Emily: You've worked across some of the most critical federal security initiatives - from the Department of Defense unified cloud modernization initiative JEDI (Joint Enterprise Defense Infrastructure) project (now known as JWCC) to leading FedRAMP High authorizations at Okta. How has the federal security ecosystem evolved over the past few years, and what are the biggest challenges agencies face today in securing their digital infrastructure?

Rob:

One of the major mandates for U.S. government agencies in recent years has been the shift from single-cloud to multi-cloud architectures. A high-profile example was the Department of Defense’s JEDI contract, which was originally awarded to a single vendor, Microsoft Azure. That award was halted in court after challenges from competitors, and the program ultimately evolved into JWCC – the Joint Warfighting Cloud Capability – which explicitly requires a multi-cloud approach. This pivot reflects a broader recognition that the future is multi-cloud, not vendor lock-in. But the move comes with real consequences: where agencies once had to secure and operate a single IaaS environment, they now juggle two or three cloud providers alongside their on-premises infrastructure. Layer on top the diversity of orchestration platforms – VMs, hardware, Kubernetes, and now serverless – and the result is fragmented security controls. Each environment has its own identity model, logging, and enforcement mechanisms, making it far harder to apply consistent protections across the entire landscape.

Emily: What drew you to work with a commercial vendor like Edera, and how do you see the role of innovative private sector companies in solving federal security challenges that traditional approaches haven't been able to address?

Rob:

Edera is innovating in an area that has not gotten a lot of attention over the last 10+ years. I’ve seen the evolution from hardware, to VMs, to containers, and to serverless. What these all have in common is that they shifted away from tight hardware integration and opted to add layers and layers of abstraction on top. This has created huge learning curves, complex environments, and created a situation where we’ve had to re-invent the wheel for many of the most basic security measures. I feel like we’ve been going backwards for a long time. Edera has given me hope that we’ll start flattening out the runtime environment to a simpler and more centrally managed security stack. The private sector created the complexity, now it needs to flatten it out a bit. 

Emily: You've spent years focusing on identity and access management, but Edera tackles runtime security and workload protection. From your board advisor perspective, how do these two security domains complement each other, and where do you see the biggest gaps in how agencies currently approach runtime protection?

Rob:

My role at Okta is centered around helping teams get their products and services up to the Federal minimum security bar. Within that remit, I get to drive all areas of security, including IAM. Where IAM and workload protection collide is actually around Non-Person Entities (how the Department of Defense describes it) or Non-Human Identities (NHI). As a top-tier cloud service provider, we have to protect against current, but also new and emerging threats. Having strong policies around what an application can access, both from a network perspective and identity perspective, is critical. This aligns very closely with what Edera is doing with the “Observe and Enforce” features. I could see this quickly moving to identity-aware runtime protection.

Emily: For federal agencies or contractors evaluating new security technologies like Edera's approach, what should they be looking for? What questions should they ask to ensure a solution will actually work within the complex compliance and operational requirements of the federal environment?

Rob: 

They’ll be looking for all the most common federal requirements, specifically FIPS 140-3 and NIST 800-53. Agencies should be looking at new technologies as a way to eliminate entire classes of risks and introduce mitigating controls in a consistent way. With attacks like Salt Typhoon and other “live off the land” attacks, they should be endeavoring to make that impossible. Edera could eliminate those kinds of attacks entirely. The bigger challenge is modernizing the infrastructure that is susceptible to these attacks and compromises. Part of that will be having strong centralized policy management that can easily be updated with new and emerging threats that work on both current and legacy platforms. Hard isolation helps mitigate spread. Centralized policy management ensures nothing is missed.

Emily: We’re big into music at Edera. Who/What is one of your “must listen to” artists or albums?

Rob: 

I’m all over the map, but if I had to pick one artist, I’d pick Nine Inch Nails. They really tickled my political itch at their recent show. They also played a cover from another one of my favorite artists, David Bowie. “I’m Afraid of Americans.”

Emily: And finally, if you had to choose, Starbucks or Dunkin'?

Rob: 

Neither sells a Maple Latte. After living in VT for the last decade, I’m spoiled by good coffee shops, local roasters, and real maple syrup. Coffee also usually comes second to a good BEC (Bacon, egg, and cheese) on a kaiser roll. If you twist my arm, Starbucks has better breakfast. 

Emily: I’ll take it! I know this will be particularly devastating to our CMO Kaylin Trychon, who thought she had a Dunkin' vote in the bag with you living in New England. So, thanks for that!