Sara Mosley, technical director for the Bureau of Diplomatic Security's Cybersecurity and Technology Services, works with the U.S. State Department to help identify threats and potential compromises. In her role, she advocates for a Zero Trust approach that focuses on protecting critical data rather than trying to secure everything equally. She recommends balancing security measures with mission needs to prevent users from circumventing security protocols.
In this episode of WE’RE IN!, Sara underlines the importance of collaboration between IT and security teams to adequately protect data and address relevant threats in anticipation of the September deadline for federal Zero Trust compliance.
Listen to hear more about:
[00:00:00] Blake: Well, thank you so much, Sara, for joining me on the podcast. It's great to have you.
[00:00:04] Sara: Thank you very much for having me. It's a great opportunity.
[00:00:06] Blake: So tell me a bit about how you support the State Department, an agency that, as we all know, has such a critical national security mission.
[00:00:13] Sara: So currently I'm the technical director, supporting the integration contract that Diplomatic Security, the Bureau of Diplomatic Security, Cybersecurity and Technology Services, has. In that role, the responsibility kind of spans across the enterprise security operations center, red and blue teams, you know, there's threat teams,
[00:00:35] standards and configuration security baselines. So from the perspective of the work, the mission that CTS has, my role is to make sure that it all kind of comes together and there's a good execution of the strategies into future years.
[00:00:54] So, ultimately, for our kind of customer base and for the State Department, what that means is that we're helping ensure that we identify all the threats and compromises.
[00:01:07] Blake: And CTS, of course, referring to the Directorate of Cyber and Technology Security for those listeners outside the D.C. Beltway area here, but this isn't your first time helping secure the State Department and its global, worldwide IT infrastructure.
[00:01:24] You'd previously served as senior security engineer, as I understand it, and lead network architect for the State Department's Office of Information Assurance. You've also supported, I think, various other federal agencies, the FDIC, CISA. What can you tell me about some of those experiences?
[00:01:40] Sara: I love learning. So I like to take different roles and responsibilities that help me actually grow. And so, starting with actually the Diplomatic Technology group, which has Information Assurance in there. So DT is, you know, our former IRM, Information Resource Management group.
[00:01:59] I started as Chief Network Architect, you know, so building and maintaining the department's worldwide telecommunications infrastructure, the routing and all of that, and kind of grew from there into some of the cybersecurity disciplines that were affecting the Department of State, and working very closely from an operational perspective.
[00:02:21] So that was very much an operational, like, in-the-weeds role. And then moving to DHS CISA, which is known as CISA now. More on the policy and the guidance side. So I kind of took my experience from State and helped develop some of those types of recommendations that most agencies are looking for from CISA, and then moved on to FDIC, where, you know, as the chief of their security architecture group, shaping how they see architecture, folding into their services. And then back at State now, on the security operations side, which gives me that breadth. And I think what that helps is to understand all the different aspects of missions for the different groups and be able to bring a perspective of how to bring in the right stakeholders, and making sure that whatever we are developing or providing as a service actually meets the requirements as well as, ultimately, it's about protecting the department's environments, right? The network. So ultimately that's where we want to get to.
[00:03:37] Blake: And so with your experience in both network architecture and then, you know, you mentioned SOCs, you know, security operations centers, and security architecture, for the uninitiated, for somebody non-technical, what's the balance, would you say, of, like, designing in security? CISA is leading this big secure-by-design push. Versus just other general people who want to accomplish the mission in a certain way and aren't thinking about security. How have you straddled those worlds in your various roles?
[00:04:02] Sara: I think that goes back to education, awareness, involvement. Definitely I can tell you there's been a significant push to make sure there's awareness. Actually, one of the things our group does is also the awareness aspect, the security awareness piece, right?
[00:04:19] So it's getting even just the typical user base understanding what are those security, I guess, flags that they should be looking for, right? So what are those things that they need to be aware of to make sure that they're securing their data, they're securing their environments, right? That's a cultural shift and, you know, a shift in mindset from security is this group that's sitting off to the side versus security is everybody's responsibility.
[00:04:50] And I think we're starting to see that shift. We have seen that shift quite a bit because everybody's getting awareness training, but to what extent does that really mean in their day-to-day job? And that's, I think, changing, especially within the personal space when you think about, like, all the things that have happened with the PII breaches and things like that, right?
[00:05:12] I think more people are aware that they need to be responsible for their data and for what they're doing, right? So it has changed over the past, but I think we still have some more work to do.
[00:05:24] Blake: Absolutely. No, it is interesting to see how that media conversation around cybersecurity has sort of shifted now. People almost expect to see breaches in the headlines nowadays, sadly. For better or worse, often worse, but at the very least, to your point, that can definitely help beat the drum of awareness a little bit.
[00:05:41] Now, you mentioned kind of a security mindset and adopting that, and as I understand it, you have quite deep experience in the Zero Trust world. Dare I turn to a buzzword, so to speak. But obviously Zero Trust from a government context carries with it some specific requirements, but it's also something of a philosophy, almost. How would you describe that Zero Trust mindset, and how can organizations hope to adopt it?
[00:06:05] Sara: I totally agree with you. I think it is a buzzword that's being used, especially with the vendors. The reason why I'm a big advocate of Zero Trust, and I've been working in that field for a while, is because I truly believe that we cannot protect everything.
[00:06:25] And with Zero Trust, the mindset, the framework, and like you said, a framework, really, it's a strategy, right, to get to a point where you are protecting what needs to be protected. We always give the example of, you know, the cafeteria menu does not need to be protected
[00:06:45] in the same type of manner as, like, your HR data, your human resource data, right? Your personal data. What we're doing today is exactly that, right? We're protecting them on the same network in the same way. And that is what's, I think, not feasible. You can't scale like that, especially when you talk about an agency like the Department of State, worldwide; we're probably one of the most attacked organizations in the world. And so when you start actually getting into the reality, we cannot protect everything. That cafeteria menu may be compromised, but does it really matter, right?
[00:07:28] Blake: I mean, if the adversaries know that you're putting ketchup on your pancakes, that's pretty scandalous. But no, point well taken. It is, you know, you do have to have those sorts of priorities and consider what you most want to protect. Amid this bevy of frameworks and guidelines and, you know, keeping up with modern technology, when you are working with security teams, how do you help them make those choices and prioritize, like you said, the menu versus something else?
[00:07:57] Sara: So that's a really good question, because oftentimes it's not just security teams. And again, I just want to make sure, it's like, we have to work with the teams that are rolling out IT. And so what we do is we try to bring in the IT team that's rolling out, you know, just your typical types of applications and things like that, alongside the security teams.
[00:08:26] Looking at this from the perspective of prioritizing what really matters, when you look at, again, kind of the Zero Trust concept, it's all about data. It's about protecting data. When we bring these teams in, we're looking for them to provide us with what they believe is the data that is sensitive, that shouldn't be compromised and needs to be protected.
[00:08:52] And also, from the security side, what are the threats for that environment? We need to understand and prioritize what are those threats that we, you know, can actually conclude may potentially happen. Maybe there are threats that just don't even apply. So we may apply controls, security controls, that are really not as useful if you're not looking at it from that threat perspective.
[00:09:19] So I think bringing in the threat perspective is so important to that conversation, to make sure that everybody is understanding really what the end goal is. What is our end goal? What are we trying to actually achieve?
[00:09:33] Blake: And to your point earlier, there is no shortage of threats facing the State Department, especially, unfortunately. I'm almost like, can you really discount any threats in that environment? I feel like it's just the whole works, almost.
[00:09:43] Sara: It depends on the environment. You'd be surprised. I think every environment is a little bit different, and so you really do have to look at it. For example, a cloud environment, right? If we have cloud assets, right? Versus the production network, the development network; you've got all these different environments, and for each one you've got to really think through, what would they be looking for? What would the bad actor be looking for? And ultimately it goes back to the data, right? Where does the data reside? So they may be using, like, a completely disposable, Internet-facing environment to get into something else, right? What are the tactics, and how are they trying to actually move laterally between those environments?
[00:10:27] So, yeah, I think we think about all of those things and how that may change what those controls are. And also, I gotta say, we have to balance it with what the mission needs are. I mean, at some point, security actually could hurt the mission's ability to move forward.
[00:10:47] And what happens is that at that point, mission owners tend to go around us, right? And so not having a scenario where, you know, we're making it so difficult for the mission to actually do what they need to do is important. We always have to balance that. So we have to understand that there's always going to be a risk.
[00:11:06] There's no scenario where you don't have risks, right? It's just how do you balance, you know, and the risk acceptance piece.
[00:11:11] Blake: No, that makes a lot of sense. It's like, of course you could stay secure if everybody just kept their computers off all the time, but then it would be hard to accomplish the mission when that's the case. So somewhere between there and bringing your phone to work and logging on to TikTok is probably the happy medium.
[00:11:28] Sara: Yeah, it's funny you should say that, because a long, long time ago, when I was actually in blank technology, we had a frame of a PC, you know, those old PCs, and it was on the wall, it was just a blank frame, and we basically labeled it "DS approved commercial computer," because, yeah, there's nothing there, so...
[00:11:52] Blake: You won't find any hackers in there, that's right. It's a poster on the wall; that's really funny. So there's a pretty important September deadline looming for Zero Trust compliance in the federal space. What can you tell me about that and its significance?
[00:12:07] Sara: There's been progression along the way, but that deadline is ultimately OMB Memo M-22-09, right, which is the Federal Zero Trust Strategy. The memo specifically calls out the end of the fiscal year, which is September 2024, by which all agencies have made progress towards Zero Trust, and there's basically the five pillars of Zero Trust, and they outline specifically for each pillar what the requirements are.
[00:12:39] I think the significance is gauging where agencies are by the end of this fiscal year in September, to see whether they've been able to check off basically each one of those things that were mentioned. And I gotta say, what that memo entailed, and they kind of explained at the beginning, is that it's really supposed to be the foundational elements of Zero Trust.
[00:13:02] Zero Trust is a journey. You'll never achieve, quote unquote, Zero Trust completely. You're not 100 percent done. It's always evolving because your threats and attacks are always evolving. It's more about, has there been progress? Have those specific things that have been identified in M-22-09 been accomplished, and have agencies made progress towards those things?
[00:13:25] Blake: So with that context in mind, can federal agencies meet the deadline? I know it sounds like it's a bit of a moving target, so maybe that's not a black-and-white question, but do you think people are demonstrating that progress?
[00:13:37] Sara: Personally, so I've read a lot of different articles, and actually Gartner had an interesting presentation on this as far as the progress and how agencies are really lagging behind in terms of Zero Trust, and I actually would say that there's been more progress made than is probably being touted at this point.
[00:13:58] I think almost all the cabinet-level agencies have a plan; they have, from a cultural perspective and a training perspective, started progressing in terms of changing people's mindset, you know, and changing how they look at security. I wouldn't say that they all are going to meet it, and there's basically 10 FISMA report questions that are now Zero Trust specific.
[00:14:24] That's OMB measuring where agencies are, and, you know, I think there's going to be some level of progress, but maybe not to the extent that's outlined in M-22-09 for every agency.
[00:14:37] Blake: Right, right. And FISMA, of course, referring to the Federal Information Security Management Act of 2002, kind of the bedrock of a lot of federal law around this area. Looking outside of the federal space, though, Zero Trust does have implications for the private sector and a lot of organizations, and not just in terms of applying the framework, but also, you know, actually offering security tools for enterprises. What role does the private sector play?
[00:15:03] Sara: A couple of different roles, right? So, the private sector from the perspective of organizations that are trying to protect their environments. I think that when they look at the cyber protection, security kind of threats and where things are, there's also been an adaptation of how do we address it using something like a Zero Trust framework, right?
[00:15:26] So having the private sector also buy in is so important, because you can have federal mandates that cannot be satisfied because the private sector is really not bought in. I think that's one of our challenges with IPv6, you know; the IPv6 memo came out when, 2008?
[00:15:49] Blake: Right.
[00:15:49] Sara: And we're still talking about, yes, you know, we're going to do IPv6, right? From the perspective of that buy-in, it's so important to have the private sector part of that conversation, and the buy-in and urgency to move to this framework. Then there's the other part, which is the vendor space.
[00:16:10] I have some, I guess, concerns with how Zero Trust is being used to sell. Not necessarily, it's more just an approach for how they sell products, vice truly looking at how the vendors are integrating Zero Trust concepts into what they're selling, right?
[00:16:32] So just to give you an example, from a vendor market perspective, the integration piece isn't there, right? So if you want to actually have Zero Trust capabilities, you almost have to basically buy into one vendor's solution set, right? Now, there have been some partnerships between vendors, from identity to device to, you know, network, but ultimately, when it comes down to it, there's a huge integration burden that agencies, and any entity, would have to bear to be able to actually put it all together, especially in a heterogeneous environment where they have multiple different vendors.
[00:17:13] And I think the interoperability, the portability, is where we're lacking, and that's where we don't see, like, the vendor market as much gaining momentum.
[00:17:24] Blake: That makes sense. I mean, the very design of the vendor ecosystem almost runs contrary to Zero Trust principles in some sense: you have tool sprawl, you have multiple vendors, you have a lot of... it just feels, I can see how that would be a challenge. And that actually segues into my next question, which was, what are some of the biggest practical challenges standing in the way of applying these Zero Trust principles?
[00:17:46] Sara: Yes, so the integration obviously being a big one. Even, I think, DoD, who's kind of at the forefront of this, has stated just some of the challenges with kind of being in that heterogeneous, multi-vendor environment. But also, I think there are cultural challenges as well.
[00:18:04] There, you have staff that are used to how they do things, including your security SMEs and security operators, right? And when you look at how you need to change for Zero Trust, which is going from a network mentality, a network security mentality, to now I need to understand the data.
[00:18:28] I need to understand how, where the data is flowing and where there may be anomalies with the data patterns. When you start looking at that, definitely there's a resistance to moving in that direction. However, I would say, because of the cloud and because of remote, there's almost been a mandatory shift in terms of you have to look at the problem set differently.
[00:18:56] You can't look at security as, here's my network boundary and I'm just going to protect my network boundary and I'm done. Whether they like it or not, they're being dragged into this, but I think we still have that cultural piece that needs to happen, as well as the maturity of the product.
[00:19:11] You know, like when you talk about continuous authentication, continuous authorization within a Zero Trust world. That's one of the big Zero Trust tenets, right, to continually authenticate, so, you know, a specific user is not going to be authenticated once and then do what they want to do.
[00:19:30] The market, I think, is still kind of trying to reconcile between what the application is doing versus what your identity provider is doing. That's where kind of the handoff, the handshakes, are not necessarily as mature as where I think we need to be at this point in order to execute something like continuous authorization, continuous authentication.
[00:19:56] Blake: I'm glad you mentioned continuous authorization, because, again, for those outside the fed space or without network architecture technology experience here, what does that concept mean, and how does it fit into the federal government's security goals?
[00:20:10] Sara: Basically, first of all, what does it even mean, like, to continuously authenticate? Most users are used to opening up their laptop, logging in, and connecting to their network, and then they can do their work pretty much all day. They could go into multiple applications, they could, you know, work on their different files, right, they can access different
[00:20:32] Blake: Are you talking about making me log in multiple times now, Sara? Hold on.
[00:20:36] Sara: Well, not necessarily, but here's the difference: I'm a user, I'm not necessarily connected to a specific network. I could be sitting at home. I could be sitting halfway around the world. When I log in, what is it, first of all, that I should have access to?
[00:20:54] Let's say there's, like, five applications I need to access, right? But then after I log in, my credentials should determine what I have access to in those applications. Not just that I have access, let's say, to my mail, to some HR application, but what data? In a human resource application, I should see my data, right?
[00:21:17] But I shouldn't see everybody else's. And let's say I'm an administrator, or maybe I'm an HR expert, I want to go and look at some of the records, somebody's file; I should actually be challenged. I shouldn't be sitting there as a regular user and be able to access multiple records without really having that access.
[00:21:37] And that could be a separate challenge. In that case, yeah. But doing your basic work, maybe, you know, suddenly your location changes. And so there's this flag that goes up and you need to be reauthenticated because you just moved. It seems like, you know, you're not sitting at home anymore.
[00:21:52] You're sitting somewhere on an internet hotspot, right? So it's like those types of things should trigger a mechanism for getting reauthenticated and revalidated. So, yeah, there's a balance between kind of usability and security; there's work being done on this. I just, it's not there. I don't think there's a huge investment in trying to get to the point where you're truly revalidating, reauthenticating the users.
[00:22:21] Blake: Right, which then the users start to rebel against, et cetera, et cetera. But no, that was a great answer. Definitely, I think, hit the nail on the head. It's like, if I'm in the HR app, I want to just send my colleague a thank-you note. Yeah, but do you really need to go see your colleagues' addresses and things as just a user and not an HR professional?
[00:22:37] Probably not, right? So, yeah, that makes sense that you'd have some of those guardrails up. Now, on the investment front, of course, AI, you know, talk about buzzwords, has eclipsed Zero Trust as a buzzword these days, it seems, but obviously there have been leaps and bounds made in advancing AI technology, and just even week by week, it seems.
[00:22:56] How do you see Gen AI and some of these large language models affecting your work in the next, say, 12 months?
[00:23:03] Sara: Significantly, I think. You know, there's two different perspectives, right? How is it going to increase, probably, the threat space, right? Like the attack space, because it's just going to be so much easier to create your little scripts and to basically be able to do your hacking or whatever types of things that you see happening. It's gonna definitely grow exponentially. And we have to look at it from the perspective now, how do we protect against things like that, right? To be able to not only identify that there's these maybe bots or other types of attacks that are happening that are AI-generated.
[00:23:44] And then there's also the perspective of using AI for actually exponentially growing, like, our knowledge base and our visibility, right? And I think we're looking at both of those as potentially being impacted quite a bit in the next year or so, and how do we leverage our existing tools to be able to do a better job of, first of all, identifying threats and identifying things like that, but also being able to automate a lot of things.
[00:24:15] Taking some of that AI capability and being able to have it do that collection of the data and orchestrating of the data and prioritizing, like, this threat looks more important than this one, so that we can give our analysts, here's the critical high priority, and here's, you know, maybe what the bots can take care of, you don't have to worry about it.
[00:24:39] So I think it's both of those, but we definitely see that as a significant tool, as well as a significant threat, right? So on both sides.
[00:24:49] Blake: I know, I always like to ask people which they think is going to be, like, which is going to win out, right? Is AI going to be more of a benefit for defenders or for attackers in the near term? I honestly don't know where I fall, which is partly why I always ask it. What are your thoughts? You think the hackers are going
[00:25:03] Sara: Oh, absolutely. Because that's something that's another tool just in their toolbox, right? That they can take on and they can just generate things right away. Versus, if you're on a react. And that's why I think, you know, what we're trying to do is kind of get ahead of that curve, right? You know, what's the next, like quantum is another one that's coming up, right? So,
[00:25:23] Blake: That's a, that's a whole can of worms.
[00:25:25] Sara: And, you know, AI is accelerating that too, right? The reality of quantum was projected for, you know, the late 2020s, right? Now they're talking about in a couple of years, right? Because of AI. We've got to consider all of those things as we're looking at what our cyber defenders are going to need, right?
[00:25:46] What do they need in order to be able to detect and protect against those things? So that's kind of where I'm focused, trying to get all of those pieces of the puzzle together and be able to make sure that we're ready for it when it happens.
[00:26:02] Blake: Well, that's no small task, and I do really appreciate you taking time out of your busy day to talk with us about some of these fantastic and really fascinating security issues. Now, Sara, there is one question that we always ask of our guests on the podcast, and that's the fun fact, if you will: what's something that we wouldn't know about you just by looking at your LinkedIn profile?
[00:26:22] Sara: Oh, a lot. I don't put a lot in my LinkedIn profile, but...
[00:26:27] Blake: Spoken like a true security architect, right? Yeah.
[00:26:30] Sara: Yeah, minimize. I think probably one of the main hobbies or, like, things that I actually love doing is traveling. I love traveling. Going around, I mean, being with the State Department, I got the travel bug.
[00:26:46] So since, you know, the early 2000s, I've been all around the world trying to experience different cultures, different countries, understanding the bigger world that we live in, right? So it's probably something you won't get from my LinkedIn profile.
[00:27:04] Blake: Well, thanks again, Sara.
[00:27:05] Sara: Thank you very much for having me.