In a world where cyber-attacks are ever-changing, cybersecurity has to adapt accordingly. Joining us today to delve into the world of cloud security for federal agencies is Sandeep Shilawat, Vice President of Cloud and Edge Computing at ManTech. Sandeep has extensive experience in both the commercial and federal technology markets. We'll hear his predictions on where the cloud world is heading, as well as what the federal Authority to Operate (ATO) process will look like in the future. We learn about the benefits of cloud compliance standards, and how FedRAMP is leveling the playing field in federal cloud computing. We also touch on the role of 5G in cloud computing, and why its arrival will be disruptive going forward. Join us as we pick Sandeep's brain for insights into the present and future of federal cybersecurity.
“Visibility has become [the] single biggest challenge and nobody's dealing with cloud management in a multi-cloud perspective from cradle to grave.” — @Shilawat [0:09:03]
“I think that having a managed cloud service is probably the first approach that should be considered by an agency head. I do think that that's where the market is heading. Sooner or later, it will probably become a de facto way of doing cloud security.” — @Shilawat [0:19:43]
**NOTE: Generated via ML. Expect crazy stuff to be translated by an imperfect algorithm that may have never actually been said by the host or guest :-)**
[00:00:15] MC: Sandeep, thank you for joining us today.
[00:00:17] SS: Thank you, man. Thank you for inviting me. Appreciate it.
[00:00:21] MC: So, one question I love to ask guests is just how did you get into cybersecurity? What was your career path? Tell us a little bit about that?
[00:00:29] SS: Yeah, I know why you ask this question. I come from an application development background. There are two categories of people I have seen enter the cloud security world, one that comes from the networking background, the other one comes from the app dev background, they all bring their own perspective. But this is like a melting pot of those two kinds of categories of folks. I was an app developer and then became an app architect. And at the enterprise level, we had to do a lot of infrastructure work. So, at one of my earlier firms I released first off, 2008, 2010, the private cloud wave came in the service catalog. That's the first time, my foray.
Strangely so, actually, we were working on one of the financial firms, and that used to do software as a service in 2008, for credit ratings, because the logic of running this credit rating was very industry-specific and that's the pattern they had. So, we had to actually do the API calls to get the ratings. That's how we came in and I don't know whether you remember this, player software used to be a cloud, and Amazon, and these compete. So, we worked on that, and then we realized, at some point, security has got to be a lot better. That was obvious to us. But at some point, we will have a primary goal of protecting this perimeter-less world that is emerging.
So, that's my first foray into cloud security. Subsequently, the rest is history. 2015, I came into federal cloud computing, and then kind of compliance and security became the topmost thing that you look at, and now security is in everything. So, I'm glad I got into this.
[00:02:16] MC: It's a good field to be in for sure, for sure. So, you're at ManTech now. Tell us a little bit about ManTech, what you guys do, and maybe a little bit about your current role.
[00:02:25] SS: So, ManTech is a systems integrator, serving Federal Industry, Fed safe DOD, and intelligence. ManTech is a 50-plus-year-old company. So, it's been in the business for a while. ManTech, mainly, our tagline is securing the future. So, security is on top of everybody's mind here. Our company also has another tagline, bringing digital to the mission. So, while we are a mission-driven company, a lot of these agents' missions are what you would see our employees adopting. We have around 10,000-plus employees, and more than half of those employees are veterans, and 90% of our workforce is cleared.
We are a company undergoing a digital transformation as we speak, like most of the companies in the industry. My role at ManTech, I am actually working in innovation and capabilities office that was formed in July of 2020. We have five horizontals that we identify technologies, focus areas, we call them. I lead our data at the edge technology focus area. My business title here is Vice President Cloud and Edge Computing.
[00:03:41] MC: Awesome. Now, one thing I noticed from stalking your LinkedIn profile was that you were the chair of the Washington Executive Cloud Council. Tell me a little bit more about that organization and your role there.
[00:03:55] SS: Yeah. So, here's a funny story. JD, who's the CEO of Washington Exec, and we have known each other for many, many years, but we always talk about it, and he is not a cloud expert, but he is very good at identifying the right areas. So, he has been asking for a couple of years, "Hey, you work on Cloud, what is the big deal with cloud computing and cloud security? I hear a lot about it." And we spoke and I said, "You have so many councils, why don't you think of a cloud council?" And he immediately responded back, "Is that something you can create and run?" I'm like, "Why not." But unfortunately, the pandemic hit, so we kind of slowed down. But the idea kind of prevailed.
So, we founded the council this year. We are 20 plus members, most of them are thought leaders. We are very federally centered. So, we are the vendors, we’re the integrators and we have small businesses with products et cetera. And small businesses with services as well. So, most of the integrators, most of the CSPs you can think about the big three, and a lot of new innovative products, CEOs are part of the council. It's a very vibrant community. It’s growing. We bring in a lot of keynote speakers from DOD, DHS, and other agencies. We speak about it. We follow chat room rules.
So, we can have a free and frank conversation. And then we kind of lead each other's thought processes with each other. And we mutually try to influence the industry and direction, and understand this direction as well. So, it's a newly formed council. It's almost a year old. We at Washington Executive, I think they all started a cloud Exec of the Year award after the foundation of the council. Now, there are two awards, I think, one for the publicly traded companies and for the private companies. There is one for cloud exec for government as well. So, I think, it’s kind of forming and shaping, a lot of opportunities coming in and influence those. That's most of what I can say about the cloud council at this point.
[00:06:01] MC: Yeah, those organizations, I think they're actually really powerful. I've been part of in the past InfraGard, which is a kind of a public-private partnership between FBI, DHS, and the private sector. And I think the knowledge sharing that happens there is really, really invaluable.
[00:06:17] SS: Absolutely. I think that gives you a platform to vet and validate, because it's such a new field, and everything new comes up every day, especially from security side, if you're not looking at the newspaper. Now, look at CNN headlines, and you will find why this is important. So, I think, while everybody is an entity for profit, and they are there for their individual goals, I think as a collective fabric of thought, it’s a very important process. This council and many other councils in the industry, I do believe that.
[00:06:49] MC: So, one of the things I was looking at on ManTech’s website, as you guys have a number of different offerings, but one that caught my eye was Fernglas. Tell me a little bit more about that offering. What does it look like? What's the service that are provided in that?
[00:07:03] SS: So, you have been in the industry as long as I have been, right? So, when we came to the federal world, we had a framework for cloud adoption. We used to call it Launch Ramp. There's a trademark framework. When you work for agencies like NASA, there are such a diverse set of applications that you need to migrate. And if you go to CSPs, cloud service providers, they have their own cloud adoption frameworks. You need something that will detach from – they are great frameworks, by the way. They do great justice to how cloud should be adopted, but they have a very different focus.
If you are a service provider and integrator who has to migrate this diverse set of apps, you need to take that and take your lessons learned and build a different way of doing it. That's what Launch Ramp was. It was more like a guiding framework. But after many years of providing that to industry, it's also on the marketplace. We realize that, while it is very guiding, it is not very prescriptive. While working with the clients on the ground, we need to be more prescriptive, accommodate their tools, and bring in new technologies that are coming into the market.
So, we came up with the idea of having a multi-cloud management platform. ManTech always believed that world is going to be multi-cloud, hybrid cloud, open cloud. I think it's multi-cloud now, hybrid cloud is kind of everybody's opening up to that world, that's going to be hybrid cloud. I think it's also going to be an open cloud world where you see some CSPs reducing egress costs and stuff so that they're allowing the data exchange between the clouds. I think, that's the world we're heading to.
You are also aware that there is a significant dearth of talent in the industry, especially with Federal Industry, the kind of clearances we need, which is leading to this very complex, multi-cloud world. I wrote a lot about operational complexity of multi-cloud environments. But if you look at the various service or various agencies, visibility has become a single biggest challenge. And nobody's dealing with cloud management in a multi-cloud perspective from cradle to grave.
So, we took our launch framework and created a multi-cloud management platform. And we named it Fernglas. Fernglas is a German word for binocular, so that you can far out, you can see it, and you can manage it. It is an open architecture-based framework, meaning a platform which will allow you to plug and play your tools and give you a single pane of glass with the visibility. You can say, I have 15 cloud vendors, this many are GAO, this many are commercial, this many are AWS, Google, Azure, and then it will allow you to see violation costs, security issues, and any other stuff that you're interested in.
So, that's our offering to the market. It came out this year and we are implementing a bunch of our clients as we speak. Essential element to that, we used to call previously as OMAPF, open mic services and press framework, we now actually merged it with Fernglas, as Fernglas DevSecOps, which basically gives you a very unique approach to cloud migrations. While you know, most of the agencies will tell you like, let's do a lift into it, migrate first, modernize later, then there is another approach, we say, modernize first and make it – enable for what you call future-proofing and then migrate later. But in both cases, I think we thought about it is taking more time. Time to cloud is very high. So, we came up with a very unique approach, modernize while you migrate. That is where I think, we use our Fernglas frameworks to help agencies and companies with their DevSecOps approaches and cloud migrations.
[00:10:49] MC: So, one of the things that you and I were talking about prior to the start of the podcast was just the whole concept of compliance, compliance frameworks, and things like that. I know that, for public sector, there's a number of compliance mandates out there. There's FISMA, the Federal Information Security Act. There's FedRAMP, there's different impact levels within FedRAMP. I guess my question to you is, is given your experience and what you've seen with working with dozens of different federal agencies, how does maybe either Fernglas, or how have you worked with different federal government agencies around those pieces?
So, let's maybe focus specifically on FedRAMP, because it's specific to cloud. Why are they important? And how does an agency go about achieving those different FedRAMP levels? How does that work? Have you guys worked with agencies around that?
[00:11:40] SS: Good question. I think that's probably the question of the day. I think for your audience's purposes, let's break it up a little bit, and maybe elaborate. FISMA is an act, right? It's an act to protect data built by US government. And then there are provisions in that act. FedRAMP, and FISMA. FedRAMP is a program that is run by GSA. It actually creates standards about cloud service providers are to comply with. FISMA applies to all of the data, and FedRAMP applies specifically to cloud services.
Both are built on NIST 853 standard. So, it's very important to understand that. And then impact levels that are actually very specific to the Department of Defense. They are impact levels; they go up to six, and they are all built on the FIPS 199 standard. So, while I'm throwing a lot of these acronyms around, it essentially means there is a baseline of standards that you need to comply with to be called secure. And those Security Act of security are supposed to be managed within something called RMF, risk management framework.
So, when cloud came in, there was no common standard available. So, FedRAMP was the standard built. There are three FedRAMP levels: low, moderate, and high. Most of the big CSPs have FedRAMP High certifications now. Why are the standards important? The standards are actually a common baseline of how to see cloud security, what prism to use. And they can give you a level of comfort while going to – especially for federal agencies, when they're migrating to cloud, that whatever they're getting into is compliant to a certain level of standards, especially if you have classified agencies going in, they need to know which kind of personnel are handling it, if it is US only.
So, there are community clouds that had been built, we call GAO Clouds, that actually meet certain standards on serving our agencies. And FedRAMP actually provides you that platform. So, it's a very, very useful program. And fortunately, I have been involved with FedRAMP from early 2014, 2015, when FedRAMP was very new. There was hardly anybody onboarded. So, we had this challenge at agencies where you would have services that were not FedRAMP certified. We would actually create a package similar to FedRAMP, and demonstrate that those controls are applicable. And we had a very templated process of going through that.
But subsequently, I think, probably five, seven, eight years later, there are a lot more services that have been onboarded on FedRAMP. Many of them are FedRAMP High. So, I think there is a broader acceptability and broader compliance from CSPs for the federal standards. So, agencies have, as you can observe, a lot more comfort going to cloud and the speed of migrations from agencies has increased a lot. So, I think from that end, I do find it very important from a FedRAMP perspective.
Impact levels, of course, are the next level of compliance. It's a fifth standard. So, there are some hardware-related requirements that need to be complied with from a security perspective. And most of the CSPs are either caught up or catching up with those standards. I think it's important. Some of them are aisle two, some of them are aisle four, but there are very few that are aisle six. So, again, a long way to go, a big investment, but it gives you a common baseline to work with.
[00:15:08] MC: Prisma Cloud secures infrastructure, applications, data, and entitlements across the world's largest clouds, all from a single unified solution. With a combination of cloud service provider APIs and a unified agent framework, users gain unmatched visibility and protection. And for our federal customers, Prisma Cloud is now FedRAMP moderate. To find out more, go to prismacloud.io.
[00:15:38] MC: I think that, I remember early on, you had a previous employer working with GSA, during some of the early days of FedRAMP. Let's just say it was not as straightforward as it is today, right? Let’s just put it nicely.
[00:15:51] SS: That's really nicely put.
[00:15:51] MC: It's a nice way to put it. But like most things, it's been through multiple iterations and multiple different cycles. I mean, I know, there's like a low impact rating now for those applications that don't have I think, PII and things like that in there. So, GSA has done a lot of good work to really push these standards out. And from my experience at Palo Alto Networks, we've been through this process now with a number of our products, right? So, our Prisma Cloud platform is now FedRAMP moderate. And that was, I think, a good inner undertaking for us as well, right? Because not only does it –
[00:16:29] SS: An expensive undertaking.
[00:16:30] MC: It is an expensive undertaking, but I think it is a good learning process. I think it just matures, not only the organization, but obviously the product itself. So, I agree with you. There's a lot of value in these. And I think, prior to FedRAMP, like you said, there was no guiding standards for federal agencies around cloud and cloud security. So certainly, it's not perfect, but I think there is definitely a lot of value that's coming out of these different levels.
[00:16:57] SS: So, a lot of good work done by the FedRAMP program itself, Baljinder, Ashley, they have contributed a great bit to this. So, kudos to those folks, creating a level playing field in federal cloud computing with FedRAMP.
[00:17:11] MC: One of the questions, Sandeep, I've had a number of thought leaders on from the kind of the public sector or federal space. One of the things that I often hear is that as agencies are moving to the cloud, they're struggling with visibility, right? They've got all the different – they’re not just in one cloud, they're in two, they're in three clouds. Talk with me a little bit around managed cloud security services. So, I think this is an area where I've seen some agencies do it on their own. They go out and they try to manage on their own. And yet there are others that are maybe considering some kind of managed cloud security service. What are your thoughts on that in terms of federal agencies, in terms of that approach?
[00:17:57] SS: That's an interesting question. I think earlier, you asked me about Fernglas and the standards, right? And I'll kind of flip it over and address that. So, the reason we built Fernglas was the single biggest problem was visibility, right? For every reason, one cloud account is actually like a data center. You can build all kinds of stuff on that. So, every agency, I was looking at one agency other day, they had like 153 Google accounts, I think 270 Amazon accounts, and probably few hundred Azure accounts.
Now, if one account can lead to a behavior like a data center, we talk about like six, 700 accounts here, of three different vendors with a variety of services. And each account can have thousands of resources. So, the level of complexity, we look at millions of cloud resources available for use and abuse. The other part of the equation is talent. Do we have or is it feasible to build a talent pool at the speed of mission?
Remember, adversaries are not waiting for you. The cyberattacks are proving that they are relentless. They're going after everything. And let's agree, that process of getting talent on-boarded, while many agencies and public sector organizations are working to get this talent onboarded fast enough, I think there is a significant gap in innovation. So, what are the options left on the table? One of the key options is to take those trusted partners and have that service done.
So, I do think that having a managed cloud service is probably the first approach that should be considered by an agency head. I do think that that's where the market is heading. Sooner or later, it will probably become a de facto way of doing cloud security. Because remember, the cloud attacks are changing. One day, it is SolarWinds. The other day it is Log4j, then there is some sort of ransomware hack. They keep changing and the complexity of this multi-cloud world operationally, it is actually growing proportionately. Such a highly complex environment needs to be handled by a very dynamic ecosystem.
And I think, with a public-private partnership, I think having a managed cloud service, security service specifically, I think, is very important. I think the industry should closely look at it. I think partners like [inaudible 0:20:37], those know the business of cloud security. There are other partners who have millions and billions and trillions of cloud security events that they collect, they analyze, right? And some of these vendors are spending literally multiples billions of dollars just on cloud security. I think use that. I think that would be the right approach. I don't know whether there's one single answer to this, but I think managed cloud security service should be part of that portfolio of solutions and should be on top of it. That is my opinion.
[00:21:07] MC: So, I know that at ManTech, you guys work with multiple different federal agencies. And one of the biggest things that I've seen in my experience is that depending upon the application, or what they're trying to do, agencies oftentimes struggle with getting the ATO, or the authority to operate. It can be a challenging process, to say the least. I guess my question for you, Sandy, is, how is ManTech helping federal agencies to get those ATOs faster, especially when it comes to public cloud? Does Fernglas come into this here? Or are there other things that you guys are doing or have done to help federal agencies?
[00:21:46] SS: Yes, I think you put it mildly, the ATO process takes a long time. It’s a very intense process. I think it is an intense process, because there's a lot of manual work involved, right? Compliance with the controls, and authority to operate is the responsibility of the agency’s CISO and CIO. They have to sign off on, “Hey, this application can run in my environment.” That is authority to operate.
Now, many of the challenges come through the changing ecosystem. While there is a general understanding that the application should go in, the devil is always in details. What environment you're operating on? What kind of data are you handling? And is this how you're supposed to do it? And you would see that there are a bunch of poems that get generated through that process, scanning. But as I said earlier, think automation, I think Fernglas has something what we call continuous security, continuous compliance.
I was talking to Paul Puckett the other day, and he has a better word for this. He calls it continuous risk management framework. I think that's a better way of putting it. Essentially, what it means is, you don't want to know at the end of the quarter, how many controls did I comply? How many vulnerabilities are there? You want to know that on real-time basis. I think industry has realized that and they're building tools and services that will give you what I like to call continuous ATO, which basically, not a one-time event, but on a real-time the CIOs, the CISOs would know, what is the state of their environments?
Going through that process need not be this complex. I think there are tools like Prisma Cloud, right? Those tools are actually going to give you real-time information, should you implement them. So, I think there is that adoption process pending. But I do think that there is significant progress being made. We run our own – I ran beside Fernglas. We have something we call compliance as code, which basically we generate, not only run the compliance, we also generate ATO-related documentation that is auto-generated and available. I think, if you are somebody who uses Prisma Cloud, it generates a dynamic compliance report on a real-time basis that can be used as evidence. So, I think a lot is happening. It's a very, very vibrant field coming up, and I do think sooner or later, you're going to see – I don't think we will get to real-time compliance in a documentation sense anytime soon. But I think the deals will come around from this year-long process to probably weeks' or days' worth of a process. And that's a real possibility, in my opinion.
[00:24:28] MC: Yeah. I love how you mentioned automation, and so much of the existing ATO process is manual. And I know that there are a lot of efforts going on right now to help address that, to speed those up. And as you mentioned, when you think about things like some of the innovation that cloud brings, things like infrastructure as code, like Terraform, automating the build of those environments, I think there's a real advantage that many federal agencies probably are not yet taking advantage of. But being able to define the infrastructure once in code, and then being able to basically certify it that way, there are so many efficiency gains that I think are still out there that can possibly be made.
[00:25:14] SS: But that is good news. So, I speak on the cloud council with many of these agency leaders on a very routine basis. And all of them actually recognize that this is a topic to be dealt with. And most of them have a plan to deal with it. So, I do see a light at the end of the tunnel. But as you said, as long as it stays manual, I think you're going to have this very intense process; the moment it goes to automation, I think you will see significant efficiency benefits for the industry and for the agencies.
[00:25:45] MC: So, I'm curious, I know you work with both civilian agencies, as well as Department of Defense. How would you compare kind of cloud adoption between the civilian agencies and Department of Defense? What does that look like from your experience?
[00:26:00] SS: So, I think there is an easy way of saying this and there's a more complex way of saying this. Let's go with the easier way. I think the standards to be adopted on fed side are more comparable to the work we do in commercial world. So, while there is FedRAMP, I think most of the clouds have FedRAMP. There is no added standard. There are no various constrained requirement terms of personnel, in terms of hardware. But the moment you move to the DoD side, there is a class of workloads. There is a class of workload that directly can correlate to what federal agencies are doing. So, there is an easy path there.
But then there are some classified workloads, that mandate future-proofing that has some specific requirements. I think that process is kind of evolving. If you see, fed agencies have moved rapidly to cloud in the last three, four, or five years. And with the emergence of many of these programs we are seeing now, you see DOD is kind of putting its bets onto the cloud services as well.
So, I do think what occurred into fed around 2016, 2017, the arena for cloud migrations, I think it's happening in DOD and IC field now. I think, now you will see a significant wave of migrations occurring. I think there is a culture thing as well, right? I think we strongly believed, due to the technologies of those days, the physical separation of these was very essential for functioning of the compliance standards we had, which is why many of these standards exist. But with the new technologies, and the amount of things we can accomplish, I think software as a service, I think should be an acceptable idea for many of these higher standard compliance workloads.
Similarly, I think multi-tenancy should be an acceptable idea. I think we need to draw our comfort. And again, these technologies also have to prove themselves through maturity. So, I do see on the DOD, IC side a path ahead with these big programs coming up. But again, I think there are going to be some workloads that are going to stay private, there are going to be some workloads that are going to be hybrid.
So CSPs and the industry have to keep an open mind to that, because that's the world we need to head to. It's not a checkbox exercise that everything goes to public cloud. I think there is a deliberate analysis needed for each workload, which is where I think a framework like Launch Ramp would help you to go through the process of analysis and then make a very deliberate choice about what you want to do with that workload.
[00:28:38] MC: So, one of the other areas that I know that you have some expertise in is 5G, right? So, this is something that we've heard a lot about over the last two to three years. And I guess, one of the things I'm curious about is, when you think about 5G, and you think about cloud, are you seeing a lot of containers like Docker, Kubernetes, that are being used in 5G networks? Are those two things synonymous? Or is there still a lot of kind of diversity in those workloads?
[00:29:05] SS: So, I think, first 5G, why it is part of the conversation. I think 5G has three angles to it. The high bandwidth, the fact that it has latency, ultra-reliable low latency, URLLC as they call it. And third is I think, MMTC as they call it, massive machine-type communications. So, these are the three angles that 5G comes with. And then there is of course layered cyber angle to it.
We have come to the realization as US government that we are behind in this and our adversaries have taken the lead in this arena. But if you think about the three topics I told you about, I think they have a natural convergence with cloud computing. This is an amorphous convergence of these technologies. I think the important part about networking is I think, currently, like we had data centers locked in with vendors and we can name them, and then cloud came along and kind of broke that model, business model. I think 5G does the same. I think currently cell towers and radio access networks, [inaudible 00:30:12] they call it, are actually very locked into the telco providers. 5G comes in and breaks that model.
One of the key ways it breaks it is separating the control plane from user planes. And the technology that it uses to manage that is container technology. So, you would see the emergence of significant amounts of vendors that are coming up with security controls that are managed through containers, they're managing networking through – so, I think there is a lot of value containers add to the 5G technology. But 5G technology in itself is actually a field significantly disruptive. I think, soon, you'll hear conversations around 6G as well. We are in experimental mode, we provide labs to our federal customers to come in and experiment with. That's the area. I think, there is an idea of telco cloud that is coming up. So, I think you will see significant growth occurring in 2022, 2023. And as that happens, the good news about 5G is cyber is inserted as a part of the technology. It's not, okay, let's patch cyber on this. That's good news. But I think, a lot is to happen in the 5G field in coming months and years.
[00:31:22] MC: So, Sandeep, it sounds like you guys have a lot going on at ManTech. Are you guys hiring?
[00:31:29] SS: Oh, we are hiring. We are hiring big time. I think we are hiring all – in fact, right now, I'm looking for a cloud architect in my team, and we have probably a few hundred openings on our careers website. We have hot jobs, we have regular release of hot jobs going on, you should go to the careers websites on mantech.com, and you will see hundreds of openings for people to join. Make your pick, technology, emerging technology, stable technology, and you have it.
[00:31:58] MC: I love it.
[00:32:00] SS: We’d love for you to visit that and join ManTech.
[00:32:02] MC: That'd be great. So, Sandeep, if people want to learn more about you, they want to connect with you, what's the best way for them to do that?
[00:32:11] SS: Yeah, so best way to connect with me is LinkedIn. That's my first preferred way of connecting. I also am on Twitter @Shilawat so you can follow me on Twitter. But LinkedIn is my preferred way of connecting with folks.
[00:32:24] MC: It's awesome. It's awesome. Well, Sandeep, I've really enjoyed the conversation. We've covered so many different things from compliance standards, to 5G, to containers, and it's been a really enjoyable conversation. Thanks for coming on the program.
[00:32:36] SS: Thank you for inviting me. Very excited.