Willie Hicks, CTO of Public Sector at Dynatrace, joins Carolyn and Mark to unpack the recent ATARC event: Improving the User Experience in a Zero Trust World. At this federal breakfast summit, sponsored by Dynatrace and Amazon Web Services, we heard from some of the most prominent technology leaders focused on Zero Trust, including Nicole Willis, Jamie Holcombe, Mickey Iqbal, and more. Listen in as Mark and Willie give highlights and takeaways from the event. Be sure to follow the link in the show notes to see the full event on-demand!
Episode Table of Contents
- [00:30] Guest Speakers at the ATARC Event: Improving the User Experience in a Zero Trust World
- [07:55] Zero Trust Should Be a User Experience Enabler
- [14:41] OMB Is Pushing to Move Too Fast
- [20:05] How to Ensure Zero Trust Does Not Disrupt the Employee User Experience
Episode Links and Resources
Guest Speakers at the ATARC Event: Improving the User Experience in a Zero Trust World
Carolyn: So today we're reviewing top takeaways from ATARC's Federal Breakfast Summit, Improving the User Experience in a Zero Trust World. Which those two things, user experience and zero trust, are kind of a direct conflict for me, but we'll get to that. The conference was sponsored by AWS and Dynatrace, and it's available on-demand for our listeners at ATARC.org. Also, we have Willie Hicks, our Federal Chief Technologist at Dynatrace.
Willie, you were a keynote speaker at the event. I'm too biased to say you were my favorite so I won't say that. I mean, everybody was really good. Jamie was super exciting. Let me just review who our speakers were.
So our keynote speaker around zero trust was Grant Schneider. He brought a really interesting perspective because he's former White House. So he was the senior director of cybersecurity services. So former federal CISO, and now he's in industry at Venable. Then we had our next keynote around the user experience was the very entertaining Jamie Holcombe. He's the CIO at the U.S. Patent and Trademark Office. And then my favorite, Willie, Federal Chief Technology Officer here at Dynatrace. Then we had a panel that brought the user experience and zero trust together and how we reconcile those two and how they work together. And on that panel, we had Nicole Willis, Chief Technology Officer, OIG, at the U.S. Department of Health and Human Services.
Is User Experience Unrelated to Zero Trust?
Carolyn: Jamie came back on the panel. We had Mickey Iqbal, he's the Public Sector Solution Architect and Chief Technologist at Amazon Web Services. Willie on the panel. And then we had our moderator, Tom Suder, who's fantastic. He's been in this business so long that he had a lot of really good insights too.
Now that I've given our listeners the overview of who participated, first of all, I was thrilled to see that we had a packed room. We had a standing room only, and that was really, really nice to see. It was lovely to have people in person and to be able to interact with one another personally.
So, all right, let's get to the first question. Today, Mark, you're less of a co-host. I want to hear your opinions about what your takeaways were from that day. So around the user experience and zero trust, did you have any aha moments? What were your favorite moments? Tell me your feelings about the day.
Mark: Well you know, from my perspective, coming from industry and Dynatrace, I think we think of end-user experience as something different related to zero trust. So we think of it differently.
Carolyn: And at odds with each other.
Mark: Yes. Well, I get the feeling more and more, it's more how the end-user navigates the security protocols and processes to accomplish the end goal. Which is not their problem of zero trust, which would be the agency's problem.
How the End-User Navigates the Security Protocols
Mark: And so the agencies think of end-user experience in that light as opposed to we think of it in a different way as it relates to somewhat the same. But how end users are impacted by their interaction with applications on the internet and things like that. So I guess it's a little bit like that.
Carolyn: Did you get the sense that's how our government thought leaders that were speaking at the summit? Is that how they think of it? Or do you think that's more about how industry and we as end-users think of it?
Mark: I think that's how we think about it. I think they think about it in the former.
Willie: Yes. I definitely agree.
Carolyn: The government leadership. So Willie, talk to me more about that.
Willie: Yes. So I agree. I think it is interesting because I think our panel, and I got to talk to the panel a little bit afterwards as well. I think that Jamie from PTO standpoint and Nicole, just by kind of how they were, not just the keynote, but how we were interacting on the panel, they actually do get it.
For example, I got to have a great conversation with Nicole. It was one of those things where she was kind of talking about the service that she was trying to provide to the citizens. Because a lot of people who use HHS services and so forth, Medicare, Medicaid, those kinds of things, they might be older. They might be having a very difficult process to log into a system, to get access to a system, to get your basic information.
We’re Protecting the System, Not the User Experience
Willie: She seemed very sensitive to that, in understanding that we have to have a better user experience. And I think I got that from Jamie but at the same time, we talked about agencies as a whole and the government as a whole. There is an issue, not just zero trust. But even before this real big push for like Shields Up with CISA and all of the zero trust. We build these systems, we put up our authentication and all the things that we're going to do to protect the system, not really factoring in the customer, not really even thinking about it.
It's about protecting the system. The idea is about the system, not really about the customer, don't really care. We just want to make sure we protect the system.
At the end of it, we might be making the system so difficult that no one can even access it. Nobody wants to take the time, the 45 minutes it takes to set up an ID and jump through all the hurdles to get to an ID. So I think that from a larger standpoint, and just talking on the panel, they admitted that there are a lot of systems out there. A lot of public-facing, citizen-facing systems, and backend systems that need a lot more focus around the customer experience. And again, not just around zero trust, this is just in general about just the basic usability of the system, if that makes sense.
Zero Trust Should Be a User Experience Enabler
Mark: It does, you know, I can't remember if this was in a sidebar conversation after the event or if it was during the event, but they talked about multifactor authentication and how they were almost just forced to take the plunge. And somebody said, "We're just going to do it." At the end of the day, they're like, "Oh, wow. Okay, this works. It's not that difficult. It's not that tough for end-users."
Carolyn: Well, and do you know what’s funny, is when I hear security, so zero trust is all about security to me as an end-user. And whenever I hear security, that makes me feel a little puke-y. Because I think that means that my experience is going to be really awful as an end-user, to your point, Willie.
However, Willie, you made the argument at the event that zero trust can and should make the end-user, my user experience, better and make the practitioner's experience better. So there's more than one end user. There's the end-user of the systems, then there's me trying to get into the systems, and can you talk a little bit more about that? And did you get the sense that our government speakers feel the same way? That zero trust really should be a user experience enabler?
Willie: Right. So, that's an excellent point. I do agree with that. And I think the panel as a whole agrees with that too.
Again, if you look at the principles, the mindset around zero trust, the mindset around architecture, architecting a zero trust framework, it's an all-encompassing type of scenario.
Understanding Your Customer’s User Experience
Willie: It's not just like we're buying MFA or you get single sign-on and this, this and this, and you've got zero trust. It's really a whole mindset. I think Nicole actually mentioned this. With everything they do, especially with zero trust, they're thinking about user experience at the beginning of the process.
So things like multifactor authentication as Mark already pointed out. When you have a robust multifactor setup, that is going to actually enable you to make your end user's life easier. Because once they log in, once they validate, whatever those multiple factors that they use to validate that user, once that I can trust you or you, and the device that you are on is a valid device, then now you can have access to this cloud application. Or you can have access to this internal system or that authentication token can be passed around.
There might still be a validation process, but it should be external. You shouldn't see it as the customer. It should all be kind of going on in the background. It's constantly validating you. So I think that idea was there, but also I did counter though, the point that, yes, it should be better. But how do you know it's better if you're not measuring it?
If you don't understand today your customer's user experience, how do you know it's gotten better when we implement these new systems? How do you know it hasn't gotten worse? How do you know that there really isn't a problem? I gave an example as part of my keynote.
Monitoring User Experience
Willie: I didn't mention the agency name, but several months ago I tried to set up a multifactor authentication for a system with some of my personal information on it. This was a government system. And after about 45 minutes of filling out a form, putting in my government ID, waiting for an identifying number to come back on my phone, which never showed up. Trying to go back and reestablish and start it over again.
Literally after 45 minutes and then the system telling me to call this number to try to do this manually. I was like, "I'll just go in and do what I need to do." So again, do I think either this agency that I was working with just didn't know how bad the customer experience was, or they just didn't care. And my hope is that it's just they didn't know.
Mark: I think that's probably it.
Carolyn: I think it might be a little bit of both. Because they have to have the security in place. They have to use those systems too.
Mark: Yes, but they're typically technical people.
Carolyn: Yes. So is Willie.
Willie: Well yes, but I love the customer, so I always focus on the customer. No, but seriously, that's the one thing. To your point, it might be a little bit of both that and let me take that back. I know from experience, it probably is a little bit of both in that.
Making the User Experience Easier
Willie: There is this idea that, okay, we have to tolerate some bit of inconvenience to allow us to have a secure system. Now, I think what I went through was the extreme.
Carolyn: Is it?
Willie: Well, and unfortunately it might not be, but at the end of the day, there is this idea, you have to tolerate this thing. But I also made the point during the keynote that industry has solved some of these.
Like if you look at the financial sector, for example. I used the example of trying to set up MFA on this government system versus setting up MFA on my bank account. And when I was forced to do that, obviously they had tested this system 15,000 times. Because when I went in, by the time I was forced to go for my really insecure password and I should have better passwords. But I went from that password to having to set up my MFA, I was thinking it was going to be a long process. The bank was about to put me through this long process. It took me less than 45 seconds. It took me about a minute. Most of that time was me waiting for a response back on my phone.
As soon as that was over, now, literally whenever I log in, I get a text message on my phone. I hit a button, I'm logged into the system. Those kinds of things. And I think Jamie even brought up the point that at some point we need to get away from even multifactor and have more biometrics. It should become even easier like we have a thumbprint reader or something like that.
OMB Is Pushing to Move Too Fast
Carolyn: Yes. But I don't want anybody to kill me for my eyeball so they can break into my system.
Willie: Yes, you've been watching too much Netflix. I think that was that Thor, one of the Marvel movies?
Carolyn: I'm sure it's more than one. So there's an article that cites a study, the article is called How Federal Agencies Can Implement a Secure and User-Friendly Zero Trust Architecture. It states that nearly four out of five federal cybersecurity decision-makers, they know there's an urgency. They want to implement zero trust. However, 87% of them say the White House and the OMB are pushing to move too fast. Mark, I know you have an opinion about this. So talk to me about that pushing to move too fast. Are they? Should they be?
Mark: Yes, they should definitely be pushing. I think that the White House has to push fast because I feel like we're probably five years behind where we should be today to feel comfortable. If they don't push, then you're going to have agencies across the government be at different levels of maturity. They're going to be all over the place.
So you're going to have gaps and things like that. If you leave it up to the agencies to go at their own pace, it's kind of like the concept of, you don't need it to be a hundred percent perfect, but you need it to be 75% perfect. Then we'll work on the remainder of the 25% that's not perfect and get it there.
Done Is Better Than Perfect
Mark: So we have to push. It was almost like the way agencies adjusted when the pandemic hit, they didn't have a choice. And they had to deal with remote workforce. They had to do it. They had to digitally transform and modernize and it made them do things out of their comfort zone that I think that they have to do.
So there needs to be a push. I feel like when you hear experts across the government talk about this, that it's just got to be a very modular, agile approach to doing it and building it. So that as technology advances and changes and things change, they can pull things in and out. They can move things around and bring things in that work together and that kind of stuff to get to where they need to be.
Carolyn: Yes. Done is better than perfect because perfect never gets done, is one of my favorite quotes. And you just said something, I was going to ask you and Willie. So we think that the White House should push hard. Yes, they're pushing. If they don't, then we're never going to get started. Then you said something about a modular approach to do this well. So is that the sense that we got from our speakers at the summit, is that one of the solutions that we heard from them?
Willie: So I'm thinking, and the modular approach or what I took away from the conversation and also with what Mark was saying. I think it was Jamie who has kind of taken this approach of, we need to use kind of agile development methodologies in this process.
Minimum Viable Security
Willie: In the agile mindset, there's this idea of the MVP, the minimum viable product. This is really something that we see a lot in industry, kind of getting that minimum built product out there to get into the market. Then start iterating through functionality and fixes and so forth as you find them and improve the product rapidly. Rapid improvement of the product.
I think what Jamie was kind of alluding to was this idea of minimum viable security, where you've got to start somewhere. We can't just plan and nothing ever gets done. But get the minimum viable out there and then start iterating through basically building that framework with a more agile type process. Also this would impact the end-user.
We talked about customer experience. Learning from these first iterations, what worked, what didn't work, how do we make it better? Obviously, you have to make it secure enough. You don't want to just leave the gates open. You don't want to put something out there that is insecure. But we're never going to reach a point where it's just Nirvana, everything's in place. Everything's secure. Nobody's ever going to get into our systems because that's just fallacy.
I mean, this is an arms race. As soon as we find some way to secure a system, there are hundreds and thousands of hackers out there. State-sponsored ones, people living in their basements, whatever, all trying to break into these systems. So it's just kind of back and forth. So we've got to constantly iterate. We've got to constantly build on what's worked in the past and what didn't work in the past. That's kind of what I took away.
How to Ensure Zero Trust Does Not Disrupt the Employee User Experience
Mark: I think those are two things that work against each other. Because I have to imagine there's a tremendous amount of pressure on your average federal government agency, CIO and CSO, to do it right, to plan and make sure it's right. Because some of these agencies, they don't have room for error. We've heard this, not just on the panel at the event, but we've heard this from past podcast guests that some of these agencies, they can't fail. The attacker keeps coming at them and they have no margin for error.
Carolyn: But isn't that why we do like sandboxing and we set up staging servers and we run the scenarios? Let's fail and fail fast and do it in a safe environment that's not out in the wild. We've addressed this a little bit, but what are the steps to take to ensure that zero trust does not disrupt the employee user experience?
Willie: My personal take on it. This is kind of what I talked about in my keynote.
First of all, you've got to measure, you've got to observe, you've got to know what your experience is. So observation and testing. Something we are notoriously bad at unfortunately, and we've seen this time and time again where we don't do sufficient testing of a new product, to the user experience. Like if I'm implementing a new authentication system, whatever it might be, test it, have simulations run quality checks....