Episode 47

Application Management for Federal Government

Andrey Zhuk, Federal Security Architect at CTG joins Tech Transforms to unpack the topic every agency is talking about: cybersecurity mandates. Listen in to learn more about Andrey's recent eBook breaking down who mandates affect, why they are important, and how agencies can successfully meet requirements.

Episode Table of Contents

  • [00:24] Introducing Our Guest, Andrey Zhuk
  • [08:48] The Rate of Change in Cybersecurity Mandates
  • [18:43] Break and Inspect
  • [28:26] Show Progress on Cybersecurity Mandates
  • Episode Links and Resources

Episode Links and Resources

Transcript

Carolyn:

Welcome to Tech Transforms, sponsored by Dynatrace. I'm Carolyn Ford. Each week, Mark Senell and I talk with top influencers to explore how the US government is harnessing the power of technology to solve complex challenges and improve our lives. Hi, I'm Carolyn Ford. Today, I get to welcome back Andrey Zhuk, who was actually our first guest on Tech Transforms. Hey, Andrey. How are you?

Andrey:

Hi. How are you, Carolyn? Nice to be back.

Carolyn:

I'm really excited to have you back. Let me tell our audience a little bit more about you. Andrey is Federal Security Architect at CTG. Did I get it right?

Andrey:

Yes. I lead the cybersecurity practice here. Yes.

Carolyn:

some of the key mandates for:

Carolyn:

First, I want to start Andrey with the ebook. I better give a full disclosure. Dynatrace sponsored the ebook. The focus is on what observability or APM can do. Or how it can help the federal government meet some of these mandates. Before we get into the mandates, I just want to go to those two terms. Application performance monitoring, or APM, and observability. Two terms that get thrown a lot around a lot. What do they mean? What is the difference?

Andrey:

For the longest time, the whole field of application performance monitoring was just called APM. It is, as the tools became more sophisticated, that the terms such as observability came into play. We now started capturing more data like metrics, traces, and logs to describe ... Those are the called the three pillars of observability. Essentially, it's an APM tool that is more mature and captures more sophisticated metrics and performance analysis observations.

Andrey:

Actually, if you look at the classical definition of observability, it is a measure of how well internal states of the systems can be inferred from knowledge of its external outputs. We observe how the system behaves and tell you, how is it operating? What are the internal states of the system? That's essentially it. But in the field, in practice, I know there are a lot of terms in the industry. We had things like software intelligence, intelligent observability. I think some of the other vendors have other terms about it, but APM is what customers use on the ground.

Andrey:

Frankly, they kind of roll their eyes when I approach them and I'm like, "Well, it's now called observability." Like, "Look, Andrey. We're looking for a tool to help monitor performance of our applications." Now, especially in the time where the government is undergoing digital transformation, it's not just the three-tier architectures. Where maybe there's a load balancer with some web servers in front of it, and then another load balancer going to another couple of boxes that do application logic, and maybe a database in the backend.

Andrey:

Those days are gone. Now, the government is going to ... Actually, not just the government. All over the industry. We're going to microservices architecture where the frontend, those web servers that are serving the webpage, within pieces of different webpages, there are now not three or four BP servers, but thousands of microservices. Going back to not just a couple of mono-block application logic servers that execute the entirety of application code. But say, if you are asking for something to figure out a solution to query X. It maybe only launched those microservices responsible for answering that piece of the application logic. You don't have to run the entire stack.

Andrey:

What I'm getting at is now the frontend is thousands of services, the middle, the application logic can consist of tens of thousands of services. And then, the databases, whereas before they were just on-premises BP Oracle boxes, for example. Or Microsoft SQL. Now, they are usually cloud-native like Cassandra or DynamoDB or Google Cloud BigQuery. They're now cloud-native tools. The legacy APM tools, which often would just measure things like delay jitter on the network or response time of a packet. That's not sufficient. You need to actually capture metrics, traces, and log, which are the three pillars of observability.

Carolyn:

APM is not enough anymore. Do we still have, dare I ask ...

Andrey:

Correct. APM is a legacy term that's still used interchangeably.

Carolyn:

Right.

Andrey:

But observability is the proper term to use.

Carolyn:

But it's widely-accepted at this point that if you say APM, what you really want is observability. Dare I ask, do we still have government customers that are using those legacy APM tools?

Andrey:

Absolutely. There are vendors like Riverbed and NetScout for the legacy APM tools that mostly focus on application performance based on monitoring network traffic. That would be jitter, packet delay, latency, that kind of stuff.

Andrey:

Those tools, they're still used, but now as our speeds and feeds, again, are going up there ... Just monitoring network is not really a feasible way to capture performance of the application. You need to be actually on the system to be able to capture these metrics, which is what a modern observability tool like Dynatrace does really well.

Carolyn:

Thank you for that shameless plug. Let me have you unpack or sum up the benefits that you just mentioned for government agencies to have these observability APM tools. Why do they need them? You said it, but ...

Andrey:

Let's do it.

Carolyn:

Can you give it to me in bullet points?

Andrey:

Yes. If you want to do the high-level business level, the bullet points would be application debugging and distributed profiling, root cause analysis, IT services and infrastructure monitoring, behavioral analysis, business analysis, and the runtime application self-protection. That's called RASP.

Andrey:

Those are the generic terms. But if we take it back to federal government, number one, a use case would be cloud migration. As we are migrating apps from on-premises to the cloud, sometimes we want to capture, what are the resources being used? Maybe we over-provisioned it and it's costing us money. Or maybe we have customers that say, "Well, after we moved to the cloud, the performance went down." But did it really?

Andrey:

With observability tools, you can do a good job of being able to get ready for cloud migration and profile what you're using right now, versus what you'll be paying for in the cloud and provision for that accordingly. Also, be able to tell whether it's a user issue or whether it's really a problem with the new cloud infrastructure. That's use case one.

Andrey:

Use case two, and I think this is now becoming very important because of the executive order, is software supply chain risk management for DevSecOps. For the longest time, software has been developed in these ... Every three months, you would have a release cycle. That's going away now. We are now moving to what's called continuous integration and continuous delivery. CI/CD. That's the buzz word right now. That came from the whole agile development framework.

Andrey:

en I went to college in early:

Andrey:

And so, with CI/CD, you usually use tools ... Jenkins would be one of the big open source tools, which essentially allows developers to submit code, get it all revised, checked, compiled. And then, sent out usually to some sort of cloud infrastructure, using the infrastructure's code to deploy the code, and then monitor for performance. Then, you get feedback from the customers about performance or any issues with the code. You let the developers know again, and they update the code only to upload it back again to wherever it's being deployed.

Andrey:

And so, it becomes this continuous improvement methodology, but that's where you need an observability tool to actually be able to capture performance and any metrics, traces, logs of how is the application actually performing. What's the quality of experience with the customer, for example? What are some of the business drivers? What are the buttons on your webpage that the user is clicking? That kind of stuff. And then, take it into account and bring it back to developers, so they can update code and update it as quickly as they can.

Carolyn:

Is that teaching ... What I caught was the user experiences pain and gets it back. I'm the user. I don't want to experience pain.

Andrey:

Correct. Correct.

Carolyn:

With the observability, are you catching it before it gets to me?

Andrey:

Yes. You ultimately automate quality control, you automate deployment, and you automate operations. That's only looking at three things.

Carolyn:

You just said two mandates. Supply risk management. No. That's the wrong term. Help me.

Andrey:

Actually, let's dive into it.

Carolyn:

Should we go into them? Okay.

Andrey:

Because I think that's the meat of it.

Carolyn:

I do too.

Andrey:

th,:

Andrey:

paradigm. How back in the mid-:

Andrey:

, during COVID, it was August:

Andrey:

is culminated in actually May:

Andrey:

But on January:

Andrey:

se mandates? Cybersecurity EO:

Carolyn:

Can I just? Before you dive into the mandate ...

Andrey:

Absolutely. Sorry.

Carolyn:

I'm going to go shameless plug for CTG.

Andrey:

Thank you, Carolyn.

Carolyn:

Listeners, this is why you need Andrey. This is why you need CTG, because this just makes my head swim. You haven't even listed them all, but you know what they are, you know who they apply to. I hope you're going to tell me, we're going to get to this, how you prove that you are meeting the mandates. If that's part of it.

Andrey:

Yes. Absolutely.

Carolyn:

I interrupted you, so back to you.

Andrey:

urity Executive Order for May:

Andrey:

For example, we now have firewalls that can detect if IoT is compromised by profiling what's normal for, say, a refrigerator that's connected to your network. That's the stream. It looks a certain way to the firewall, for example. But if it's infected or it's compromised, it's traffic pattern will change. But the same can be applied to weapon systems somewhere deployed in Ukraine, for example. That's number one. The executive order applies to OT and IT.

Andrey:

Number two talks about how federal government needs to improve information sharing between federal agencies and private sector. There's a lot of the cyber research that gets done and a lot of threat hunting happens in the commercial sector. But also, NSA is probably one of the biggest hacking institutions in the world. And so, being able to have synergy between the two will improve the overall state of cybersecurity for us as a nation as the United States.

Andrey:

Now, we get to number three. The most important section. It's the Zero Trust section. The way the Cybersecurity Executive Order is written, they like to call it, "Cybersecurity modernization." But Zero Trust is that paradigm of, "Never trust. Always verify." Perimeterless future. What's key is continuous evaluation of user behavior as the user or machine user is accessing a resource. There's a policy decision point that continuously monitors what's happening and tells the policy enforcement point, the PEP, whether you block or limit the access to a resource.

Andrey:

In the original May:

Andrey:

Actually, let me ... Well, I can't share my screen unfortunately. But basically, the product areas you need to focus on are identity credential and access management devices. This actually ties in with application performance management, because it ultimately talks about being able to inventory what you have, so you know what it has to protect.

Andrey:

Then, we talk about Zero Trust networking and there are two aspects to it. There's the north-south use case, where users are accessing resources. Think of a VPN. You would log into the VPN only to get into your resources, but then you could move laterally, which is bad. And so, the new updated north-south Zero Trust access systems prevent lateral movement. The next piece is east-west networking. That's actually more we're getting to more of the observability area. The data centers these days are incredibly complex and powerful pieces of infrastructure.

Andrey:

We have east-west traffic bandwidth of approaching a terabit. Just think about it. We used to have connection to the ethernet that was fast. We had 64k modems. Now, we are approaching terabit. In fact, IEEE, the Institute for Electrical and Electronics Engineers, now it has Standard 802.3 that goes to a terabit. You can't just break and inspect with legacy APM tools, the traffic that goes east-west at those speeds.

Andrey:

Moreover, most applications assume Layer 2 operation. You're on the same subnet. You don't want to hop to another subnet and have a Layer 3 hub like a router. That's where we have technologies like VXLAN that virtualize Layer 2. You can't break and inspect anymore, because if you break and inspect, you'll probably break the application. Moreover, whereas before we talked about breaking and inspecting, now federal government actually advises against bulk decryption.

Andrey:

Because that can be more of a compromise than a single key getting compromised. Essentially, we have these opaque areas of communication between all these workloads in an application, with no way of monitoring what they do. We need an observability solution that sits at the host to actually be able to provide security, host-based microsegmentation, and also report on anything that's going on with those workloads. Because east-west communication is opaque.

Andrey:

Even though, yes, we can say, "Well, Andrey. There are technologies to look at encrypted traffic without breaking and inspecting." There this thing called JA3, Julie Alpha three, signatures. Actually, the initials of some guy that wrote the PhD of how you can actually ... Even though encryption creates a random stream of data, it's still quasi random. By profiling it, you can still make some inferences about what it is that's being transmitted over those encrypted channels. But anyway, that's still very expensive. Yes. You need a tool to be able to monitor performance and security of these less communications. The ties into ...

Carolyn:

You said that the legacy APM stuff ... Legacy APM, traces, logs ...

Andrey:

Traces, logs, and metrics. That's what makes observability.

Carolyn:

But they can't do the east-west stuff?

Andrey:

Because it's too fast and it's mostly encrypted.

Carolyn:

Got it.

Andrey:

It's a lot, guys. It's really is a lot. This is why we come in and we actually have several sessions. We start with just giving the high level. Let that settle down. Let it all permeate and sprout. And then, we go into different capabilities. For example, just for section three, let me just summarize as bullet points. We have identity, devices, Zero Trust networking, application workloads, data protection. That talks about encryption. Using encrypted algorithms. Using unified systems for key management.

Andrey:

There's a huge piece about data labeling and categorization and also having continuous monitoring of users accessing the data. Finally, there is visibility and analytics slash automation and orchestration. I'm using the NIST terms for this, even though it's basically security orchestration. That's the term. You need to address all six of those product areas, and each one has a myriad of capabilities.

Carolyn:

Do any of these mandates tell the agencies how to address them? Or they just say, "You got to do this."

Andrey:

al to everything we do. OBM M-:

Andrey:

You have to have continuous evaluation, user behavior analytics, granular attribute access control, adaptive authentication, support for modern open standards. You can be reading that and you're like, "I don't think my identity tool like an Okta or Ping supports all those." Well, right. That's why you need some other tools.

Andrey:

Actually, what's interesting. Some tools, especially in an observability space, they play into other areas of technology. For example, an observability tool can do a good job at overseeing machine accounts doing whatever it is they do and providing a continuous evaluation of what's called non-user entities. NUEs. Whereas, traditional identity resources focus on living, breathing, heartbeat users.

Andrey:

ummarize, yes, Carolyn. OBM M-:

Carolyn:

Well, before you move on from number three. You mentioned that you might have tools that do some of or part of ... Would the observability tool tell you if you're meeting all the requirements? Could it give you a checklist?

Andrey:

Yes. Yes.

Carolyn:

Okay.

Andrey:

Again, that varies per vendor. Right now, it's actually becoming quite a problem. My background, I spent a lot of time at a cloud security startup called Skyhigh Security. We were on the forefront of securing the cloud. When you have, for example, AWS, GCP, and Azure, they all have their native tools for running reports on how you're compliant with, for example, NIST 800-53.

Andrey:

Sure. That's great if you're just in Azure, but most federal government data centers are full hybrid model. We still have a humongous presence on-premise, because the cloud actually is becoming too expensive in a lot of cases. We have data centers on-premise. Maybe running some reclaim like VMware Cloud Foundation. We have Azure, AWS, Google.

Andrey:

Each one offers their own dashboard. We have these millions of dashboards, and we can't tell what's going on. With observability solutions, we can have a tool that unifies all these metrics about performance and security and it gives reports in a one unified single pane of glass way.

Carolyn:

Okay.

Andrey:

Observability solutions have been becoming more critical, but they're becoming more critical for section four of the executive order, which talks about improving software supply chain.

Carolyn:

Do all of these have money behind them?

Andrey:

remember mandates. I remember:

Andrey:

In fact, we are already seeing a lot of it being fought on the battle of between Ukraine and Russia. The fact that Russia has been trying to hack us, and yet we still have power on and lights on is a testament to our cybersecurity capabilities. But ultimately, cybersecurity is very important. To give you a little anecdote. If we step back, unfortunately if you look at IT budgets in general, 90% of them are infrastructure and only 10% are cyber.

Andrey:

right now. But if you read M-:

Andrey:

There's some more verbiage there. But to summarize, essentially agencies are being told to put together a wishlist of products they need money on and submit it up the chain to get money. We've actually seen this. I didn't believe this at first, but I started briefing all these things to agencies back in April. We'd have this talk like we're having right now. Except maybe a little bit more formalized.

Andrey:

They're like, "What are some of the vendors you recommend? Maybe you have two alternatives. Okay. We'll do a bake-off." Come July, without doing proof of concept, we started getting fresh orders for ... In this case, it was Zero Trust networking tools and endpoint solutions and some SIM stuff. Even a couple observability tools. An Air Force customer just made enormous purchase for Dynatrace to fulfill these specific requirements. It's coming. You just have to put together a wishlist, and then money will come.

Andrey:

happening. That's what OMB M-:

Carolyn:

What does that mean? Show progress? How do they prove that they've shown progress?

Andrey:

ments that are specified at M-:

Andrey:

I don't know, but there's a lot of money being spent on fulfilling these requirements. We'd be hit up by agency leaders all the time to have these talks we're having right now. Just, "Hey. I'm looking for a new networking system. I want to make sure it fills the capabilities." "I'm deploying a new application. We just refactored our app. How do I verify the supply chain security?"

Andrey:

There are other tools that don't ... Not just the observability, where they do more of what's called shift left infrastructure code. That's CI/CD pipeline integration. But we also have vendors that they essentially crowdsource information about suppliers. Even people that supply chips, toilet paper ... Chips would be microchips. Electrical plugs. You would be able to run your supplier through this scorecard system, and it would actually output a rating whether a vendor is risky or not. Stuff like that.

Andrey:

Another one is endpoint. Endpoint is huge. Again, we are now living in an era of encrypted communications. A lot of the legacy intrusion detection prevention systems are no longer efficient simply because we have too much data. It's all encrypted. We're operating at 100-gigabit speeds, while now having a terabit standard. Endpoint is big because we've been using all these antivirus systems for longest time that just do basic virus signature matching. Now, we need a way to use machine learning to be able to identify risky behavior before we have a signature. This is actually an interesting security case, even with observability solutions.

Andrey:

Traditional security ... Seeing things like, "I see a bad guy on the network." That's becoming a little more difficult to detect. But what if somebody is mining crypto inside of your infrastructure on some server? Or using it as some sort of launchpad for launching an attack? Well, now with observability solutions, you can actually have this out-of-band security through performance heuristics, where you can tell, "This is our previous state and now we're seeing some workloads act abnormally to what we expect them to look like."

Andrey:

That may be a red flag that, "Hey. Somebody is doing something nefarious on that machine." It's not a traditional form of security, whereby you're not looking for signatures, but you're rather monitoring for change in behavior. Or observability data as it were.

Carolyn:

cybersecurity for next year.:

Andrey:

Absolutely.

Carolyn:

Okay.

Andrey:

What's interesting. Even though data is at the foundation of Zero trust and everything is a conduit, if you read any analyst reports and the NIST guidance, they tackle data last. The first key to implementing Zero Trust system is focus on identity. Identity modernization would be the first thing to do. The next usually are the low hanging-fruit. You need to know what it is you have on your network, what software you have on the network to protect.

Andrey:

You have to categorize it. That fulfills the devices and application and workloads requirement. Once you know what's on your network, then let's modernize the network. That's step number four. And then, once you know what's in the network, then you can talk about thinking about how to actually protect and monitor these applications. That's step five.

Andrey:

Step six is actually taking care and making sense of your data, which is implementing some governance ... I'm sorry. Scanning and categorization systems to actually know what it is you have, what kind of data you have. The last part is very difficult, because it's telling you to clean up your attic. In that, ivariably, there'll be spiders coming out the corners, and nobody wants to take responsibility for the data.

Andrey:

To summarize, start with identity. Then, focus on building an inventory of devices and applications in your environment. Number three is the network. Because that's usually the refresh life cycles for networking gear. You can get gear with open APIs that can act as policy enforcement points. For example, a switch can actually block a user from doing whatever they're doing based on their observed behavior. And then, number five. We talked about observability systems. Six would be data.

Carolyn:

Is Zero Trust the foundation for all of these mandates that we've been talking about?

Andrey:

Zero trust is the new philosophy of security. It's the overarching idea that we have to continuously ... There's no longer a perimeter. We have to continuously monitor every piece of our infrastructure to make sure it's within our security norms. For the world of applications, an APM and observability system is what's needed to be able to monitor these applications and machine devices.

Carolyn:

I think it was step two or three. To quote Willie Hicks, "You can't secure what you can't see."

Andrey:

Exactly.

Carolyn:

Also, a key point that you made. You keep saying, "Continuous." This is not one-and-done. Obviously. This is, "Figure it out and it never ends." Or we'd be out of jobs.

Andrey:

It's called the Kipling questions. Who, what, where, how, and why. Those are the things you need. The Rudyard Kipling poem. The Six Most Interesting Things, I think it's called. Who, what, why, where, how. Those are the questions we have to continuously ask of any user entity, whether machine or human, as it's doing whatever it's doing.

Carolyn:

Well, I have to admit. As you were talking, I was like, "Man. Willie Hicks, our chief federal technologist.

Andrey:

I love Willie.

Carolyn:

I know. Willie's awesome. I was like, "I wish he were here, because he would love this." And then, I'm like, "Nope. He and Andrey would geek out so bad."

Andrey:

Yes. Yes.

Carolyn:

This conversation would be all day long. But before we close, I just want to ask you ... Well, you've got your I voted sticker on.

Andrey:

I voted. Yes.

Carolyn:

I know.

Andrey:

Cover the CTG Federal logo here.

Carolyn:

CTG Federal. You're in Virginia. Right?

Andrey:

Yes. I'm in Vienna.

Carolyn:

It would be rude for me to ask who you voted for, because that's not cool. Let's go to one of our Tech Talk questions. Let's see if your answer's different this year ... Oh. We weren't doing these when we first talked. Okay. Tech Talk questions. Quick answers to questions. Just kind of fun. If you could wave your magic wand in technology, what would you wish for? Anything.

Andrey:

General purpose AI, which we'll never probably have. Not in our lifetime.

Carolyn:

General purpose AI. What does that mean?

Andrey:

In the field of artificial intelligence, we talk about ... Most AI we have now is narrow-focus AI. I think it's called AIN. Basically, we can easily tell what's the license plate on a truck passing through our weighing scale. But as we now know, with self-driving cars, they're not that close as what we were talking about. Because how can you tell this is a human that's telling you stop? Or that's a baby or a dog? The sample size of variations is huge. For me, that's having AI go to ability. Not to be self-aware, but more advanced.

Carolyn:

Really? Would you want it to be that advanced? It's kind of scary to me.

Andrey:

I think it would simplify a lot of things.

Carolyn:

Okay. Tell me something cool to read. This is totally selfish. I just need a reading question.

Andrey:

Actually, believe it or not, I've been reading Ray Dalio's Principles. That is Ray Dalio, the hedge fund manager of Bridgewater Associates.

Carolyn:

Okay. Okay.

Andrey:

Some say that if you know the show Billions that the main character in Billions is based on Ray Dalio. He's just better-looking. The actor.

Carolyn:

I don't know if that sounds like a trash novel though.

Andrey:

No. Principles, it's more of a self-help book.

Carolyn:

Okay.

Andrey:

It's about building companies' foundational principles for business success.

Carolyn:

I'm looking for something way trashier. Like sci-fi stuff. If I want to know about that book, it's another episode and I'm going to have you break it down for me. All right. Well, Andrey, before we go ...

Andrey:

Actually, I have a trashy one. WeCrashed. That's about the WeWork. WeWork, there was the failed IPO. The founder walked away with $1.2 billion. It's a great show on Apple TV. WeCrashed.

Carolyn:

WeCrashed. It's on Apple TV? See, that's what I'm looking for.

Andrey:

Jared Leto plays the main guy Adam Neumann and ... What's her name? I forgot the girl's name. Anne Hathaway is his wife.

Carolyn:

Okay.

Andrey:

It's a great show. But the beauty of this show is it shows you how a conman can become a billionaire.

Carolyn:

I'm in. I'm definitely in. Before I close this out, is there anything that you want to leave us with? Do you need any more shameless plugs for Dynatrace?

Andrey:

Contact CTG and we'll hook you up with a solution that probably involves Dynatrace.

Carolyn:

I highly recommend it. I don't know how agencies can navigate this space, honestly, without trusted partners like CTG. Well, thank you very much, Andrey, for joining us again. Thanks to all our listeners.

Carolyn:

Share this episode, smash the like button, and we will talk to you next week on Tech Transforms. Thanks for joining Tech Transforms, sponsored by Dynatrace. For more Tech Transforms, follow us on LinkedIn, Twitter, and Instagram.

About the Podcast

Show artwork for Tech Transforms
Tech Transforms
Tech Transforms talks to some of the most prominent influencers shaping government technology.

About your hosts

Profile picture for Carolyn Ford

Carolyn Ford

Carolyn Ford is a passionate leader, doer, adventurer, guided by her father's philosophy: "leave everything and everyone better than you found them."
She brings over two decades of marketing experience to the intersection of technology, innovation, humanity, and the public good.
Profile picture for Carolyn Ford

Carolyn Ford

Carolyn Ford is passionate about connecting with people to learn how the power of technology is impacting their lives and how they are using technology to shape the world. She has worked in high tech and federal-focused cybersecurity for more than 15 years. Prior to co-hosting Tech Transforms, Carolyn launched and hosted the award-winning podcast "To The Point Cybersecurity".