In the lead-up to the Adapt 2024 conference in Washington on April 16, we sat down with two senior Axonius Federal officials – Brian “Stretch” Meyer, Senior Director of Federal Engineering, and Kevin Jones, Senior Director of Federal Sales – to talk about how Federal agencies are grappling with zero trust security mandates, and how Axonius is helping them leapfrog some of the toughest obstacles to the goal of achieving better security.
MeriTalk: There’s a lot going on in the Federal government – civilian and military – to accomplish policy mandates for zero trust security, IT asset management, identity management, and the list goes on. As the provider of the system of record for digital infrastructure for IT and security teams, can you share any thoughts on how agencies seem to be doing on these fronts?
Jones: We know that agencies are working hard to meet policy mandates. However, the government is still dealing with the challenge of trying to protect assets it cannot see. There are often many blind spots in these environments in terms of license usage, device count, cloud applications, ephemeral workloads, etc. Until we get grounded on an accurate source level of truth in a consistent and repeatable manner, we’re going to have a hard time enforcing any type of a zero trust architecture or policy.
MeriTalk: One big goal of the Federal zero trust effort has been to aim for a common security baseline among agencies by the 2024-2025 timeframe. Any thoughts to share on how government agencies are making progress there?
Jones: The goal of a consistent baseline is a crucial starting point and because the government is dealing with a vast array tools within each environments. For example, baselines may be entirely different between the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) and those agencies which opt to self-report. Part of the challenge is that the sands are constantly shifting below their feet. Technical debt from legacy systems, shadow IT, and remote system and user access all impact baselines day by day.
MeriTalk: How is Axonius helping agencies get further along the zero trust path?
Meyer: There are several core propositions that Axonius can answer in zero trust. As we know, effective zero trust requires a combination of tools working together. Existing tools can be powerful for their realm of responsibility, but the output – the data derived – still exists in a silo.
Axonius first shines a light into the entire environment, removing all the blind spots. Next, it correlates, normalizes, and provides a single, unified view from over one thousand different tools, including GOTS. This is the baseline from which to build, since we now have complete visibility into the network, the users, the data, servers, cloud applications, etc. As agencies progress in the zero trust journey with Axonius, they can track the progress of every tool, establishing where they overlap and where there are gaps. This also gives agencies a view into tool rationalization in order to minimize redundancies across the environment.
MeriTalk: They are separate programs but very much related on the path to zero trust, how is Axonius helping out agencies as they meet their obligations under the CDM program?
Meyer: The value prompt of the CDM program for asset visibility and management is exactly the same value prompt of Axonius. The program has been around since 2012, and they have been spending a lot of money attempting to create a home-grown version of Axonius. That’s not sustainable due to complexity and frequent change within the tools themselves, their connections in the environment and the ephemeral nature of asset inventory. Agencies should also consider the potential risks associated with proprietary information leaving the agency in the event of contract changeovers.
Axonius is the first commercial off-the-shelf tool to do what the concept of the CDM program was meant to do. Often, within days or weeks of deploying Axonius, agencies have much of the data required to report up as needed by using built-in queries and reports which map exactly the CDM requirements. This method reduces personnel costs while providing consistency at scale.
Axonius maintains all of those asset integrations, showing any gaps in coverage across critical tool sets such as endpoint security, what SaaS applications are being accessed, mobile data and many other touchpoints, natively pulling all required CDM data into Axonius. Because of this, several CDM group integrators have integrated us into their solution.
MeriTalk: What can conference attendees look forward to learning about on April 16?
Meyer: This event brings Federal leadership from civilian agencies and the Defense Department together to talk about how to move to better security. They’ll get the chance to chat with their peers and commiserate on challenges while also comparing solutions and better ways of working.
Jones: Take a look at the list of speakers. Industry and government peers are coming together with senior executives from top-level organizations to discuss a critical challenge that’s existed for more than ten years.
We look forward to seeing you there on April 16.