starting this, that what is also particularly, I think, eye-opening and interesting about the memo is that coming from the White House and the office of the president, some of the detail and the specificity is unexpected... Unusually unexpected, but also very welcome, because we've seen too many, and we continue to see, like too many sort of regulations which are so high level that when you say, okay, what do I actually need to do? It's not particularly clear. So why was it so important to have that almost level of technical granularity in something that's coming out from the office of the president to drive adoption? 

0:20:19.2 Sean Connelly: No, that's a great question and we gotta be careful here because I could hear John Kindervag putting like pins in the Sean Connelly voodoo doll. While we can concentrate on the tech a little bit, it's really more about the cultural change that happens.

0:20:31.6 Raghu Nandakumara: Yes. Of course.

0:20:32.5 Sean Connelly: But to your point, there were always discussions about protecting the data in new ways. My old boss, Sarah Mosley, when she was the Chief Technical Officer at CISA, she was out there preaching, got to protect the data, back in 2015, 2016. ACT-IAC, which is another one of those quasi think tanks here in Washington, DC, they released a paper I think in 2018 about Zero Trust. It was out there. But to your point, until you start putting very tactical things into a Zero Trust memo, the Cyber Executive Order, that really gained everyone's attention. But even... And we can talk a little bit about this, even when we put in like agencies can move to Fast Identity Online, there were questions like, what does that really mean? There were, all the same time, going back to tech, we knew there needed to be changes in the way that agencies can connect to the Cloud and connect to their users, whether they are the remote users, enterprise users or customer base.

0:21:26.0 Sean Connelly: And moving that traffic through those physical TIC Access Points was not the way to move forward with modern infrastructure. So we needed to be able to release some pressure, offer new ways, so start to see agencies use Secure Access Service Edge, SASE, or Security Service Edge, SSE, solutions in ways that just wasn't possible before. So there has been almost, like you said, a very tactical way, pillar by pillar. And just to go back, sorry, a bit with OMB and that strategy, we aligned our release of our Zero Trust Maturity Model, so it complemented OMB's strategy. And so we said that we had those five pillars: identity, device, data, application, network, and OMB's memo came out that way, and just like you talked about, had for the identity pillar agencies need to do this, for the device pillar agencies need to do that. And they gave a very clear roadmap of how to raise security posture across the federal enterprise, but really the organizational changes that happen at the same time are critical for this.

0:22:31.1 Raghu Nandakumara: Yeah, and I agree, and I think that the words you used there were really good about, it's really about forcing a cultural shift or a strategy shift, but just specifying that without at least some level of tactical detail means that it's very hard to then pin people down, because it's like, okay, well show me actually what you've done, and the tactical bits help them show what they've done. So you spoke about the Zero Trust Maturity Model, and there was, I think, 2.0 that was released last year. 1.0 was a couple of years ago. Talk to us about, I mean that's fairly sort of quick, hot on the heels, to release sort of the second version. Why did you feel it was necessary to sort of push through with that second? What are the key learnings from the first version, of the implementation, of that feedback, that informed the improvements and enhancements in 2.0? 

0:23:22.3 Sean Connelly: Yeah, that's a great question. So let's start out this way. So we released the first version in summer of 2021. The same time OMB released the Zero Trust Strategy draft. And really, even though we released version one because I think it was required of us in the Cyber Executive Order, in reality it was more of a draft. We wanted to just get something out there. One of the reasons we wanted to release at the time was agencies were responsible for sending in their Zero Trust implementation plan to the White House, and from ourselves at CISA and OMB, we wanted agencies to have like a common taxonomy. It's common language when they're talking to us, because, respectfully to OMB, ourselves, it's gonna be difficult reading a hundred plus plans if they don't have some commonality. So we released the maturity model to help guide the agencies and shape the agencies' discussion.

0:24:11.8 Sean Connelly: When they came to us and told us how they are improving, and released it, we knew we were gonna have to do a second version. So what was interesting, I mentioned those implementation plans that the agencies had to release to OMB, and then the spring and summer 2022, there was a Tiger Team with ourselves and OMB and some other agency SMEs. And we went through agency by agency the number of implementation plans. There's 20, 25 CFO Act agencies, all required agencies, and then a number of the small agencies too. We went through, again, team by team through those and had these discussions with the agencies, to understand where they were on their Zero Trust journey. All that got then reflected into that version two of the memo that we released about, I think, April of last year. So really.

0:24:58.9 Sean Connelly: It reflected those discussions. Again, a 100 plus working group meetings with agencies, a lot of meetings with the different vendor community itself, and then academia. At the same time, there was an interest from other governments. And so ourselves and other groups were talking to different governments, like how is the federal government moving forward on Zero Trust? How are you supporting connection to the Cloud? And so all of those types of discussions fed into that maturity model. One thing I mentioned before, one of the first tasks for agencies was for being able to move to Fast Identity Online, FIDO2.

0:25:32.9 Sean Connelly: And to your point you were talking about before, you can put language into policy, but still, agencies still want to know, is this what you really mean? And for a decade plus now, agencies have been living off their PIV or CAC card, where you see federal government employees and they have their card, but we needed other ways to be able to move multi-factor, phishing-resistant MFA forward. So in that policy, OMB had the foresight to put in the ability to use FIDO, but in those discussions in 2022, almost every agency, we had to go and discuss what we meant by it because it was... Identity is kind of one of those funny industries in terms of agencies, how they respect it.

0:26:14.2 Sean Connelly: Some agencies have like an identity council, other agencies have an identity SME, or if you just even ask the agency, who leads the identity strategy for your agency? Is it the Active Directory group? Is it the PKI group? Is it like the Cloud, or the people that run the Cloud accounts? And so each of those, we really had almost to get in front of and explain to them what we meant by being able to use Fast Identity Online, or just reflective of some of the questions that were coming at us at each of the different pillars out of the strategy.

0:26:40.5 Raghu Nandakumara: Awesome. So if you were to sort of boil down some of those key bits of feedback that you received when you were looking across all of these plans, what were the most significant bits of feedback that informed the updates to the maturity model? 

0:26:54.7 Sean Connelly: You mean version two, right? The different version? 

0:26:57.9 Raghu Nandakumara: Yeah. Yeah.

0:26:58.9 Sean Connelly: Yeah. Just to give a perspective. It's a 20-page document, and not even including all the working groups we just talked about. Just when we had the public RFC in September, I think, of 2021, we had over 300 plus comments, or 200 plus pages and 300 plus comments on a 20-page document. So it took a while to distill the common themes that you're talking about. Of course, some vendors want to position their tech. We had to take the tech spiel out of that and make sure we're really talking about what we're trying to do, what's our intent here. We put prioritization on what the agencies wanted. So for example, agencies wanted, this kind of was interesting, was more information about how to deprovision devices. There's a lot of support, okay, let's bring something online, but it's not much about deprovisioning. So we wanted to enforce that, start having the agencies think how they have to deprovision stuff.

0:27:49.4 Sean Connelly: I mentioned the MFA, the phishing-resistant MFA and FIDO2 alignment. We put stronger language both toward that in V2. Another thing was on the network side was more toward micro-segmentation, and it was interesting. So we, again, talking to the community, it's really about application segmentation. So there's application segmentation going in the app pillar, but we're doing it through different networking tools, and we decided to put it in the networking. And to be fair, all models are wrong, some models are useful, and we're just trying to release this. We're not saying this is the only way to look at it. This is when we talk to agencies, when we talk to the community, just help the agency understand, or the community understand, what does CISA mean? 

0:28:31.0 Sean Connelly: We're not saying we're certainly right in what we're talking about toward application security, segmentation, should it be the network pillar? Another one is encryption. Some communities thought that the encryption should be, I think, in the data pillar. I think we have it in either the network or application pillar. So there's just a lot of different ways of positioning. I'm definitely not here to say which is right or wrong. Another maturity model that's out there is... I mentioned Randy Resnick before, Department of Defense, their Zero Trust. DoD's got a lot of great information out there. They've got strategy, they've got the reference architecture, they lean into a lot of the capabilities and controls. I think they have seven pillars going across. We have the five pillars I mentioned before, and then three cross-cutting capabilities: visibility, automation, and governance.

0:29:20.2 Sean Connelly: We're just... Really, honestly, a lot of this is just aesthetics. When you listen to Randy's talk, when you listen to us, we're saying the same thing, just slightly different to give it a little different optics and help people understand. Because one of the things I do, I come from a marketing background, and one of the things you hear about is you've got to explain something seven times, seven different ways. And that's what we're trying to do here, just help explain this in different ways, the intent. I'll go back to what John Kindervag was positioning 10 plus years ago.

0:29:48.1 Raghu Nandakumara: Yeah, absolutely. And my mind's also racing with all the things that I can react to in everything you've just said, but let's start with the last thing first. I think being able to frame it in any number of ways, ultimately, I think, as Zero Trust practitioners, really what we want is for the agencies, for organizations, etcetera to adopt a Zero Trust strategy, and then execute on the tactics to mature their posture. And so whatever way we tell that story, as long as one of those ways resonates, that's great. So having multiple ways to tell it is really important. Let's talk about that path towards maturity in the ZTMM, if you'll let me call it that. You've got those traditional, initial, advanced, and optimal stages, and you have these mapped out for each of the pillars. When you initially released the maturity model, and then of course the follow-up in 2.0, did you initially see organizations heading headlong into getting up to maturity in one pillar before they then moved to the next pillar? Because I see that reflected in some of your 2.0 wording.

0:30:52.4 Sean Connelly: Yeah, that's a great point, and something I didn't even mention about the difference between V1 and V2. V1 has its traditional, advanced, and optimal, and in V2, we have traditional, initial, advanced, and optimal. And we really needed to put that initial in because there's such a wide distance, if you will, between traditional and advanced, and we needed it some way.

0:31:15.4 Sean Connelly: For initial, to be able to just have an agency or organization understand when they are starting out on their journey. And so it was critical for us to have initial in there. But to your point, a lot of the language, we talked to a lot of organizations, a little different in the civilian executive branch agencies where they're already starting journeys, but we're talking to a lot of agencies that are still in the traditional and just starting out. And so just migrating from traditional to initial is where a lot of the greater set of organizations are. But to your point, like the pillars themselves, again, we intentionally made it abstract in a way, so it could be broadly interpreted. But we have heard some, like believing we need to get to the optimal identity pillar before we can focus on the network pillar.

0:32:02.7 Sean Connelly: And that was really not the intent of our model in terms of categorization or how we align them. Ideally, organizations are gonna be moving in parallel in the different columns themselves. And a lot of them, what my focus and John Kindervag's focus were on, I think some of the stuff you see from Zero Trust really started out more on the network side. So I think some agencies, or organizations, were already a little more advanced, if you will, on the network versus the data pillar. In general, going back to where we started this conversation, a lot of this is about data security in new ways, but I think the data security pillar has been the weakest and where we had the most to do. And we've almost, again, I realized this when we started writing the maturity model, it's almost like we put these other categories, application and device and network and identity, around data 'cause we just couldn't really get the handle on data at scale in ways we can now.

0:32:56.1 Raghu Nandakumara: Yeah. Oh, I completely agree. I think also in terms of that, the way you move on the maturity model, and I think the mountain climbing graphic that you've got in the doc is appropriate, because it really is sort of, and if I think back also to your IT modernization report, it's that risk-based approach. And if I think about that path up the mountain, it's what is the low hanging fruit or the next easiest step I can take to get me to the next stage. And I kind of zigzag, zigzag up the way, and it could be between... And that zigzag could take me from one pillar to the other, because the next obvious thing based on my risk assessment is in a different pillar to where I'm focused today.

0:33:44.6 Sean Connelly: Yeah. Just a personal note. So we released the maturity model I think in April of last year. And within a week, just by coincidence, Kevin Mandia, and everyone knows Kevin Mandia, was presenting at RSA Conference and he took that maturity model mountain and put it into his deck. And I'm sure, to get the talking points and get them approved by everyone is pretty monumental. But for them to be able to put that mountain in a deck was pretty complimentary to us. But full disclosure, it was John Simms, my colleague. He was more the one pushing for that mountain. It has resonated. I think the tease though is when you get to the summit of that mountain, it's really a mountain range. There may be mountains beyond you. Not to kill the analogy, but the reason I say that is because that optimal, we'll move the flag, we'll move the goalpost at some point. Tech evolves. We'll need to define optimal in new ways. But yeah, for some reason, to your point, that has resonated, going up the mountain, in a way I didn't see coming.

0:34:48.5 Raghu Nandakumara: Yep. I really like it. So how are... So if we think about progress that the agencies are making, how are they tracking this? How frequently is it being tracked and how are they being held accountable? 

0:35:02.0 Sean Connelly: Yeah, I will tiptoe around that. I have the luxury of being an architect over at CISA, we're focused on the cybersecurity. But to be absolutely fair, that is a priority question for the Office of Management and Budget, The Hill. And we have a team that's helping answer those questions themselves. There is a critical need to have measurement. So going back to the strategy, the federal Zero Trust strategy, agencies are being measured against how much of their fleet, if you will, their ecosystem, has phishing-resistant MFA on it. How much of their data in the Cloud has data categorization? So there are measurements, thankfully, going back to what we talked about before, in the memo itself to measure that, and for each of those, to me, it's the trending that I can see. I don't wanna get into a deep dive on which agency versus which agency's doing what.

0:35:52.3 Sean Connelly: But it's more, we are clearly seeing a push towards phishing-resistant MFA in the last few years, and that can only help the federal government and help the citizens in terms of being able to use these networks securely. We're seeing a clear trend toward agencies moving off of what we talked about with TIC One, TIC Two. A number of federal agencies had to use commercial TIC providers. They're called MTIPS providers. They're a managed service that a few different vendors provide. And agencies for years have been asking for other solutions besides MTIPS. It's very costly. It's very inefficient, like I talked about with the TIC access points. We're starting to see agencies move off of MTIPS solutions and be able to move on to SASE solutions, Security Service Edge solutions, in ways that clearly not only create more efficient networks, but better security overall and better visibility. So there are clear trends for each of those pillars that complement, going back to claiming success, if you will, on some of those different taskers out of the strategy.

0:36:55.0 Raghu Nandakumara: Awesome. And I recall, when the memo was published and the expectations were set, there was sort of a need to see significant progress by fiscal year '24. From your perspective, are the agencies on their way to sort of achieving that? It seems so.

0:37:15.1 Sean Connelly: Yeah. So the OMB is working with the agencies to measure some of that. But again, it goes back to the... Phishing-resistant MFA adoption is critical. Being able to deploy, I didn't really mention endpoint detection and response, EDR, there's a large push to having a greater number of devices supported with some type of endpoint detection and response agent in there. The network side, I mentioned SASE, so we are... Or I'd say measuring. We are working to ensure that we, CISA, still gain visibility, 'cause it's critical for our mission, as agencies are moving onto these new platforms. So there are a number of ways that OMB and The Hill and different organizations, I think even GAO, to be responsible and mention them, are measuring in new ways.

0:38:01.4 Raghu Nandakumara: So what happens? So we're in fiscal year '24, that comes and goes. We've made the progress that was desired. What now happens to sort of provide the impetus for the next stage of progress? Or is the momentum sufficient that now sort of the agencies will sort of... They're on their merry way and they'll continue?

0:38:30.4 Sean Connelly: No, that's a great question. From my perspective, I'm able to say OMB is a team captain on Zero Trust and some of this we'll have to wait to see what comes out of OMB, but there are discussions about how to... What's the next step to your point.

0:38:35.0 Raghu Nandakumara: Okay. I just remember you were talking about the comments that were sort of provided back on the Zero Trust Maturity Model 1.0. And I remember sort of providing comments on behalf of our company. But I do remember, I think the point you made about certain vendors essentially just chucked in their entire product documentation and said, okay, this is how you deploy our product to do X. And I see, and I remember seeing sort of versions of that in some of the revisions that we got to review and provide comments on. And I remember going and sort of rewriting it from the perspective of, this is kind of the capability you're trying to introduce and this is why, etcetera. So if you dig through your comments, I'm sure you'll come across things that I've commented on at some point.

0:39:17.4 Sean Connelly: I've got a different way to spin that though. One of the positions I hold is that I'm an alternate board member on the tech modernization fund, the Technology Modernization Fund, TMF, just for everyone's awareness. TMF is a solution for agencies that may not be able to get funding through normal channels. Both Congress and the White House were able to, I think in 2018, create this other alternative way for agencies to submit proposals to the TMF. It's run out of GSA, in close alignment with OMB and ourselves.

0:39:47.2 Sean Connelly: It's just a number of agencies, but it's a way for agencies to send proposals in on how to modernize a system in a new way. But when we have those discussions, I look at the TMF website a lot. You can read right on the front page, there's articles about how there's modernization of systems for an agency, for farmers, so they're gonna process their data faster. There's another award that went to an agency for businesses being able to get customs goods through the ports faster.

0:40:16.1 Sean Connelly: Another one toward veterans and getting their services, their service benefits, faster. What you don't hear me saying is that those agencies may have been awarded something for MFA, or that the agencies may be shifting to the Cloud and taking advantage of the Cloud's data tagging and data categorization. But embedded in each of those awards and other ones are the Zero Trust principles, the Zero Trust tenets. And that's what it's all about with TMF, getting either services, funds or information to people faster. And so a lot of that is done, again, we ideally want the Zero Trust tenets and the products to be baked in.

0:40:55.0 Sean Connelly: So like you're talking about with vendors and how they came to us with their comments and their services and their intellectual property, we were able to distill out, okay, what is the real intent here? Where's the real value? And use that to inform the maturity model.

0:41:07.8 Raghu Nandakumara: Awesome. So what do you see as the... When you look forward and you think about, okay, the continued maturity of Zero Trust across agencies, what do you see as sort of the key challenges that you foresee going forward? 

0:41:23.3 Sean Connelly: Yeah, so let me answer a little different. Like, what has been the challenge that's really started to unlock in the last little bit? Honestly, this, I think it was actually more in the cyber executive order, again, the precursor to the memo, but there is a need for each agency to have a Zero Trust SME, Subject Matter Expert. We've watched how that role has bounced around inside some agencies, where, and this is just an abstract example, it may have started out where the Zero Trust SME was in the CIO office, and then it may go to the CISO office, and then it may go to the CTO.

0:42:00.8 Sean Connelly: And it's been indicative of, like, just trying to understand how do you position the Zero Trust principles and the ideas, and then we call it the discipline, inside the agency? And don't get me wrong, there's no perfect answer. Some agencies have done more like Zero Trust councils, and they brought in some of their SMEs from the different pillars, if you will, like identity SMEs and their network SMEs. Other agencies have done more where they have almost a single person or a single office lead that for that agency.

0:42:28.9 Sean Connelly: Some of it was just positioning of the organizational changes that are happening within the agency itself, going from, a lot of the time, like as agencies are moving to the Cloud, how those organizational changes happen. So before, a lot of the network operations or security operations for data center security, data center operations, focused on packets and focused on making sure we got our PCAP and have our IDS or having our sensors in place. Well, all that type of visibility changes in the Cloud. And so having the organizational changes in place, so agencies now have the right type of SMEs to balance out. Sometimes you still see it with the Cloud providers.

0:43:08.2 Sean Connelly: They are having to provide, I don't wanna call it legacy, but some of the primordial services. So PCAP is one we always hear that the vendors are having to go back and support. I think Cloud providers in general didn't think SOCs and NOCs would want to have that raw packet capture, but that's how a lot of organizations, I'm not just speaking for the federal government, I mean just in general, a lot of organizations still have that desire, have tools or have playbooks based around packet capture. And so there is still that organizational change that is happening, in different organizations at different rates, that is key, I think, to being able to take advantage of Zero Trust, Cloud native, more modern solutions.

0:43:51.6 Raghu Nandakumara: I mean, that I think opens up another can of worms, which is an entire separate podcast episode, which is about sort of how, as you modernize, you avoid lifting some of your legacy debt and bringing it with you.

0:44:08.6 Sean Connelly: Sure.

0:44:09.7 Raghu Nandakumara: And adopting new techniques and procedures? But that's for when you come back to the podcast, Sean, we'll have an entire episode on that. So just a couple of things before we wrap, taking a bit of a global perspective. I'm sure there are governments globally, many sort of allies of the US that look at the success that the US agencies are having with the adoption of Zero Trust and seeking to adopt similar approaches to drive their security modernization. Are you able to, put some context, some details about how you're seeing the proliferation of Zero Trust beyond the borders of the US? 

0:44:48.7 Sean Connelly: Sure. I'll be careful here, but there have been discussions with agencies, some of the other governments. Some of the discussions are towards FedRAMP, and just in terms of the program that FedRAMP is, some governments are still starting to stand up their version of FedRAMP inside their country. Some countries have done what we did with TIC Two in terms of this data or this network aggregation going out of these finite TIC access points. And now the governments are in the same place where there's Cloud, there's mobile. And so governments are coming to us: how do we take advantage of that Secure Access Service Edge solution or the SSE solution? So we are having those types of discussions. Another one, going back to the phishing-resistant MFA. That's another area, again, I think where the federal government is a little different where it had those PIV and CAC cards, but a little different to other governments. But you are seeing a clear interest now in FIDO2 solutions. So it's a broad spectrum of those discussions, not just positioned toward what CISA does, but again, Cloud evolution and just data sovereignty is another area where we hear a lot of questions.

0:45:56.7 Raghu Nandakumara: Awesome. Okay. So to wrap, because unfortunately we do have to bring this to an end. So you're in a meeting room, kick off with a new agency, and they're about to start their Zero Trust journey. And they say, Hey, Sean Connelly, Federal Zero Trust Architect, we have no clue what Zero Trust is. Can you enlighten us on what we're getting ourselves into? What do you say? 

0:46:23.1 Sean Connelly: So that'd be interesting because there are no new agencies in the federal government. So a lot of this is very old technology. We've got some of the oldest tech, right? No one's saying to NASA that they need to put phishing-resistant MFA on the Voyager satellites 10 billion miles away, or need to put an EDR agent on the Martian rover. So it's not as much about a new organization, but to your point, where I think you're going with the question, I mentioned John Kindervag a couple of times. I had the pleasure of working with John a few years ago on a different report to the president, from the NSTAC. I always get this wrong. I think it's the National Security Telecommunications Advisory Committee. That document's available on CISA's website. If you just type in NSTAC Zero Trust, it should come right up. But in that document, one of the things that's in there, and this is what's great about collaborating with John, was John puts in the five steps for Zero Trust. And John, to his credit, is always saying Zero Trust is really easy.

0:47:23.7 Sean Connelly: So in that document are those five steps. The first one is define the protect surface. And that's the first step. Now that's different than where we were with TIC Two. It was like, whatever you're trying to protect, you're trying to protect the mainframe, trying to protect something in the Cloud, put it behind the TIC. There was no defined protect surface. In Zero Trust it is, what are you trying to protect? Now that you have that first step, the next step is mapping the transaction flows. One of the key things though, going back to what we just talked about with transaction flows, we don't just mean system to system, client server. Yes, those are important, like some type of packet capture or some other way. But it's also the organizational. Who's talking to who? How's the firewall team talking to the accounting team or to the organization itself?

0:48:05.7 Sean Connelly: So those types of flows are critical here. Then you start building out this new architecture. And again, it's data-centric solutions, where you're ideally trying to put security closer to what's being protected. Part of the key, going back to the maturity model, is that as you're building out this new system, you ideally want to start getting different signals from each of those pillars. From the network pillar you want a signal, from the host device you want a signal, from the identity you want a signal. All those signals then can feed into the fourth step, which is creating the policies. I mean dynamic policies. So as a client is talking to a server, there can be access for that. But also, again, organizational policies themselves. And then the fifth step is to both monitor and maintain it. So those five steps, where you start to define the protect surface, map the transaction flows, build out the architecture, define the policies, and maintain and monitor. Those are the five steps, and the things I would start with on that question.

0:49:01.6 Raghu Nandakumara: Awesome. Well, Sean, I mean, I have so many more questions for you, but I know you've got a busy day to get back to. So I thank you so much for this time today. Really appreciate it. It's been fantastic speaking with you.

0:49:12.9 Sean Connelly: No, this is great. You clearly know network modernization. You know where we're going. This has been a fun conversation. Thank you so much.

0:49:18.7 Raghu Nandakumara: Thanks so much. Sean.

[music]

0:49:21.1 Raghu Nandakumara: Thanks for tuning in to this week's episode of The Segment. We'll be back with our next episode in two weeks. In the meantime, for more Zero Trust resources, be sure to visit our website, www.illumio.com and find us on LinkedIn and X using the links in our show notes. That's all for today. I'm your host, Raghu Nandakumara, and we'll be back with more soon.