Gerald J. Caron III, CIO at the Office of Inspector General, explains how and why he’s introduced the concept of zero trust security to his department and what working towards a socially important mission means to him.


There’s been a strong theme of ‘for the greater good’ in Gerald J. Caron III’s career. Starting off as a computer programmer in the army in 1994, his last duty station was at the Pentagon in 2001, and it made sense for him to settle in Washington DC thanks to the way IT was evolving and booming in that area. He then joined the Department of State doing what he calls ‘ground-level work’, answering telephones at the IT help desk. Later, he continued to support the help desk in a System Administrator role, before shifting to a more infrastructure-heavy position.

Eventually, Caron became Branch Chief for enterprise management systems for the department, then division chief, then Director for enterprise network management. In this position, he led engineering and management of the network, buying bandwidth for all the embassies – 275 worldwide – to include 100 domestic sites. This also included perimeter security and patch management, supporting 109,000 users across the globe. Some of the sites covered by Caron’s team had very little infrastructure to work with, but they were still able to enable cloud access while maintaining 99.997% network availability.

At the end of 2020, he went on detail at the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) and applied for the role of CIO – a position which he started in May 2021. Here, he services around 1,900 users, dealing with things like fraud investigations, fighting waste and abuse, and providing oversight for HHS and its component agencies. From the very beginning, giving back and supporting people has been a major element of Caron’s career – a deliberate choice on his part.

Gerald J. Caron III, CIO, The Office of Inspector General

“I’ve always looked for that,” he says. “That first help desk job gave me a taste for helping people, and I’ll always have an appreciation for good customer service.” This goes hand-in-hand with his passion for cyber security, keeping people and systems safe being a priority on a professional and personal level. Even outside of his role, he co-chairs two working groups, both focused on zero trust – something he’s busy implementing at OIG.

Zero trust

Zero trust is a concept which recognises that trust is a vulnerability and aims to eliminate it through advanced security. Caron became interested in zero trust in 2015, when he attended a security event and noticed that far too many solutions were based around patching a bleed with plasters, rather than providing an actual solution. “There was lots of reactionary tactical stuff going on,” he explains. “I came away from that having decided we needed to think more long-term to prevent security issues from happening in the first place, which would require a different approach. You can only Band-Aid something for so long before it falls off and the bleeding continues elsewhere. We’re dealing with some formidable adversaries, these days – ransomware and cyber attacks are running rampant.”

Despite always having worked on the operations side of things, Caron’s interest in cyber security increased and he continued to attend security-based events, soon hearing more about zero trust at conferences. “I thought it really made sense, because we’re trying to protect data. I started listening to John Kindervag, who’s considered the father of zero trust, and continued looking into it. I knew it was the way to go; it’s very strategic, it’s a real security architecture. It’s focusing on what we’re really trying to protect – not devices, but data. And not all data is created equal, so a one-size-fits-all solution isn’t enough.”

In 2021, zero trust is far more commonly heard about than it was back in 2015. The downside to this is that, in Caron’s experience, some vendors at conferences claim they do zero trust but it’s a diluted version that warps the definition. However, Caron was determined to do this right from the beginning. He put together a pictorial presentation for his team, got certified by Forrester as a strategist, and became entrenched in the principles of zero trust.

Redistributing the peanut butter

“The way we were doing security before was what I call the ‘peanut butter spread’ approach,” says Caron. “We were trying to spread all the peanut butter evenly across the bread. You make sure you have every router switch, every endpoint on the right operating system, fully configured 100% correctly, make sure you’re 100% patched. With 109,000 users, multiple endpoints, networks, routers, and switches, that was hard to sustain. You’re in a constant loop of updating and configuring.

“But zero trust focuses on getting the protections around the data and gets rid of the castle-and-moat approach. If you use that system, once you’re through the moat and over the castle wall, you’ve got access to the whole castle – but what we wanted to do is build more walls to protect the crown jewels. It’s about identifying what the data is, where it is, making sure it’s categorised correctly, and putting the right protections in place. All these factors add up to what I call a ‘dynamic risk score’, and that dictates what the risk tolerance is and what access is allowed.”

Another simple analogy Caron uses for zero trust compares cyber security to a multiplex cinema. Generally, once your ticket is checked or scanned in the foyer and you’re told which screen to go to, there are no more check points. “I think of the movie as data,” says Caron. “What I do with zero trust is also add ticket-takers at the door of each movie, and you also need ongoing authentication because things change, so you have to check: is the projector on? Are the lights low? Is everyone in the seat they booked? Are the exit doors lit? The additional ushers increase security exponentially.”

There’s a lot of automation involved in zero trust because human error is all too real. It’s real-time, ongoing and automated, taking action when needed. In future, Caron expects AI and machine learning to become a bigger part of that as the definition of ‘normal’ evolves, making it even easier to take immediate action and be more proactive about zero trust.

Implementing zero trust at OIG

All this self-education and prep work happened while Caron was at the Department of State. With OIG, he had to educate a whole new group of people on zero trust to make sure security wasn’t just a box-ticking exercise. “I looked at how they were doing cyber security and said, ‘Nope, we’re adopting this as our architecture’. I briefed everyone to give them a good understanding of what we were doing under the guise of also wanting to modernise, because building security into modernisation – rather than the other way around – means it gets baked into the culture.”

Caron introduced a capabilities maturity model with multiple categories, so that he and the team could identify the areas that were lacking and how security could be improved in each segment. Running inventory on these capabilities then allowed Caron to look at maturity and data loss prevention and dig deep into how that could also be made more effective. Having a great deal of knowledge at his disposal has the added benefit of making sure he’s fully armoured against any manipulation of zero trust that vendors might attempt. “I have an architecture, I have a framework, I have the concepts and the capabilities model, so the vendor has to tell me how they can fit what I do,” Caron says.

Understanding ownership

Currently, Caron has three priority projects on the go: creating a CMDB and getting hardware and software inventory; integrating products he already has; and baselining applications and understanding the data. Those are the stepping stones to take Caron and OIG to the next level of zero trust. For now, he’s already seeing the benefits of what has been implemented so far. It’s certainly a work in progress, but most importantly, it’s really allowed Caron’s team to understand what they do and don’t own.

“You don’t always own it – sometimes you’re the steward of it, getting data from another source,” Caron explains. “So really understanding what the data is and where it resides, that’s been a major thing for us. If you don’t know where or what your data is, how are you going to protect it?”

While the zero trust side continues to evolve, Caron and his team are also focusing on modernising other elements of their work. For example, there are a lot of legacy applications that are now being brought up-to-date, and Caron’s team is continuously learning from data analytics reporting on Medicare and Medicaid, and supporting and enabling better infrastructure for them. Again, it’s about the greater good. “The way I look at my job at HHS OIG, it’s not about IT – it’s about supporting HHS OIG’s mission,” Caron says. “IT is the enabler for them to accomplish their mission, so I always remind my staff that HHS OIG was not created for us, we’re there for them. As a taxpayer, to get good healthcare and protect around fraud in healthcare, that’s really important.”

The culture

Caron has a particular appreciation for the mission against healthcare fraud, as somebody who, one year ago, was diagnosed with cancer. Now thankfully cancer-free, he sees it as a personal way to feel good about and give back to the US healthcare system. This dedication to the mission is not unique to Caron – the entire company culture of his department is very much entrenched in the importance of what HHS OIG does. He describes the group as ‘close-knit’ and speaks with admiration of the way the Primary Deputy Inspector General rallies the troops on a regular basis.

“Every other Friday at 1pm, she talks to the whole organisation about the great things we’re doing and any company updates,” he says. “It’s very inspiring and creates a family atmosphere for us all. My previous agency was a lot larger with various missions – here, there’s a very focused mission where we’re all working towards the same goals.” This collaborative attitude also extends to relationships with partners.

Caron likes to do a lot of networking, learning as much as he can about vendors to ensure that they fully align with HHS OIG, and enjoys the collaboration that comes with the working groups he co-chairs. It gives a fuller picture of the market, and of what other people are doing with cyber security. “Being involved in those types of things has been really beneficial, because we’re all, ultimately, trying to solve the same problems. IT is IT, and I can’t stand being in a cocoon. There are so many smart people out there and it’s easy to get stuck in your own little culture and world. We were doing BYOD at my last agency and when I brought the concept here, they panicked about it, so I had to say, ‘hold on, do we really understand what this means, and the actual risks involved?’ rather than panicking just because it’s different. I still find myself doing a lot of educating and a lot of marketing for different concepts. The main reason things fail is because of lack of communication, and I don’t want that to be the case for us.”

The roadmap ahead

With zero trust at OIG ever evolving, there’s a multi-year roadmap ahead for getting it absolutely right. There are multiple projects all leading to an overall goal, so it’s now about prioritising those projects and putting key milestones in place for when OIG expects specific elements to be ready. After all, Caron has only been in his position since May, and much of that time has been taken up with the education of his team. Now, they’re in a comfortably stable position to prioritise their capabilities, get their ducks in a row regarding the right vendors at the right time, and solidify the strategy.

“It’s easy to get caught up in the day-to-day, but you have got to have that strategy of where you want to go and push forward,” Caron says. “It’s important that you and your staff understand where you want to push things. With strategic planning, if there’s a windfall of money somewhere, I know exactly what I can do with it. We’re not left hanging around trying to figure out where to direct that money – we’ve got a plan for it and can jump-start a new part of the project. It’s very important to do proper management to understand where you are at any one time. I like knowing exactly how I’m going to accomplish part of the strategy, and then figuring out the tactics to achieve that goal.”
