Dr. Z, Former CIO of DHS, Navy and DoD talks Zero Trust
Dr. Z, Former CIO of DHS, Navy and DoD talks Zero Trust
Episode Table of Contents
- [02:48] What is Zero Trust?
- [06:33] How the Pandemic Changed Things for the Government
- [11:13] The Best Demos Always Include Technical Discussions
- [15:10] A Very Different Environment Outside Zero Trust
- [23:30] Continuous Diagnostics Mitigation
About Our Guest - Introducing Dr. Z
Carolyn: I'm super excited to have with us today, Dr. John Zangardi, president of Red Horse Corporation, former CIO of Department of Homeland security, US Navy and DOD. We got the man here today, Eric.
Eric: We do. We do. What are we going to talk about?
Carolyn: Well, good morning, Dr. Zangardi.
John: Good morning, Carolyn. And I'm sorry you're up so early. Are you getting enough coffee to keep you happy?
Carolyn: Don't I look a little amped right now?
Carolyn: I just want to know, before we reveal the topic, I was thinking about this interview last night, and I was like, "I wonder what Dr. Zangardi's nickname is." Then I was like, "You know what? It's going to be a superhero nickname, and it's going to be Dr. Z." Can I just call you that?
John: You can call me whatever you want. That's fine. My call sign used to be Z Man and it was abbreviated over time to Dr. Z.
Eric: Where does that come from? I want to tease that one out. Where does that one come from?
John: Okay. It's really simple. When you fly planes, you get a call sign. I was a Navy flight officer way back when, and pretty much anyone who has a last name that starts with Z ends up with a call sign called Z Man.
What is Zero Trust?
Eric: And what did you fly?
Carolyn: See, you're a superhero. I knew it, Eric. And not only that, but we are here to talk about zero trust, so how perfect is that? Dr. Z is going to talk about zero trust. I'm telling you, Chase Cunningham's got nothing on you, because you got the name.
Carolyn: Let's hit it. I want to just jump right in. I mean, you've been CIO. We listed them. I'm not going to list them again. But as a CIO, how do you think about zero trust and what are the benefits of zero trust?
John: Yeah, zero trust is an interesting concept. When you think about trust, what is trust? And if you think about it in economic terms, which we were talking about before this started, you can quantify trust as [inaudible 00:03:02], so twist it a little bit. Zero trust is more than a line of defense or a perimeter. The old moat around a castle doesn't work. I mean, there's holes in it. The Maginot Line didn't work for the French way back when.
John: Really, the case is always verify, never trust. Don't automatically trust anything inside or outside the perimeter. Verify everything before allowing it to connect.
John: The basis, in my view, of zero trust is identity. We know from a history of breaches and all that is that one compromised credential could potentially impact millions and cost a lot of money. Trust, verification, continuous evaluation, or authentication are just bedrock principles.
The Benefits of Zero Trust
John: When you think about the benefits, to me, zero trust, when you look at it as business and security, though, I think business and security benefits are hand in hand. It gives you greater network and enterprise visibility, data protection, support for cloud migration, which is key.
You protect your enterprise data. If you're a business, you protect your customer data. If you're government, you protect the citizens' data better. That means less disruption operations. Think about reputation. The OPM breach is still out there. People refer to it. One breach can lead to real harm to your reputation corporately. But it also protects intellectual property, classified information and the associated financial costs that go with that.
John: The other benefits are visibility into who's accessing the network. What devices? What are the activities of the users? Think insider threat. And I also think it will reduce the time to breach detection, which means you're talking about predictive and behavioral analytics. And I think that leads to a better implementation or application of security policies for forcing compliance and ultimately what every CIO dreams of is reduction in risk.
Eric: Not a passing fad.
Zero Trust: Not a Passing Fad
John: I don't think it's a passing fad. It's going to take a long time for a lot of government organizations to get there. I mean, if you think of the problems government has to move in this direction, they're tied to things like medical debt, dealing with legacy. Those things have to be resolved. Until government gets to a point where those old or legacy [inaudible 00:05:34] move out of the business model for them, it's going to take time to get there.
John: [inaudible 00:05:39] 15 years when we were talking about cloud and the movement of the cloud and everyone wanted to go really [inaudible 00:05:44], there were things that we had to resolve. FedRAMP didn't exist. Impact levels on the DOD side didn't exist. What did it mean for different levels of classified or unclassified information on how it could be stored? What are the right mitigations? All those kinds of things have to be thought through. And anytime you make a change, it just takes time, if you know what I mean.
Carolyn: I was just going to say, you said not a passing fad. I've been hearing about zero trust for 10 plus years.
Eric: I think the term was coined in about 2010. Z Man, how has the pandemic changed things, right? We've had COVID, we've got a rapid move to the cloud, but how has the pandemic changed things for the government as it relates to zero trust in your opinion?
How the Pandemic Changed Things for the Government
John: I think [inaudible 00:06:35] inflection point for the government to begin getting more serious about it. If you really think about what COVID did is it accelerated the move from working in an office every day, right, where you could define your perimeter more simply, to a much more disaggregated or distributed network, right? People are at Starbucks, they're at home. They could be at their aunt's house working for all we know, so you have this very distributed thing. The context of behavior, date and time and geolocation and devices has changed. I think COVID represents a tremendous inflection point.
John: If you never trust and you always verify as the bedrock of zero trust, you're rejecting the notion of insiders and outsiders.
John: Which I think if you look at someone working from home or Starbucks, it's increased the size of the network. Who is inside and outside? Because you have this huge network. And think about internet of things. This is coming downstream, which is going to be powered by 5G. You've got more devices connecting to the network, creating more endpoints and more vulnerabilities. I believe remote work, increased IoT is going to drive us more to zero trust. I think it's inevitable, but I think it will take time as people began to think it through.
Carolyn: Is it possible? I mean, with all the different endpoints and different people using company devices sometimes?
Change Is Best Delivered Incrementally
John: I'm going to cover two different points. Let's first talk about culture. Government is notoriously resistant to new ideas. I'm not implying that they don't want new ideas. But there's a lot of processes and policies, law that can slow things down. But there's other reasons. If you move off on the transformational idea, there's loss of control, there's uncertainty or risk, a large network. For example, DOD has about 4.5 million users. Think of the complexity of that network. It's globally dispersed. It goes to disadvantaged users all over the world. There's an uncertainty or risk there as you begin looking at that and beginning to understand what it is.
John: But I've always believed that change is best delivered incrementally. Now, there are folks out there who will disagree with incremental change. But having worked a lot of big programs in the Department of Defense, the big bang theory of rolling something out usually fails. And people resist those kinds of changes. I think the movement to zero trust needs to be conducted in a way that counteracts some of the natural tendencies of government and people in terms of a loss of control or under-certainty or risk.
John: But there's another piece to it, and I kind of hinted to it in the other question. There isn't a box out there. If you want to buy Microsoft Office or something that you can go, "I want my box of zero trust," and everything you need is in that box that you can just drop on your network and bingo, life is good. I'm simplifying to a large extent, but it won't be that simple to deploy.
The Cultural and Technical Side of Delivering Successful Implementations
John: While I was in DOD, there wasn't really huge discussions about it. There were some initial thoughts with it. When I moved to DHS in around 2018, I started briefing the leadership of the Department of Homeland Security on what zero trust was and how we wanted to go about beginning the transition.
John: In about 2018, I briefed the Deputy's Management Advisory Group on zero trust, what it means and how we were going to move out on it. And I assigned my chief technical officer to begin developing a plan that would incrementally look at bringing it into areas that were first simple to deploy it, right? Because you want to build a confidence that you can deploy it and it shows benefit in terms of protecting your data and the user experience. There's kind of like two pieces here. There's the cultural piece, but there's also a technical piece where you have to think through your network and plan and make sure that you drive and deliver successful implementations.
Eric: With that being said, how did you as a CIO look at partnering with industry, right? We're not building a zero trust box from scratch, as you say. The government isn't building it. What got your attention? How did you interface with vendors? Bringing this capability, this concept online incrementally, how did you approach that?
The Best Demos Always Include Technical Discussions
John: Okay. I'm not going to mention any vendor names here.
Eric: No, please don't.
John: Because there's a lot of great vendors out there. But I want to start with something basic that almost has nothing to do with zero trust. When you go in to talk to a government member, you need to do a little research. What are their concern items? Oh, they're calling me in here to talk about zero trust. Well, you don't want to go in with a 30 page PowerPoint slide deck that numbs them into disbelief. I think going in to talk to the customer involves a little more subtlety and involves a shorter PowerPoint brief that's a little bit more focused on technical that maybe brings a demo, that shows something a little bit more concrete.
John: Let me put a little meat on this. Whether I was in the Department of Navy, DOD or over at DHS, I would do trips with my CIOs to visit companies in Silicon Valley. Whether it was on cybersecurity or whether it was on artificial intelligence or whether it was on anything, the best briefs were always inclusive of a technical discussion rather than the business development side.
John: In fact, when I would talk to my CIOs and go, "What would you like?", they would tell me what technologies they would like, but they would say, "Hey, please make sure that it isn't a business development push, that they come in and they talk through what it is they're delivering."
A Forthright, Technical Discussion
John: And what's important in that is you don't want to polish it so much that it appears just, "Gosh, there's no problems." It's important to talk about the challenges and bring forward, "Hey, here are the honest things that you will encounter as you do this." I think that's an important consideration when industry comes in and talks to the government. It's a forthright, technical discussion, not powered by PowerPoint.
Eric: And what about past reference success stories or reference cases where, "We just did this for ..." Pick a large Fortune 50 company. "We just did this. This is what we ran into. These are the benefits we brought to them"?
John: That's absolutely a fantastic thing. Assuming that what you did there is representative in many ways of a government deployment, it would be great. Because that's one of the questions we typically ask. Well, the first question we always ask is, "Are you FedRAMP certified?" If you're not, that's a problem. But number two, if you could tell us where you've deployed it, how it was deployed and what was some of the goods and bads of that customer experiences as it was being deployed, it could be a winning story.
Carolyn: And you say that you would talk to Silicon Valley CIOs. Did you have regular meetings with them multiple times a year?
The DOD and DHS' Current Focus
John: When we went out to Silicon Valley, we talked to industry and we were focused on particular technology. It might've been the CTO. It might've been the CIO. In some cases, it was either. But what was important there was to gather from them what the technology was, the benefits of it and their honest assessment of what they were doing. That was really key. The technical side of it really appealed. I've been in meetings where a lot of the CIOs will literally walk out of the room because it was all sales.
Carolyn: Where's the DOD and DHS focused now?
John: I've been out of DOD for quite some time and I'm not completely sure where they are, but I'm assuming they're moving out. In DHS, I know that Brian Teeple, who was my chief technical officer over there was leading the charge to develop incremental implementations of zero trust. And we were initially looking at how we can ensure that documents, whether it was a Word document or a PowerPoint document or Excel, could be protected and we could limit access to it. We could control access to documents.
John: One of the things that people worry about in government is, "Hey, if we're working on a budget that's pre-decisional. We want to have the ability to make sure that it doesn't get leaked and create stories that aren't real." And when I worked in the Navy, we used to put the budget effort, the slide deck that supported it on the SIPRNet so we could cut that out.
A Very Different Environment Outside Zero Trust
John: If you move to a zero trust environment and you limit people's ability to access those files, you create a very different environment in terms of the user experience. There are more unclassified terminals than there are, for example, SIPRNet terminals. In the Navy, there is approximately 600,000 unclassed terminals on at MCI. I may have the number off a little bit. I think it's about 35,000 on SIPRNet, so you get a sense of how much easier it would be to work in an unclassified environment if you can control how those documents are distributed, and controlled. This gets right back to insider threat, which zero trust helps you with, right? Who accessed what? When did they access it? What did they do with it? Right?
Eric: Okay, outstanding. You talk a lot about the data side of the house, protecting the data. How does user behavior risk tie into the adaptive trust architecture in your opinion?
John: Well, I think they're hand in hand. One of the things that we need to achieve as we move forward is continuous authentication and understanding where all the users are accessing devices or where they're accessing data. In other words, we know who's accessed the data and we can trace it back.
John: So if there's a breach, we have a better place to start. This allows a security officer, a CISO, to be more informed and be able to respond more quickly if there's a breach or a threat. And if you could create a dashboard of where you think there are some risks associated with people accessing things that they typically don't access, you can immediately go and respond to it.
How to Facilitate Situational Awareness
John: Begin investigating it and go, "Oh, okay. Well, this is unusual behavior that we're seeing here related to this data or this application. But was it justified?" You can start asking those questions and maybe get ahead of things. And I think that's really the key.
Eric: And would you expect to see that at the component level, let's say, TSA or ICE, or I mean, I'm assuming you'd want it at the DHS level, ultimately.
John: If you look at DHS and if you understand and network, so you would want in all of the components and at the DHS HQ. So it would be something in my view that will be fully deployed throughout the entire network, HQ and the components.
Eric: So similar to CDM where you have that enterprise dashboard, you can see what's happening in your environment?
John: Yeah. It would be very similar to that. I think it would be really helpful that if the CISOs are looking, each of the CISOs and the components in HQ are looking at the same dashboard, it would really facilitate situational awareness and that response time.
Eric: So then you get into scale issues. How do you, scale? How do you look at federation of data, of information, but ideally, that single common operating picture's what you want?
John: Eric, you're getting back to some of the difficulties associated with rolling out zero trust in a government environment.
What We Need to Modernize Organizations
Eric: Yeah, it's big.
John: Redesigning applications, redesigning how the data's stored. I mean, go back to cloud. And I remember some of the initial discussions, "Well, we have to do rationalization." "No, we just don't want to do a lift and shift." I mean, those were things that we had to work our way through in order to be more effective in moving things as part of a cloud migration. I think the same thing's going to have to happen on the zero trust piece. I think it will be an incremental build. You won't be able to do that big bang. Because I know this from DHS, DOD and Navy, there's a lot of legacy out there.
Eric: Yeah. Do you see the modernization act helping with that?
John: I think anytime that money is made available to help organizations modernize, it's a valuable tool. We looked very hard at the TMF when we were at DHS. And one of the concerns I had with TMS is the payback period.
If you take the money, you have to pay it back I think within five years. Well, one of the problems you encounter in government budgeting is where does the money come back? Well, there's an assumption of savings and where do most savings come from in IT? Manpower, right? Personnel costs. Those costs become very difficult to capture. It's not a procurement line, not a sustainment line, or a manpower line. So now you have to make the case for capturing those dollars.
The Risk That's Embedded in TMF
John: This is the same thing that happened during the cloud rollout. There was assumptions on, hey, these are the power savings you'll capture. Because you won't have as many data centers, so therefore you're not using as much power because of HVAC, electrical, all that kind of stuff. And here are the manpower savings. Well, the problem was no one knew what they were.
In fact, many buildings weren't even wired. We had no sense of how much power was being used because there was no metering. The problem with TMF is in the future after you deploy this thing, how do you capture those dollars? If you can't capture them as a savings, they become a bill and a consequence of that bill is a detriment to something else. And that's a risk that's embedded in TMF.
Eric: We spend a lot of time talking to government, current and former government employees, and it's never that there's a lack of desire to modernize or to increase the capabilities of the government. It's always the, how do you do it? How do you recoup costs over here so that you can invest over here? How do you get legacy applications and systems offline, or how do you get new ones online so that you can sunset legacy? The desire is always there.
Dr. Z’s Recommended Approach
John: Oh yeah. I have encountered that consistently. I think people have great intentions. It's in the execution. And like I said at the beginning of this conversation, government's complicated. I mean, as you think through a government budget and all the pieces that go into making it and figuring out what's where, moving the dollars around to capture savings, it is significant to make it work.
John: Now, we've made it work. We have to be careful that you don't create a future bill that, hey, it's good now, but five years from now, it's not so good. I think a better approach would be a revolving working capital fund where you make strategic decisions based upon a working capital fund within each organization and you plow savings back into that. You have to have the buy-in of the CFO. If you don't have to buy-in of the CFO and other leaders who control the dollars, you will never succeed.
Carolyn: You say government is complicated. I'm going to go with the General McChrystal's, "Government is complex." I mean, you broke my head at 600,000 unclassified networks just in the Navy. Is that really what you said?
Eric: Just in the Navy?
John: Users, users.
Carolyn: Users, okay. Still.
John: [crosstalk 00:22:01] devices. That's a lot.
How Government Is Implementing Remote Work
Carolyn: Dr. Z, you've talked about our resistance to change. I kind of want to go back to the COVID topic for a minute because man, we didn't have a chance to even think about change. It just exploded on us. I guess I want to go back to how government is handling the remote work part of it. I know we talked about that we're thinking about it, but give me a little bit of rubber meets the road. What are we doing to implement?
John: Well, I'll give you the example from DHS. Joe Harris, who was my operations guy when I was at DHS and I had a lot of conversations that stemmed from snow events. And if you really think about it, is a snow event all that different from COVID? Well, in one aspect, maybe it's a day or two and COVID is forever, it seems. But really it is about people working remotely.
Maybe they're not at Starbucks. They're probably mostly at home, but a network has to support that. And one of the decisions we made after a snow event, we need to make our network more robust that it can handle the capacity associated with a snow event. And COVID happened after I left DHS. But I believe that because we put in place those procedures to build capacity for a snow day, they were pretty much well-positioned for that.
Continuous Diagnostics Mitigation
John: Now, there's other pieces that go into that, security and all of that. And I think CDM, Continuous Diagnostics Mitigation, is a key part of getting those systems out there. But Paul Beckman, when I was at DHS and Alma Cole worked very intently on putting in place an inspection procedure for all our stocks so we could standardize how they do things. We were looking at a consistent set of tools that could be deployed across the whole enterprise. Those kinds of actions really facilitated a better ability for the DHS network to respond. Now, I'm not saying it was perfect and I'm sure there are people there who would say, "Yeah, you could have done more," and that's always the case with any implementation of IT. You could have done more, but I think those things positioned us well. Thank God for snow, right?
Eric: Well, I think in defense of DHS, it was a long snow day. In fact, it's still snowing, and it was a global snow day. It snowed everywhere.
Carolyn: What I just heard Eric, I mean, my pet word, my personal quest this year is to understand resiliency.
Carolyn: And I just heard you say that you were building resiliency into the system.
Resiliency and Redundancy
John: Resiliency takes a lot of forms. I mean, resiliency and redundancy are very similar. We had an outage once at one of our data centers. It was caused by a local exchange carrier. We thought we had redundancy coming out of it. But it turned out as you started tracing the path back through a local exchange carrier in the south, it went over one wire and that one wire was cut and we lost it. So it didn't matter.
John: The redundancy came out and joined the local exchange carrier and when that was busted, we were in trouble. So we had to build in additional redundancy to make sure that that data center never went down if that indeed happened in the future.
John: To get to resiliency, it really requires a lot of thought. It means understanding the architecture and always looking at the architecture to make sure that you haven't lost things as it ages.
Eric: But I think there's even more. I mean, looking at how do people work remotely with things like lack of daycare. I mean, we experienced a lot here. We've talked about this before on the show. IT would have spent years and millions of dollars studying how to do what they just did when COVID hit. They just got it done.
A Great Prompter of Action
John: Sure. Emergencies is always a great prompter of action.
Eric: It brought the best out in us.
John: Yes, it did. I think Americans traditionally respond very well to crisis, right? We always have, and that's in our history. I think it's in the American blood to lift our heads up and have that stiff upper lip when confronted with adversity.
Carolyn: And to help each other. We helped each other in our personal lives. We helped each other out at work, and yeah, we've shown a lot of resiliency and compassion.
Eric: Yeah, we made it happen.
John: Yeah. But I think it's part of our character. And I remember growing up, my dad was the last of 11. He passed this year. He almost made it to 100.
John: I remember his eldest sister, who was much older than him, talking about the depression. And one of her jobs was going down to the railroad tracks and picking up pieces of coal that fell off the trains. The locomotives to bring home so they could heat the house, right? That was built into her from a kid. But I think that's part of what America is. It's that resiliency. How do you respond to hardship and keep a positive attitude?
How Dr. Z Is Keeping a Positive Attitude
Carolyn: How are you, Dr. Z? How are you keeping a positive attitude right now?
John: I'm eternally an optimist. You know the story. People look at a glass as either half full or half empty. I'm happy. I come to work every day. And I think work is one of the best ensurers of happiness.
If you're not busy, you start thinking about things that you don't need to think about. You start going, "God, I'm so unfortunate." I think it's really critical during COVID that we get our economy back on track and people engaged back in the workforce. Because I think when you're working, you're earning money, you're being productive, you're meeting and talking to people, you become a happier, more optimistic individual.
Eric: Well, you're much more connected to society. There's more than just sitting in your office or your room every day.
John: Mostly I sit in my basement, Eric, and I consider myself fortunate that my wife doesn't move me out to the garage.
Eric: Thank you for the conversation on zero trust. We learned a ton today and so did our listeners. We really appreciate it.
Don't Forget to Subscribe and Leave Us a Review
Go smash that like button, give us a review, and we will talk to you next week.
Thanks for joining us on the To the Point Cybersecurity Podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/govpodcast. And don't forget to subscribe and leave a review on iTunes or the Google Play store.
To The Point Cybersecurity was recently named one of the 30 top Federal IT influencers 2019 & 2020 because of fantastic guests. We are always looking for great thought leaders to interview. Please email me with guests you would like to have on the podcast firstname.lastname@example.org
About Our Guest
Dr. John Zangardi, President Redhorse Corporation; former Chief Information Officer, Department of Homeland Security.
John Zangardi is an internationally recognized IT, cybersecurity, and data analysis leader and executive. John is a regular conference speaker and has had the honor of testifying before US House and Senate committees on topics such as IT modernization, cybersecurity, supply chain management, and space.