Why in digital transformation you shouldn’t overlook the network, and zero trust

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Nearly every federal agency is talking about digital transformation, using the latest technologies to improve how they operate and what they deliver to constituents. An important part of modernizing puzzle is the network that delivers all the data. It’s got to be up-to-date and secure. For some insight, Bitglass Senior Solutions Engineer Ed Lopez, and former Transportation Department CIO Ryan Cote joined the Federal Drive with Tom Temin.

Tom Temin: Nearly every federal agency is talking about digital transformation using the latest technologies to improve how they operate and what they deliver to constituents. An important part of the modernizing puzzle though, is the network that delivers all of that data. It’s got to be up to date and secure. For some insight, we turn to Bitglass Senior Solutions Engineer Ed Lopez. Mr. Lopez, good to have you on.

Ed Lopez: Hey, Tom, great to be here. Thank you.

Tom Temin: And with former Transportation Department CIO Ryan Cote. Mr. Cote, good to have you back.

Ryan Cote: Thank you, Tom. Great to be here.

Tom Temin: All right, let’s start with a term you have put out, which is security architecture. Often you don’t hear security and architecture put together like you do with enterprise or network and systems architecture. So maybe let’s define the terms here a little bit. Ed?

Ed Lopez: The idea with regard to security architecture is its ability to be able to prevent, to detect, to mitigate and to recover from security events. Trying to provide within our architecture the tools that are necessary to accomplish these four major aspects of security.

Tom Temin: Ryan, let me ask you with respect to a large federal department, which is really many, many components, and often headquarters is the least of them, you really are dealing with multiple networks. And is there a way to kind of harmonize all that or rope all the cattle together so that they go in the same direction?

Ryan Cote: Yeah, that’s the goal. Ultimately, of course, while security architecture has many definitions. And ultimately, it comes down to it being a set of security principles, and methods and models designed to align your objectives, keep your organization safe as possible from all cyber threats. And then, as Ed said, a way to recover from them should they occur. So yeah, the ultimate goal is alignment across the organization standards. We’ll get into that, I think, a little bit with different cybersecurity frameworks and tools. But ultimately, you want best practices across the organization. And the most robust security architectural framework, you can have an ability to be nimble and responsive to all threats, because they’re constantly evolving.

Tom Temin: So you really have to take an incremental approach, maybe, to modernization. Is that the way you would put it?

Ed Lopez: There is a need for an incremental approach. But there’s also a need for, as you mentioned, vehicles like the White House executive order in May, which indicates basically an imperative that we need to move towards these things. I know you’re going to have later questions about the executive order. But the thing is, this was a stimulating action. This was a call to arms that basically said, Look, we need to move towards a zero trust environment, towards software sourcing, towards the ability to support encryption and multifactor authentication. These are all things that were put into the EO. Fortunately, I’ve had a lot of opportunity to work with Department of Transportation over this past year when Ryan was CTO. And one thing I will absolutely say is that Ryan and his team were way ahead of the curve on this. They understood the issues with regard to cloud migration, they understood the issues of being able to put operational efficiency into their security posture. And that was, quite honestly, a great thing to work with, particularly with DoT.

Tom Temin: Ed Lopez is senior solutions engineer at Bitglass. And we’re also talking to that former CIO of transportation, Ryan Cote. And so given the executive order then, Mr. Cote, what if you were still in the government? What would you do first to get good with it? Because it does mention zero trust specifically. It might be the first executive order to use that language.

Ryan Cote: So as Ed said, we were a little bit ahead of the curve on this. And I’d like to say I saw it coming. But of course, we didn’t see the executive order coming. We just knew zero trust was where we wanted to be. And a solution like that was where the future is taking us. And so we were lucky enough, or fortunate enough to have taken steps to get there. If I were still there, the most obvious requirements are just complying with the executive order itself and getting back to [the Office of Management and Budget] with the plans that they required, the assessment and the different tiers, the logging tiers below zero through three and see where we’re at. It’s hard sometimes to just feel like you’re being driven by checking boxes, but in this case, it’s helpful. It’s good that the executive order had some teeth, it had some deadlines, it had some dates you had to meet. And although it’s it’s hard in government, because there’s never a shortage of work. It’s hard to keep piling on more work, and more requirements, but it’s good that there were deadlines in there and again, I think all the agencies and departments, CIOs are striving, working as hard as they can to meet those deadlines. And ultimately, that just leads to better type of practices throughout the government that are cyber hygiene. Again, if I were not at Transportation, for instance, if I hadn’t already implemented the technology for zero trust, that would be my first move. As any federal CIO in any department or agency, I would just go get a solution, put it in place and just go. There’s just no point in waiting. Even if you get it a little bit wrong at first, and you have to spend some time turning knobs and tweaking it to perfection, you just have to get started. And so that’s where I would focus now is just plant your flag. And go.

Tom Temin: We can tell you’re up to date, because you said turning knobs instead of moving alligator clips around on a breadboard. So I guess that puts us almost into this century. But maybe if you would just discuss the importance of this as not so much zero trust in its own right. But as an enabler of digital transformation, modernization, and all of those good things.

Ed Lopez: It’s funny, I have an interesting view on this because I’ve been in cybersecurity for over 25 years. Before it was zero trust, we used to call it least privilege. It was something that has been around for some time. And my point of view is that over these past couple of decades, as we become more and more networked, we have been trying to do these types of things, but we’ve been dealing with it, I would say with operational inefficiency. What I mean by that is we dealt with our bricks and mortar, then we have to deal with remote users. Well, okay, I got to set up a VPN thing over there. Oh, I have to start looking at certain internal apps, that’s yet another console I have to look at. oh, my cloud apps. Now that’s yet another console I have to look at, and you’re trying to choreograph all of these elements together, and it becomes very, very difficult. What zero trust is really about is the ability to orchestrate this, the ability to have a point of reference, a single pane of glass management if you would, the ability to be able to coordinate on the same page. For example, we’ve been dealing over the past year plus with COVID-19. Well, COVID-19 to employees, federal or not, was akin to a prison break. I mean, people fled out of the cubicles and out of their sights. And suddenly that VPN that was supposed to be handling 5% of my people is now trying to handle 100%. And I’m now trying to figure out how do I adjust to where this is. We have to ultimately recognize that zero trust is about our ability to broker communication from users, from devices wherever they may be, to the cloud apps, to the private apps, to the internet, those elements that we need to get to, and it can’t be site specific the way it was anymore. This idea of perimeter is definitely not disappearing, per se. You still have to have firewalls into buildings. But the thing is, how people communicate, how they use these networks and data has changed. And the adoption of zero trust, I found it very positive that the executive order particularly outlined a zero trust requirement.

Tom Temin: And Ryan, can all this be done in less than six months?

Ryan Cote: My answer? Absolutely, I think it can be done in a matter of weeks. In fact, of course, assuming once you get past acquisition, which in government, as everyone knows, is 90% of the battle. Once you find your solution and get through the acquisition process, but actually get the tool and the engineers in house, we at Transportation were able to actually deploy this in less than 30 days from the day that engineers walked in the door to the day we turned it on, and began defining the protect surface and mapping transaction flows and architecting the network, creating policies. We were there in less than 30 days. So it absolutely can be done when there’s a will.

Related Stories


Sign up for breaking news alerts