
As federal agencies accelerate Zero Trust adoption, maintaining system integrity and meeting mandates like Comply-to-Connect (C2C) is more critical than ever.

This recent webinar focuses on how combining Zscaler’s Zero Trust Exchange with CimTrak’s real-time integrity monitoring delivers enhanced visibility, control, and continuous compliance across hybrid environments.

Robert Johnson, III (CEO, Cimcor) and Patrick Perry (Public Sector Field CTO, Zscaler) explore how this joint approach supports C2C, aligns with DoD Zero Trust Architecture overlays, and defends against configuration drift, insider threats, and advanced cyberattacks.

The webinar can be listened to in its entirety below. 

 

Madeline Turner: Hello everyone, and thank you for joining us today. We will start in a minute or two as I see some more people logging in and I want to give everyone a chance to get settled. Thank you.

Good afternoon, everyone. My name is Madeline Turner and on behalf of Carahsoft Technology Corporation, I would like to welcome you to our Zscaler and Cimcor webinar, CimTrak Enabling Comply-to-Connect and Continuous Compliance for Zscaler. Before we start, I would like to review a few housekeeping items.

The audio portion of this webinar can be heard through your computer speakers and please note that all your lines have been muted to reduce background noise. If you would like to ask a question throughout the presentation, please feel free to do so using the Q&A pod at the bottom of your screen. We will set aside time at the end of the presentation to host a Q&A session and our speakers will answer your questions over the line.

If you are unable to get to your question, our Zscaler and Cimcor team at Carahsoft will follow up with you offline. This webinar is being recorded and a link will be sent out in a follow-up email for you to view. Carahsoft is a trusted government IT solutions provider, delivering software and support solutions to federal, state, local and education customers.

Carahsoft maintains dedicated teams to support sales and marketing for all of its vendors, including Zscaler and Cimcor. We are pleased to offer one Continuing Professional Education, or CPE, credit to those that attend today's webinar. In order to qualify for the credit, you must be present, registering your attendance by signing in with your full name and actively participating in the polling questions throughout the entirety of the webinar.

For more information on the CPE credits we are offering, our CPE sponsor NASBA, and the submission process, please feel free to contact us after the webinar. If you meet all of today's requirements, you will receive your certificate of completion within two weeks. At this time, I would like to introduce our speakers for today's presentation: Robert E. Johnson III, CEO at Cimcor; Patrick Perry, Public Sector Field CTO at Zscaler; Justin Chandler, Senior Solutions Engineer at Cimcor; and Mark Allers, VP of Business Development at Cimcor. With that, I would like to turn it over to Mark.

Mark Allers: Thank you, Madeline. I am going to get this going here. So thank you.

As federal agencies accelerate their zero trust adoption, achieving comply to connect and ensuring system integrity have become mission critical. Today, as you mentioned, we're joined by Robert Johnson, CEO of Cimcor and Patrick Perry, Public Sector Field CTO at Zscaler to discuss how combining CimTrak and Zscaler creates a stronger zero trust foundation. Again, my name is Mark Allers, I'll be moderating today's event as we progress through several Q&A questions here. If there's any additional questions, please submit them in the chat and we will answer them at the end here. So to set the stage relative to today's conversation, I have three slides and I promise not to kill you death by PowerPoint here, but I want to set the stage.

I call this the symptom slide. And the symptom is the by-product of a bigger problem in our industry. We look at the company growth for security spending for the last 10 years, and it's roughly 9%.

The CAGR for security breach is roughly 22%. So what does this tell us? It tells us three things.

The industry as we know it is broken, number one. Number two, you can't spend away the problems. Number three, spending more money gives you a false insecurity.

And these lines are not converging, they're diverging, they're separating, so it's getting worse. And evidence to this problem is when we look at the largest 100 security breaches in 2024, and this includes Deloitte, AT&T, T-Mobile, Cisco, JP Morgan, Dropbox, Disney, Boeing, you name it. All of them had five of the major security categories of endpoint protection platform, SIEMs, vulnerability management, identity management, and threat detection and response.

And to further exacerbate this problem is when we look at this idea of just moving to the cloud, it's gonna be easier, better, and more efficient, and more secure. It actually is contrary to that point in time with IBM's new data breach report 2025. You take all three of these alarming statistics, and what we're faced with is really the definition of insanity, right?

We're doing the same thing over and over and over, expecting different results. So for the audience here, I'm gonna do a quick little summary as we have audience from both Zscaler and Cimcor. So Zscaler, it's a cloud-native zero-trust security platform that securely connects users, devices, and applications from anywhere around the world.

The bottom line, it eliminates implicit trust, reduces attack surface, improves user experience, and simplifies IT operations. Cimcor is an integrity assurance and compliance platform that detects and prevents unwanted and unexpected changes in real time to critical IT infrastructure and provides immutable evidence for integrity assurance. Furthermore, it actually can provide rollback capabilities in the event of unwanted, unexpected changes that are the result of either malicious or circumvented activities.

The bottom line is, it drastically reduces risk, decreases detection time, increases resiliency, and enables continuous compliance. So what does this mean from layman's terms? Layman's terms, Zscaler, ensuring the right people have access to the right information at the right time.

This aligns very specifically to 800-207 and of the seven tenets, there's three tenets that are very specific to access. Cimcor, with its product CimTrak on the other hand, ensures the integrity and trust and resiliency of systems and devices throughout the network. Its alignment is tenet number five.

Bringing these two technologies together is what we're discussing here today between Zscaler and Cimcor of the Comply-to-Connect. So Comply-to-Connect has struggled for two decades because early approaches were too complex, they were fragmented, limited to point-in-time checks that couldn't continuously verify trust across diverse federal and DoD environments. Traditional NAC tools lacked real-time integrity, often caused false positives that disrupted operations and couldn't address insider or supply chain risks.

Agencies were also burdened by siloed tools, evolving standards and the absence of an integrated way to secure access to verified systems integrity. In short, C2C was treated as an access control problem rather than a continuous trust verification challenge. A gap that modern zero-trust frameworks combined with solutions like Zscaler and CimTrak are now positioned to close.

So without further ado, I would like to open up the first question for both Rob and Patrick and it aligns with the strategic vision. Zero-trust adoption is a top of mind across the federal government. How do you see agencies progressing along that journey and where do Cimcor and Zscaler fit into that journey?

So Patrick, I'd like to ask you first, what are your thoughts?

Patrick Perry: Yeah, sure, Mark, and I appreciate it. Again, thanks for having me on this as well because I think this is a very important conversation at all levels from strategic all the way down to tactical, from technical all the way to over to business. So what I've kind of noticed across the government sector for the most part on these zero-trust journeys is obviously a lot of desire to change.

There was a big forcing function with lots of different situations, whether it was threats or whether it's the change of business operations with stuff like COVID. So there's a lot of hype, there's a lot of acceptance of this change. What I've also noticed, unfortunately, is some people still revert to old mindsets.

So how can I do zero-trust with what I have and what I already know what to do? So there's a lot of organizations that are really progressing fast. And the reasons, in my opinion, is that they took the leap of faith and the opportunity at hand to take risks and do things differently, realign their business, the processes, and bring in security and operations to align better to that.

But there are a few out there that are kind of stagnant, and the real reasons are they're kind of still holding on to old methodologies, whether they be stagnant approaches to comply to connect, as a case in point, which is a very perimeter-based kind of approach and having everybody right there, or whether it's even just bigger concepts of bringing things together and getting out of the mindset of managing, owning security by managing every little point in the environment, instead focusing on the data.

Mark Allers: Great, thanks, Patrick. Rob, your thoughts and ideas as we kick this off?

Robert E. Johnson III: Sure. I think we are seeing some momentum in the industry, and so that part's great. I just think it's momentum at really kind of an uneven altitude.

We think that many agencies and organizations, they're mentally past that point, that old-school line of thinking that Patrick was mentioning where it's the whole castle and moat line of thinking. They're evolving past that, and they're starting to accept and be open to segmenting by identity or by applications or by data or by network. They're getting there.

We think one of, they may not be there in terms of implementation, but philosophically, they're open to this concept. But the piece that's not part of the conversation, Mark, is that we aren't hearing enough about how you continuously trust and verify things as they change in these organizations. And I think that's where we see a lot of value with this connection with Zscaler, to take access and make it conditional based on identity, based on context, your device posture, using CimTrak as this ground truth of integrity, and identify, did something drift?

Did something get tampered with? Did something drift outside of some expected policy? When you connect CimTrak and Zscaler together, now we're creating this new dynamic system where we're expanding beyond a set of static rules to something that's far more dynamic and something that expands access when your posture is clean and contracts access, contracts to rules, reduces what you're allowed to in terms of policy when integrity is in doubt.

So we think the result of this collaboration, fewer surprises, fewer exceptions that will have to be taken and you'll have evidence you can show auditors without having to go through all the drama and the fire drills.

Mark Allers: Appreciate that response, which leads me into my next question is, you kind of alluded to it, but let me highlight it here. You referenced somewhat of a gap, right? What gaps do you see in the current zero trust strategies that this partnership helps with agencies to close?

Robert E. Johnson III: Well, we always, and that's directed to me, correct?

Mark Allers: Yep, correct.

Robert E. Johnson III: All right.

So I think the gap that I see is that we always talk about as an industry, who's accessing these systems and what systems that they're accessing. You know, the who and the where is always covered as standard fare table stakes and how we communicate as security professionals. But what you can't always answer is what changed?

That's the big gap. What's changed on that thing that we're connecting to? And so that means that integrity, that's the gap.

That's the missing link. And this pairing of Zscaler and CimTrak, that closes that gap. So if a system drifts away from an approved baseline, CimTrak can flag it, either auto-remediate it or have it pause waiting for approval.

And then we can work with Zscaler automatically to narrow down access until that trust is restored through some remediative action or some other method. So we're talking about continuous verification and that's impossible with that integrity, real-time integrity as part of the core equation. But if it's there, we're evolving to continuous verification, not just some quarterly attestation.

Mark Allers: So that leads me to a question for Patrick. Now, you know, given Comply-to-Connect has been a DoD priority for decades, right? But it's often seen as very complex and difficult to accomplish.

How do you see this connected or integrated these two platforms between Zscaler and Cimcor fill that void or fill that need?

Patrick Perry: Yeah, you know, as Rob pointed out on many different cases. So in the past, and to your point, you know, the DoD, I think first came out with the goal to get to this concept of Comply-to-Connect. I think it was like 12 or 13 years ago.

So we're not talking about a couple of years ago. You know, even it went as far as an NDAA to put it into writing and mandate it. And that was still eight years ago in 2017.

So when you think of, okay, if it's that important to the government that they're gonna write it in to a mandate like that, you would think that, okay, hey, even in the DoD when we have this really complex programming and budgeting cycle, five years, we should be able to do this in five years. Yet eight years later, we're still not there. And so why?

You know, to your question. So why do we think? And I really, you know, we could go deep into the technology aspects of why, being, you know, just a geek at heart, you know, in trying to deploy these kinds of capabilities, you know, in ground truth environments and in operations, there's a lot of complexity, but it's not just technology complexity where you have to make different tool sets integrate with each other.

And what I like to refer to as a layer three API, because that's all they really work with each other at is some kind of layer three connection. There's also business complexities. It's spanned multiple stakeholders within the organization.

It wasn't just, oh, owned by one team that all nicely fit into one little section of your IT department. You're talking about three or four, maybe even five different IT departments. So you have to get all these guys working together.

You have to integrate the technology. You have to prioritize the deployment. You have to not impact operations with, again, a very complex thing that at every little step of the way, one wrong configuration turns into a rollback.

And so when you take all of these kinds of technology and business complications, you say, well, how can we do it better? Well, from the technology side, it usually means a couple things. One, how can I buy down technical debt?

How can I decrease administrative workload? How can I simplify my approach to integrate and onboard users? And then more importantly, how do I integrate capabilities together?

When you marry all these things up, you then also simplify the business problems. How do I, again, shrink my stakeholder blast radius? How do I integrate cost centers and decision-making?

How do I not impact operations while I'm evaluating, while I'm deploying and that kind of stuff? And when you really look at the value proposition of a Zscaler and Cimcor integration, you get all these kinds of things. You get, again, deeply integrated products where APIs and backside product development is where integration is really occurring.

You get common interface platforms in which you do your configuration administration, which rapidly and drastically buys down that technical debt. And more importantly, you bring in capabilities that kind of overlay within the environment and can be used in a, again, kind of what I like to refer to as a green fielding, a brown fielding environment, where you can bring people into this comply to connect, you know, ecosystem with a policy enforcement point in a really, you know, strong integrity validation process. And you kind of get the best of both worlds.

You get policy being enforced and getting after things, and you're getting your checks and balances that's guiding it. Not just this, hey, the system, you know, and I'll just say like a computer's operating system is probably not the best thing you should ask. Hey, are you okay?

That's not their business model is to tell you, no, I'm not. You need an auditing tool that validates that because, you know, we all want to do good in life. So we rarely want to tell people we're not doing good.

You need somebody else to come in and to kind of be that even keel partner.

Mark Allers: I really appreciate that comment. You mentioned two words in there, complexity and integration. Rob, we'll cover integration here in a little bit, the complexity and the how.

So what I thought we would do is let's just show you the how and how we minimize that complexity and show the integration that's bidirectional between Zscaler and CimTrak and let the audience actually just see what we've done and the complexity of this whole comply to connect into something that is very manageable. It's very scalable and it's easy to know, understand, use and implement. So I'm going to turn it over to Justin.

We'll take 10 minutes or so just to show you the different integration points and how we achieve the comply to connect. And then we'll come back and dive in a little bit more of the technical and operational. So Justin, I'll turn it over to you.

Justin Chandler: Thank you, Mark. I have prepared a couple of demonstrations today. And the first one I want to review is how we can actually monitor Zscaler's configuration.

You know, let's take a look at ZIA, something that actually maintains how everyone can access network systems, applications. Well, what if that were to change? A good change or a bad change?

All these things can affect how people access these systems or even affect your business. So the way it works is, well, before we connect, we're going to need some credentials to talk. So we ask for some credentials to talk to ZIA.

And in CimTrak, we ask you, what do you want to monitor? So typically people want to monitor all the configurations. You can exclude things maybe if you don't want to.

CimTrak will take a baseline of these things, get a good understanding on what does it look like now? How is this set up? Now these configurations have been gathered.

Now we go in and make a change and delete a user from ZIA. Now you can't access anything. Well, before finding out the hard way, CimTrak can alert you that this change has occurred, showing the admin users have been modified and that this user, Gordon Freeman, has been removed from the organization.

So this is important in two aspects of awareness, but also there are compliances like NIST 800-172 that calls out baselining, monitoring, and knowing what your configuration is. But there's something else we can do with Zscaler, and that's to automate security. So let's take a look at another example where CimTrak is tracking the hardening of systems and the compliance of systems.

In reality, if a system isn't hardened per a STIG or compliant, does it really belong on the Zero Trust Network? And this is something we're going to handle. In this case, now we're working with another ZIA scenario.

It's maybe an employee laptop. We'll enter some credentials again. We're going to have CimTrak set up a policy to track how hardened and secure and compliant is this host across many standards, just the STIGs, CIS benchmarks, maybe some NIST compliance.

But now there's an automation that comes into play. If CimTrak sees this scan fail, let's update the ZIA trust level of this device. And if it comes back to a passing score, let's go ahead and update the trust level again.

Well, where does that trust level come from and what does it do? Well, within ZIA, you can configure these trust levels to affect how the system acts on the network. For example, if CimTrak thinks a system is compliant and in a state of integrity, well, it's high trust.

It's good. If one of those things are bad, it's medium trust. If low, if both are bad, it's low.

Well, now with ZIA, we can take these trust levels and automate security. As CimTrak detects that change, it will automatically send a trigger to ZIA to update that trust level because this system's not secure. Well, in doing so, now when the user tries to access their applications, network systems, in medium trust scenario, look, it's isolated, can't do anything.

Gets the warnings, the watermarks and all of this. But with low trust, then you can just go ahead and block them entirely and give them a big warning. While ZIA solely reacts based on the trust level, ZPA has some alternative options.

Let's take a look at a Linux server that might be in a production environment, and let's go and hack the SSHD file, which can change how that system gets accessed, modified, maybe even allowing root access. Again, we need credentials to talk to ZPA, and I'm going to configure my production server's critical files I want to monitor. But yet again, now we're going to enable some automation.

Here I'm going to select, and I can integrate with access policies, isolation policies, client forwarding policies. This example, we're going to do an isolation policy. And if that change occurs, an unexpected change occurs to my baseline, I can update a rule in Zscaler automatically.

In this case, my isolation policy for the server. So we baseline again, we see what the files look like. We go on that host and go and modify one of the most important config files on the server.

Change is made, CimTrak detects the change like as it always does in real time with the full forensics, even giving you the exact side-by-side comparison of what changed. But also instantaneously after this change was detected, we went ahead and triggered Zscaler to update that rule. This Linux server happened to be my Splunk server all my engineers use.

Now the isolation rule has been enabled. Now when those users go access that host, they get these warnings. It's not their system that's messed up, it's the server.

And now because CimTrak automatically detected this, invoked Zscaler to isolate it, we're mitigating damage right away versus the six months it might normally take to figure it out in the first place. And you could use other options like client forwarding, maybe to route them to the secondary DR host in a HA scenario, or maybe removing access entirely. While your mind might be getting really creative right now, let me help you out.

CimTrak can monitor a lot of things in your infrastructure. These actions can be triggered by database changes, network device changes, firewalls, ESXi. What about Active Directory?

What if a new domain admin popped up last night? That's something else we have awareness to, identifying that there's a new domain admin that was created. He has the keys to the kingdom.

Again, something else we need the awareness to mitigate damage from, but can automate triggering these access rules in Zscaler to lock things down. And with that, I'll give it back to the team.

Mark Allers: Thank you, Justin. Love the oversight in the demo. I know there's a lot more complexity and a lot more feature functionality behind the scenes, but thank you for the kind of the 40,000 foot view.

Now I'd like to actually kind of transition a little bit out of the strategic into the technical. First question I have is for Robert. Can you explain how CimTrak's real-time integrity monitoring insurance complements Zscaler's overall kind of strategy around secure access and authorization model?

What does that look like in practice?

Robert E. Johnson III: Sure. Well, in practice, it's a feedback loop. Data that was gathered by CimTrak results in that data being fed as a set of policy rules in Zscaler.

If we unpack some of the scenarios that Justin just quickly went through, let me reframe a couple of them. Many times, in fact, in one of your first slides, Mark, you said zero trust is the act of ensuring that the right person has access to the right resources at the right time. That was one of your first few slides.

Well, what I propose is what difference does it make if the right person has access to the right resource at the right time if that resource is no longer in a state of integrity, if it's been altered in some way that you don't expect? You're just accessing a compromised resource. So that's why this is important.

So we can make adjustments based on the status of that resource. That's a perfect example in terms of ZPA. Now, let's look at that same statement from a different angle.

What if it really is the right person, he accesses the right resource at the right time, and that resource is just fine, but it's an insider threat? It's someone that works for your organization, they currently have access, and they're accessing at the right time and the right resource. How do you understand what that resource has done?

If they have bad intent and start to modify things, alter things, change behavior, that is just slipping by all of our defenses. And currently organizations are left without an audit trail, any audit trail whatsoever of what was actually done. So CimTrak provides that visibility as well into what actually occurred.

Oh, go ahead. Oh, one quick, one third piece I wanna point out from what Justin showed is a scenario where we all know, for instance, federal systems need to be stigged. If I was to ask just a regular person, if a system's no longer stigged, should it be able to access your Zero Trust network?

I think most people would say, well, no, of course not. I think your follow-up question, well, okay, do it. And that's where it becomes much more complex.

How do you pull that off? How do you make sure, say that this system is no longer stigged or no longer meeting certain policy requirements, now prevent it from accessing that Zero Trust network via ZIA? That's very difficult to do.

And that's where the set of capabilities that Justin demonstrated really changes the game.

Mark Allers: It's interesting you brought up the topic of insider threat. You and I both read a document last night that's the IBM report that they publish every year. And just to note that insider threat is closely, it's in second place, but very close to first place of the top 10 considerations for security breaches, which is right behind supply chain.

So insider threat is absolutely one of the hottest topics to try to figure out. And what we're discussing here today absolutely addresses that issue. So my next question is for Patrick here.

So based on kind of the demo and what Robert just articulated here, what are your thoughts and ideas relative to kind of how this combined solution can kind of provide the verifiable evidence that DoD seeks for Comply-to-Connect kind of a solution or a solution to a problem?

Patrick Perry: Yeah. And I wanna start with saying Justin's demo really kind of told the whole story without us even talking anymore. So I appreciate him being able to really capture our ideas and our points visually.

I'm a visual person. So when I see things in action, I relate a lot quicker and then I get more excited. You know, when I just see words, unfortunately I was never very good at school.

Why? Because it was a lot more words than pictures. So Justin, I appreciate it.

But to your point, you know, security is only as good as it being proved it's good. You know, the worst thing your security apparatus wants to be is something that you just trust. And I don't, and this is not a play on the whole idea of zero trust, but the whole concept of is, hey, I've got to build out a security thing.

Everything briefs well. It's really good even to click all those buttons and have like some kind of feedback right away that says, yes, security function A is turned on and you are good. But what's validating that?

What's ensuring that validation is, or that that status is real, it's consistent. And when it changes, we have a next step. Security is a game of chess.

You never know what they're gonna do next, but you do know they're gonna try to win. Like you don't know exactly how, but you do know they even have quite a few prescribed steps. They have TTPs.

So how can we get ahead of this dynamic game of chess, cat and mouse, whatever you want to call it, by again, establishing a security posture, validating the security posture, adapting the security posture, revalidating the security posture. You know, everybody, I'm a big military guy, obviously, and I love military references. Most people have heard about, you know, John Boyd in the OODA loop.

And the whole idea there within the OODA loop is that when you are facing an adversary, which is not like normal service delivery, if I'm trying to deliver a SharePoint page, I don't have an adversary. When I'm trying to deliver a cybersecurity capability, I have an adversary. And when you are operating in an environment where you have an adversary, you have to constantly speed up your decision cycles and get and interfere with the adversaries' decision cycles.

And when you have a capability that, again, is integrated to this level and this depth, and again, is able to validate because it doesn't have an invested interest in showing just the good. It actually has more of an invested interest to showing what's changed and therefore possibly bad. This is where I think Cimcor and Zscaler are able to now prove to the department, not brief to the department, but actually deploy a capability and prove its efficacy in damn near real time.

And I think that's the modernization thing. Usually those kinds of things would sit in a lab for 6, 12, 18 months. We could probably do it now within a week.

We could have validated proof that there is a heightened security posture and it's actually being validated constantly.

Mark Allers: You brought up Zero Trust and you kind of pseudo hit on one of the three principles. Right, one of them is Never Trust, Always Verify, which this absolutely, this combined solution and the integration absolutely meets that requirement on a continuous kind of basis and provides that visibility that has really never been there before. And then kind of my second observation in this is when you look at principle number one, assume you've been breached, whether it's internal or external to the wire.

Let's just say an adversary is actually inside and past the wire. I've always kind of laid the foundation that what could he or she do? And it really comes down to two things, actually three.

One is they could do nothing, but they never do nothing. One is they could snoop around, try to exfiltrate data, which is absolutely a value proposition of Zscaler. Or two, they can add, modify, or delete something.

And that's the value proposition of CimTrak. And when you think of it in just those two contexts, that's all they can do. And you got two products combined to meet three of the seven objectives of Zero Trust to meet that requirement, whether it's internal, an internal adversary or external, it does not matter.

And I welcome any comments to that, but I try to simplify it because a lot of the academics will try to exacerbate the issue of the problem and make it sound really complex. It's not that complex when you put it in the terms of what can he or she do? And both Zscaler and SimTrack will identify both and provide paths to remediate, as you said, in damn near real time.

I'll use your words on that one. Next question is more along the lines of technical. So Rob, can you explain kind of the integration that has been accomplished both for ZIA/ZPA in the context of both monitoring and measuring the integrity of Zscaler's own infrastructure, as well as the integration relative to integrity as well as compliance triggers?

Robert E. Johnson III: Sure, sure. Let's start with monitoring Zscaler's own infrastructure. So currently, of course you can make changes in Zscaler and whether in ZIA or ZPA, one of the issues that we learned from a Zscaler customer that we were working with was that due to 800-172, we realized they were taking screenshots of all the Zscaler configurations. And it's because they're required to. And because they need to have an audit trail of how things were configured for any security related policies, not just for Zscaler, but for all of the SaaS products that they happen to use. If those SaaS products were related to the security function.

So we added the capability at that point when we realized this is a real pain point to not just monitor databases and servers and cloud infrastructures, but we extended that model to be able to monitor all the configuration settings of ZPA, all the configurations of ZIA and let you be able to see, okay, this user was added to ZIA two weeks ago on Friday. These particular policies were altered earlier today. No wonder this particular segment isn't behaving as we expect.

So we do have that audit trail. So it helps in terms of not just a security function, but the little subtlety, and this goes outside of the Comply-to-Connect topic, but it also helps in terms of ops, because now you have visibility to what exactly has happened that may affect service availability. And Patrick kind of alluded to service availability earlier.

Ultimately, that's the objective of business and of the department is to maintain service availability. And we're all here to help support that service availability.

Mark Allers: So that's a great segue to the next question, which is, and I'll ask Patrick first on this, federal agencies are often operating in hybrid environments, right? Multi-cloud environments. How does this solution provide continuous visibility and compliance across on-prem cloud and even IoT and environments like that?

Patrick Perry: Yeah, I mean, in the end, the beautiful thing about Zero Trust, when you think of it as a concept, is that it's flattening organizations' understanding of how they administer environments. So whether it's, again, a computer that's being managed by somebody else, aka cloud, whether it's an on-premise, aka most people would call that like a data center or a LAN, or whether it's a remote, like SOHO, individual remote employee. One of the biggest concepts of Zero Trust beyond the principles, before the principles, is the operational environment is really just connecting users and things to data.

So how do we simplify and look at it purely like that? To your point a minute ago, we can overcomplicate things really fast. I do think it's actually a byproduct of being a geek.

We get into the weeds, we like to tease out the details, and we like to talk about how things aren't going to work because that makes us comfortable with trying to fix it because we all like to fix things. But when you really break down just security, it's just three letters still to this day, confidentiality, integrity, and availability. And we can have seven principles, we can have four maturity models, we can have 152 activities in the DoD, we can have all these things in complex ways but when we boil it back down to the simplicity of what are we really trying to secure?

And it's a data transaction. You know, I really love my network, I'm a network person by trade, and I love to protect my network. But in the end, do we care about the network?

No, I care about a user connecting to data. So how do we simplify that? And when we do, we realize whether it's a cloud, whether it's on-prem, whether it's a local user, or it's a remote user, the transaction in its simplest form is still the same.

It follows the OSI model most of the time, not always for OT things, of course, and control systems, but at some point it's gonna get into the OSI model, that's the irony of the whole world. So if we just keep it like that, we realize that bringing again a platform approach, this is also, you know, one of these things that maybe 12 years ago when they tried to do Comply-to-Connect at the beginning, there weren't cloud delivered or SSE models, or these concepts weren't here yet, the things were being developed. You know, even basic auditing tools, you know, for integrity, there were some out there, but they were, again, they weren't built the same way.

Modern tools deliver modern opportunity. And it doesn't matter anymore if it's in the cloud, if it's on-prem, if it's a remote user, if it's a local user, modern tools just see them in its basic form of connecting an endpoint to a data source. And that's the beauty of these kind of capabilities in actually achieving the security aspect of that.

Mark Allers: So you hit on an acronym that I often talk about, and I'm gonna go off script a little bit here and ask Rob the next question. We talk about the CIA triad, confidentiality, availability, and integrity. As an industry, we know the C and the A very, very well, but when it comes to the I, the industry is very enamored with this old acronym called FIM.

Rob, can you just spend a couple of minutes and articulate the difference of FIM and what CimTrak does?

Robert E. Johnson III: Sure, sure. Well, FIM stands for file integrity monitoring. And that's usually the extent of what people are familiar with when they think of integrity.

But that's just a starting point. That's just files. Let's think about what our environments actually look like.

Is it just files? It's a lot more. It's yes, files, but for Windows, it's registry.

For cloud infrastructures, it's all the metadata that's in the cloud that contain the configuration information that drive that cloud infrastructure. It could be database schemas. What about that configuration in your network device?

Is that a file? No, that's some information, configuration information in this remote device. So our data is scattered everywhere and in a lot of places outside of just normal files.

And that's why Patrick just said modern infrastructures and modern tools. And that's really our objective is to monitor all the components to drive a modern day infrastructure. So for us, we're thinking, well, we wanna monitor some OT devices.

We wanna monitor SCADA devices. We're expanding CimTrak constantly to monitor new network devices, Cisco Meraki devices, Zscaler, for instance. The Zscaler configuration isn't on one of your systems as a file.

It's metadata that's in the cloud and it's complex metadata. So finding ways to unlock this information that's relevant to your business and allow you to manage it almost as code within CimTrak is critical and gives you that visibility into exactly what's happening.

Mark Allers: So let me dovetail right on that comment extending kind of that value proposition of FIM. And the thing that we hear about every day in every article now is artificial intelligence, artificial intelligence, artificial intelligence. How does that impact integrity?

What is that?

Robert E. Johnson III: Sure.

Mark Allers: You get my question?

Robert E. Johnson III: I do get your question. So I wanna preface, before I answer that, I wanna say, A, we're big fans of AI at Cimcor. So, and I think it's a very important part of the strategy because a lot of data is coming at folks.

AI is gonna help distill that. But I wanna point out that the way AI works is really a series of probabilities. That's ultimately what it is.

Even when you're amazed with the results of ChatGPT, it's simply predicting what the next word likely is. And that's why it can hallucinate, for instance. Well, at some point, even when you're seeing one of your threat detection and response tools saying, oh, we think you might have a virus based on our AI algorithm.

In the end, it's just, it thinks it might be something. That's why you always run into the false positives. If it was sure, you wouldn't have a false positive.

At some point, you have to just cut out all the ridiculousness. You need something in your infrastructure that says, is the system in a state it should be? Yes or no?

No, in between, or I think so. Or even think about this. If I tell you there's an 80% chance my system is in a state of integrity, is that useful?

What if I tell you that your system has a, there's a 95% chance your system's in a state of integrity. Is that useful? Even at the higher percentages.

Unless you can say with 100% certainty, yes, the system is as we expect, or not, it's not providing the value. And that's why we don't take that approach in terms of AI for the integrity component.

Mark Allers: So Patrick, how does this pertain to DoD? Is 95% acceptable on the battlefield? Is 80%, 50%?

Where's the threshold?

Patrick Perry: Yeah, I mean, I think, obviously-

Mark Allers: It's a loaded question, sorry.

Patrick Perry: No, no, no, I love those, because I love to be able to respond confidently with the word depends. So, and it really does.

So obviously we could take more risk with a decision that has a lot more maneuver room after the outcome is realized. But there's others that you don't, because again, there's a difference between marching in the wrong direction for say a couple hundred yards and landing an artillery round on a friendly spot. Like, one has a little bit of wiggle room to respond, one does not.

So, unfortunately, everybody knows that. So I'm obviously not preaching to the choir or saying anything prophetic there. But how does AI now influence this, this constant concept of shortening the kill chain?

I think everybody who's read the book, probably kill chain, probably on the planet now. So they understand like one of the biggest goals in the military is to shorten the kill chain or even again, lower the amount of human in the loop kind of mindsets, where again, we automate all the way down to decisions, which awesome, sounds great. I think we're gonna constantly work there, we're gonna constantly grow.

But in the end, we constantly have to work then on high integrity of information. If information and the end points that we're getting information from have lower integrity, then we end up having a bad response. The worst thing, what I promote all the time is the enemy doesn't have to destroy your system, delete your system or stop your system.

They have to modify your system's way of thinking just slightly and have a totally undesirable effect that destroys the confidence in your decision making process. It is way more powerful than ever deleting a bit of information or stealing a bit of information. When you destroy the confidence in decision making of a military unit, you just basically crumble its military might.

And so there's nothing more important than the security of data in today's world, where we're trying to move data really fast and make decisions on data really fast. Without integrity and without security, we don't have that confidence anymore.

Mark Allers: I love that response. I might even ask our marketing team to take that excerpt right there and land it right on the front page of our website. That is absolutely spot on.

We're coming to the end of the hour here. I do have kind of a last question for follow-up for both of you. When we look at kind of looking ahead, what's in store next for Cimcor and Zscaler relative to what the partnership may bring, whether it's more operational or it's more strategic relative to integrations, what might those things look like?

Rob, I'll ask you first.

Robert E. Johnson III: Well, I think that there are many more opportunities to integrate with Zscaler. One area that we haven't covered at all yet, perhaps in a future webinar, is the fact that we can assess the security posture in terms of the STIGs or CIS benchmarks. I think that that could provide a lot of great additional data to Zscaler's Risk360 platform, because now we can make that more actionable and more dynamic.

So there are plenty more integration points there. And I think the other piece to unpack is that this is new capability that we're exposing here. I think we're gonna find there are many more use cases, Mark, on how CimTrak and Zscaler together can solve some unique problems, problems that we haven't even identified yet, because all the permutations that are possible now, for instance, we haven't spoken about what if a cloud infrastructure has been altered in some way?

How should we react now with Zscaler? You have the capability to do things about it. So there's lots of interesting scenarios that we can still explore.

Mark Allers: So one of the questions that, and Patrick, I'll ask the same question to you, and then I'll ask a couple of questions that have come in on the line here. Need me to repeat the question, Patrick, or you want me to repeat it again?

Patrick Perry: Oh, no, I remember it. And I remember it most because, unfortunately, we have a rule in the company that can't talk about future product and development and that kind of stuff. I'm not the CEO, so I don't have that flexibility to move it.

But what I'll share is kind of a crystal ball look from Pat's point of view. So when I look into the crystal ball, Rob already gave all some great examples. When you look at the depth and breadth of the two platforms, you can kind of see the trajectory of where things can converge.

So if you just look at even recent acquisitions from Zscaler on the front of a data fabric and other different capabilities, you can start imagining where a Cimcor and a Zscaler to bring these things together and even get more power out of them. Everything that we do on our side, we want to build a one plus one equals three proposition with our key partners. So Cimcor's ability to, again, elevate the capability we bring by, again, not only fact-checking us, validating things, but then deeply integrating automation.

Again, I would just offer there's no end state. The opportunities are almost endless when you think of merging these two different complementary capabilities.

Mark Allers: So that leads me to one of the questions that's come in from the audience here. The integration with Risk360. Now, I know the answer to this, but Rob, maybe I'll ask you, what are your thoughts on integration to Risk360 for Zscaler?

Robert E. Johnson III: Yeah, that's a priority of ours right now that Zscaler is laying the foundation to allow third parties to integrate information. When that does occur, we hope to be first to actually provide useful data, because I think we can immediately impact the value of that Risk360 model when we can tell you on an asset-by-asset basis, the status of a security posture from an integrity perspective and in terms of its compliance with the STIGs.

Mark Allers: Thank you. And then another question that's come through here is, what was demonstrated today? Is it commercially available off the shelf ready to go?

Robert E. Johnson III: Yes, it is available today. It's ready to go. And we'd love to show you, of course.

Mark Allers: Okay, and one of the questions, where do we find more information? We will get more information out to those that have attended the webinar here today. Let's see, going through these one more.

Most of these questions have already been asked through the dialogue today. So what I'd like to do is, as we kind of wrap things up here, final comments by both kind of Patrick and Rob. I'll start off with Rob.

In summary of the integration and this whole kind of notion or integration for a Comply-to-Connect functionality for the DoD and government agencies, closing ideas, thoughts, comments, questions, concerns, what are your thoughts?

Robert E. Johnson III: You know, I think one of my thoughts and it's an evolving thought, but I've been coming to realize the way Zscaler has reshaped how you do networking essentially. And the way Cimcor is changing how you do work. For instance, you just simply do your work.

We're maintaining our audit trail and categorizing what's good or bad. We're moving to a state where we're promoting folks, just do your work, working your standard methodology. And we're laying the framework where we can identify unexpected things, bad things, unwarranted changes, and limiting East-West movement because the framework is there to do that.

So people, this actually reduces the impact and the labor for folks and organizations. We're asking them just to be normal, do your normal work.

Mark Allers: But let the heavy lifting be done by Zscaler and Cimcor on the back.

Robert E. Johnson III: That's right, because now we had a framework to understand when unexpected things have happened.

Mark Allers: And I'm assuming by that response, the capability of a lot of automation in which Justin showed a couple of things, but I'm assuming there's a lot more automation in the backend, both on the Zscaler and on the CimTrak side that can remove that human element of question in a lot of categories. Patrick, your final thoughts?

Patrick Perry: Yeah, I'm just gonna kind of double tap on a few things that's already said. Re-imagine what we're trying to achieve here because when you re-imagine it, the opportunity space grows. When we constantly look at problems the same way, our opportunities kind of usually keep looking the same ways.

So the theme has constantly been to modernize, you should be able to simplify, deeper integration and drive more business value with less effort. And the only way you're gonna achieve those three things is through a total transformational approach in the way that you look at your operational model, and then you deliver cybersecurity capabilities against it. If you do all these things together, you really kind of see the value proposition of modern capabilities to solve tomorrow's problems, not just today's.

Instead of constantly trying to seek an old capability to look at yesterday's problems.

Mark Allers: Thank you. I'd like to thank both Patrick and Rob, as well as Justin for giving the clear, concise demo. We really appreciate it.

And providing your insights and experience on this topic. And as we all acknowledge, Comply-to-Connect has been around for, as Patrick, you said 12 years trying to achieve this. Which leads me to kind of my last comment is, if anyone would like in the audience here would like to see or, you know, be privy to a one-on-one demo for this environment and have the Q&A and understand kind of what this might look like in your environments, whether it's someone that already has CimTrak and needs Zscaler or vice versa.

I kind of a pre-recorded video of this will actually be available on both sides here. So I would like to thank both of you two, as well as Justin for the hour spent here. And I'd like to turn it back over to Madeline over at Carahsoft.

Thank you very much, guys.

Patrick Perry: No, thank you. Appreciate it.

Madeline Turner: Thank you, Mark. And thank you again to our speakers for being with us this afternoon and all of our participants who joined us today. For those who met the CPE requirements today, you will receive your Certificate of Completion within two weeks.

We hope this webinar has been helpful for you and your organization. And as a reminder, everyone will receive a recording of this presentation in a follow-up email. If you have any further questions, please do not hesitate to call us or email us.

Thank you and have a wonderful rest of your day.

Mark Allers: Thank you.

Tags:
Zero Trust
Post by Lauren Yacono
September 4, 2025
Lauren is a Chicagoland-based marketing specialist at Cimcor. Holding a B.S. in Business Administration with a concentration in marketing from Indiana University, Lauren is passionate about safeguarding digital landscapes and crafting compelling strategies to elevate cybersecurity awareness.