Zero Trusts Given

In the Beginning

Episode Summary

In this insightful episode, join Tom Tittermary, Rich Johnson, and Ryan McArthur as they dive into the critical role Zero Trust plays within the Department of Defense (DoD). The panel explores how Zero Trust principles are reshaping cybersecurity strategies, improving data protection, and strengthening national security in an era of evolving threats. The conversation addresses key challenges in implementing Zero Trust within the DoD, including cultural shifts, technological barriers, and the complexities of securing legacy systems. The panel also discusses the evolution of Zero Trust policies, frameworks, and tactics over the years, shedding light on lessons learned and what the future holds for its adoption.

Episode Transcription

Zero Trusts Given: Expert Perspectives on DoD Security Strategy with Ryan McArthur

Tom Tittermary

Hey, everybody, welcome to the very first inaugural episode of Zero Trusts Given, a podcast that is out there for federal government employees and members of the systems integrator community to listen to, talk about, and contribute around what is Zero Trust, with a little bit of a focus around the Department of Defense. My name is Tom Tittermary, you're gonna be here with me every time we do this podcast. To my left, I have one Mr. Tom Gianelos. Tom, why don't you introduce yourself to the crowd?

Tom Gianelos

Hey everybody. My name is Tom Gianelos. Like I said, like Tom said, we'll be kind of working this podcast together, hopefully bringing in some varied guests throughout each of the weeks. And we're here just to give you an idea of Zero Trust and the best way to move forward in that model.

 

Tom Tittermary

And Tom, thank you very much. Speaking of guests, we have two awesome guests today. Rich, why don't you introduce yourself to the group?

Rich Johnson

Yes. Hey, Rich Johnson. I've been in this industry for about 40 years now, and the topic of Zero Trust has been coming up for about the past six years, and it's a topic I love to engage on. There's a lot of confusion about it in the industry. I think our goal here today is to kind of lay out some framework and really get down into what it is and what it isn't.

 

Tom Tittermary

Yeah. And then our second guest today, one Mr. Ryan McArthur. Ryan, why don't you introduce yourself?

 

Ryan McArthur

Yeah. So, Ryan McArthur, been in the defense cloud industry for the last 20 years. It's been a fun ride, and I'm looking forward to the conversation today.

Tom Tittermary

Well, thank you very much. So every individual show that I go to, every conference that I go to, every hallway that I run down, every show that I run into, I see Zero Trust on every banner of pretty much every vendor that I see walking through, and anyone that I engage with, everyone's got a Zero Trust tool. Many are happy to tell me that they do Zero Trust. If you do X, Y, Z, and you buy my product, you get Zero Trust. So I know that everybody at this table spends a ton of time in this space, and where we work, which I haven't mentioned yet, but maybe later, we kind of find ourselves in the middle of this consistently and constantly. So let me offer this question up to the group, and I want to hear everybody's responses around this. What is Zero Trust? How do you put it simply? How do you expand upon that? I offer it up to the group.

 

Rich Johnson

Yeah. Tom, one thing that I will say about this, and we've run into this time and time again. I remember about five years ago, we were at a show, and, you know, vendors are popping up Zero Trust all over their product. And we joked about the fact that, you know, this vendor was going to have the best Zero Trust dog food that was at the show that day. And it really does come down to what is Zero Trust. And I think that there could be a lot of definitions out there. And quite honestly, I don't really care that there's 1000 definitions. What's really important is, what does it mean to the federal government, specifically in our space, the US Department of Defense, but in federal government as a whole. And I think that there are some very, very clear definitions as to what Zero Trust is and what it should look like when implemented properly within a vendor space. I always like to go back to the fact that we think Zero Trust is a brand new thing. Reality is, it's been around for 20 years now. It's an evolving concept that started way back with the Jericho project. We saw hints of it with the DISA black core. Then, you know, John kind of dropped that famous, you know, bomb on us and said that, hey, trust is the vulnerability, and security must be designed with the strategy of never trust, always verify. And he coined the term Zero Trust, and we've been off and running ever since. Fortunately, it's now been codified for us in a way that we can actually implement it. But definitely interested to hear from Ryan and Tommy on this topic.

 

Ryan McArthur

I think when you look at the department, and you look at the federal government as a whole, I think it really comes back to, like, what everybody's trying to get after individually. So everybody kind of starts at the beginning. They all kind of start from an identity perspective. Everybody kind of goes the initial, every organization we've looked at, they all kind of start with the basic, which I think starts with identity. But then when they go from an identity side, they kind of move to different parts. Some of them kind of go after the network. Some of them go to how they can go from their infrastructure as a whole. Some of them go to their user base. Some of them go after workload. Some of them go to their cloud. So then it kind of goes to a hodgepodge of different spaces, and that's all based off of where the defense architecture can be, where the, if you look in the Fed space, where the Fed space, how that architecture is set up in the tech 3.0. So I think it's pretty interesting how it's evolved over the last, or, I think it even the last five to six years. The zero, the DoD Zero Trust office wasn't even stood up until 2022. The initial architecture was actually kind of put in place. They wrote the architecture, then they put the mandates out, and now it's in 2027. So I think it's been kind of fun to watch it evolve. I mean, we started talking about Zero Trust in the Defense Department, I think in around 2018, 2017 time frame. But it wasn't until 2022, and I say we, because I just left government in April, but, but if you look at 20 something, I realized it was that early at all. Yeah, so you heard the word, you heard the word Zero Trust, like bouncing around the Defense Department in the Pentagon. It was bouncing around. It was just a word that was used, kind of like agile, there's a word that was to run around, and now Zero Trust turned into, like, a dirty word, like, kind of like, ads turned into dirty word.
It's this kind of a thing that just kind of gets thrown around, that everybody wants to use everyone to throw around. But I think that what's, what's kind of gone on is, instead of throwing a word that I'm going to say, I'm selling Zero Trust, we have to go how we're going to get into the solutions. That's how we're going to get after, how we're going to evolve, how we're going to get into from a solution perspective, and not talking about from companies. But how are we going to go after we going to go after problem sets with companies as a whole? I think

 

Tom Tittermary

that is going to sound weird when I when I say it out loud, but I think Zero Trust is the new cloud, and I say that just in terms of, like, a mega trend relative to it, where, if you wanted your product or service or component relative to your company to be relevant, what was cloud? Right? Like I'm putting, I'm kind of showing my age a little bit, but nobody wanted to talk about stuff that wasn't cloud, because that was one of the major initiatives. So now a lot of people that I run into are framing like, Hey, what is your product, service, etc, do? And, by the way, was it due to Zero Trust? So everybody's got that angle where they're describing what they do. And there's a lot of creative writing that happens in a fair number of those exercises. I use Zero Trust, dog food, around those, those individual types of things. But I mean, at the end of the day to Tom, where do you stand in this? What's, what's your trust?

 

Tom Gianelos

To you? Well, Zero Trust. It's everything that you guys just described. The problems that we're having with adopting Zero Trust is really just still a cultural thing, right? Whereas before, everything was just sort of siloed. You had your network team, your identity team, your server team, your endpoint team, your storage team and stuff, and everyone was able to work sort of independently toward a common goal. But Zero Trust is more of an umbrella construct, such that all these teams had to start working together. And I know working within the federal government, that's been probably the biggest challenge thus far, is bringing those groups that previously were not speaking to each other in very, very meaningful ways, or having now to bridge those gaps and start working together to achieve that, that ultimate end,

 

Ryan McArthur

Yeah, it's like, it's like you haven't turned a CISO, and in the, well, I mean, if you look at the department, you look in federal government, you have CISOs. But it's like a CISO hasn't been turned into a Zero Trust czar, almost. They still have a CISO kind of mindset where it's still tunnel vision, and it's not picking on CISOs, because you have, you know, 30, 40 years of certain mindsets. But speaking to what Tommy has, you have the network team, you have the security team, you have the identity team, you have all these certain little layers, and they have their little, call them fiefdoms, but they have their little layers to them. Bringing them underneath an umbrella of oversight is kind of hard, and how you run that, how you do that, how you bring them together as a team and move towards a certain goal from a Zero Trust, like I said, a dirty word, it's hard. And like I said, a CISO mindset is, I still work in kind of layers. I almost feel like you have to have a person that either sits with the CISO, or you have to kind of put a label on a CISO that says, hey, you're now a Zero Trust czar, and says, this is your new construct inside of a CIO shop.

 

Rich Johnson

I was gonna say, Tom, that Ryan brings a really good point, because it's important to realize that Zero Trust, it's not a noun, it's a verb, you know. So you don't have a, hey, give me some Zero Trust. You don't get that way. So you really have to approach it from the fact that, as Tony was saying, it's a framework, it's a strategy. So that's why I thought it was kind of interesting when the DoD released their DoD Zero Trust strategy. My first question was, strategy for what? For storage, for data centers, for remote access? So it's a set of principles that you apply to whatever you're doing to conform it to a set of principles, which is why I think having like a Zero Trust CISO or czar that's making sure that you're heading in the right direction with whatever you're doing is so important. Is it adhering to these principles that are going to be used to secure our platform, our data, our infrastructure?

 

Tom Tittermary

Yeah, I think one of the, so we all have the luxury of working with an awesome guy named Conrad, my Reno, and I always try to look for, like, the way to take really complex things and say them in as few words as possible, and the phrase he came up with, through Zero Trust, is dynamic need to know. And I like that a lot. And I think it's just a really rich way to say it, where there's a lot of meat on that bone around, it's dynamic. What does that mean? Okay, what are the factors I'm going to choose that are going to allow an individual or a thing to have access to a resource? Right? Is that identity, is that the posture of the host, is that the geolocation, is that recent accesses to other things? Like, that's, so by the way, from an acronym and definition perspective, right, that's very specific: PDP. So that's policy decision point data, and we partner with everybody to collect that type of data. And there are folks, you know, when you go to these shows and you talk to people, everybody's PDP piece is the only one that matters, right? When, in reality, there needs to be some level of ecosystem where I can aggregate risk around a thing, or a person aggregating another thing in a bigger way that cross pollinates identity and posture and geolocation and access and all those different types of things, right? So that all that sits over on dynamic need to know, right? So that's on the dynamic side. What's dynamic about it. The need to know side gets really interesting, because now we're talking about policy enforcement point. We're talking about PEP. How do I enforce that policy decision, like, based upon a certain amount of risk, if somebody's gonna get access to a thing, right? So there's what we do, and we'll get into that at some point. But how do I allow that person, in the most granular way possible, access to an application?
Once they're in that application, how do they limit their access so they don't get to see everything in Salesforce and they're limited down to their role in the context for what they should be seeing at that point in time? If I get into an unstructured data repository, how do I maintain swim lanes across those big things so the people are only getting exactly what they want? Tommy, I've had conversations with folks from your community that say, hey, in the unstructured documents, how do I black, black space out or, you know, delimit out individual pieces of unstructured content in documents where, based upon the context, I want somebody to have access to the document, but not individual keywords in it, right? So all these things, and just for that reason, dynamic need to know, to me, just seems like a really easy way to kind of cross both sides of that type of thing, right? Yeah,

 

Ryan McArthur

it's a good way to capture like it is actually a good, good way to frame out what Zero Trust is supposed to be. It's a good way from a defense, even from a defense perspective, looking at how you're just accessing a single, single thing. I don't actually think I've heard Conrad say that, but it's a good I mean, yeah, I know Conrad says it, but I haven't heard him say that, because hearing it from Conrad would be funny, because I know how passionate he gets. So

 

Tom Tittermary

we just said Conrad seven times. There's a reason why my future plans for this podcast include a whole episode that's just Conrad. So yeah, buckle up for that one, because that's going to be a good one. Yeah. So one other fun fact on this. We were sitting around talking before the show started, and we're recording this at the lovely Carahsoft recording studios, and the people here are absolutely wonderful. They brought us enough coffee that for us to do this podcast for a month in a row, and they had these beautiful video cameras set up. And we immediately were panicked, on our side, because we're engineers, and we saw video cameras, and we went, Oh no, this needs to be an audio podcast only because, by the way, this is probably going to have a lot of engineers most of the times we come to record this. And you know, a lot of us have faces made for radio. But anyway, so moving right along and

 

Tom Gianelos

back on the topic. Mine's not agreeing with that statement too much. I

 

Tom Tittermary

think you took that personally, right?

 

Ryan McArthur

I mean, I'm, yeah,

 

Tom Gianelos

be a monster commercial.

 

Tom Tittermary

We can't be, yeah, we're people props that aren't sponsors of the show.

 

Ryan McArthur

My, my orange drink of pleasure.

 

Rich Johnson

Tom, I did want to kind of take this back and pull it out of the geekness for a second, because when we talk about Zero Trust, usually we're doing it in the realm of network security of some layer. But I think for the common man that's out there that's coming in and being hit with this term Zero Trust, what's the best way to understand this? The one I always, the analogy I typically use is that of TSA. You know, you show up at the airport, and this is a beautiful implementation of Zero Trust. I walk into the airport, and the first thing that happens, I have to get through all these gates, and they don't trust me. I have to prove who I am. I have to assert my identity with some legal form of identification, maybe a passport or a state-issued driver's license. They don't trust my luggage. I have to have it scanned. They, you know, a few years ago, they didn't even trust my shoes. I had to take them off and send them through a conveyor belt to make sure they weren't going to try to light them on fire or something. And so once I get through that layer of security, they don't just grant me full access to the airport. I have certain places I can go and certain things I can do. If I try to get to a gate that's not associated with my flight, I'm blocked from doing that. When I try to get on my flight, they once again check my ticket to make sure I'm getting on the proper flight, and if I then come back to that same airport the next day, guess what? I start all over again. So that continual dynamic access, as you were referring to before, it's a continual assessment process. Just because I was at TSA and going through security yesterday doesn't grant me access for the rest of my life. It's a constant thing. I'll have to go through again and again. And the other thing I want to point out is TSA is always improving their architecture. You know, used to be a metal detector. Now I've got a full body scan I'm going through.
And so they're constantly improving it. So Zero Trust as a principle, whether we apply it to airlines or network security and data, it should be something that's always evolving. You're never going to be done with your Zero Trust journey. If you're implementing this, it's something that you're going to have to be constantly looking to improve upon, because our adversaries are constantly improving their attack vector.

 

Tom Tittermary

Yeah. I mean, one of the, the other one that I always like to bring up, just because, with what we do, like, we just go to a lot of government facilities, we wind up at a lot of security gates, and we have meetings at different places, right? So the whole notion of, everybody understands this, everybody that does this understands the notion of an escort versus a non-escort badge, right? So one of the most fun days I ever had, I was visiting a systems integrator customer in Southern California, down in Rocket City, and they gave me a non-escort badge. And this integrator had these really cool, interesting, like, displays in the hallways of like radar arrays and like side I had a great day, but I wandered wherever I wanted. I went to my meeting, and then I had about two hours where I just wandered the halls and checked out all the cool stuff in the hallways, right? So that's a non-escort badge, and I hate to say it, with a lot of customers I talk to, when we talk about how I get access to things, if somebody shows up to a gate somewhere, from an IT perspective, with the right credentials, well, then they can walk around, they can walk the network, they can go to the application that they're supposed to, just like I went to the meeting that I went to. But they could also just wander around, poke around and see what else they can kind of get their hands on, right? And sometimes that's a big perimeter, sometimes it's a small perimeter, but it's a perimeter, and I have freedom of movement, right? So it's a non-escort badge versus, like, I think of a much more Zero Trust way, the way that I like to think about it a lot is very specifically, like an escort badge. Like, I've had some very interesting conversations with my escort at a facility when I needed to take a comfort break, about how close they needed to be to me in that individual scenario, right? And most of the time they had eyes on me, right?
So I hate to say it, but that's kind of how Zero Trust needs to pivot now, right? It needs to be more times that I'm checking against the status, against the individual, making sure they're not a security risk. There needs to be more view over specifically where that person is going. And you need to be able to delimit those paths and routes that that person is allowed to go to, to applications, to data, to everything, if you're capable of doing it, right.

 

Tom Gianelos

Interesting. You're, you know, all of these examples are, are, are based solely on identity. So it's who you are as a person, right? That's, that's probably one of the most primary elements of Zero Trust, is relying on that identity aspect of who you are, and not just things you may have, like an IP address or or something like that, some other attribute within it, within a network confine, it's really based on you as a person. Well,

 

Ryan McArthur

I think it starts, I think it starts with you as an identity, like, if you go back to, like, the the TSA concept, right? It starts with you as an identity, right? Then it goes to, you have a ticket. Ticket takes you. So then that's an attribute. The attribute goes to, now I have a gate, then I have, I'm going on an airplane, so I have a specific airplane. I'm supposed to be assigned to have a specific seat. Have a specific seat. Those are all attributes that you that you're supposed to go to right then you have, like, a specific terminal that you're supposed to go to, you have a specific gate you're supposed to go to. You have all the things that you're supposed to do, but you can't go into the door. You can't go into where we're baggage claim. You can't go back out. Like there's certain things that, yes, identity is the basis. It's the beginning of every single thing. Is why? I go back to in my the very beginning of our conversation, which is every organization we've had conversations with as a company. Even go back to my defense space, you find I think pillar one is identity. I think in the I can't, I don't have the DoD memorized, and I don't, I don't remember Feds off top my head. But identity is generally where every organization starts with, because you have attributes. You have identity that has to start with every single thing that you're going to do. Well,

 

Tom Tittermary

it's you can extend the metaphor further right where the metal detector is. Are you going to bring a threat into this perimeter? Yeah, right. So that's posture. It's just simple cross pollination across the whole Zero Trust conversation about All right, so you are who you say you are. Great. Do you have anything based on where you're going that could be a problem? Yeah, right. Just be able to assess the posture the individual device the user is accessing from, or where they're accessing it

 

Ryan McArthur

from. Frank, yeah. But I wanted to pull on the thread that you were talking about earlier, about the in case, I don't think we talked about it enough when you were talking about the policy enforcement point in the defense point was about the because really look about it from like a single pane of glass perspective, about how we get after solution sets. And I'm not speaking about from a company side, but each company that every organization, you still have to look at it how we're going to work as a single pane of glass from a solution. So every, every Zero Trust company, or every say company Zero Trust but a solution that comes out right? So if it's whether it's an endpoint, whether it's a and it's an exchange, or whether it's an identity provider, every one of them have data that they're providing. They have to integrate back to something. They have to integrate with something providing a solution set down to a product. So if it's an endpoint provider they're providing, they're providing a solution down to down to a product, down to a laptop, or down to a server or whatever, then they're providing that. So that end point is going up to something else, an enforcement point. That enforcement point is then providing a single pane of glass to other things, which should be a reach, reaching point to identity, then down to so you have end point, you have identity, then you have enforcement point from the policy side of the house. But the important thing that we don't ever really talk about is, while you hear from the government, I want to have a single pane of glass, but there's not a lot of companies that come in and actually provide that capability across the board. We ask for the government ask for it all the time, but there's not a lot of companies that can actually go and speak truth to power on what that capability can be and how they can provide it. And. As a whole. 
And I think that that's an important aspect that has to be part of a message for a company, that solution as a solution needs to be there. Because if you can do that holistically from identity enforcement and point it's important capability from a Zero Trust side that we just need at the

 

Tom Tittermary

So I've had this conversation with a bunch of different systems integrators, and I think that's a big area where they can help in a lot of cases, right? So it's funny, folks in the listening audience can't see this, but I got my laptop open in front of me, and I'm looking at the Zero Trust reference architecture, OV-1 from DISA, from the version one reference architecture. So there's a graph in there. I think it's page, it's figure three from February 2021, if anybody wants to follow along at home. But it's this big thing of, like, all the PDP goes to a SIEM, right? We talk about logging in the context of Zero Trust. It's like all these different components of PDP going to a SIEM. And then there's this magic arrow that goes up, and it says analytics and confidence scoring and entity behavior analysis that happens in the middle, right? And this is where, in a lot of cases, AI or ML get quoted as coming into the picture to aggregate this risk. And, by the way, today maybe, but today, this is people that are just really good at firing Wide Area algorithms against, you know, the major SIEM vendors that everybody in this room might know, which we're gonna have a couple of months later. I just don't want to call them out yet, right? And then finally, at the top, there's this bubble at the top, right, where it's like, all right, based on all this log data I took in, based on all this analysis I did, how does that change policy, right? So it's funny, one company I won't name, ServiceNow, right? So we're doing a bunch of work with them where, you know, they're holding the CMDB for a lot of different federal customers. It seems like a decent aggregation point to bounce things off of, to then have them give us a nod and be like, hey, Zscaler, these guys don't get these individual things anymore, right, from that perspective. But I think you're exactly right where the evolution of this for me is. Again, there's two sides.
I need to come up with some sort of methodology, and it can be, you know, department based or agency based, where, how do I aggregate a scale of one to 100 the sensitivity about an individual piece of data, yeah, or an application. B, how do I generate a risk score around an individual from a scale of one to 100 that will tell me, you know, this person's a 70 because everything's good with their identity and posture, but I don't like where they're dialing in from, right? But how do I calculate the score on both sides? It's something that we as a vendor are not going to do, right? Like, I can't tell you, A, the sensitivity of your data, and B, I can't tell you how you aggregate risk for your agency, your MILDEP, your COCOM, right? But those things, then we, as you know who we are, get to have more influence in the middle. But it's a tricky picture, right? Like, if your device is pwned, what does that mean? Like, how many off of 100 is that, right? Geos, geos are easier, right? Because then you go, all right, well, this geo has a risk score of x, y, z, right? Identity is a pass/fail from a large perspective. But you're also going to want to pull data from people like data authorization vendors, like, has this person gone from reading, you know, 20 megs of unstructured data in the last week to 20 gigs, because that's signal over noise, and that needs to find its way into the risk score. So it's, I don't want to for anybody. We just came up with a couple of super simple metaphors for how to talk about Zero Trust at a high level, the very complicated

 

Ryan McArthur

problem. Oh yeah, yeah, no, it definitely is. And it's one of the, again, it's one of the things that perplexes, the identity teams. It provides us the network teams, the end point teams, and that's partially why they're there's not in fighting, but it's it's more of like why there's discussions that go between those groups. And when you go to who owns the problem, who, who gets after the problem, it's why there's such an issue, because then there's also you don't want to get into contracting. But if you look at the contracting side, each one of those shops have contracting groups that they work with, and it causes, I would say it causes issues on the on the cloud service provider side, where we're we're working with each individual group, and we're trying to bring them all together to get after a problem. And we're like, Hey guys, you're both trying to solve the same thing. Just come together and work on it in the same, same effort. We can, we can solve that solution. I'll give you a

 

Tom Tittermary

perfect example of that one. And I feel like I'm talking too much, so I'm gonna say this, and I'm gonna bow out for a minute, but on that one particularly, here's what's really interesting. And this goes back, Tom, to what you're talking about, about Zero Trust culture specifically, right? And the contracting shops specifically, is anybody that's recently responded to a wide area, large scale, DoD or government RFP, there's hundreds and hundreds of pages, right? And a lot of times the former requirements that were relative to the program on a recompete don't get rewritten to match Zero Trust principles, right? So for example, I'll give one example. I'll bring up the DISA Zero Trust reference architecture again. So you know the main characters in this Zero Trust policy creation from a DoD perspective. So there is Zero Trust PMO office and Randy Resnick and his 91 basic controls, 152 advanced controls. He, in Baltimore, because I got to see him talk there, talked about, hey, what's the last best document that you've seen on Zero Trust? He called out the DISA Zero Trust reference architecture 2.0, right? So there's a lot of good framework baseline material here. So in the Zero Trust reference architecture 2.0, the Zero Trust connectivity mechanism got called out as SDP, software defined perimeter, specifically, to their credit. But I don't see that popping up in a lot of contracts to

 

Ryan McArthur

their credit. If you look at DISA, the time between 1.0 and 2.0, the update was fast. I mean, it was like, what, a year and a half. It was a year and a half, year and a half like update reference architectures in defense. I mean, I've seen, I've seen policies take 10 years in defense. I mean, that's, it's not a joke. I mean, I guess, legitimately, take 10 years for policy to go through. I mean, you're talking about a reference architecture in real time, Zero Trust solution sets. I mean, DISA was able to do a reference architecture update relatively quickly because, I mean, the approval process for something like that to go through is, it's not minuscule. DISA has to have, effectively, the entire department sign off on something like that. It has to go through Army review, Air Force review, like they push it out on academs and effectively get signed off. Or it goes through DoD sale and then it gets pushed, but that's huge. I totally want to yes and what you're saying, it was very impressive what they did, just to say that, from a contracting perspective, I see a log jam on the government side of rewriting these requirements, because there's hundreds of pages of these requirements, and a lot of times the architectural changes that have to happen in order to make these structures Zero Trust are significant rewrites. So I'm just saying from a manpower perspective, it gets really tricky right there. Yeah. And I think a lot of that goes back to, if you look at the differences between the contracts and the technical side, there tends to be, and this is just speaking from experience, there sometimes tends to be a break in where contracts and technical do contract writing. So contracts will drive where writing goes, because it has to meet certain milestones, and the technical is trying to drive in the what needs to be there, but like you can only do so much from what the deliverable needs to be.
But on the same side, if you have a new capability in something new that's coming, like a new reference architecture that's come in, that's something that's high level, it has to be digested by that whole entire technical team. Most contracts are, generally, they've been being built for 18 months prior to them going out. So a general, like, we'll just say it at five, like, a $5 billion contract, that's usually a 36 month lead time between award and all the pre work. So it's a three year lead time. So that's three years worth of work. They're not in, if a reference architecture came out before that, or during the middle of that, they won't do the rewrite. They'll just push it. And that's, you know, because you want to lose 18 months for the work because a new reference architecture came out, no, because that's new RFPs, new RFIs, new everything. That's, it's a lot, it hurts. I mean, it would say it hurts the government, but, I mean, it's a lot of government works man hours that goes out,

 

Rich Johnson

yeah, and I think we've seen that actually play out, at least within the Department of Defense. So I would say that the you know, that the ICAM architectures for identity, credentialing and authorization, I believe that definitely has been slowed down by the emergence of Zero Trust, because as you, as you mentioned, Ryan, they were well down the path of implementing a design that they had put together, and then all of a sudden, Zero Trust pops out, and everyone has to comply to that, and you have to hit the brakes and back up a little bit and try to retrofit this now in and we see this also with a lot of RFIs that have popped out, because you'll see it. You'll know it because there's this little blurb right in the middle of this document someplace, must comply with Zero Trust. And that's it. You know, you get this whole architecture and this little one sentence that says, must comply with Zero Trust. It's like now you got to figure out, well, what does that mean in the scope of this architecture, this RFI that has emerged, and how does it where does it play? Where does it not play? So it definitely becomes complex to try to retrofit and make things shoehorn into this Zero Trust paradigm. I did want to kind of circle back to a couple comments that was made. So it's the DISA Zero Trust reference architecture, version one, version two. For me, it laid down some solid footwork. Obviously, that's piggybacking on the NIST special publication, 800-207 which was in many ways, the Bible. That was the one that popped out that finally said, Hey guys, enough of this nonsense. This is what Zero Trust is, but it's conceptual. And so that came out as a conceptual guideline as to what kind of thing is like. You know, you talked about this, policy enforcement points, policy decision points, the ability to administrate this stuff and and all these software defined perimeter constructs. But now, how do I actually build that. 
And I think that's where the Zero Trust strategy that came out of the out of the DoD was very, very helpful, because it did define 152 activities. But I would say, even more importantly, 152 outcomes, you know, you got those 91 target activities video to go after, because that's what was deemed necessary to. Secure our Department of Defense infrastructure against nation state actors that are out there. But the outcomes, it's easy to go through and check off all these little, you know, characteristics, yeah, I've got, I've got 125 products inside of my my portfolio that I've already deployed in my infrastructure. I can do something like that, or something like this one, or something like that one, and you can check off all those boxes that have 152 and no time at all, and say, Hey, we're already there. But the reality is, if you were already there, then you would already be at a state of Zero Trust, and they're not. So the outcomes are more important, because that gives us a tangible thing of proof of hey, if I if I can achieve the outcome, then I've done what we need to do to be Zero Trust ready. And again, it's something that's going to constantly evolve, but at least you're hitting the target, as opposed to just kind of guessing at it. I feel like the past five years, we've all been kind of guessing at it a little bit in terms of what we wanted to implement. And now we've got a much clearer picture, I think, as to if I can at least do these things and get these outcomes, then I will be meeting some of these, these requirements that have come out of the out of the federal government over

 

Ryan McArthur

the last several years. I mean, I'd say to the like, to the credit both defense and federal. Like pushing the What's it? I mean, I mean defenses mandate. Federal is pushing guidelines about getting to certain states, but pushing where they need to go, where they want the Defense Department to go, where, where they want federal to go, has, has at least put lines, I'd say, in the sand for federal and and conquer concrete for defense. But I think the the larger question that that a lot of the Defense Department is still trying to figure out is, who are my partners, like, who are the partners that I work with in the cloud. It's really cloud space, because you're not really doing a lot of any on prem inside this, because you have to also take into account where congressional requirements are that it says all things go to cloud effectively. NDA says, Hey, you all things go this way. So there's that. So you have to figure out who's my partners. Because you can't just say, Hey, I'm a cloud service provider and I can provide you capability. That's that means that you're selling me something. But that's not really what what the defense department wants. They want somebody who's going to partner with them to get them where they need to be. That's, that's thing, one thing two is the Defense Department has an entire legacy federal has an entire legacy infrastructure to maintain, on top of bringing on new functionality and new capability while they deprecate an older infrastructure. And sometimes that's a hard problem and pill to swallow. When you're not really, I would say not just not getting new money. They're not really getting new money. They're so most, most agencies, are taking cuts in a lot of ways. So you're go back to the partner conversation. 
You're having to have conversations on which partners I can bring in and what solutions are going to get me my biggest bang for my buck, starting with identity, moving into like what we're looking at with certain defense agencies. Do I look at NSX, helping with SD-WAN, helping with SASE, helping? Where do I get my biggest bang for my buck? So I can start deprecating services and moving towards where I need to go to meet my mandates. So I think that you start to look at where we can move and where we can help, both with industry, defense, federal, those are the problems that as you look across organizations in fed, fed save and in defense, that everybody's trying to work through, and when you look at certain services in defense, like, some are more nimble than others. Like, if you look at the army, that's like, moving, you know, 10 tank battalions all at once. Like it, they're, they're great, but they move slow. I mean, I'm a retired Army warrant officer. Like, they move slow because it's, it's 1.4 million users. Like, it's not easy to move a force that big. Air Force is, is fairly nimble. You know, Navy again, aircraft carriers, because they're, they're dispersed. They have, they have a ton of PEOs. I think it's like 3030, PES I think it's what overseas inside the Navy. So they tend to, each of them have their own nuances that you have to deal with and have to adjust to. And I think that it's important that both industry and defense as they work together, that the industry always remembers partnership is like the biggest thing that we that we lean in on and we understand what the defense and federal civilian space is trying to deal with. And I think that that's it. Sometimes it gets lost in translation.

 

Tom Tittermary

Yeah. I mean, one of the ways that that ends up popping up for me, right, is especially working with the Department of Defense, something to consider in any of these individual components, right on the PDP side or the PEP side, is the ability to scale and the total amount of, you know, manpower, and I typically call it like human intellectual capital, like, how many smart people do I need to architect, build, run this thing effectively across the MILDEPs and the COCOMs, right? What is, what is the solution? I could scale to 1.4 million users and be relevant, right? And actually be functional and not require 2000 people to run so that that becomes an individual piece. And then the other thing that always becomes a conversation is the conversation around enterprise work. Cloud is typically, you know, the go to, in terms of we need to figure out how to get to cloud, and then running into individual tactical communities, or scenarios where enterprise is desired but limited in some ways, especially, there's an awful lot of, hey, spoiler, like for everybody, everybody at this table works at a cloud company. There's this interesting thing going on in industry right now where me and a bunch of other, you know, company partners that we work with that have significant cloud presences. Everybody wants cloud because of scale and easy use and manageability and reduce human intellectual capital. Everybody, in a lot of ways, has concerns about cloud because, well, hey, what happens if I lose connectivity and the cloud goes away? And that most oftentimes comes up in that tactical scenario, right? We talk about it with, you know, tornadoes and hurricanes and weather events too, or power grid loss, but what happens when the cloud goes away? And I think that I've been doing a lot of interesting work with a lot of vendors across the space where most of us as cloud vendors, we just figured our piece out recently, and I'll probably talk about that a later episode. 
But how to be both, right? How to be that enterprise cloud company that also works in that tactical scenario. But that's a really tricky one too, because that 1.4 million users right relative to army, there's X number that are enterprise, and then there's X number that sometimes are tactical and sometimes are enterprise. So how do I leverage those two having multiple solutions on both sides, and how do I work that piece out? Yeah, I

 

Ryan McArthur

mean thinking, thinking about like my old hat, you know, really old hat, sitting in government and had my tactical advisor hat on. It's funny, I used to have like, discussions with people about, you know, the Defense Department moved from having this, this thought process of, hey, we were a completely, you'd have these disconnected all the time kind of thought process, like, 2018 you know, you there was a contract I never talked about anymore. But like, you have certain thought processes, like, hey, it's always going to be DDIL. Always you have, like, there was always a denied or disconnected that was going to be a really long, extended periods of time.

 

Tom Tittermary

And just to hate say it, but like, so DDIL, for those of you that aren't familiar with the acronym, so you want,

 

Ryan McArthur

I disconnected, intermittent, low bandwidth. Sometimes, everybody, yeah, sometimes correct what happens

 

Tom Tittermary

in this application when it loses connectivity to the internet or something to call back to?

 

Ryan McArthur

Moving on, sorry. So you know, you you have, like, there was a mindset for a long period of time that you had just, there would be periods where it was just completely disconnected. There's still some subsets, like submarines have, like, just, they're disconnected, but you're not putting cloud on a submarine. Like, just, we're gonna be honest, like, this is just not happening. They run certain ways. But for the most part, when you look at tactical force and you start to look at work, commercial has come. Starlink, you have all these other, I'm not gonna endorse like, 1000 companies here, but you have LEO, HEO, GEO, there's tons of connectivity worldwide. You've moved to more of a of an operational connectivity workflow. And it was started to get more discuss in like the 2000 to 2020 2020, 2220 23 time frame of of not a disconnected word work, but how are we pushing out, like the operational workforce, towards the end and as far out to the edge as possible? And there's initiatives in the Defense Department that talks about like the tactical force and how far out that operational connectivity is going to go and push in the limits of operational connectivity, because of the commercial partners and what they bring into the table, and what the defense department do you have 5G and just everything that's out there globally, I think DDIL has become less of my saying is less of a requirement. I think it's become less of a concern. And you've closed the gap as, just like Cloud used to be less of a concern you used to have, like bespoke requirements of isolated you know, IL5 had to be this isolated thing, and IL4 had to be an isolated thing. I think it's, it's evolved. 
But with that, I think that you've also got different aspects about how, how you can get after it, you know, holistically, even, like, with what we're doing, you know, with, I mean, like, I'll leave that for you, for your time on that, but like, you can start to solve tactical in a lot of different ways. That doesn't have to have, like, you know, a completely disconnected workforce. You can really start to just solve a solution set and not have to be worried about being completely disconnected, because I have everything that's on the table now. But I used to joke with, you know, my team. I was like, you know, really now the only people you have to be worried about are the tin hats, the tin hat folks, you know, the doomsdayers in the department? Yeah, you know the ones that are just like, hey, what happens when?

 

Tom Tittermary

What happens when for nuclear weapons? How am I supposed to get my email if you're

 

Ryan McArthur

worried about if you're worried about it, then, guys, we got bigger problems, you know? But no, there's, there are some certain requirements in the department where you have to have like, COOP and but, yeah, those are not cloud requirements. Those are on prem. Those are, those are certain requirements that are, you're not, you're not BCP, you're not having a, you're not having a, you know, a Microsoft Office Productivity Suite. You know, you're not having that. You're not having a on, you know, cloud solution set. You're having a basic, you know, on prem capability, and that's it. It's never coming back online. And if that happens, don't worry about it. You got bigger problems. But we used to have the tin hat conversation. I used to laugh. Well,

 

Rich Johnson

I would say, Ryan, that it's a balancing act. So I just came back from the army technical exchange meeting in Savannah, Georgia last week. And, you know, just like all the previous TEMs that I've attended, you know, they get up and when it comes to Zero Trust, they're like, please, please, please to the vendor community, don't forget about tactical, because you don't make it an afterthought, because it can be a more challenging thing to accomplish than enterprise. Enterprise is scale, right? That's that's the massive thing. But at this stage, we all understand the size and depth of the DOD, but tactical can be a very unique challenge, and sometimes it's not because they can't get to the cloud. It's because of the mission, you know, they don't want to get to they don't want to have any electronic signature that's out there that someone can see, and so they will have to go in silent, running and dark for a period of time, and need to be able to operate. And so it's a balancing act, because what do you have? Do you have the kit where the, you know, they open the laptop and the password is literally, you know, someone's written on a piece of tape on the device. So, you know, to make it easy, because when you got young men and women that are out there in the field with bullets flying overhead, the last thing you want them to do is to be, you know, impaired from doing their job and completing the mission because of network security. So this mantra of do no harm when it comes to Zero Trust. You know, Zero Trust should be something that enhances and provides enabling capabilities for them in the field, not something that ties their hands together and makes their life even harder than it was, because we all know that in that environment, if they have to work around it. They're just gonna turn it off. They're going to they will find a way, just like water, they will find a way to to circumvent that, to be able to complete their mission. 
And so that's, that's the kind of thing I think, as a vendor space, we have to really embrace and make sure that when we think about Zero Trust, we keep in mind that element of it, and that we don't, you know, make it something that's so rigid, you know, and hard that that it breaks the operational model. It needs to conform to the environment. Going back again, it's a principle. It's not a product. So it should conform and meet the needs of the particular individuals in that particular mission

 

Tom Tittermary

set, yeah. And it goes back to, I mean, the other thing is, spend some time down Rich with you down at Fort Liberty. And like, two of the big overarching things that people gave us to consider were, hey, whatever the solution is, I want it to be Nokia brick phone resilient, like it just has to work. It has to every single individual time it has to work. And by the way, I would like it to be as simple as humanly possible, because it might be somebody who's not an IT expert that needs to get this individual thing to work right. So when we were building out our thing, I think that we took that to heart. We, we kind of kind of laid that out there, right? The other super interesting cross pollinating thing that we get to kind of function in here is in the tactical space. You got mission partners, right? So how do I Zero Trust and integrate and basically coordinate and collaborate with mission partners from different countries, right? So that is, that's a big topic of conversation. Like we were out in to pay com when we, you know, spend some time over in Germany, we end up having that conversation quite a bit. But just to offer that up, and out there, there's a lot of different ways that people talk about skinning that cat, put them in our identity system, integrate identity systems like, it's, it just gets fascinating and interesting. But

 

Ryan McArthur

I'll offer it up from a from honestly, from a technology perspective, I think it's, it's completely solvable, easy. I honestly, from a technology perspective, it's a totally solvable solution, not, not hard.

 

Tom Tittermary

Well, cool guys, that's been Zero Trust given we're just going to wrap it up

 

Ryan McArthur

and get, truthfully, technology wise, it's, it's not a problem of, of, hey, I can, I can't do that. It really comes back to policies across a couple couple sides. There's the policies of us, and then there's the policies of foreign, foreign governments. So you have sovereignty requirements of their data. You have sovereignty requirements of our data. And then there's the thou shalt not share of certain things. We have sharing agreements of certain requirements. But what's blurred the lines between countries is cloud. Cloud was, if you look at governmental policies, and I we said this earlier, generally years for things to get updated in that in that level. It generally takes years for stuff like that. And I don't think cloud has caught I don't think the regulations and policies and laws within countries have actually caught up to where cloud is pushing the boundaries. And if you also look in in in the mission partner space, most of mission partner is not on the unclass space. It's in the classified space. So now you're now you're crossing the boundary of mostly sensitive information between countries. And those are sensitive enclaves in which we control, or they control, so the information sharing that happens between those two groups has to be tightly maintained. So it's not like, Hey, I'm gonna allow. You to sit in this space and you're going to have access? Does that happen? Yeah, sure. But it's very tightly maintained, so it's not an open, open share. We can't treat like the commercial, the commercial environment. Could we do that? Yeah, sure. If, if we evolved our policy, laws, regulations worldwide, yeah, sure, we could. I think that if you look at what NATO is going to is going to get after they're going to create a classified enclave for themselves. NATO has got tons of of countries that are part of of that, but that solves one problem set. But then you have, where is us? Data, where is, you know, where's the five? 
Each of the Five Eyes data is, where are the other countries? Data is that are holistic to those nations, and then how does that feed into or NATO ways, or how does that feed into each of those host nations and how they share with each other? So I think the problem, honestly, the problem the the challenge that we get to work through from a country perspective, is one getting through those policies from a showing how technology can secure those clouds without breaking the rules, laws and regulations of those countries and making them feel comfortable with with the security boundaries and laws that they have. That's the challenge that we have to we have to do holistically. And that's not just, you know, little less. That's also the hyperscalers are going after that. You know, the, I would say the four big hyperscalers are have that problem set, because, you know, deploying, you know, data centers worldwide, all the time, everywhere, is, is a hard thing to do. And then, you know, having them all be bespoke is, is hard. That's a that's a heavy cost. It's a heavy burden. It's heavy to manage. But I think that there's definitely a path from a technical perspective, and there's also policy changes that can be done. But I think the way that that gets shown is the partnership between organizations and showing how the technical can bridge the gap from a security perspective, to show how it can be done. I mean, we've shown some things, even with our, with our not just us, us with ServiceNow with an IDP, obviously we have baked into that solution set, is that your service, that was that ServiceNow an IDP solution, same solution, same solution. So we that was an unclassified space, but that can be done in a classified space, that can be done in a higher classification space. Like that can all be done. We just need to show how it would, show the security boundaries would be, still be maintained to again, a willing participant that's willing to

 

Tom Tittermary

go through that. Yeah, I know the demo you're talking about. Again, you're gonna hear this name a lot, Conrad, my arena was super smart, his garage. Also, if you're out there, I'm, God, this is the first podcast that we're doing, so I'm assuming that we're going to have some way for you to get to, you know, the speakers on the call. But if that's like some some demo that you're interested in and checking out, we could easily provide that rich you were I saw you. You were getting ready to say something.

 

Rich Johnson

I just wanted to kind of add on to what Ryan was saying there, in terms of that challenge of dealing with mission partners and working with them and interoperating because Zero Trust. Unlike a networking protocol like BGP or RIP or Session Initiation Protocol like SIP, where I've got clear definitions as to how these things communicate with each other, I can take two routers from different vendors, plug them together and they can speak BGP. They're going to pass routes. Life is great when you look at the space right now for Zero Trust. If I were to take 10 agencies and have them implement a Zero Trust architecture, I would have 10 disparate different architectures and solutions that would that would emerge. Then the question comes up, how do they talk together? How does your Zero Trust solution talk to my Zero Trust solution? And that's that's a challenge that we have to address. ATAR did a one of their their demos last year in 2023 and they actually threw that out as a as one of the gauntlets, one of the things to to overcome, which I thought was a really forward-leaning, visionary thing, to to ask vendors and solution providers to actually address, because that is going to be a challenge. So we're going to have to figure out how we're going to deal with that, and it's one of the things I feel like that's slowing people down. So we've talked a lot about the DoD today, but the CISA put out a document I think was extremely important and to to bring up, which was the Zero Trust maturity model, because they kind of, you know, gave guidance to agencies on, okay, where do you start? Because that's, you know, that breaking that inertia and figure out, where do you start first. You know, what do you have to do that can be, you know, it can be mobilizing in many ways, and you don't want to pick the wrong solution, because if you do, then you maybe you can't communicate with anybody else. I can see the mill comes even in the US DoD all picking separate, different solutions. 
So making these things all talk together is going to be critical. And when it comes to where do you start first, I get this question all the time. I always say, at all seven pillars. You know, you really can't start at just identity. You can't just start at device. I will say that, you know. They're all going to mature at their own different level, I think, like device. You know, most federal agencies have been dealing with device probably the longest they've got. EDR, XDR solutions, things there, HBSS solutions that are already done, strengthening that piece of it. Identity is coming along. Is probably this next big one. But then you look at the hard ones, like data. No one's even, you know, got their arms wrapped around about what these tags should be, and how do I enforce them, and how do I apply them, and all and the governance of all that data, that's that's a really tough one. And you brought up earlier, you know, this whole idea you guys were already talking about. Well, what about this big policy engine? We all, we always see it, and it's always depicted as this monolithic policy engine inside of everyone's thing. But right now, every vendor is coming to this with their own little policy engine. This is my policy engine. It controls my my solution. And there's their policy engine over there. We need a, you know, the One Ring to rule them all, type of analogy here, one one policy guidance. So orchestrating layer that's going to, you know, impact and impart knowledge and and policy changes to all these different solutions and figuring that off. Those are the big challenges. And honestly, no one's got, no one's got a handle on all that stuff just yet, but it's, I think we can't let some of these things immobilize us. We have to break inertia. We have to get started. We got to work on the things that we can work on now we got to start figuring out if your agency hasn't come up with an enterprise level data, you know, model yet. 
Well, go build your own for now, at least you'll you'll get some exposure, you'll understand what needs to be there. But that's that one that is going to take. It's unfortunately, gonna take a while, I think, before that emerges across various agencies. But anyway, to me, that's when you when you brought up mission partners. It just, you know, amplifies that problem and that challenge. If

 

Ryan McArthur

you look at the well, someone tell them one, and then Mr. The one on the end point. I end point across that every service. I mean, everybody's had end point for years. Just more about just evolving, and Rich is 100% right? There's a lot of things within the Zero Trust that Zero Trust architectures, and whether it be in the CISA side or on the defense side, everybody's moving along in different different layers. On the identity side, I think, yes, everybody has been moving towards an identity. I think the problem that gets missed on the identity side is we've all gone after identity because you have PIV, you have CAC, you have. But the problem that gets missed is the attributes tying attributes to identity. That is usually what trips everybody up, because you can have identity all day, but if you don't have attributes associated with those identities, then doesn't matter, because then I can't associate you to anything you need to have access to. So that's that's been I would say what defense has been going after. I think that that's what every federal civilian agency has been going agency has been going after. And I think it's even and one of the things we haven't talked about is, like, where the FSI community comes into all of us. Because we talked about, hey, how we're, how us as OEMs are working with all of these organizations. But really, the FSI is really the kind of the glue in between all of it, and then in the mission partner space, one of the other things that, and it's this isn't mission partners are, are have been, have been growing into this space. But there's also the US has been kind of chugging along on on Cloud for a little bit. And I would say both in the on class, unclass has been moving along in mission partner for a little bit, and then classified is just kind of starting in the mission partner space, so it's us has been going for a little bit, but in the defense space, I would say mission partner is just kind of kicking off for most part. 
So Zero Trust overarching. I would say there's a catch up period. So there's going to be a time where I would say there's an intersection between US defense and name the country in every country is in a different in different point. And as we said with what Rich was mentioning each pillar, every one of them are at a different point on each one. But I would say there's going to be a press point where we're all kind of get to a certain point on the Zero Trust maturity model that we will all be able to like intersect on back to what I said, where we can meet on a technical solution for mission partner.

 

Tom Tittermary

And, yeah, that So to go back, agree with everything you said, right? But to go back to the data piece, like, if I think of, you know, mandates to to accomplish Zero Trust by 2027, data is the one that scares me, oh yes, in a lot of cases. And it's funny, it's, I'm still, I still have my laptop open. I'm still looking at the OV-1 from the DISA Zero Trust reference architecture under Data, Data authorization point. It's like, yeah, who gets what and when, and data loss prevention, but data capabilities, data tagging, like, I'm fully aware that there is, here's, here's the the paradox I want to just offer up to the table, right? Data is getting produced at a faster rate than humans can tag it. Okay? So great. So AI/ML, we hear that hand waving in a lot of cases, and I've actually seen some solutions that have a good scenario around that, right? But what about the classified space like, are we comfortable taking AI/ML, feeding huge amounts of data through it, and then saying, but will you tag it like? And by the way, it's not like, there's not a zettabyte backlog relative to the whole tagging issue and a granularity issue after we get around to what's the methodology and the taxonomy, you know, the binomial nomenclature that we're going to do around this individual tagging piece, right? That's the piece, because until you've done the tagging, I can't associate the risk to the data until I have to tag, but the tagging piece is the one that that kind of worries me the most. You know what? I mean,

 

Ryan McArthur

you could have a whole conversation on AI/ML, on how, like, for even talk about cloud authorization. Look at cloud authorization, how AI/ML is gonna have to try to move up the stack on that, yeah, like, if you're trying to just an AI, an AI solution going up through cloud authorization, how that gets assessed on its own. Like, the assessment model from a DOD perspective, or from a Fed, FedRAMP perspective. Like, I don't know that that has been fully, fully like, how do we do that? Like, I know that that's been going, they're going through each one of those. They're assessing how that's going to go through. But I'm not aware of a full AI solution that's been a ticket back. I think there's some, a couple. There's a couple that have been working their way up, up the stack. But it's not a full, mature model that you're having tons of solutions that are just going into IL5, and the cost that's associated with putting an AI model into an impact level five, or an impact level four, or a FedRAMP High, because of the just the pure GPU that's required to put it there. So then you talk about the classified space, which is a completely air-gapped cloud that now you have to put all that in behind it. So I would say those, there's that piece. And then I would say that the better nuance spaces is where you have cloud service providers that are baking AI and ML into their cloud solution sets and then having those assessed as authorizations. Those are ones that I think have a better chance of getting through the authorization space in a more streamlined fashion, because it's just, it's sprinkled in as a capability. So if you look at some of the things that even we're doing, it's a sprinkled-in function versus it's the front end. It's just it. It's not a ChatGPT, it's not an OpenAI, it's not, it's not by itself. It's a sprinkled-in functionality that works with it. And it's assessed as a system. Versus, it's all by itself. You know, the authorization space.
You know, it's cumbersome for, you know, if you look at DISA, like, they're doing 125 cloud service providers at any given time, and everybody's running through one shot. You know, you look at FedRAMP, FedRAMP's just now getting through, they got rid of the JAB recently, and now you've now, they're moving to a whole new contract. And I think we're still trying to figure out what that's going to look like, but how AI and ML and everything is going to go through, from how it supports Zero Trust, how it supports all the companies that are trying to lean in on how we get after data tagging, how we get after identity, how we get after dealing with endpoints, how it makes endpoint detection better, how it gets after policies better. Holy crap. Let's talk about a

 

Tom Tittermary

challenge with the data authorization. I have this cute, coy thing that I say about it, where it's like the words white and house are either wildly relevant to federal or not relevant at all, depending upon which word you put the spoken emphasis on, right? The White House, that's relevant, right? A white house, that's just some house in your neighborhood, right? So I take those both, and I put them in blank text and I stick them in, you know, is that about? It's worth of documents? And I say, hey, AI, tell me what's critical and what's not. It just, it gets to be a really interesting conversation in some cases, yeah,

 

Rich Johnson

yeah. This topic came up at the Army table last week, was in terms of, where do we tag that data, even, do you tag it way out at the edge, where at the sensors that are collecting the information the first part, or do you send this stuff across a network completely in the open, untagged at all, and then try to analyze it and figure out what it is on the back side, going back to your White House example. So obviously, you have a lot more context and meaning at the edge where the sensor was collecting it, but now I have to have a lot more intelligence at the edge and compute to be able to start to then process and tag all this data before it even leaves and goes upstream to all these massive repositories, which

 

Ryan McArthur

makes the device bigger, makes Yeah, yep, yep, makes it rough challenges, which then goes back after your tactical problem,

 

Rich Johnson

yep, no, it's, and we haven't talked about OT, IoT, all those kind of other fun areas for Zero Trust. So that's a whole other topic for another day. But yeah, so how are we doing time wise? Tom, I think

 

Tom Tittermary

we've, I think we've hit the boundary of what people would be willing to listen to in one session, and we'll take feedback. I'm sure there's a place that folks that are listening could be able to give feedback, but I think it's a really good point. I think it's a perfect place for us to wrap up today. So I want to thank Tom G, Tom Gianelos. I want to thank Rich Johnson. I want to thank Ryan McArthur. Again, this is Zero Trust given. And hopefully this reaches you sometime in the near future. If you have any comments, you have topics you'd like us to touch on, we'd love to hear any kind of feedback you have. I think the structure that we're shooting for going forward is you're going to get an episode that's just Conrad, because I know you're going to demand it, and I'm just going to put that on everybody. And that's going to happen. There's going to be other individual folks we're going to bring in, potentially somebody from DOD, potentially somebody from the integrator community. But really what I'd like to do is I'd like to bring in the other people that we're working with to fill out the village Zero Trust. So you know, host-based vendors, identity vendors, data authorization vendors, log vendors, and I want to have that conversation with them on, since we're on the PEP side, how can I leverage them, either from the PDP or the log side, to get people further down the road. But again, I want to thank all the guests today. My name is Tom Tittermary. This has been Zero Trust given, and we'll catch you next time.