Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and this week I have the opportunity to go beyond the buzz on one of the biggest issues facing the cybersecurity community today, and that's Zero Trust. We're going to discuss its origins, challenges and best practices for implementation, and where we go from here. Couldn't ask for a better guest than the one we have today: Sean Connelly. I love to call him Sean Connery, which is a good thing because he was my favorite James Bond actor. But Sean Connelly is the Executive Director for Zero Trust Strategy and Policy at Zscaler. Just joined Zscaler after a distinguished career in the federal government. Ten years at CISA, the Cybersecurity and Infrastructure Security Agency, where he led Zero Trust initiatives and so much more. And prior to that, played significant roles in building the architecture at Department of State, NOAA and others. Brings the technical chops, the policy chops. So excited to go deep. Sean, thank you for joining us today.

Frank, thank you. Thank you very much.

No, it's really good. And you know, there's a lot of buzz around Zero Trust, but I thought we could start at the beginning and its origins, and at its core: what is Zero Trust? And then obviously we'll discuss why it's important.

Sure. I think to begin
with, you hear a lot of the discussions around Zero Trust go towards trust but verify. Right. That goes back to Ronald Reagan and the... I'm a Reagan fan, so don't shoot him. No, no, he goes and what he said to Gorbachev there. Right. During the treaty negotiations. And it sounds better in Russian. I think it's doveryai, no proveryai, or something. But really it's that theory of before, with IT systems. And for like the first 20 years, I think in the executive branch, agencies are building out these tools, but without a means to an end. That's what I mean by Zero Trust. Sure, you can put all these different types of technologies and tools on the network, but there needs to be a reason for it. That's where we go with Zero Trust, is being able to lower the risk, decrease some of the risk in the agencies' networks. Of course, we know we have some of the most high profile systems on the planet. The adversary has been trying to get into our systems for decades. And so we need to be able to have a framework, a strategy that everyone can gravitate around about lowering that risk and stopping the adversaries from getting inside our networks.

So sort of peeling that onion a little further
in terms of some of the strategy, what were some of the key events or challenges that led the government to move and adopt some of these approaches?

Sure. So you can go back almost 20 years with some of this and these discussions. These are really what's called first principles of cybersecurity: minimization, segmentation, identity. But really it's only been the last maybe five, 10 years where we've been able to have the technology in place, and now the policy and interest in place, to move toward the Zero Trust framework. But if you look at how the architectures were built 10, 15 years ago, one of the programs I supported at CISA was the Trusted Internet Connection program, the TIC program. TIC came out in the mid-2000s when Karen Evans was the federal CIO, and before, I think like 2007 or 2008, OMB had this questionnaire going to the federal agencies, a simple question: how many Internet connections do the agencies have to the Internet? And the number came back, good luck. Came back, to your point, what's the Internet? Those type of simple questions: if we connect to a partner, is that external? But the number floored everyone. It was like around 4,000 connections to the Internet between these hundred plus different federal agencies. And it was concerning because I think the White House, OMB, ourselves at the old NPPD, at CISA, we didn't expect to have that large of a number. Federal CIOs and CISOs were thinking about growth and the growth of the Internet. They wouldn't be able to contain that. And so again, going back to Karen Evans, there was this initiative called the TIC initiative, the Trusted Internet Connection Initiative, to be able to start moving a lot of those connections to these finite number of TIC access points where you have these security stacks,
your firewalls, your sensors, or different detection mechanisms. And so for a long time the architecture that not only federal IT was on, but most commercial enterprises, was called the castle and moat solution. So all the traffic, whether it was email or web service or DNS, was all forced to route through these finite number of TIC access points. And a lot of those solutions, those connections, those firewall stacks, were in the D.C. area. So if you got a very large federated agency, with, you mentioned, State Department, with international embassies and consulates, or one of the ones that are more CONUS, all that traffic still has to route through typically D.C. to go wherever it has to go to. And that introduces inefficiencies, user inefficiencies, security inefficiencies. But that was the policy for 10 plus years. And then under Grant Schneider, when he was the federal CISO at OMB, we started having discussions about how do we move to a more modern security stack. And then outside, what was happening in the White House and executive branches, you started to hear this discussion around Zero Trust. And so you asked before, like, what is Zero Trust? And the easiest way to explain it, I'm a baseball fan. I go to a bunch.

Who's your team?

My team's the Yankees.

Uh oh, I'm a Mets fan. So nobody's perfect. The other subway.

Exactly. I'll go to a bunch of Nats games.
And like in the old, that legacy, the castle moat solution I was talking about before, when you go to a stadium, you may show your ticket once at the gate. But then, like in IT land, you can go anywhere in that stadium you wanted to. You can go onto the baseball field, go to the press box, the dugout. That's the old castle moat where you had that one checkpoint, that one TIC access point where you can review the ticket stub. You can go into Steinbrenner's box.

I wish. Maybe tell him how to run the team.

So and then in the more modern solution now, when you go to a baseball game, you still got to check your ticket at the front gate. But then when you go to your seats, there's probably going to be an usher there, there may be some other entrance for employees of the baseball team. So you have a much more granular solution, being able to minimize that movement we were talking about before. And that's what Zero Trust really comes down to, is how do we minimize and segment these different connections?

And it
seems like, and correct me if I'm wrong, but SolarWinds was a bit of a... had a lot of wind in the sails to build some momentum around this.

Yes, sure. So you go to 2020 and a change of administration. The change of, just when a new administration comes in, they're asking, you know, how can we look at this differently? At the same time, the TIC program, I mentioned Grant Schneider before, the TIC program policy just came out and agencies were trying to figure out how to get past network solutions. And then, to your point, SolarWinds happened, and it really, from a very high level, all the way from the Office of the President down, was everyone's asking, how do we look at cybersecurity differently? And that's where those discussions came out. You can point a direct line from SolarWinds, if you will, to the Cyber Executive Order that came out, 14028. There was a number of taskers in there about OMB and CISA and GSA, some other agencies, leading the discussions on Zero Trust and helping agencies move out on their Zero Trust journeys. And then there's other...

Go ahead.

There's other ones, too.

And on top of that, obviously, changes in
developments in technology. So the old perimeter security alone ain't gonna cut it, with the castles, the moats and any alligators and anything in between. The reality is the cloud drove a lot of this change, and other architectural issues. And I'd be curious what you thought some of those challenges were when looking at sort of the maturity models and the like.

No, that's exactly right. So, again, we go back to that TIC initiative and the way the agencies were forced to send their traffic through those finite TIC access points. But around 2015, just like you said, cloud started becoming prevalent. FedRAMP was getting off the ground there with Maria Roat, of course, and Matt Goodrich. Agencies were moving their assets to the cloud. The users themselves, with tablets and mobile devices, they were not on premise like they were 10, 15 years ago. The systems: email was moving to the cloud, DNS was moving to the cloud, web was moving. So pretty much everything was, it was just off premise now. And so it just didn't make sense to keep routing traffic through these static, small number of TIC access points. So, again, it was a combination of technology. Honestly, though, you know, we talked about how these are some cybersecurity principles from long ago. We could have done this 20 years ago at the scale we needed to. So at the time, TIC 1, TIC 2 was right. But we were able to advance forward for a number of reasons.
And I think it also requires a rethink in terms of endpoints to data itself. Is that fair?

No, that's great. So that's actually where a lot of what we're doing with Zero Trust, it comes back to the data itself, and we're moving security closer to where the data is. What we were doing with the old castle and moat was we were having to shovel that data off, again, through those TIC access points, move the data to where the security is. Now, at scale, the technology is in place. And it could be device protections on the phone, it could be protections that are in the cloud with the services getting protected. It could be the identity of the user, which now can get verified in a number of ways. We're able to look at this data, or secure this data, in new ways using telemetry and logging and different types of visibility.

Awesome. And can you give some use cases, some real
world examples of how it's being implemented by some of the federal agencies, and why does it matter? Why does it matter to the average citizen?

Sure. No, I think that's a great question. So one of the hats I wore, I was a board member of the Technology Modernization Fund, the TMF. The TMF at a high level is almost like a Shark Tank, where agencies were able to come in and pitch their proposals to this board made up of federal CIOs and CISOs. Myself.

Who are you? Mark Cuban or who?

Yeah, right. Yeah, yeah. There's about 10 of us. And the agency would come in saying, this is what we want to do in terms of modernizing our systems. And so I think that's a great way. And this is all available, it's all public on the TMF website at GSA, about how agencies were using Zero Trust to advance their mission. And I think, to answer the question, there's two ways to look at this. And again, this is through the lens of the TMF. Some agencies came with proposals, like Veterans Affairs. They wanted to be able to get services faster to veterans. Or Customs and Border Protection in DHS. They wanted to get the services or the goods, the importers and exporters, through the border quickly. Or different ones, like Department of Labor and HUD, just trying to help information get faster to these people. So sometimes, with Zero Trust, solutions are really about baking cybersecurity into whatever that mission is: getting funds, getting services, getting information faster. That's one way to look at this. The other way is more holistic, if you will, comprehensive, where the CIO, we call the enterprise CIO or CISO for the agency. Department of Education, Steven Hernandez is a great one. Bo Berlas, the CISO from GSA, is another one. They said, comprehensively, we across the agency want to advance our identity management solution, we want to modernize our networking solution. So from that way different proposals came, and it was more like, we are looking to advance our networking or our identity solutions and we're looking to use a Zero Trust framework to do that.

And you know, the best time
to implement significant change is at the get go. Right. I mean, you sort of mentioned baking it into the design. CISA has doubled down on Secure by Design, Department of Energy on Cyber-Informed Engineering, where it's not just the cyber ninjas that need to understand.

Exactly. Right.

Everyone else, yeah. And when we look at modernizing, I'll put you on the spot here, because do we need, for all the big IT tech spend, should there be a percentage that is devoted exclusively to cybersecurity?

I think that's one way to definitely consider.

Because if you're in OMB, you can get that crosscut.

Yeah, exactly right. I think we've had 10%, 12%, whatever it may be. Can we say for every modernized solution that comes out, there has to be a certain amount allocated? Maybe it's not, to your point, maybe it's not like a funding percentage, but maybe it says your system needs to do this, this and this requirements. Yes. Support this modern identity solution, be able to have, you know, different device protections or network protections. But absolutely there should be minimum, I don't want to call them baseline, but minimum requirements for that baked into all of these. I think that would definitely help.

And I just feel like it's a lot easier than trying to find all the workarounds and the Lego after the fact. And I feel like I've seen this movie over and over and over and over, and the one way we can actually do it right is at the get go. So it's not just the principles, it's also the acquisition processes where I think we can move the needle.

I think, to your point, one thing that was different about the Cyber Executive Order that came out, and I've been supporting different federal cybersecurity programs for, like you said, 15 plus years. What was different about the EO was this had the attention of the deputy directors, the assistant secretaries, you know, inside the agencies, the deputy secretaries. And so you had both this bottom-up momentum to help modernize these systems, and this top-down. Those associate secretaries are having to ask their, you know, their staff internally, how are we moving to Zero Trust? And so it was a different momentum post-SolarWinds across the federal government of how we can modernize a lot of these IT systems in new ways.

Awesome. And let's get to some of the challenges and best practices in terms of implementation. The nouns from the verbs.

Sure.

I mean, conceptually really important. But what were some of the initial, the most significant technical or cultural impediments?
You said the key word there, cultural perspective. I think a lot of people just looked at this as an IT solution, and it really is a different framework altogether. It's very important when we talk to agencies, or agencies that are talking to their stakeholders: Zero Trust is how you implement, remove trust from the systems. But trust is a human emotion. We still need these teams and the different organizations inside those agencies and their stakeholders to talk together in new ways. So you still want that human trust together. And I think when you use that label Zero Trust, sometimes people think it's, oh, everyone's going to be, you know, in this little finite corner by themselves. Yeah. So there's definitely a cultural shift that's continuing to happen. Another one, it takes a while.

It takes a long time to build trust.

No, you're exactly right. I think Chris DeRusha, before he left, in one of the papers that came out, I think OMB put like a 10 year timeline, or maybe like 2030, to be able to get some of these systems changed over. So it's going to be a multi, you know, time period to get this through. It's not going to be one presidential transition period. Same thing, even DOD, and we could talk about Randy Resnick and what they've done in the DOD themselves. They put, I think, 2027 or so to get some of these Zero Trust programs in place. So it's going to take years of...

Investment, commitment. Without calling out laggards, but lessons learned from anyone.
I figure the only way you learn is by playing the game. I mean, if you're a baseball player and you're never on the field, you're always gonna bat a thousand because you never get to play. But the reality is, what are some of the hard lessons and the scar tissue that others have learned along the way?

One thing that's interesting, I've, again, you said, seen the same movie over and over again. I've been involved in discussions around shared services, around, comprehensively, some of the small micro agencies that really have, I don't say no business, their mission isn't to be able to support laptops. There's a classic case that always goes about marine biologists at one of these micro agencies. He's a marine biologist by day, is the agency CISO by night. Right. And so how can we take away the IT infrastructure out of those agencies' hands, let them shift that focus.

Exactly right, focus.

Let the agencies focus on their mission. I mean, how much money is federal IT across all executive, hundreds of billions of dollars. We should be able to offer some, like, corporate services, shared services, offering these small micro agencies laptops, or identity like their PIV or CAC cards, cloud solutions, email solutions, just some basic services. And again, I think that's just one of the lessons learned. Those discussions have happened anew, I think, post this discussion around Zero Trust.

And Chris Inglis did underscore that in the national strategy. It was shifting some of that burden, and you can say the same not only at the federal government and some of our state, local, tribal, territorial partners, but also small and medium sized businesses. I mean, ransomware has made clear that everyone's a target.

Absolutely.

It's not just the Fortune 100 anymore. So I think that same model plays out not just in the government, but private sector.

No, I think there's definitely opportunities for some type of shared services across different critical infrastructure. It's another one we've had discussion about, how can we have shared services between them.

So how much is
enough? How much should we be investing in trust? I know that's a hard question. If you knew that, we wouldn't have to have this conversation. Possibly. But how much is enough?

I won't say a number, but I will say this. You know, as technology is continuing to advance, like we said, the adversary is continuing to advance. So I think we need to continually move the goalpost too. It's the only way to be able to look at this.

So it's not an end state, it's definitely the journey. Right?

Yeah. We created, for instance, myself, John Simms, and we led the release of a document called the CISA Zero Trust Maturity Model. And it has different stages for an organization: traditional, that castle moat we talked about, initial stage, advanced stage and optimal stage, where an organization should be. But if we release that same maturity model five years from now, I think the optimal stage would change, again moving the goalposts as technology and the adversary changes.

So I am going to ask you
the unfair question, kind of looking ahead. And you mentioned Yankees. So one of my favorite quotes is Yogi Berra, the future ain't what it used to be. So the reality is, what do we think this will look like in the future? Especially with the advent of artificial intelligence, learning. What should we be thinking here?

I'm hopeful, to your point, like with AI and ML, that we're going to start to see agencies' SOCs, or just community security operations centers, where the AI is able to take some of that mundane task out of the hands of these defenders and let the cyber defenders really try to figure out what's going on inside their networks. Taking the patching out of it, taking the low level grunt work out. So I'm hoping it takes a lot of time. And we've talked about this for a decade plus, there's security orchestration, automation and response, SOAR. We've talked about SOAR.

Ironically, we saw some vulnerabilities with that too a couple weeks ago.

Right, exactly right. Yeah, exactly right. So we gotta trust. But yeah, trust, trust or not. So there's going to be, I think, discussions around how do we use AI? Because one thing I think I've heard Phil Venables talk about, this is who...

We had on our podcast.

Yeah, that's right. That's right. With AI especially, AI depends on large data sets. And I think the defenders can be a little bit ahead of the attackers in a way, because as defenders, as a global community, we can support each other and share information. The attackers, more, they're, you know, whether it's a nation state or ransomware actor, they're a little bit more focused, or have to be a little more secretive. So I think AI can help, ideally, the defenders at a faster rate than, ideally, some of the attackers.

I do think, applied right, it can. I'm not sure it ever levels the playing field, because I think the initiative will always remain to one extent or another with the attacker. But I think it could level that playing field in a significant way. Utilized right, again, and maintained right. I mean, when we talk about Zero Trust, it's not just a single cost and then forget about it. The reality is it's not a SKU. It's not a single product, it's not a thing per se. It's many things
orchestrated to run. And I'd be curious what you think this means internationally in terms of us leading by example. How do we bring others on board? How do we bring those... Honestly, I have zero trust in some of these countries of concern.

No, to your point. NASA or NOAA talk about this. You know, the weather data that comes into NOAA, the space data that comes into NASA, some of their biggest stakeholders are Eastern European countries or certain Asian countries that they all share the data with, and they need to be able to share the data with these countries. So you need to be able to...

Life, death kinds of issues.

And so you need to be able to share the data in a trusted way, but recognizing who you're talking with at the same time. So I think that's definitely of interest. What's funny is, and I've had this talk with some others, OMB, the people who have, you know, left OMB and stuff, discussions we had, again going back to SolarWinds and post-SolarWinds, and how do we look about this differently. The last year, my time in CISA, other international organizations, it could be something like, you know, the EU or a NATO organization like that, or it could be countries themselves. They're just starting out on Zero Trust and they're just starting out on FedRAMP, and so a lot of those conversations we had four or five years ago, the international components just started to have those same conversations. So it's an interesting time to be talking about that.

And is it important for the US to lead in this?

I think absolutely. I think, to your point, for a couple reasons. A, you know, not only as the federal government be able to show, you know, I remember when OPM happened and federal government cybersecurity was like the laughingstock. It's a total change now; we're looked at as the federal government leading some of these modern cybersecurity postures. But at the same time, obviously, our relationship with Silicon Valley and technology, we are able to employ and use, and you know, the labs are able to utilize modern technology, I think, ahead of where some other countries can be able to use them, or we can
get to it first.

So sticking with baseball, out of left field question. NASA you brought up and the significance there, NOAA and obviously some of the data. Should space be designated a critical infrastructure sector?

I don't see how it can't be at some point.

Bingo. Right. Right answer. You can stop now. Go ahead.

No, I mean, like, just look at, I mean, the criticality of GPS and st. You have to...

Timing, signaling, exactly right. You don't want subs bumping into each other under the sea. You need clock.

But to the same point where we were going before, we've had these discussions with the CISO from NASA. No one's looking to put a new type of program on the Voyager. No, no one's looking to put like a new type of agent on the Voyager 1 or Voyager 2, you know, satellite. Those are 10 billion plus miles away, past Pluto. So we need to protect that data, where we were going before, in new ways. But sometimes you can't protect the endpoint in ways. We have to recognize that risk and...

Just work with it and integrate with other sort of critical infrastructure owner-operators, because it's not a single thing there.

Yeah, Zero Trust is all
about interoperability. It's all about sharing telemetry, not only internally but with organizations, peer organizations, so everyone can learn.

And you brought up another significant program, and that's FedRAMP. How does FedRAMP fit into the Zero Trust discussion? Or does it?

That's a softball to me. So for a couple reasons. You mentioned before I work at Zscaler. We also, when Zscaler hired me, they hired Brian Conrad, who was the acting FedRAMP program manager for three plus years at GSA. There's a natural interest, or if you had the Venn diagram between Zero Trust and FedRAMP, or cloud in general, there'll certainly be interest there. We look at what GSA is doing now with the new FedRAMP, like 2.0 if you want, memo that just got released. I don't think it's any secret that Eric Mill, who's leading a lot of those cloud strategy discussions at GSA, Eric's prior position was at the White House under Clare and under Chris DeRusha, the Federal CIO and CISO, leading a lot of those Zero Trust discussions. We got that same brain trust. They were leading Zero Trust three, four years ago; now over at GSA leading some of those FedRAMP discussions.

So, awesome. Natural trust. So it's a
natural cohabitation and coexistence.

It's a necessity, I think, for the two to come together.

So again, sort of with that Yogi Berra, the future ain't what it used to be. What does this concept of Zero Trust look like? What's an advanced architecture look like five years from now?

Yeah, so that's, let's say, so much changes so fast. I think that the principles remain consistent.

Exactly, those first principles.

So I think it's going to be more, where we could talk about there's the different Zero Trust pillars. There's data, there's device, there's application, there's network and then there's identity. Five, eight years ago you really didn't hear too much about identity protections. Now you can hear identity's critical. So I think at that point it's going to start to shape toward the identity, the applications themselves and the data. So you didn't hear me talk about the device or the network. But what's connecting all those together? What's connecting the application, the user and the data? It's the network, it's the devices themselves. So I think it's still going to be, to your point, focus on those different pillars, but how they'll be connecting together. Just like we talked about before, it'll be ways we're probably not even thinking of right now, but it'll be moving security, as we said before, closer to the user, closer to the data in new ways.

And it's inevitable. I mean, regardless of what we want in different places, that's where technology's marching. So we've got to stay. And policy...

And policy, it's critical. So when OMB released the Zero Trust strategy, M-22-09, we had to work, and I say we, again, between OMB, GSA, ourselves, some of the USDS team, almost had to go agency by agency and review that Zero Trust strategy, because even though it was in the memo what was necessary, trust but verify there. Right. Agencies were still coming to us and asking, do you really mean what I'm reading there? So it's still a lot of just discussions that had to happen.
Hey, Sean, what questions didn't I ask that I should have?

Oh, everyone's asking what's happening next. Not only the technology, but the policy side. A lot of it's going to depend on what happens in November. I think that's fair to say. But I know there are... What's one thing, I mentioned Randy over at DOD, is one thing they were still trying to figure out, from a community, is how do we measure Zero Trust? It's got to be beyond just 800-53 controls. It sits in a binder on a shelf. And so DOD's leading some of this, being able to use Red Team assessments against their infrastructure themselves in new ways. And that's what I'm hoping you start to see on the federal side, some type of continual Red Team. Good guys going against our systems themselves, just to help understand how the adversary could possibly get in these networks.

And I think it is finding its way into acquisition, is what then suddenly everyone has to take or they can't compete.

I think, to your point, it starts with policy. Now you're seeing GSA has a number of procurement vehicles for agencies to have red teams in place, and the information security officers at the agencies understanding how to really use those red teams. They're not coming in to, like, expose and say, I gotcha. But it helps those security officers and the procurement teams then justify why they need to advance their systems. Because we have our own people being able to walk into our systems. We need to be able to protect them in new ways.

Hey, Sean, I was remiss to not thank you for your many years of public service, so thank you for that.

It goes both ways. I can remember, you know, I was going to start off with this, but a longtime listener, first time caller. I can remember, like 10 plus years ago, like over at George Washington University, you were with Jason Healey, one of Jason's...

He's awesome.

Yeah. Releasing one of his books and just hearing you two talk, you know, about it, and you weren't doing... We weren't even talking about the book. You guys obviously were in the trenches for a long time together, and just hearing some of those stories. So thank you. Goes both ways.

Well, thank you, Sean. Clearly you're not the George Costanza, since we got to go back to baseball, Yankees of cyber. Thank you for your service for all these years. Thank you for making a difference. And thank you for continuing to make a difference. And thank you for spending so much time with us today.

Thank you. Thank you, Frank.

Thank you for joining us for this episode of CyberFocus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.