Protecting Data in New Ways
In this episode, host Raghu Nandakumara sits down with Sean Connelly, Former Director, CISA Zero Trust Initiative Office, to discuss the evolution of network architectures; why incidents over the past 5 years have catalyzed a greater federal focus on cyber resilience, and specifically Zero Trust; and how CISA is thinking about protecting data in new ways.
Transcript
00:03 Sean Connelly
Looking at data security in new ways, but I think the data security pillar has been the weakest and we had the most to do.
00:12 Raghu Nandakumara
Welcome to The Segment, a Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation company. On today's episode, I'm joined by a very special guest, Sean Connelly, Former Federal Zero Trust Architect at the Cybersecurity and Infrastructure Security Agency, or CISA, for short. Sean was also the Trusted Internet Connections Program Manager at CISA within the Department of Homeland Security (DHS). He joined the DHS back in 2013 and has served in a variety of roles since then. He was a lead author on the IT Modernization report to the president in 2017 and co-authored NIST's Special Publication Toward Zero Trust Architectures in 2019. We recorded this episode back in February, so while Sean has since moved on from CISA, you'll hear him speak from his perspective when he still worked there. We discuss the evolution of network architectures, why incidents over the past five years have catalyzed a greater federal focus on cyber resilience and, specifically, Zero Trust, and how CISA is thinking about protecting data in new ways. So, it gives me great pleasure to welcome onto this episode of The Segment, Sean Connelly, Federal Zero Trust Architect at CISA. Sean, it's a pleasure. Thanks for joining us.
01:39 Sean Connelly
Oh, thank you. It's been a pleasure on my end. Very happy to be on The Segment. Thank you.
01:45 Raghu Nandakumara
Thanks so much. And it's super exciting for us because it's not often you get the chance to engage with someone who's had a direct hand in the authorship of Zero Trust mandates at the government level. But before we get into that, Sean, tell us a bit about your background and the career path that you've taken to get to being a Federal Zero Trust Architect.
02:07 Sean Connelly
Sure, so thank you. So, I've been around computers for a long time. Back in the early 80s, I had a side project where I used a TRS-80 Model III, a RadioShack computer. I was in the science fair and learned pretty quickly about user experience. Because at the science fair, I went to a private school, and an 80-plus-year-old nun was trying to use the computer. This is someone literally born back in the 1800s. And it's a little different trying to explain to her how to turn on the computer and what a syntax error means. But pushing forward, so then I got more into security or networking for security. In the 90s, I installed a ton of Cisco routers, Cisco switches, and that's really where I started to get to know the protocols. And you really, when you do routing, you've got to understand the protocols almost like the Wireshark or Ethereal level, to age myself a little bit. And then, naturally, from that network, you need to start worrying about the perimeter. Then getting into firewalls in the early 2000s. And then 2004 or 2005, I had the opportunity to work at the State Department. And the State Department, of course, 200+ embassies and posts around the world, the global network. Some of the most advanced persistent threats come in at the State Department. So, it really was a great experience for me, learning about the federal government, learning how a global network works. And then maybe in 2013, or so I believe, I had the opportunity to move over to NPPD, the old name for CISA, and I've been at CISA for the last 11 years or so. And really, that time at the State Department and time at CISA, my primary focus has been on that perimeter, specifically at the federal agencies. Depending on how you count, there are 100+ federal civilian, executive branch agencies, and we've been working with those agencies helping secure their networks and stop those APT types of threats at the perimeter.
And then Zero Trust came along, of course, new types of discussions, but really, it's for the last almost 20 years. It's been working with the federal enterprise and helping secure in different ways than I think we had before.
04:16 Raghu Nandakumara
Awesome. So, you spoke about the perimeter. And I think if we kind of look at the evolution of network architectures over the last 20 years, I think probably the greatest sort of evolution has been around that concept of the perimeter. And I know you've been involved in TIC one, TIC two, and more recently, TIC three. If you could explain to the audience how the nature of the perimeter has changed and why, then, the security requirements have to evolve with it.
04:46 Sean Connelly
Sure, that's a great question. So, a lot of what we started out with TIC one, TIC two. In the mid 2000s, the White House Office of Management and Budget, they had asked all the federal CIOs and federal CISOs a pretty simple question: "How many connections do you have on the internet? How many connections does the agency have to either partner networks or to the internet itself?" The number that came back was staggering. No one thought it was that many circuits or that many connections. It was over 4000 circuits split across, and this is just the civilian side, not even talking about DOD. So, really, the first discussions were around traffic aggregation. How could we not necessarily eliminate those 4000 Internet circuits but be able to concentrate and do what's called traffic aggregation of those circuits in a finite number of data centers, firewall stacks, known as TIC access points? And so that was the first thing: first concentrate the data. And then on top of that, now that we have the circuits to control and these finite number of TIC access points, let's start to put a standardized baseline security perimeter around those devices. And so again, this goes back to 2008, 2012, up to really about 2015 or so, when that common architecture was more focused on what we call the north-south traffic versus the east-west traffic. And it was really focusing all that data; it was called a TIC tax; we had a lot of agencies that had branch offices in the Midwest or the West Coast. But the agency's headquarters had their TIC access points on the East Coast. So now, even across America, the 40/50 milliseconds of time, and if the data center was over in the West Coast, some agency you have to go in across from LA over to DC, have their traffic go out as north-south traffic, and back across the West Coast. And there's literally a tax; it was a compromise.
And so that was when the discussions with cloud started to really evolve, and mobile started to erupt on the scene, that we needed to look at a different way. The procurement, the perimeter model, the legacy castle-and-moat model were never, I think, idealized even back then. Even back then, Cisco and the Jericho Forum, which I've heard John Kindervag talk about, talked about how we need to get de-perimeterization from the Jericho Forum. I think John talks about how sometimes Jericho is focused on like TLS connections, encrypted connections from the client to the server, but Jericho had a number of commandments in their original document. And one of them was something, I'm paraphrasing here, but like, "The more you can put security close to the data, the better it is." And that makes sense, right? And that was exactly the opposite of what TIC one and TIC two was. It was forcing the data, forcing the sessions through those firewall stacks. So that's really where the federal enterprise was, if you will, in 2015 or 2016, when we started on this new journey.
07:45 Raghu Nandakumara
It's interesting. You mentioned that point because one of the reports that you were a participant in authoring is the report to the President on federal IT modernization. In the executive summary, one thing that is really interesting is that you call out how these actions enable agencies to move from protection of their network perimeters and managing legacy, physical deployments toward protection of federal data and cloud-optimized deployments. The report also emphasizes a risk-based approach that focuses agency resources on their highest value assets. And I think that's really interesting because this almost directly leads to your focus in TIC three, which is away from sort of perimeters of the organization at large. But really moving that control and focusing on the security of the key things that you're trying to protect.
08:38 Sean Connelly
Yes, thank you for [mentioning] that report. I was one of a number of authors on there. And it takes time in the federal government to move some of the different bureaucracies or policy or mandates. And to your point, that was written in 2017. A lot of those co-authors were still with us when we started to roll out the TIC three guidance after the memo was released in 2019. But it took those number of years even though, to your point, we knew where we wanted to go, but it still takes a while just to shape the policy in a way to begin to force that change; I don't want to say it forces anything. But begin to have different opportunities and different possibilities. But just like it said, it's more about cloud optimization, data security, moving away, I wouldn't say moving away directly from network security, but having a balance between data security and network security.
09:29 Raghu Nandakumara
Yeah, I agree. And I think the way that this particular report and just that network modernization consolidation, the way it's phrased, I feel that sets the starting point for that shift towards adopting a Zero Trust approach.
09:44 Sean Connelly
No, literally, that was John Kindervag. I'll mention him 100 times in this interview probably, but back in whatever it was, 2010 or 2011, he was at Forrester and wrote that "Chewy Centers" document. Back then, I was at the State Department, and I was running around the State Department with that guidance, saying this is where we need to get to. Not sure how to get there. But this is exactly the framework that has moved forward. Honestly, at that time, I think we interpreted it more as a NAC solution, a network access control type solution. To be fair, NAC is moving security close to the data, you got like enforcement, if you want, on the switch and you got an agent or client, 802.1X, on the clients itself going to the switch. But even that, I think, was just part of the equation. It took a while for the discussion to evolve, and we saw what Google has been doing for the last 5-10 years from there when they got compromised about a decade ago, how they viewed it with BeyondCorp, and how they're doing encrypted data. So, I think all these discussions are going on. And then, like I said, just in terms of opportunity of timing, when that report came out in 2017, really Zero Trust was starting to resonate around the government in different ways. Up at NIST, this is pre-COVID, NIST was holding a number of workshops on Zero Trust. Every year, there's an annual gathering. NSA, they were having a large participation in those meetings. Randy Resnick, who was at the NSA at the time, now is the DoD Zero Trust Portfolio Management Officer, he was there. Some of the key authors of that IT modernization report mentioned were at these conferences. So, it was starting to percolate around; it just wasn't really in the policy per se, the Zero Trust. At the same time, you'd mentioned modernization; there was a TIC memo that modernized TIC. And so we tried to position the TIC three efforts to be able to support and align with Zero Trust as much as possible in there.
11:38 Raghu Nandakumara
Got it, because the other thing that I noticed, before we move away from the report on the IT modernization, is that it's really setting out the stall also for public cloud adoption by federal agencies. Why did you see this shift in moving away from being overly perimeter-centric and network-centric to being more critical-asset focused in terms of security? Why did you feel that it was essential to the adoption, or to accelerate the adoption, of cloud by federal agencies?
12:10 Sean Connelly
Well, unfortunately, we've had a number of case studies where it's shown agencies with a broad perimeter base, a lot of your focus on the perimeter, the adversary still getting in and them still being compromised. A lot of the efforts that you mentioned with the IT modernization effort actually came out of the OPM breach in 2015. And that was a response to the OPM breach. We'll probably talk about the cyber EO and the Zero Trust stuff going on in the last couple of years. A lot of that was focused on the SolarWinds breach. So sometimes there are these breaches, and it captures the attention of leadership and then forces these discussions in new ways. But to your point, cloud was going on long before the breaches happened. Of course, FedRAMP, the GSA-led cloud modernization or ATO process, has been around for about a decade, but it took a couple of years for the program to really stand up and start getting the different cloud providers to be supported in the FedRAMP program. I can remember when Matt Goodrich was celebrating like the number 20 CSP ATO around 2014 or 2015. Now, I think there are well over 300 different packages for ATO. So it just takes a while sometimes for this to happen. But yeah, the cloud adoption has happened. Just like you said, it's the same point. The larger, faster embracing of the cloud is starting to really happen at agencies.
13:27 Raghu Nandakumara
Understood. So, we'll come back on to cloud in a second. And you mentioned it yourself, some of those: the OPM breach in the mid-2010s. And then, of course, SolarWinds a couple of years ago, that, I guess, was the straw that broke the camel's back, and maybe it forced the publication of EO 14028. So, can you talk to us a bit about, you were there when these things were being formulated, right? Talk a bit about the process.
13:52 Sean Connelly
Sure. So, a couple of things are happening. And I'm not going to get into the politics of it. But there was also administrative change. Chris DeRusha, the Federal CISO, that was coming in. Eric Mill, Eric was part of that group that wrote the IT modernization report. Eric was there for a long time. There's a number of key individuals coming into government. And, again, off of the SolarWinds compromise and reverberations from that, we, as a government, knew we had to be able to set new standards. No one's saying forget about network perimeters, too much legacy tech, if you will, inside agencies. No one's going to get rid of the firewalls, but we need a more comprehensive architecture solution. So, going back to what you talked about, the cyber Executive Order, there were a number of taskers in there toward OMB, toward GSA, towards CISA, towards NIST, starting conversations for how to move forward and a more comprehensive architecture solution. So again, a lot of those people, it's almost like a baton toss, if you will, from different groups, but there was, going back to the IT Modernization Report, a clear momentum or direction set in that. And then the cyber executive order was able to manifest more particularly and, just like you're saying, focus on Zero Trust itself, in ways that we didn't have that opportunity, I think, under like a prior policy or just legacy code and stuff.
15:19 Raghu Nandakumara
So without an incident like SolarWinds, or I think Colonial Pipeline was not many months after SolarWinds. Did those just serve as providing great focus onto the importance of EO 14028? Or without those, would this order have been potentially delayed and maybe not got the importance and focus that it has had?
15:44 Sean Connelly
Yeah, definitely, there was leadership attention in ways I'm not sure it would have been there without that. With SolarWinds, that really, the warning attacks really going on, the coverage of SolarWinds was the focus on Microsoft and how the agencies had a lot of their critical data in different Microsoft cloud tenants. And so, we had to be able to, again, get a more comprehensive solution in front. One thing I think we missed when we went to TIC three, and it also happened, of course, just right when COVID happened, like the release of the TIC documents. And we were going to release the cloud use case for TIC, the first use case. There are a number of use cases required for agencies. When OMB released the TIC memo M-19-26, there were a number of use cases, and we were going to start with the cloud use case because that's where I think our most attention was. But when COVID hit and the focus for remote work, we were forced to change up and release a remote user use case. A lot of the same capabilities between what you're doing to protect remote users toward a branch office and then toward the cloud. There are some similarities, but there are some differences you want to call out. I think agencies were really confused by the messaging. And some people looked at what we did, and it was, oh, we're just focusing more on the user. And that really wasn't the intention. So we had to release the cloud use case at the end, but where we're going with this is, the whole time we're releasing these different use cases for TIC, we're also working with OMB, the White House, Clare Martorana's team at the Federal CIO, and Chris DeRusha's team, the Federal CISO, about how to have that more comprehensive solution architecture. So, let's see, within the cyber Executive Order, and then right after that was released as a draft to the agencies, the Zero Trust strategy memo from OMB. And again, that was part of the push to really start having discussions at the leadership level.
At OMB, they were having discussions like with the deputy secretaries, which are usually the second in charge of the agencies themselves, underneath the secretary. So, it had the leadership's attention, which is what, if you've listened to John Kindervag, everybody knew this has to be: Zero Trust is both a top-down alignment and bottom up. And I'm more on the bottom-up side and helping push when I can. But we needed that top-down leadership, and like we were talking about before the call, having a president available with clarity, saying, "Agencies, you need to move forward with a modernized cybersecurity architecture," certainly helped get everyone's attention.
18:10 Raghu Nandakumara
Oh, standing on the outside of that, absolutely. When that came out, and then I think everything that has followed from there, I can't think of there being more excitement in the cybersecurity world about something that's coming out of a government in the way that that's driven it. When it dropped, for you being on the inside, how did you feel? "Well, this is a seminal moment in sort of cybersecurity history, and I'm in the middle of it."
18:36 Sean Connelly
Well, that's a good question. I never thought I heard that in that way. It's been a number of like baton tosses. Looking back now, sure, that may be looked at as like the critical moment where a lot of things got released. But having been at CISA and working with OMB and GSA, there's a lot of effort overall; it was a decade to get to that point. But clearly, the response, the interest towards Zero Trust, where the government was looked at post cybersecurity, after OPM and the conversation, their expectation towards federal cybersecurity posture, towards where we are now, and how we're being able to talk to you just in general and say, "This is what the federal government's doing; this is what we're looking at." It's just a totally different shift, to your point. It's changed the narrative in a way I don't think anyone would have expected, and that's really a compliment again to OMB, the White House and their foresight, and being able to position the architecture in the memos in a way to gain everyone's attention.
19:33 Raghu Nandakumara
Yeah, absolutely. And we were talking very briefly offline before starting this that what is also particularly, I think, eye-opening and interesting about the memo is that, coming from the White House and the Office of the President, some of the detail and the specificity is unexpected, unusually unexpected, but also very welcomed, because we've seen too many, and we continue to see too many, sorts of regulations which are so high level that when you say, "Okay, well, what do I actually need to do?" it's not particularly clear. So why was it so important to have almost that level of technical granularity in something that's coming out from the Office of the President to drive adoption?
20:19 Sean Connelly
Now, that's a great question. And we got to be careful here, because I could hear John Kindervag putting like pins in the Sean Connelly voodoo doll. While we can concentrate on the tech a little bit, it's really more about the cultural change that happens. But to your point, there are always discussions about protecting the data in new ways. My old boss, Sarah Mosley, when she was the Chief Technical Officer at CISA, she was out there preaching, "You've got to protect the data," back in 2015, 2016. ACT-IAC, which is another one of those quasi-think tanks here in Washington, DC, they released a paper, I think in 2018, about Zero Trust, so it was out there, but to your point, until you start putting very tactical things into a Zero Trust memo, the cyber executive order, that really gained everyone's attention. But even then, we could talk a little about this; even when we put in like agencies can move to Fast Identity Online, there were questions like, what does that really mean? There were, all at the same time, going back to tech, we knew that we needed to change the way that agencies can connect to the cloud and connect to their users, whether they are their remote users, enterprise users, or customer base. And moving that traffic through those physical TIC access points was not the way to move forward in modern infrastructure. So, we needed to be able to release some pressure and offer new ways. So, we are starting to see agencies use secure access service edge (SASE) or security service edge (SSE) solutions, in ways it just wasn't possible before. So, there has been, almost like you said, a very tactical way, pillar by pillar. And just to go back a bit with OMB and that strategy, we aligned our release of our Zero Trust maturity model, so it complemented the strategy. And at CISA, so we had those five pillars, right? Identity, device, data, application, network, and OMB's memo came out that way.
And just like it talked about, oh, the identity pillar: agencies need to do this. Well, the device pillar: agencies need to do that. And it gave a very clear roadmap of how to raise security posture across the federal enterprise. But really, there are the organizational changes that happen at the same time that are critical to this.
22:29 Raghu Nandakumara
Yeah. And I agree, I think that the words you used were really good about, it's really about forcing a cultural shift or a strategy shift. But just specifying that without at least some level of tactical detail means that it's very hard to then pin people down, because it's like, okay, well, show me actually what you've done. And the tactical bits help them show what they've done. So, you spoke about the Zero Trust Maturity Model. And there was, I think, 2.0, that was released last year. 1.0 was a couple of years ago. Talk to us about that. That's fairly sort of quick, hot on the heels, releasing sort of the second version. Why did you feel it was necessary to sort of push through with that? What are the key learnings from the first version, the implementation of it, and feedback that informed the improvements or enhancements in 2.0?
23:21 Sean Connelly
Yeah, that's a great question. So, let's start out this way. So, we released the first version in summer 2021. The same time OMB released the Zero Trust strategy draft. And really, even though we released version one, because I think it was required, it was in the cyber executive order. In reality, it was more of a draft; we wanted to just get something out there. One of the reasons we wanted to release at the time was agencies were responsible for sending in their Zero Trust implementation plan to the White House. And from ourselves at CISA and OMB, we want agencies to have like a common taxonomy, a common language, when they're talking to us because, particularly to OMB and ourselves, it's going to be difficult reading 100+ plans if they don't have some commonality. So we released the maturity model to help guide agencies and shape agencies' discussion when they came to us and told us how they are improving, but when we released it, we knew we were going to have to do a second version. So, what was interesting was that I mentioned those implementation plans that the agencies had to release to OMB. And then in the spring and summer of 2022, there was a tiger team with ourselves and OMB, and some other agencies' SMEs (subject matter experts). And we went through, agency by agency, the number of implementation plans; there's 20/25 CFO Act agencies, all part agencies, and then a number of the smaller agencies too. We went through again, team by team, through those and had these discussions with the agencies to understand where they were on their Zero Trust journey. All that got then reflected into version two of the memo that released about, I think, April of last year, so it really reflected those discussions, again 100+ working group meetings with agencies, a lot of meetings with the different vendor communities itself, and then academia. At the same time, there's interest from other governments.
And so ourselves and other groups are talking to different governments, like, "How is the federal government moving forward with Zero Trust? How are you supporting connecting to the cloud?" And so all those types of discussions fit into that maturity model. One thing I mentioned before, one of the first tasks for the agency was being able to move to Fast Identity Online, FIDO2. And to your point, you're talking about before you can put language into policy. But still, agencies still want to know, "Is this what you really mean?" And for decades plus, agencies have been living off their PIV/CAC card; we're using federal government employees, and they have their card. But we need other ways to be able to move multifactor, phishing-resistant MFA forward. So, in that policy, OMB had the foresight to put in the ability to use FIDO. But in those discussions in 2022, almost every agency, we had to go and discuss what we meant by it because identity is kind of one of those funny industries in terms of agencies and how they respect it. Some agencies have like an identity council; other agencies have an identity SME. Or, if you even asked the agency, who leads the identity strategy for the agency? Is it the Active Directory group? Is it the PKI group? Is it like the cloud, or the people that run the cloud accounts? And so each of those, we really had to almost get in front of and explain what we meant by using Fast Identity Online, or just reflective of some of the questions that are coming at us at each of the different pillars out of the strategy.
26:39 Raghu Nandakumara
Awesome. So, if you were to sort of boil down some of those key bits of feedback that you're receiving and looking at across all of these plans, what were the most significant bits of feedback that informed the updates to the maturity model?
26:52 Sean Connelly
You mean version two, right? A different version? Yeah, just to get a perspective. It's a 20-page document, and not even including all the workshops we just talked about, just when we had the public RFC in September, I think, of 2021. We had over 300 comments or 200+ pages, and 30+ comments, on a 20-page document. So, it took a while to distill the common themes. You're talking about, of course, some vendors want to position their tech; we had to take the tech feel out of that nature; we're really talking about what we're trying to do, what's our intent here. When we put prioritization agencies wanted. So, for example, agencies wanted, this kind of was interesting, they wanted more information about de-provisioning, about how to de-provision devices. A lot of, let's bring something online, and there's not much about de-provisioning. So, we wanted to enforce that, start having the agencies think how they have to de-provision stuff. I mentioned the MFA to phishing-resistant MFA and FIDO2 alignment. We put stronger language toward that in v2. Another thing, on the network side, was more toward micro-segmentation. And it was interesting. So, again, the document community, it was really about application segmentation. So, there's application segmentation going in the app pillar, but we're doing it through different networking tools, and we decided to put it in the networking. And to be fair, all models are wrong. Some models are useful, and we're just trying to release this. We're not saying this is the only way to look at it. This is when we talked to agencies. When we talked to them, it just helped agencies understand, the community understand, what does CISA mean. But we're not saying we're certainly right, and what we're talking about towards application security, segmentation sort of being the network pillar. Another one is encryption. Some communities thought that the encryption should be, I think, in the data pillar; I think we have it in either the network or application pillar.
So there's just a lot of different ways to position, and I'm definitely not here to say which was right or wrong. Another maturity model that's out there, as I mentioned Randy Resnick before, is the Department of Defense (DoD) and their Zero Trust. DoD has a lot of great information out there, they got a strategy, they got the reference architecture, they lean into a lot of the capabilities or controls, I think they have seven pillars going across. We have the five pillars I mentioned before and then three cross-cutting capabilities: visibility, automation, and governance. Really, honestly, a lot of it is just aesthetics. When you listen to Randy's talk and listen to us, we're saying the same thing, just slightly different, giving it a little different optics and helping people understand, because one of the things, I come from a marketing background, and one of the things you hear about is, you've got to explain something seven times seven different ways, and that's what I'm trying to do here, just help explain the intent in different ways. I'll go back to what John Kindervag was positioning 10-plus years ago.
29:45 Raghu Nandakumara
Yeah, absolutely. My mind is racing with all the things that I can react to in everything you've just said. But let's start with the last thing first. I think being able to frame it in a number of ways ultimately, I think, as Zero Trust practitioners, is really what we want, for the agencies, for organizations, etc., to adopt a Zero Trust strategy and then execute the tactics to mature their posture. And so whatever way we tell that story, as long as one of those ways resonates, that's great. So having multiple ways to tell it is really important. Let's talk about sort of that path towards maturity in the ZTMM land, if you'll let me call it that. You've got sort of those traditional, initial, advanced, and optimal stages, and you have these mapped down for each of the pillars. When you initially released the maturity model and then, of course, the follow-up in 2.0, did you initially see organizations sort of heading headlong into getting up to sort of optimal maturity in one pillar before they then move to the next pillar? Because I see that reflected in some of your 2.0 wording.
30:51 Sean Connelly
Yeah, that's a great point. And something I'd even mention about the difference between v1 and v2. V1 has traditional, advanced, and optimal. In v2, we have traditional, initial, advanced, and optimal. And we really needed to put that initial in because there's such a wide distance, if you will, between traditional and advanced, and we needed some way for an agency or organization to understand when they are starting out on that journey. And so, it was critical for us to have initial in there. But to your point, we talked to a lot of organizations; it's a little different in the civilian executive branch agencies, where they're already starting the journey. We're talking to a lot of agencies that are still in traditional and just starting out. And so just migrating from traditional to initial is where a lot of the greater set of organizations are. But to your point, the pillars themselves, again, we intentionally made abstract in a way so they could be broadly interpreted. But we have heard some say, like, we need to get to optimal in the identity pillar before we can focus on the network pillar. And that's really not the intent of our model in terms of categorization or how we align them. Ideally, organizations will be moving in parallel across the different columns themselves. And a lot of my focus and John Kindervag's focus, I think some of the stuff you see from Zero Trust, really started out more on the network side. So I think some agencies or organizations were already a little more advanced, if you will, on the network versus the data pillar. In general, going back to where we started this conversation, a lot of this is about data security in new ways. But I think the data security pillar has been the weakest and where we had the most to do. And we've almost, again, come to realize this. 
When we started writing the maturity model, it's almost like we put these other categories, applications, devices, networks, and identity, around data because we just couldn't really get a handle on data at scale in the ways we can now.
32:55 Raghu Nandakumara
Yep, I completely agree. I think also, in terms of the way you move on the maturity model, the mountain climbing graphic that you've got in the document is appropriate, because it really is, if I think back also to your IT modernization report, that risk-based approach. And if I think about that path up the mountain, it's what is the low-hanging fruit or the next easiest step I can take to get me to the next stage. And I kind of zigzag up the way, and that could well take me from one pillar to the other. Because the next obvious thing based on my risk assessment is in a different pillar to where I'm focused today.
33:43 Sean Connelly
Yeah, just a personal note. So, we released the maturity model, I think, in April of last year. And within a week, just by coincidence, Kevin Mandia, and everyone knows Kevin Mandia, was presenting at RSA Conference. And he took that maturity model mountain and put it into his deck, and I'm sure getting the talking points and getting them approved by everyone is pretty monumental. But for them to be able to put that mountain in the deck was pretty complimentary to us. But full disclosure, it was Johnson, a colleague; he was the one pushing for that mountain. It has resonated. I think the tease, though, is when you get to the summit of that mountain, it's really a mountain range, and there may be mountains behind you, not to kill the analogy, but the reason I say that is because that optimal, we'll move the flag, we'll move the goalposts at some point, right, as tech evolves, we need to add on in new and new ways. But yeah, so for some reason, to your point, that going up the mountain has resonated in a way I didn't see coming.
34:48 Raghu Nandakumara
Yep, I really like it. So if we think about the progress the agencies are making, how are they tracking this? How frequently is it being tracked? And how are they being held accountable?
35:01 Sean Connelly
Yeah, I will tiptoe around that. The luxury of being an architect over at CISA is we're focused on cybersecurity. But to be absolutely fair, that is a priority question for the Office of Management and Budget, the Hill, and we have a team that sits in there to help answer those questions themselves. There is a critical need to have measurement. So going back to the strategy, the Federal Zero Trust strategy, agencies have been measured against how much of their fleet, who in their ecosystem has phishing-resistant MFA on it, how much of their data in the cloud has data categorization. So, there are measurements, thankfully, going back to what we talked about before, to have the memo itself measure that. And each of those is, to me, trending. I don't want to get into a deep dive on which agency versus which agency is doing well, but it's more that we are clearly seeing a push towards phishing-resistant MFA in the last few years, and that can only help the federal government, help the citizens, in terms of being able to use these networks securely. We're seeing a clear trend toward agencies moving off of what we talked about with TIC 1 and TIC 2; a number of federal agencies had to use commercial TIC providers. They're called MTIPS providers. They're a managed service that a few different vendors provide, and agencies, for years, have been asking for other solutions besides MTIPS. It's very costly, it's very inefficient, like I talked about with the TIC tax. We're starting to see agencies move off of those solutions to be able to move on to SASE solutions and security service edge solutions, in ways that clearly not only create more efficient networks and better security overall, but also better visibility. So, there are clear trends for each of those pillars that complement, going back to claiming success, if you will, some of those different postures out of the strategy.
36:54 Raghu Nandakumara
Awesome. When the memo was published, and the expectations were set, there was a need to see significant progress by fiscal year 24. From your perspective, are the agencies on the way to achieving that? It seems so.
37:14 Sean Connelly
Yeah, so OMB is working with the agencies to measure some of that. But again, it goes back to phishing-resistant MFA adoption being critical. Being able to put in, and I really should mention, endpoint detection and response, EDR. There's a large push towards having a greater number of devices supporting some type of endpoint detection and response agent in there. On the network side, I mentioned SASE. So, we are measuring, as you'd imagine; we are working to ensure that we, CISA, still gain visibility, because it's critical for our mission as agencies are moving on to these new platforms. So, there's a number of ways that OMB and the Hill and different organizations, I think GAO, are responsible for measuring them; they're measuring in new ways.
38:00 Raghu Nandakumara
So, what happens next? We're in fiscal year 24, that comes and goes, we've made the progress that was desired. What now happens to provide the impetus for the next stage of progress? Or is the momentum sufficient that now the agencies are on their merry way and they'll continue?
38:21 Sean Connelly
No, that's a great question. From my perspective, I'm able to say OMB is the team captain on Zero Trust, and some of us will have to wait to see what comes out of OMB. But there are discussions about what the next step forward is.
38:34 Raghu Nandakumara
Okay, I just remember you talking about the comments that were provided back on the draft of Maturity Model 1.0, and I remember providing comments on behalf of our company. But I do remember the point you made about certain vendors essentially just chucking in their entire product documentation and saying, "This is how you deploy our product to do X." And I remember seeing versions of that in some of the revisions that we got to review and provide comments on. And I remember going in and rewriting it from the perspective of, this is the capability you're trying to introduce, and this is why, etc. So, if you think through your comments, I'm sure you've come across things that I've commented on at some point.
39:15 Sean Connelly
I've got a different way to spin that, though. One of the positions I hold is that I'm an alternate board member on the Technology Modernization Fund, TMF, just for everyone's awareness. TMF is a solution for agencies that may not be able to get funding through normal channels; both Congress and the White House, I think in 2018, created this alternative way for agencies to submit proposals to the TMF. It's run out of GSA in close alignment with OMB and ourselves at CISA. It's a way for agencies to send proposals on how to modernize their systems in a new way. But when we have those discussions, I look at the TMF website a lot. You can read right on the front page there are articles about the modernization of systems for an agency so farmers can process their data faster. There's another award that went to an agency so businesses can get goods through customs at the proper ports faster, another one toward veterans getting their service benefits faster. What you don't hear me saying is that those agencies may have been awarded something for MFA, or that agencies may be shifting to the cloud and taking advantage of the cloud's data tagging and data categorization. But embedded in each of those awards and other ones are the Zero Trust principles, the Zero Trust tenets. And that's what it's all about with TMF: getting services, funds, or information to people faster. And so, a lot of what has been done, again, we ideally wanted the Zero Trust tenets and the products to be baked in. So, like you're talking about with vendors, and how they came to us with their comments and their services and their intellectual property, we were still able to ask, okay, what is the real intent here? Where's the real value? And use that to inform the maturity model.
41:11 Raghu Nandakumara
Awesome. So, when you look forward, and you think about the continued maturity of Zero Trust across agencies, what do you see as the key challenges going forward?
41:22 Sean Connelly
Yeah, so I'll take a little different angle: what has been the challenge that's really started to unlock in the last little bit? Honestly, I think this actually goes back to the cyber Executive Order, again, the precursor to the memo, but there is a need for each agency to have a Zero Trust SME, subject matter expert. We've watched how that role has bounced around inside some agencies, where, just as an abstract example, it may have started out with the Zero Trust SME in the CIO office, and then it may go to the CISO office, and then it may go to the CTO. That has been indicative of how do you position the Zero Trust principles and the ideas, and then, we'd call it, how do you have discipline inside the agency? And don't get me wrong, there's no perfect answer. Some agencies have done more like Zero Trust councils and brought in some of their SMEs from the different pillars, if you will, like having identity SMEs and network SMEs. Other agencies have done more where they have almost a single person or single office lead that for the agency. Some of that was just the positioning of the organizational changes that are happening within the agency itself. A lot of the time, as agencies are moving to the cloud, how do the organizational changes happen? So, before, literally, the network operations and security operations for data centers, secure data center operations, focused on packets and focused on making sure we've got our PCAP and have our IDS or have our sensors in place. Well, all that type of visibility changes in the cloud. And so having the organizational changes in play, so agencies now have the right type of SMEs, balances that out. Sometimes, we still see it with the cloud providers; they're having to provide, I wouldn't call it legacy, but some of the primordial services. So, PCAPs, we always hear that the vendors are having to go back and support. 
I think cloud providers, in general, didn't think SOCs and NOCs would want to have that raw packet capture. But that's how a lot of organizations, and I'm not just speaking for the federal government, I mean just in general, a lot of organizations still have that desire, have tools or have playbooks based around packet capture. And so, there's still that organizational change that is happening, with different positions at different rates, that is key, I think, to being able to take advantage of Zero Trust, cloud-native, modernization solutions.
43:53 Raghu Nandakumara
I mean, that, I think, opens up another can of worms, which is an entire separate podcast episode, about how, as you modernize, you avoid lifting some of your legacy debt and bringing it with you while adopting new techniques and procedures. But that's for when you come back to the podcast, Sean. We will have an entire episode on that. So, just a couple of things before we wrap, taking a bit of a global perspective. I'm sure there are governments globally, many allies to the US, that look at the success that the US agencies are having with the adoption of Zero Trust and seek to adopt similar approaches to drive their security modernization. Are you able to put some context and details around how you're seeing the proliferation of Zero Trust beyond the borders of the US?
44:47 Sean Connelly
Sure, I'll be careful here, but there have been discussions with agencies of some other governments, and some of the discussions are towards FedRAMP. And just in terms of the program that FedRAMP is, some governments are still trying to stand up their version of FedRAMP inside their country. Some countries have done what we did with TIC 2, in terms of where they had this network aggregation going on, these finite TIC access points. And now those governments are in the same place where there's cloud, there's mobile. And so, governments are coming to us: how do we take advantage of that secure access service edge solution or the SSE solution? So, we are having those types of discussions. Another one, going back to phishing-resistant MFA, that's another area. Again, I think the federal government is a little different; we had PIV and CAC cards, a little different from other governments. But you are seeing a clear interest now in FIDO2 solutions. So, it's a broad spectrum of those discussions, not just positioned toward what CISA does. But again, cloud evolution and data sovereignty is another area where I hear a lot of questions.
45:56 Raghu Nandakumara
Awesome. Okay. So, to wrap up, unfortunately, we do have to bring this to an end. So, you're in a meeting room kick-off with a new agency, and they're about to start their Zero Trust journey. And they say, "Hey, Sean Connelly, Federal Zero Trust Architect, we have no clue what Zero Trust is. Can you enlighten us on what we're getting ourselves into?" What do you say?
46:22 Sean Connelly
So that'd be interesting, because there are no new agencies in the federal government, right? So, a lot of this is very, very old technology; we've got some of the oldest tech, right? No one's saying to NASA that they need to put phishing-resistant MFA on the Voyager satellites that are 10 billion miles away or put an EDR agent on the Martian rover. So, it's not as much about the new organization. But to your point, where I think you're going with the question, I mentioned John Kindervag a couple of times; I had the pleasure of working with John a few years ago on a different report to the president from the NSTAC. I always get this wrong. I think it's the National Security Telecommunications Advisory Committee. Those documents are available on CISA's website. If you just type in NSTAC Zero Trust, it should come right up. But in that document, one of the things that's in there, and this is what's great about collaborating with John, is John puts in the five steps for Zero Trust. And John, to his credit, is always saying Zero Trust is really easy. So, in that document are those five steps. The first one is to define the protect surface. And that's the first step. Now, that's different from where we were with TIC 2: whatever you're trying to protect, whether you're trying to protect the mainframe or trying to protect some of the cloud, put it behind the TIC. There was no "define the protect surface." In Zero Trust, it is, what are you trying to protect? Now that you have that first step, the next step is mapping the transaction flows. One of the key things, though, going back to what we just talked about with transaction flows: we don't just mean system to system, client-server, yes, those are important, like some type of packet capture or some other way, but it's also the organizational flows: who's talking to whom, who has a firewall between them, who's talking to the accounting team or to the organization itself. So those types of flows are critical here. 
Then you start building out this new architecture. And again, it's data-centric solutions; you're trying, ideally, to put security closer to what's being protected. Part of the key, going back to the maturity model, is that as you're building out this new system, you ideally want to start getting different signals from each of those pillars: the network pillar, you want signal from the host device, you want signal from identity, all those signals that can feed into what the fourth step is, which is creating the policies. Meaning dynamic policies. So, as a client, I'm going to a server, and there can be access to that, but also, again, organizational policies themselves. And then the fifth step is about monitoring and maintaining it. So, those five steps, which start with defining a protect surface, map the transaction flows, build out the architecture, define the policies, and monitor and maintain. Those are the five steps, and that's what I would start with for that question.
49:01 Raghu Nandakumara
Awesome. Well, Sean, I have so many more questions for you, but I know you've got a busy day to get back to. I thank you so much for your time today. Really appreciate it. It's been fantastic speaking with you.
49:13 Sean Connelly
No, this has been great. You clearly know network modernization, you know where we're going. This has been a fun conversation. Thank you so much.
49:20 Raghu Nandakumara
Thanks so much, Sean. Thanks for tuning in to this week's episode of The Segment. We'll be back with our next episode in two weeks. In the meantime, for more Zero Trust resources, be sure to visit our website, www.illumio.com, and find us on LinkedIn and X using the links in our show notes. That's all for today. I'm your host, Raghu Nandakumara, and we'll be back with more soon.