CSO Perspectives (public) 7.29.24
Ep 94 | 7.29.24

The current state of zero trust.

Transcript

Rick Howard: John Kindervag is an old friend and colleague of mine. He and I both worked at Palo Alto Networks for the same boss, Mark McLaughlin, the CEO at the time, who, by the way, wrote the foreword to my Cybersecurity First Principles book that we published last year. But John just happens to be the inventor of the Zero Trust Strategy idea. He published the original white paper, "No More Chewy Centers, Introducing the Zero Trust Model of Information Security" back in 2010, which launched the entire Zero Trust movement. When John and I worked at Palo Alto Networks together between 2017 and 2019, the Zero Trust idea had just crested the peak of inflated expectations on the Gartner Hype Chart and was starting its descent to the trough of disillusionment, just like every other new tech idea that comes along. But I've always been a believer of the Zero Trust Strategy from almost day one, so much so that I dedicated Chapter Three in the First Principles book to it. But here we are, 2024, 14 years since John's original white paper. I asked John to come on the show to discuss the current state of Zero Trust in the industry today. So hold onto your butts.

Samuel L. Jackson: Hold onto your butts -- butts -- butts.

Rick Howard: This is going to be fun. [ Music ] My name is Rick Howard, and I'm broadcasting from N2K Cyber's Secret Sanctum Sanctorum Studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old US of A, and you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. [ Music ] So John, you and I ran into each other at the Rocky Mountain Information Assurance Conference in Denver, Colorado, a couple of weeks ago, and it just so happened that on the schedule for this podcast, I was doing an update on the current state of Zero Trust, and I said, wow, this is fortuitous. I can get the founder, the main guy who came up with the idea in the first place, to give us a sense on where all this was. So I appreciate you coming on the show to do that.

John Kindervag: No, it was great to see you in Denver. I could hear your voice from the hallway. I was like, I know that voice.

Rick Howard: You know that guy.

John Kindervag: And so like, you know, a young child following the Pied Piper, I wandered that way.

Rick Howard: [chuckling] When you published the "No More Chewy Centers" white paper back in 2010, you worked for a company called Forrester, a smaller version of Gartner in terms of revenue, but both are prominent research and advisory firms in the tech industry. But I want to put you in the Way-Back Machine before 2010. What were you thinking back then? What inspired you to develop the Zero Trust model?

John Kindervag: Before I went to Forrester in 2008, I was a network engineer and a security engineer and stuff, and I hated installing firewalls because firewalls had a trust model where the internal interface was trusted. The external interface was untrusted, and by default, you didn't need policy to move a packet from inside the trusted interface to the outside, the untrusted interface, and I bristled about that. And I constantly got in trouble because I was putting outbound rules, and I kept saying to people, but, you know, somebody will get inside and, you know, they'll exfil data, and nothing will stop them and you'll never know. And everybody told me, oh, that -- that's not possible. That can't happen. That's not how the vendor created this. And so I kept getting in trouble, and when I got to Forrester, you know, they said, what do you want to work on? And I said, I want to explore this broken trust model. So that was two years of primary research, from 2008 to 2010, before I ever published the first report. I had actually built a couple of prototype networks. I had met with dozens of people. I had asked people to poke holes in it. I'd gotten advice. I'd gotten guidance, and so it was great. It was a great place to -- to do that because I don't think I could have done that anywhere else but Forrester Research at that time in -- in history because it was very open to new ideas, and it was like -- it was like being maybe at Bell Labs in the heyday or something like that when you just got to do pure research.

Rick Howard: Oh, yeah. You get the freedom to think and write and make -- you know, make sense of it all, I guess, right?

John Kindervag: Right, right. So it was just the perfect time and the perfect place and a great set of life experiences that led me up to that time. And so it was just something that my leadership was excited about even though no one else was, right? There were a lot of people who, when I published that, made fun of me to my face. That's not the way we've always done it was a common theme. And I would say, yeah, the way we've always done it is working so well, you know? So, well, but --

Rick Howard: But that's the way it is for all new ideas, John, okay? They run up against the resistance machine because they -- the not the way we've always done it machine.

John Kindervag: Yeah, no, and I discovered that, you know? And then you get a few people who encourage you and maybe people who don't even want to be known, but they're encouraging and they're telling you this works, and so it gives you the, you know, the energy to keep going.

Rick Howard: I know you're old and senile at this point, John, but --

John Kindervag: Well, thank you, I know.

Rick Howard: Right. What was the origin of the name? Why did you call it Zero Trust?

John Kindervag: Well, because every interface had a trust level, right? So internal was zero; external was 100, and every DMZ had to have a trust level between 1 and 99, and they couldn't be the same.

Rick Howard: What John is talking about is the way we used to configure the old stateful inspection firewalls. There was this notion of the types of networks the firewall connected to, like the internal part of the network where all the crown jewels were located, the internet where all the bad things were, and these things called DMZs, Demilitarized Zones, in-between networks that act as a buffer zone between the other two. We used them to add an extra layer of security by isolating publicly accessible services from the internal network. You know, like the web server or a file server for public information. The interfaces that John is talking about here are the physical and logical connections through the firewall, and you had to arbitrarily pick which interface was more trusted than the others. Zero was the most trusted interface; 100 was the least trusted, and the DMZs were something in the middle.

John Kindervag: So if you had two DMZs, you'd typically set them up as 49 and 51, right? And you'd, you know, if you had a lot of different DMZs, you'd just be picking these arbitrary numbers, trying to figure out which one needs to be less than the other one, because that's how a policy is going to be created. And I said, no, the trust level for all these interfaces should be zero. There should be no difference.

Rick Howard: Wow.

John Kindervag: And that's really where it comes from. The trust level of each interface should be zero. We shouldn't have trust in digital systems. It's a human emotion. It has no business being in digital systems. You don't need trust to move from point A to point B. There's no trust flag in TCP. And so that's really where it came from.

Rick Howard: So from the original idea, if you try to configure firewalls to make some sense of a policy, what is the -- would you say the core principles of Zero Trust are today? I know, you know, it's been 14 years since you came up with the idea. I know it's worked a little bit, but if you were trying to explain it to my grandma, John, what would you say Zero Trust is?

John Kindervag: Well, you know, I always say it's a cybersecurity strategy, right, designed to do two things. One is stop data breaches, which are defined by legal and regulatory entities to mean the exfiltration of -- of sensitive or regulated data into the hands of malicious actors, and then to stop other cyberattacks from being successful, right? And we do this by eliminating trust because trust is a thing that, you know, if you under -- if you dig out and deconstruct every single attack, you'll find trust kind of at the bottom of it. Snowden, Manning, anything with identity stuff, you know, it's because it's a trusted identity.

Rick Howard: Chelsea Manning and Edward Snowden have been the poster children for describing something called the insider threat for over a decade. Insider threats are trusted employees, contractors, or even volunteers who have access to sensitive data and systems but betray that trust by destroying or manipulating the information or leaking it to the public. Regular visitor to the N2K CyberWire Hash Table, Dawn Cappelli, wrote a Cybersecurity Canon Hall of Fame book on the subject back in 2012. It's called "The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes." Manning was a U.S. Army intelligence analyst who leaked classified military and diplomatic documents to WikiLeaks in 2010, and Snowden was a U.S. intelligence contractor who leaked classified information to the press in 2013 about extensive surveillance programs run by the U.S. NSA, the National Security Agency. In our Cybersecurity First Principles book, I make the case that a well-deployed Zero Trust strategy would have likely defeated Snowden's insider threat activities.

John Kindervag: And trust is a word that we love. So people fight against that, you know? They fall in love with the word, and, you know, they try to anthropomorphize the network. We do that all the time. We say, John is on the network. Rick is on the network, but neither one of us is on the network, right? And so we haven't shrunken down into subatomic particles and been sent over our Wi-Fi to this hosting service. That hasn't happened, and it rarely even happens in the movies. Tron, Lawnmower Man, Wreck-It Ralph, but remember, even in The Matrix, they've got to plug in.

Rick Howard: They've got to plug in, that's right.

John Kindervag: Yeah, so that is -- that's the fundamental thing, and the other thing about it is, you know, it's designed to resonate up to business leaders because it is a strategy. So --

Rick Howard: Well, let me ask you this, John, all right, because we're talking about core principles of your idea, Zero Trust, and you're right that you -- that Rick can't be on the network. John can't be on the network, but would you agree to this, that at a high level, there's really kind of three things that we're worried about, right? Identities that we manifest on the network, devices that connect to the network, and I would add software modules that we use, either open-source modules that we use to write our own software, or software that we write ourselves, or even third-party software that we buy and deploy. Those are all things that are -- we're trying to establish Zero Trust with. Is that -- would you agree to that?

John Kindervag: Yeah, and I would add the traffic that flows across from one thing to another, right?

Rick Howard: Yeah, yeah.

John Kindervag: So you're writing policy against traffic, always, and so -- and policy is binary. All you can do is allow it or deny it, and so generally, the old school was we allowed all, right? We allowed everything by default, and so when you change that model and you say, I'm going to deny everything by default and just turn on specific allow rules, that allows you to write much more granular policy to say who, what, which is which asserted identity, you know, that you're asserting is on the network, right? John or Rick is being allowed to access a resource via what? The application that we're talking about, right? And where is it going to, which is, I call it a protect surface, the thing we need to protect, but it's the, you know, the server, the resource, the database, whatever it is. And then, you know, how are we going to look at that traffic before we allow it to come on? And so it's a very simple, who, what, when, where, why, and how principle. I call it the Kipling method because Rudyard Kipling gave us the idea of who, what, when, where, why, and how in a poem in 1902. [ Music ]

Rick Howard: Back in 2021, I interviewed John for our CyberWire-X Podcast, where he mentioned the Kipling poem. I had never heard it before. So I looked for somebody on YouTube to recite it. It's called "I Keep Six Honest Serving Men," about Kipling's young daughter, her endless curiosity, and how, as we all get older, we tend to lose that sense of wonder. [ Music ] And that's our show, well, part of it. There's actually a whole lot more, and if I do say so myself, it's all pretty great. So here's the deal. We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head on over to thecyberwire.com/pro and sign up for an account. That's thecyberwire, all one word, dot com/pro. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus you get a whole bunch of other great stuff, like ad-free podcasts, my personal favorite, exclusive content, newsletters, and a personal level of resources, like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families, and you also get to be smarter and more informed than any of your friends. I'd say that's a win/win. So head on over to thecyberwire.com/pro and sign up today for less than a dollar a day. Now if that's more than you can muster, that is totally fine. Shoot an email to pro@n2k.com, and we'll figure something out. I'd love to see you over here at N2K Pro, and one last thing: Here at N2K we have a wonderful group of talented people doing insanely great things to make me and this show sound good. I think it's only appropriate that you know who they are.

Liz Stokes: I'm Liz Stokes. I'm N2K CyberWire's Associate Producer.

Tre Hester: I'm Tre Hester, Audio Editor and Sound Engineer.

Elliot Peltzman: I'm Elliot Peltzman, Executive Director of Sound and Vision.

Jennifer Eiben: I'm Jennifer Eiben, Executive Producer.

Brandon Karpf: I'm Brandon Karpf, Executive Editor.

Simone Petrella: I'm Simone Petrella, the President of N2K.

Peter Kilpe: I'm Peter Kilpe, the CEO and Publisher at N2K.

Rick Howard: And I'm Rick Howard. Thanks for your support, everybody.

All: And thanks for listening. [ Music ]