Transcript
Dana Morris
Alright. Good afternoon, and welcome to another episode of Hash It Out. I'm Dana Morris.
I lead product engineering here at Virtru. Today, I'm joined by a very exciting, guest, a first time appearance on Hash It Out, my new colleague, Tim Clayton.
Today, we're gonna be exploring, a topic that's pretty near and dear to our arts, which is, something called the Mission Partner Environments and how Virtru is helping, allied partners to collaborate more freely and to operate at sort of modern mission speed. And I think with that intro, I'm gonna kick it over and just say welcome to Tim.
Thank you, for joining us today. And, maybe we'll we'll kick it off with Tim just doing a quick intro of who he is, where he comes from, and a little bit more about his background.
Tim Clayton
Sure. Appreciate being here. So, my name is Tim Clayton. I'm traditionally I was, educated and and trained as a software engineer.
Did so for a couple of decades, as a contractor. My most recent, job before this was at AWS, where I was a senior solutions architect on our air force team and led a lot of the MPE efforts that they had there.
Dana Morris
So, Tim, like, let's talk quickly before we dive into the subject. Just, you know, what's led you to join Virtru right now?
What's exciting about joining, you know, the company? Like, what why why did you wanna come here?
Why why are you here at Virtru now?
Tim Clayton
Yeah. I I think it's an interesting kind of, connection of events.
So I was at, AWS for about five and a half years, and I kinda became the lead of our MPE efforts as I mentioned. And, on the DOD side, MPE as a as a mission, moved from the area of, Air Force Executive Agency to DISA.
And when that happened, you know, transitions in larger organizations is, you know, are are are more difficult. And so, I I knew that I wanted to continue on that mission.
MPE is a passion of mine, and I think it's it's probably the most important thing that the DOD kinda has on its plate right now. And every interaction that I had had, on any of our MPE efforts, it seemed that Virtru was involved in some way, shape, or form.
You know, the data centric security, of of of that piece of the of this tech stack seemed to always be at that intersection. So, you know, Virtru came up again and again and again.
I was involved in a in a in a workshop and and and a project at AWS where we were actually using Virtru, to build, a demo piece for AUKUS, which is a trilateral kind of data sharing agreement between The US, UK, and Australia. And Virtru was used there.
And it was kind of an interesting, again, connection of events where Virtru came up again. I was also involved with Project Olympus, and with, connecting some of the data with HighMast.
And again, Virtru was there again. And so we kinda became, a fan of what Virtru had to offer and the services that it specifically provided.
What you'll find is that in the DOD world, almost everything still uses network based security. Everything's network isolation.
Everything's air gapped, either through, you know, direct, physical air gap or through some sort of, encryption. And ABAC really is kind of a tack on, you know, the the idea of of, you know, zero trust is kind of, hey.
Let's do this in addition to what we're we're already doing. And I think Virtru is kind of a standout, differentiator there when it comes to saying, hey.
Zero trust is the core of what you do. Data centric security is the core of what you do.
And so I think the stars aligned. I saw I needed to make a shift.
And and then with, you know, we're gonna talk about a little bit about what about what happened in Brussels. Again, Virtru came on my radar again, and I think it just, signs pointed that direction.
And when the opportunity came, I find myself here trying to continue that MPE mission, that I think is so vital to the DOD efforts.
Dana Morris
Yeah. I think it's funny.
Sometimes the stars align, I think that you feel like they're aligning pretty well given, your share your passion for MPE and kind of where we're focused as a company. You said a bunch of interesting things there.
I think you mentioned things like data centricity. You mentioned AVAC or attribute based access control.
You mentioned the MPD or mission partner environment, several times, and then something called high mass. Why don't we take these in sort of a a quick order?
Maybe you could touch on quickly, like, what is the mission partner environment? Like, what is the core problem it's trying to solve and and why that's so critical?
And then we can kind of bridge to how that relates to high mass, which has been in the news a little bit lately, and then take it from there into some of the topics like ABAC and and data centricity.
Tim Clayton
Sure. There's a lot to cover.
So mission partner environment is a very specific, kind of concept. Originally, the idea of sharing data, obviously, has been around for a while.
About a decade ago in I think it was in 2014, the DOD CIO came up with the idea of the mission partner environment as a contract, as a support element, to some of the missions that were going on in the DOD. And what they wanted to do was establish a, a standard way for one entity to share their data with another entity.
And those entities could be, across the same mission. Originally, it was obviously within the DOD.
It was within, you know, it was kind of spurred off the idea of nine eleven. When you have all these elements, you had to share data.
But then we had another requirement to share with our allies, and all allies use different, identity providers. Some of those providers are, you know, third party, but most of them are terrestrial, which means that, you know, DOD is gonna provide their own identity, and they don't want to really own the other identities.
So they tried to come up with a paradigm where they could share that data. So NPE, was kind of divided into different, efforts.
Things like, APAN, SABRE, Project Olympus. These are these are one off originally kind of experiments that became, military exercises that, I think just recently have changed into the idea of mission support.
And that's something we can talk about in a minute about what was announced at, in Brussels. So traditionally, it's this idea of being able to share data effectively with people that you need to participate with, or allies that you need to participate with.
Dana Morris
Makes sense. That's a really good explanation. I think, maybe before we talk about Brussels, let's talk a little bit about, HIGHMAST operation HIGHMAST
And then, give me a second. I'll give a little background on it.
I wanna kinda pull on one particular aspect of that that's particularly challenging and kinda speaks to the the broader challenge, and then get your your thoughts on that. So, you know, operation of HIMAST, we've been involved with, The UK and The US, Department of Defense for a number of years now.
And HIGHMAST is kind of the culmination of multiple years of efforts as you're well aware, where it's a it's a UK carrier strike group that is going basically around the world, has a couple of other, support vessels that are from other nations participating. And as it's going around the world, it's crossing multiple areas of responsibility.
Right? Or AOR. It's crossing multiple combatant commands or COCOMs. So you think about leaving The UK and you go all the way around the world, you know, just leaving there and going through the Mediterranean, you're crossing through European command and central command and maybe through African command and then we're in the Pacific command, which we'll talk about later.
So, you know, one of the things that that, I think is interesting about that is is you mentioned the mission partner environment and that concept of sharing data. Can you maybe give a little bit of color, like, what is so challenging when you cross all those COCOMs?
And, you know, what's actually happening when somebody you know, that that carrier strike group is going through those areas. It's trying to collaborate.
Like, how, you know, how does that happen today and, like, how is it maybe changing?
Tim Clayton
Yeah. So in the DOD, policy for a long time has been very network centric.
So if you think about networks like NIPR, SIPR, JWICS, these are classification based. So there's this idea of you need a network that can that can contain and protect a very specific classification of data.
And so all the networks that connect to that are essentially colors of those classification bands.
Dana Morris
Mhmm.
Tim Clayton
So so they're not ABAC centric. Right?
They're not data centric. It's all, you know, layers of networks and encryption across those. And anytime you need to cross data between them, you have to use some sort of of CDS cross, you know, data to basically push data across a a diode of some sort.
And so, historically, this is difficult because all these networks exist. They're they're they want they want to get rid of them, but the way policy proceeds so slowly, in the DOD that it's difficult to get rid of them, without a huge shift, in how you're gonna protect the data.
So, if you're gonna move across all these different areas, they're gonna have different networks. They're gonna be different people operating those networks.
And so moving data across those things becomes extremely difficult to meet policy Because although they may be at the same classification, they may even they may even be, operating with the same people because they're moving across a different network, it has a you start moving through a whole different policy. So, data centric security is kind of a key to that.
It's gonna unlock the ability to have data that exist in two systems that can have the data interact and have those users interact with the data, but the users don't actually have to transit those network systems. And that breaks that paradigm just enough, that it's gonna enable a lot more.
So that's really the key there is that shifting into zero trust and data center security is kind of a core element of that zero trust. It really enables you to not worry about what network you're on, what identity you're providing, what classification you have, wherever the data is and it's tagged with that specific type of of data, attribute, then you're gonna be able to access it no matter where you are or where you need to be.
Dana Morris
Right. I think we'll we'll get to Brussels here in a second. I think it's a nice build up.
If you think about, like, operation HIGHMAST Mhmm. They're using data centric concepts.
So to your point, they're moving the classification from the network to the object, and then that object could be a PDF file. It could be a Word file.
It could be a geospatial image. It could be a video.
It could
Tim Clayton
be A chat message.
Dana Morris
Chat message, any of those things. And they're moving it down to that message, that object, that file, and then having the data be self describing in a way and and using cryptography, encryption to bind them together so that that becomes the unlock for that data to move.
Right? And so, you know, we went to Brussels, you and I were both there and you were there at the time at AWS and I was there with Virtru at the Mission Partner Environment Summit, that was hosted by the US Department of Defense but involved a whole host of other nations and partners. And High Mass was a big focus.
Right? They had the The UK there talking about what they were doing with High Mass and the success they were seeing where they were hearing their commanders talk about the agility that the data centric part of the exercise was unlocking for them. And one of their biggest frustrations was just that they had to use their legacy network centric for some aspects of their mission and the data centric aspect for other parts.
And they were asking why can't we just do it all with data centricity, which was obviously these are the areas, but but clearly there's a lot of work to get there. Maybe I do wanna hear from you in a second on what you took away from that summit because I'm sure just given your background, you maybe heard different things or took away different insights than I did.
I mean, for me, it was kind of my first experience of being in a room with senior leaders across areas of the US military and, you know, allied military, partners. And hearing the things that really stood out to me were one, that everybody was talking about the same standard.
There's a a document called, allied communication publication two forty or ACP two forty. That's a Five Eyes, document, Five Eyes being US, UK, Canada, Australia, New Zealand.
Right? That document describes data centric interoperability as a concept, and it documents how the trusted data format that Virtru is known for is a is a key part of that. That's how you get the attributes attached to the data.
And everybody was talking about that was news to me, and it was really interesting to see how broadly and quickly that's been adopted in the last two years, really. The other thing that stood out was just the sense of urgency around 2027 and, you know, definitely a sense of urgency across the whole community in terms of unlocking this modern mission partner agility.
Right? Agility is really the focus. Security has to be there, but agility, we need to move faster.
We need to be able to share data with new allies, new partners dynamically. We can't afford to take six months to spin up a network.
Like, that really stood out to me. I'm curious, like, what did you hear?
Obviously, I'm sure you heard some of that, but what else did you take away that was unique and interesting from that that summit?
Tim Clayton
v
Yeah. So policy is always the gatekeeper, to some of these technologies.
And and and and different agencies like DISA. Right?
They pay a lot of lip service to those policies. They're you know, obviously, they have to be risk averse, in many cases.
And while they're always saying, hey. You know, we're willing to change policy.
It seems to be much just lip service. Right?
They they don't they don't really move that quickly, unless there's a need. And so what happens is when you have something like high mass that is, obviously very enabling, very powerful, very high level visibility, throughout the government, suddenly there becomes pressure, from the top.
So what I heard there was, I I think, just a few things. Number one, you heard general Stanton say that they were going to move executive agency from the Air Force to DISA.
And the reason they're doing that is for this big announcement was they're basically, they're changing their perspective of MPE from this idea of, you know, an an experiment to the idea that they're really good they're focusing on mission support. And those two words, mission support, means they're actually supporting missions that are happening in theater instead of just talking about technology and data sharing as it's a a back end kind of, you know, check the box.
So that means that they have a mission need that's gonna have visibility. And then they said on stage that they obviously are going to have to change policy, to make some of this stuff happen.
That's more than just saying in, you know, in passing. It's kind of making announcement that they recognize that policy is a gatekeeper here.
And there's really kind of a few policies there. One is on cross domain, which has to come from the NCDSMO, or the cross domain authority.
And another one is about data centricity, and that's really about DISA. And the third one, because I came from a CDF, from a cloud provider, is really this this idea of, SCCA compliance and SRG compliance, but that's a whole another, topic.
And all these three things are kinda changing at the same time. And that's really this kind of inflection point.
You mentioned these dates. Right? These dates, 2027, 2030.
These are essentially modeling inflection points that, the intelligence community sees that they have to have certain missions have to be in motion at those times or we're already on the back foot. And so those things have to happen.
They see that the pressure's on, and so things are gonna change pretty quickly. And that's what that announcement was about.
It was about, hey, saying, not only are we saying it has to change, we're giving you a deadline. Right?
That by when those things have to change instead of just paying lip service.
Dana Morris
Yeah. That's a really good, insight, Tim.
Like, certainly, if you're not in that community, it would be hard to pull apart, like, the differences in the policy implications of what was being said. Yeah.
I think yeah. I think the data centric concepts were what was really interesting to me is, like, the product and engineering guy is just as I I hinted at this in my my first comments, but that change in posture around it used to be security and then agility. And I've seen in the last few years those words switched around.
Tim Clayton
Yep.
Dana Morris
It's agility and security. That may seem subtle, but it's a pretty important shift, I think, to your point about the need.
What's driving it is not is is really that need to be able to operate much much more agile than they could previously because the reality of modern missions, which don't always mean war fighting missions, just missions, right, in general. Even it could even be peacekeeping missions.
Tim Clayton
Yeah.
Dana Morris
You're often now interacting with partners that are not part of a coalition. They're not part of NATO.
They're not part of Five Eyes or AUKUS. And the traditional approach would have been, let's spin up a network and let's put in some CDS devices.
And by the time you went through all the approvals and did all that, it could be six and eight and twelve months later. The mission already happened.
Right? Like, it's already done. And and what you need is the ability to do that in minutes, not not months.
And that's where this idea of data centricity is quite powerful because if I tag the data the right way, the data can move, the policy attached to the data, but equally I can then entitle new partners to the same, like, mission or classification, and they would be able to see that data for only the time period they need to. And I can take it away later.
So I have this really good agility to add quickly and remove quickly and kind of operate at the speed of mission. Like, is that how you're seeing it as well?
Tim Clayton
Yeah. So, you know, when you when you look at a small network, let's just say, like, AUKUS or Five Eyes, obviously, those you have the same participants. Right?
In AUKUS, you have three participants. That's not gonna change.
Five Eyes, you have five. It's not gonna change.
But when you look at even something like NATO. Right?
The the the number of members in NATO is going to vary Mhmm. Over time.
And then if you're talking about a coalition that doesn't have that type of overlying classification. Right?
Those are going to vary. Our participation in endo pay comm, the one you're we'll we'll probably talk about in a minute. You know, that's going to vary greatly, and those countries aren't part of those coalitions.
So you have to have a system, a data centric system that doesn't strictly rely on classification tags. It has to rely on who's participating in the network at a specific time, and that means who's accessing the data at that time.
And so it has to be data centric. It cannot be network centric.
And that's really, again, another kind of shift that we're seeing here with ACP two forty. When NATO came out and said, hey.
This is what we're going to use as our standing. That's a huge, huge green flag, that something's going right in that, kind of arena and that, you know, whenever Virtru and and and the idea of this data central security is kind of granted, the kind of, the TDF is put into that as as code, as policy, suddenly, you've got a huge leg up on on on what's gonna make up that network and how you're gonna participate in that network.
So another big boon, I think, to to Virtru in that aspect.
Dana Morris
Yeah. And maybe before we touch on end of day comms, because I kinda wanna wrap up there, I think, because it's a pretty important topic to cover off sort of at the end, particularly with us, getting a presence here soon at a conference where we'll be more focused on the Indo Pacific.
Maybe let's quickly talk about how does the same, you know, principles or concepts maybe apply outside of the defense industry and the defense, you know, military kind of complex. Like, you know, when I think of things like know your customer, a good example might be, you know, banks.
Banks have to collaborate often and are equally they don't have a trilateral usually. Right?
They don't have, like, maybe an agreement other than a piece of paper. And often it's similar in that sense of you have a semi trusted partner.
Right? Like, they're they're still a partner. They're not inside your organization.
And so this ability to be able to share data where you keep control and you see what they're doing with the data, that sort of visibility and control gives you that agility, but also gives you, like, confidence that you should be you can share that data and not lose control of it. That's also a big part of this sort of what we see with the mission partner environment.
Right? And do you see other use cases maybe in the commercial sense where that same kind of problem would would come up?
Tim Clayton
Yeah. I see it in two ways.
So first of all, you know, despite claims the otherwise, most cloud providers don't really have an ABAC solution. If if they do, it's a it's an attachment or a third party tool built on top of something that they're tagging all their systems with.
It's truly not ABAC. It may be role based. It may be network based, but it basically uses tags to do those things.
So if you see kind of a a unified paradigm that's being used by the DOD or by an external agency, that's obviously gonna signal to the the community at large, commercial community, that this is something they can use as well. Everyone's going to use the cloud eventually.
They have to because of scalability. Mhmm.
And so having a tool that already has a proven kind of pathway to guaranteeing ABAC, is powerful. Second, a lot of these cloud providers, you know, when you talk about the DOD, the DOD can't run-in a secure, you know, bubble inside of of either a secret or a top secret or even a a a a classified region forever.
They they're gonna have to be able to put their data in other commercial regions. So this has become going to become a commercial standard, I think, at some point in the near future, where there's gonna be a data centric ABAC security, paradigm that you're gonna be able to follow to meet those requirements, whether you're talking about classification requirements, whether you're talking about HIPAA, whether you're talking about, you know, financing requirements, whether you're talking about data separation, some sort of clean rooms kind of concept where you can have different participants access the data they need whether they have that network access or not.
So I think I think there's gonna be a a kind of a shift to that as as data centric security becomes, more and more prevalent, whether it's virtual or not.
Dana Morris
Spot on, Tim. I think I often tell people, you know, my observation after doing technology, mostly enterprise before Virtru, but but I did have some experience with defense and intelligence in my past life at IBM.
And what I usually observed was there's a lot of these cases where maybe the government or the defense department is a laggard on specific, not technology trends, but on actual implementations. Meaning, like, for example, they might be running an operating system that's old because they have to roll it out to a million people.
But usually, what I've also observed on the other side of the coin is defense is often ahead of the rest of the world when it comes to broad changes, technology changes. You think back like DARPA net was the first Internet or you think about GPS.
Right? General, global positioning satellites was a defense focused, intelligence focused thing to start and it moved into the commercial space and now none of us can live without it. And mobile devices even, there was a lot of mobility back in way back in the early days, with the military and tough books and things and it became a trend to start moving things into smaller and smaller devices.
So I'm kind of of the opinion and and you're kind of sharing and I think which is data centricity is an unlock for a lot of workflows. And if you can start moving more of that classification and control to the object itself, you can actually share more data, get more value out of your data.
Tim Clayton
I mean, the DOD has hundreds, if not thousands, of different networks that are cost a lot of money to maintain. And they wanna flatten those networks and they don't have any way to do it.
So I think if you can find, you know, a a a type of tech stack that can present a solution to that to flatten those networks, then then that's gonna become a standard no matter what, as you said, because the as long as you can maintain the encryption standards and you can maintain the isolation standards, which, these days, tech is not the problem. It's all it's all policy.
Yeah. And so I and we see that policy slowly changing. And I think by 2027, a lot of that policy is gonna be shifted over to this new idea of if we can establish, you know, a good zero trust standard and data center security is kind of a key piece of that.
If we can establish zero trust, then there we we open a lot of doors and we unlock a lot of capability. And we honestly we we reduce cost of maintaining all those systems, pretty drastically.
So, scalability and and and and as you said, being able to move around, the the world, and control your your your data sovereignty ultimately becomes so so important. So I I think there's a lot of capability there that that I think Virtru can unlock, and maybe be a a thought leader in that space, in the coming years.
Dana Morris
Yeah. Timmy, sort of kinda coming full circle here. You mentioned 2027, and and we mentioned the the NPE Summit earlier in Brussels.
And one of the other takeaways I had was just how much focus there was on Indo Paycom or Indo Pacific Command. Couple of things that stood out to me.
One, I guess once it was pointed out, it became obvious to me, but I did not understand that Indopaycon covers 50% of the world Yeah. In terms of geography.
That's a huge, huge area of responsibility. And so what a big job it is to be the the commander of IndoPacom.
I'm not the borrower. I don't I don't end you in that role. But can you maybe explain a little bit about why is, you know, where does how is IndoPacom so central in the DOD, like, at a high level?
Like, what is so important about that? And what's kinda driving that 2027 focus?
Tim Clayton
Yeah. So, essentially, you know, the number one competitor with The US, now and probably in the near future is going to be China. Mhmm.
And and and it in in that arena, you know, we have a lot of allies, and I think we wanna keep that data flowing as best we can. And so the mission here is how do we provide information that we can share with those allies that are in the IndoPacom and they can share data with us in a way that keeps us on the forefront of of information.
And also finances. Right? Financing in those areas is gonna become ultimately important. While it's while the possibility of, you know, some sort of of altercation is high, it's probably not as high as a financial one.
Right? There's always gonna be an economic, issue before that. And so I think the establishment of how are we going to properly share information, intelligence information, and financial information and protect it all in that area, before those deadlines hit Mhmm.
Is really, really important. It becomes pretty much the primary mission that not just the DOD has, but really the entire world kind of has to try and build that protective, shell before anything else happens. And so that's why it's really important, and not just to us.
It becomes important to to pretty much the entire West. So, obviously, DOD has a focus on that right now.
Everything they're doing is about how do we create movements in the area, how do we share data in the area. And as I mentioned before, a lot of those allies are not part of our traditional data sharing kind of, partners.
So I think I think that's why it's important. We have a very serious deadline.
We know it's important not just for, you know, protecting ourselves, but for protecting our data and finances.
Dana Morris
Yeah. I think we'll we'll probably just close it up around that sort of general idea there, Taylor.
I think it's been a really good conversation. I mean, you know, what I what I take away is, like, IndoPacom is super unique and that it doesn't have an existing NATO or something else.
I mean, obviously, there's Australia and New Zealand, but outside of that, there's a whole not whole host of other nations. Absolutely.
Our partners, I mean, they're they're allies, but they're not part of an existing coalition. So it Indo in the Indo Pacific, theater becomes like this really interesting petri dish for lack of a better term, like, where where you really have, like, the most interesting use case of sharing data across allies that maybe you haven't traditionally shared data that's freely with, and data centricity becomes a super unlock for that.
It becomes like a real driver for it. So, I think we'll close it there.
I think really enjoyed the conversation. You know, we're actually gonna be out in Hawaii, what in two weeks, the October at the TECN Indo Pacific event with number 932.
So I would encourage people if they're gonna be there to stop by and see us. We're obviously gonna be interfacing with the Indo Pacific, command team and other other industry partners there.
And so I think it'll be a lively event and and one where we can kind of take this conversation further. But with that, we'll wrap it up.
Thank you for joining us today, Tim.
Tim Clayton
Awesome. I appreciate the opportunity, and I look forward to, having some fun here.
Dana Morris
Alright. And thank you everybody for attending, and, you know, tune in next time for another episode of Hash It Out.
/resource%20-%20BVU%20Authority/BVU-Authority-cover.webp)
/Gmail%20Confidential%20Mode.webp)
/resource%20-%20state%20of%20illinois%20case%20study/state-of-illinois.webp)
/shenandoah-case-study.webp)
