One plus one still equals two, but when two providers of services vital to executing on the Federal government’s zero trust security migration mandate are the ones leveraging each other’s strengths, then the equation yields an extra boost through force multiplication.
That’s one of the top-line findings from officials with Appgate – a Zero Trust Network Access (ZTNA) solution provider – and Rackspace Government Solutions, a managed security and compliance platform provider, who teamed up in September to announce plans to begin offering Appgate SDP as a service to Federal government entities through Rackspace’s FedRAMP Joint Authorization Board-approved environment.
The joint effort means that Federal government agencies will be able to rapidly and confidently leverage an industry-leading Zero Trust Network Access solution in securing their diverse hybrid IT environments.
We sat down with Mike Eppes, Director, Public Sector Sales, at Rackspace Government Solutions, and Ned Miller, Senior Vice President and General Manager at Appgate Federal, to talk about how the partnership is going, and what it can bring to Federal agencies who are under orders to migrate over the next several years to zero trust security architectures.
MeriTalk: Tell us a little bit about the product offering and what it can provide…
Miller: The solution that we are bringing to market jointly with Rackspace Government essentially aligns to the White House executive order for zero trust. The zero trust definition that we follow is also aligned to National Security Agency and Defense Department (DoD) definitions. Appgate is leveraging our background and heritage in working with the DoD as we expand into the Federal civilian market. We believe the way that we’re packaging this solution for our Federal civilian customers under the FedRAMP program will offer some unique benefits based on our experience working with DoD. We add a tremendous amount of value in the arena of secure access.
As a result of the workforce moving toward the concept of work anywhere, anytime, anyplace, we’re helping customers rationalize their portfolio to align to the White House Cybersecurity Executive Order and the zero trust mandates.
The unique value proposition that Rackspace and Appgate bring together is we will be providing Appgate SDP, our market-leading ZTNA solution, as a service through Rackspace’s FedRAMP offering. As you know, zero trust eliminates the concept of implicit trust, and our joint solution delivers comprehensive security monitoring, granular risk-based access controls, system security automation, and continuous verification. We’re giving our customers an easy way to acquire very sophisticated technology to help them achieve their governance objectives.
MeriTalk: If I’m a Federal civilian agency, and you are offering this as a service, and it’s through FedRAMP, you’re making the road for me a little bit smoother to get to that next technology set that I have to confront, right?
Miller: That’s right. Customers have to rationalize moving from modernizing their VPN infrastructure to state-of-the-art zero trust capabilities as defined by the Cybersecurity and Infrastructure Security Agency (CISA) in their zero trust maturity models. They’ve outlined three different areas in terms of maturity as customers move up this scale to an optimal level.
We apply the concept of least privilege access to every access decision, not just at the point of time that a user logs in and gets their credentials but continuously throughout an interaction. Then we allow or deny access to resources based on contextual factors like user behavior, device health, etc.
Making the solution available to consume via the FedRAMP environment, as well as checking the boxes required for identity access controls addressed within the Rackspace government model, makes it easy for the government customer and users, both to acquire and deploy.
Eppes: What we provide is almost a circular thing: There’s a zero trust product that is built and actually consumes that zero trust product. In other words, Appgate SDP is built on top of an infrastructure and a platform that itself is based on a zero trust model. Appgate would not able to truly offer zero trust if we ourselves at Rackspace were not zero trust-based.
When you talk about time to value and mission, Rackspace exists to allow organizations to focus on what matters the most. In this case, Appgate’s ability to deliver a zero trust solution, or a part of that architecture, has a massive impact.
The value we provide Appgate is that they get to focus on what they are good at, and not have to worry about the rest of the zero trust infrastructure. And not that we cover every single bit of it – we’re not doing a lot of endpoint management, for instance – but if you look at the principles, we’re providing a lot of it out of the gate.
When Appgate said we need to help agencies accelerate zero trust deployments, we didn’t have to go build the code; we’d already built it. We have had it assessed for FedRAMP.
MeriTalk: We often hear that every vendor is going to say, ‘I’ve got your zero trust solution,’ and many people say it’s not quite as simple as that. How does that work with what you are offering? What part of the solution are you offering, if not the whole thing?
Miller: From my experience, and I’ve been working in the zero trust arena for quite some time now – probably when zero trust was first coined by the Defense Department (DoD) a decade or so ago – the reality is you have to put your consultant hat on and look at the existing infrastructure that an agency has. There’s no such thing as a zero trust black box.
As others, including agency executives, have indicated, it’s going to be a multi-year process to get to the outcome. But, with the components that exist today, organizations do not need to throw out everything they have and buy this new widget.
We encourage customers to look at the overall reference architecture they have in place today, overlay the guidance from the authoritative sources – whether it’s DoD or CISA, or NIST [National Institute of Standards and Technology], or some combination of all three – overlay what they’re considering as the maturity model as it relates to specific use cases. Then they should identify the gaps that accentuate the highest risk areas and align them to their high-value assets. These steps should help them determine the path forward for what their technology investment profile should look like.
For example, do they start with an aging VPN infrastructure that is not scaling and is high risk based on a new class of vulnerabilities? Or do they start with a new secure access solution? Or, if they have a more mature system, maybe they’re starting higher in the stack and need components that are SD-WAN related or secure gateway related.
As you look at how Gartner and Forrester have defined the maturity of zero trust, they start to introduce terms like Secure Access Service Edge (SASE). If you look at SASE as it compares to what our government authoritative sources have done with respect to reference architectures, there are, depending upon your view, six or seven different components to SASE reference architecture that make up an overall zero trust approach. So, it’s a maturity model and use case based on risk, which is very well known across our government CISOs and their operators in terms of how to evaluate what their current state is and get to the desired future state with zero trust.
MeriTalk: Agencies come in all sizes, and some are further along toward zero trust. What’s the conversation like with agency tech officials with your solutions in terms of savings on money, time, and hassle?
Miller: When we engage with CIOs and CISOs, they ask, “why Appgate?” So, we tend to cover exactly those three tenets – are we saving them money, are we improving their operational efficiency, and are we improving their efficacy from a cybersecurity posture standpoint?
And the answer is yes in all those categories, but the way that we prove that is in the outcome, so we talk about the best value, but it’s aligned to the outcome and the risk that the executive believes that they have. We talk a lot about the concept of time to value and our relationship with Rackspace Government is all about that time to value for the customer.
There are a lot of features, capabilities, and outcomes that we address related to zero trust use cases, but the single most critical part of the conversation with the C-suite is around that time to value.
They have limited budget, as we all know, and may have limited resources in terms of skilled assets that are up to speed on state-of-the-art technologies like zero trust solutions. And then they have ongoing sustainment requirements for the existing infrastructure as it relates to mission. So, when we talk about time to value, as long as we can align to their desired outcome related to their mission, we can reduce risk and improve their overall operational efficiency, ideally reduce cost, and make it easy for them to acquire and deploy, so interoperability is key.
Then we start discussing where we can actually create that interoperability, and we have that ROI [return on investment] conversation almost immediately. Because the C-level suite, they’re students of the game; they understand what zero trust is, and as they evaluate the vendors, what they’re looking for is can you improve those three things? Can you save me money, make me operationally more efficient, and improve my overall cybersecurity posture efficacy.
MeriTalk: Anything to wrap us up?
Miller: When I talk about time-to-value benefits, the top use cases are remote access – so alignment to TIC 3.0, VPN replacement modernization, and cloud hybrid deployments. Secure access has a narrative in any of these use cases. Then there is supply chain, specifically around third-party access, which is a big issue for government; DevSecOps, which is a core competency of ours – that’s how we cut our teeth on the DoD side – cloud migrations, and critical infrastructure or IoT sensor grids.
Those are the areas that zero trust is beginning to permeate, and we want to help customers onboard their zero trust capabilities in those use cases. That’s what we do.