Zero trust's creator John Kindervag shares his insights with VentureBeat — Part...

VentureBeat sat down (virtually) last week with zero trust creator John Kindervag. Here are his insights into how zero trust’s adoption is progressing across organizations and governments globally and what he sees as essential to its growth.

But first, what is zero trust?

Zero trust security is a framework that defines all devices, identities, systems and users as untrusted by default. All require authentication, authorization and continuous validation before being granted access to applications and data.

The zero trust framework protects against external and internal threats by logging and inspecting all network traffic, limiting and controlling access and verifying and securing network resources. The National Institute of Standards and Technology (NIST) has created a standard on zero trust, NIST 800-207, that provides prescriptive guidance to enterprises and governments implementing the framework.  

John Kindervag’s vision and insights

While at Forrester Research in 2008, John Kindervag began exploring security techniques focused on the network perimeter. He noticed that the prevailing trust model, which classified the external side of a traditional firewall as “untrustworthy” and the internal side as “trusted,” was a significant source of data breaches.

After two years of research, he published the 2010 report No More Chewy Centers: Introducing the Zero Trust Model of Information Security. In it, he explains why enterprises need zero trust for better security controls, beginning with a more granular and trust-independent approach. It’s an excellent read, with insights into the how and why of zero trust’s creation. 

Kindervag currently serves as SVP for cybersecurity strategy and ON2IT group fellow at ON2IT Cybersecurity. He is also an advisory board member for several organizations, including a security advisor to the offices of the CEO and president of the Cloud Security Alliance. He’s one of several cybersecurity industry leaders invited to contribute to the President’s National Security Telecommunications Advisory Committee (NSTAC) draft on zero trust and trusted identity management.

Kindervag emphasizes that zero trust is incremental, protecting one surface at a time. He advises that enterprises don’t need to protect all surfaces simultaneously, and should take an iterative approach. That’s good news for CISOs and CIOs who don’t have the resources to protect all surfaces simultaneously.

He also advises enterprises to keep it simple, telling them there are nine things they need to know to do zero trust: the four design principles, and the five-step design methodology.

The following is an excerpt from VentureBeat’s interview with Kindervag. 

VentureBeat: How do the organizations you work with overcome barriers to adopting and implementing zero trust? What are you finding works to get people looking at zero trust as a philosophy?

Kindervag: Zero trust, because it’s a strategy that has tactics associated with it but is decoupled from those tactics, [is] going to depend on who the stakeholder is that I’m talking to. So there’s a different message to leadership, to a grand strategic actor like a CEO [or] a board member. I’ve talked to all those kinds of people. They have a different thing that they need and that we can solve using zero trust as a strategy. 

For the person who has to implement it, they’re afraid of change. That’s always been the number one objection [to] zero trust. If I had a nickel for every time I heard that, we wouldn’t be having this conversation because I’d be on my yacht somewhere in the Mediterranean, but everybody is afraid of change. But change is a constant in technology, and so I need to show them how to do it simply. That’s why I created the five-step methodology that I started at Forrester [and] kept on at Palo Alto Networks, and it’s codified in the CISA NSTAC Report. 

I wanted to make it simple. I tell people there’s nine things you need to know to do zero trust: the four design principles and the five-step methodology. And that’s pretty much it, but everybody else tends to make it very difficult and I don’t really understand that. I like simplicity, and maybe I’m just not sharp enough to think at that level of complexity.

And so we take a single one of those, we put it into a single protect surface, and we take this whole problem called cybersecurity and we break it down into small bite-sized chunks. And then the coolest thing is it’s non-disruptive. The most I can screw up at any one time is a single protect surface.

Zero trust: Not a technology

VB: There’s an ongoing debate about where to start with a zero trust initiative or framework. What’s your advice on how to define and achieve zero trust priorities? Where can companies start?

Kindervag: Well, you start with a protect surface. I have, and if you haven’t seen it, it’s called thezero trust learning curve.

You don’t start at a technology, and that’s the misunderstanding of this. Of course, the vendors want to sell the technology, so [they say] you need to start with our technology. None of that is true. You start with a protect surface and then you figure out [the technology].

In the pillars that Chase Cunningham designed in the ZTX framework, you look inside of step one, define your protect surface. Step two, ‘Which things do I need to use?’ Step three… So they interlay up to the five-step model and they’re totally designed to tie together, but people are so focused on technology.

The zero trust learning curve that John Kindervag created to illustrate the relationship between the sensitivity or criticality of the protect surface, and the time organizations invested in their zero trust journey. Source: The Zero Trust Learning Curve: Deploying Zero Trust One Step at a Time, Palo Alto Networks Blog. April 1, 2020. Written by John Kindervag

VB: What’s your view of where zero trust is going in 2023 and beyond?

Kindervag: I see greater adoption of zero trust. So, one of the things I’m trying to get people away from is … redefining it. We’ve defined it. It’s been defined since 2010. A lot of vendors don’t like the definition because it doesn’t fit their product, so they try to redefine it to [fit] whatever their product does. So if they’re a multifactor authentication (MFA) company, zero trust equals MFA ultifactor authentication. Well, I can prove that wrong with two words: Snowden and Manning, the Beyoncé and Madonna of cybersecurity.

In this autobiography, Edward Snowden said something to the effect of, and I’m going to misquote it but paraphrasing, “I was the most powerful person in the NSA.” And of course, he didn’t work for the NSA, but [he] was the most powerful person because [he] had admin rights. Well, why was that true?

[As for] PFC Manning: I got a call from a buddy of mine who was involved in negotiating the plea deal between Adrian Lamo [the analyst and hacker who reported Manning’s leaks] and the federal government so that the chats that Lamo was doing with Manning wouldn’t send Lamo back to prison because Lamo was very much not wanting to go back to prison.

And this person, who was a former federal prosecutor, the intermediary, said, “When I was first contacted by Lamo, I asked how does a private first class and a forward operating base get access to classified cables in Washington, DC?” And he said, “It was at that moment that I thought of you and I completely understood what you were trying to do in zero trust.”

The way the networks work is finite. And zero trust is the same, whether from a conceptual perspective how we do it — whether it’s on-premise, in a cloud, hardware, software, virtual, whatever. This is why it works so well in cloud environments. This is why people are adopting it for public clouds and private clouds. 

Not a product, either

VB: Which of the recent innovations by cybersecurity vendors are best aligned with the goals of zero trust? Which are the most relevant to organizations succeeding with a zero-trust framework?

Kindervag: There are innovations that are going to help if you start at the strategic level and move down to the tactical level. So the products get better and better, but to say that you could ever buy zero trust as a product would not be true. It requires a number of different products among different sets of technologies.

And the vendors get better and better. There are some really unique technologies out there that I’m very intrigued with. But if you say, “Well, I’m going to go to vendor X and they’re going to do everything for you,” they’re not. It just isn’t possible, at least not right now, and who knows what the future [holds]?

But that’s why I never said zero trust was a product. That’s why the strategy and the tactics are purposely decoupled: Strategies don’t change. Tactics always change. The products always get better and better.

Then they become more and more problematic. Let’s take Log4j. Almost every vendor used Log4j. Did they know that it was a vulnerable thing when they took that library and put it in their product? No, because things that look good now turn out to be bad later on because somebody does some new research and discovers something.

And that’s just the process of innovation. And it’s also [a] fact that we’re in an adversarial business. Cybersecurity is … one of three adversarial businesses in the world. The other two are law enforcement and the military.

In Part II of our interview, John Kindervag shares his insights into how pivotal his experiences working at Forrester were in the creation of zero trust. He also describes his experiences contributing to the President’s National Security Telecommunications Advisory Committee (NSTAC) draft on zero trust and trusted identity management.