
Zero trust creator John Kindervag shares his insights with VentureBeat — Part I


VentureBeat (virtually) sat down last week with zero trust creator John Kindervag. Here are his insights into how zero trust adoption is progressing across organizations and governments worldwide, and what he considers essential to its growth.

But first, what is zero trust?

Zero trust security is a framework that treats all devices, identities, systems and users as untrusted by default. Every one of them requires authentication, authorization and continuous validation before it is allowed to access applications and data.

The zero trust framework protects against external and internal threats by capturing and inspecting all network traffic, restricting and auditing access, and verifying and securing network resources. The National Institute of Standards and Technology (NIST) has published a standard for zero trust, NIST SP 800-207, which provides prescriptive guidance to companies and governments implementing the framework.
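As an added illustration of the default-deny rule just described (this is example code written for this page, not code from the article, from John Kindervag or ON2IT, or from NIST SP 800-207), the following is a minimal policy decision point for a single protect surface. The protect surface (a payroll database), the role names and the 300-second re-validation window are assumptions chosen for the example. Every request is evaluated on its own; note that the request's source network is carried but never consulted, so being "inside" the perimeter buys nothing.

```python
# Added example: a minimal zero trust policy decision point (PDP) for one
# protect surface. Illustrative code written for this page, not code from the
# article, from John Kindervag/ON2IT, or from NIST SP 800-207.
# Assumptions (not from the article): the payroll-db protect surface, the
# role names, and the 300-second re-validation window.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

REVALIDATION_WINDOW_SECONDS = 300  # assumption: posture must be re-verified every 5 minutes


@dataclass(frozen=True)
class Request:
    subject: Optional[str]        # authenticated identity; None means unauthenticated
    roles: FrozenSet[str]
    device_id: Optional[str]      # None means no device identity was presented
    device_compliant: bool        # result of the last posture/health check
    source_network: str           # "internal" or "external"; deliberately never consulted
    resource: str
    action: str
    last_verified_at: float       # epoch seconds of the last identity/posture verification
    now: float                    # epoch seconds of this request


# One protect surface at a time: explicit allow rules, everything else denied.
PROTECT_SURFACE = {
    "name": "payroll-db",  # assumption
    "resources": frozenset({"payroll-db:records"}),
    "allow": (
        {"roles": frozenset({"payroll-admin"}), "actions": frozenset({"read", "write"})},
        {"roles": frozenset({"auditor"}), "actions": frozenset({"read"})},
    ),
}


def decide(req: Request) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). The default outcome is deny.

    Every check runs per request; being on the "internal" network
    contributes nothing, which removes the trusted "chewy center".
    """
    if req.resource not in PROTECT_SURFACE["resources"]:
        return "deny", "resource is outside this protect surface"
    if req.subject is None:
        return "deny", "unauthenticated"
    if req.device_id is None or not req.device_compliant:
        return "deny", "device not identified or not compliant"
    if req.now - req.last_verified_at > REVALIDATION_WINDOW_SECONDS:
        return "deny", "verification stale; continuous validation requires re-check"
    for rule in PROTECT_SURFACE["allow"]:
        if req.roles & rule["roles"] and req.action in rule["actions"]:
            return "allow", f"explicit rule for roles {sorted(rule['roles'])}"
    return "deny", "no explicit allow rule (default deny)"


def audit_record(req: Request) -> Dict[str, object]:
    """Decision plus the attributes it was based on, for the audit log."""
    outcome, reason = decide(req)
    return {
        "surface": PROTECT_SURFACE["name"],
        "subject": req.subject,
        "device": req.device_id,
        "resource": req.resource,
        "action": req.action,
        "outcome": outcome,
        "reason": reason,
    }


def sample_requests() -> Dict[str, Request]:
    """Constructed sample traffic (not captured data)."""
    base = dict(device_id="laptop-42", device_compliant=True, source_network="internal",
                resource="payroll-db:records", last_verified_at=1_000.0, now=1_100.0)
    return {
        # Internal network but no authenticated identity: the "trusted inside" case.
        "internal_anonymous": Request(subject=None, roles=frozenset(), action="read", **base),
        "auditor_read": Request(subject="ana", roles=frozenset({"auditor"}), action="read", **base),
        "auditor_write": Request(subject="ana", roles=frozenset({"auditor"}), action="write", **base),
        "admin_stale": Request(subject="raj", roles=frozenset({"payroll-admin"}), action="write",
                               **{**base, "now": 1_000.0 + REVALIDATION_WINDOW_SECONDS + 1}),
        "admin_noncompliant_device": Request(subject="raj", roles=frozenset({"payroll-admin"}),
                                             action="read", **{**base, "device_compliant": False}),
        "admin_other_resource": Request(subject="raj", roles=frozenset({"payroll-admin"}),
                                        action="read", **{**base, "resource": "crm:contacts"}),
    }


def run_samples() -> Dict[str, str]:
    """Outcome ("allow"/"deny") for each constructed sample."""
    return {name: decide(req)[0] for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, req in sample_requests().items():
        rec = audit_record(req)
        print(f"{name:28s} {rec['outcome']:5s} {rec['reason']}")
```

Only the auditor's read on the in-scope resource is allowed; the anonymous request from the internal network, the auditor's write, the stale session, the non-compliant device and the out-of-scope resource are all denied, each with a reason that lands in the audit record. Extending coverage means adding another protect surface with its own explicit rules, not widening this one.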

The vision and insights of John Kindervag

At Forrester Research in 2008, John Kindervag began exploring security techniques focused on the network perimeter. He noticed that the prevailing trust model, which classified the external side of a traditional firewall as “untrustworthy” and the internal side as “trusted,” was a major source of data breaches.


After two years of research, in 2010 he published the report No More Chewy Centers: Introducing the Zero Trust Information Security Model. In it, he explains why enterprises need zero trust for better security controls, starting with a more granular approach that does not depend on trust. It is an excellent read, with insights into the hows and whys of creating zero trust.

Kindervag is currently SVP of cybersecurity strategy and group fellow at ON2IT Cybersecurity. He is also an advisory board member for several organizations, including serving as a security advisor to the offices of the CEO and president of the Cloud Security Alliance. He is one of several cybersecurity industry leaders invited to contribute to the President’s National Security Telecommunications Advisory Committee (NSTAC) draft on zero trust and trusted identity management.

Kindervag emphasizes that zero trust is incremental, protecting one protect surface at a time. He advises that companies don’t need to protect all surfaces at once and should take an iterative approach. That’s good news for CISOs and CIOs who don’t have the resources to protect everything at once.

He also recommends that companies keep it simple, telling them there are nine things they need to know to do zero trust: the four design principles and the five-step design methodology.

The following is an excerpt from VentureBeat’s interview with Kindervag.

VentureBeat: How do the organizations you work with overcome barriers to adopting and implementing zero trust? What do you think works to get people to look at zero trust as a philosophy?

Kindervag: Zero trust, because it’s a strategy that has tactics associated with it but is disconnected from those tactics, [the message] will depend on who the stakeholder I am talking to is. So there is a different message for leadership, for a big strategic player like a CEO [or] a board member. I’ve talked to all those kinds of people. They have something else they need that we can solve with zero trust as a strategy.

The person who has to implement it is afraid of change. That has always been the number one objection [to] zero trust. If I had a penny for every time I heard that, we wouldn’t be having this conversation because I’d be on my yacht somewhere in the Mediterranean, but everyone is afraid of change. But change is a constant in technology, so I have to show them how to do it easily. That’s why I developed the five-step methodology that I started at Forrester [and] maintained at Palo Alto Networks, and it is codified in the CISA NSTAC report.

I wanted to make it simple. I tell people there are nine things you need to know to do zero trust: the four design principles and the five-step methodology. And that’s about it, but everyone tends to make it really hard and I don’t really understand that. I like simplicity, and maybe I’m just not sharp enough to think at that level of complexity.

And so we take one, we put it into a single protect surface, and we take this whole issue called cybersecurity and we break it down into bite-size chunks. And the coolest thing is that it’s non-disruptive. The most I can ever screw up is a single protect surface.

Zero trust: not a technology

VB: There is an ongoing debate about where to start with a zero trust initiative or framework. What is your advice on defining and achieving zero trust priorities? Where can companies start?

Kindervag: Well, you start with a protect surface. I have [a diagram of this], and if you haven’t seen it, it’s called the zero trust learning curve.

You don’t start with a technology, and that’s the misunderstanding of this. Of course the vendors want to sell the technology, so [they say] you have to start with our technology. None of that is true. You start with a protect surface and then you figure out [the technology].

In the pillars that Chase Cunningham designed in the ZTX framework, you look inside step one, define your protect surface. Step two, ‘What stuff do I need?’ Step three… So they’re tapping into the five-step model, and they’re completely designed to connect, but people are so focused on technology.

The zero trust learning curve created by John Kindervag to illustrate the relationship between the sensitivity or criticality of the security surface and the time organizations have invested in their zero trust journey. Source: The Zero Trust Learning Curve: Deploying Zero Trust One Step at a Time, Palo Alto Networks Blog. April 1, 2020. Written by John Kindervag

VB: What is your take on where zero trust is going in 2023 and beyond?

Kindervag: I see greater acceptance of zero trust. So one of the things I’m trying to get people off of is… redefining it. We’ve defined it. It has been defined since 2010. Many vendors don’t like the definition because it doesn’t fit their product, so they try to redefine it to [fit] whatever their product does. So if they are a multi-factor authentication (MFA) company, zero trust is equivalent to MFA. Well, I can disprove that in two words: Snowden and Manning, the Beyoncé and Madonna of cybersecurity.

In his autobiography, Edward Snowden said something along the lines of, and I’m going to misquote it, but paraphrasing, “I was the most powerful person in the NSA.” And of course he didn’t work for the NSA, but… [he] was the most powerful person because [he] had administrative rights. Why was that true?

[As for] PFC Manning: I got a call from a friend of mine who was involved in the plea deal negotiations between Adrian Lamo [the analyst and hacker who reported Manning’s leaks] and the federal government, so that the chats Lamo had with Manning wouldn’t send Lamo back to prison, because Lamo really did not want to go back to prison.

And this person, who was a former federal prosecutor, the go-between, said, “When I was first approached by Lamo, I asked how a private first class at a forward operating base got access to classified cables in Washington, DC.” And he said, “It was at that moment that I thought of you and I completely understood what you were trying to do with zero trust.”

The way networks work is finite. And zero trust is the same, from a conceptual perspective, in how we do it, whether it’s on-premises, in a cloud, hardware, software, virtual, whatever. That’s why it works so well in cloud environments. This is why people use it for public clouds and private clouds.

Not a product either

VB: Which of the recent innovations from cybersecurity vendors best align with zero trust goals? Which are most relevant to organizations succeeding with a zero-trust framework?

Kindervag: There are innovations that will help if you start at the strategic level and progress to the tactical level. So the products are getting better and better, but to say that you could ever buy zero trust as a product would not be true. It requires a number of different products across different sets of technologies.

And the vendors are getting better and better. There are some really unique technologies that I’m really intrigued by. But if you say, “Well, I’m going to vendor X and they’re going to do everything for you,” it isn’t [so]. It’s just not possible, at least not now, and who knows what the future [holds]?

But that’s why I never said zero trust is a product. That’s why strategy and tactics are intentionally disconnected: Strategies don’t change. Tactics are always changing. The products are getting better and better.

And then they become more and more problematic. Let’s take Log4j. Almost every vendor used Log4j. Did they know it was vulnerable when they took that library and put it in their product? No, because things that look good now turn out to be bad later when someone does new research and discovers something.

And that’s just the process of innovation. And it is also [a] fact that we are in a hostile business. Cybersecurity is… one of the three hostile businesses in the world. The other two are law enforcement and the military.

In Part II of our interview, John Kindervag shares his insights on how pivotal his experiences at Forrester were in creating zero trust. He also describes his experiences contributing to the draft of the President’s National Security Telecommunications Advisory Committee (NSTAC) on zero trust and trusted identity management.

