CSO Perspectives (Pro) 7.26.24
Ep 116 | 7.26.24

The current state of zero trust.

Transcript

Rick Howard: John Kindervag is an old friend and colleague of mine. He and I both worked at Palo Alto Networks for the same boss, Mark McLaughlin, the CEO at the time, who, by the way, wrote the foreword to my Cybersecurity First Principles book that we published last year. But John just happens to be the inventor of the Zero Trust Strategy idea. He published the original white paper, "No More Chewy Centers: Introducing the Zero Trust Model of Information Security," back in 2010, which launched the entire Zero Trust movement. When John and I worked at Palo Alto Networks together between 2017 and 2019, the Zero Trust idea had just crested the peak of inflated expectations on the Gartner Hype Chart and was starting its descent to the trough of disillusionment, just like every other new tech idea that comes along. But I've always been a believer in the Zero Trust Strategy from almost day one, so much so that I dedicated Chapter Three in the First Principles book to it. But here we are, 2024, 14 years since John's original white paper. I asked John to come on the show to discuss the current state of Zero Trust in the industry today. So hold on to your butts.

Samuel L. Jackson: Hold on to your butts -- butts -- butts.

Rick Howard: This is going to be fun. [ Music ] My name is Rick Howard, and I'm broadcasting from N2K Cyber's Secret Sanctum Sanctorum Studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland in the good old US of A, and you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. [ Music ] So John, you and I ran into each other at the Rocky Mountain Information Assurance Conference in Denver, Colorado, a couple of weeks ago, and it just so happened that on the schedule for this podcast, um, I was doing an update on the current state of Zero Trust, and I said, wow, this is fortuitous. I can get the founder, the main guy who came up with the idea in the first place, to give us a sense on where all this was. So I appreciate you coming on the show to do that.

John Kindervag: No, it was great to see you in Denver. I could hear your voice from the hallway. I was like, I know that voice.

Rick Howard: You know that guy.

John Kindervag: And so like, you know, a young child following the Pied Piper, I wandered that way.

Rick Howard: [chuckling] When you published the "No More Chewy Centers" white paper back in 2010, you worked for a company called Forrester, a smaller version of Gartner in terms of revenue, but both are prominent research and advisory firms in the tech industry. But I want to put you in the Way-Back Machine before 2010. What were you thinking back then? What inspired you to develop the Zero Trust model?

John Kindervag: Before I went to Forrester in 2008, I was a network engineer and a security engineer and stuff, and I hated installing firewalls because firewalls had a trust model where the internal interface was trusted. The external interface was untrusted. And by default, you didn't need policy to move a packet from inside the trusted interface to the outside, the untrusted interface, and I bristled about that. And I constantly got in trouble because I was putting outbound rules, and I kept saying to people, but, you know, somebody will get inside and, you know, they'll exfil data, and nothing will stop them and you'll never know. And everybody told me, oh, that -- that's not possible. That can't happen. That's not how the vendor created this. And so I kept getting in trouble, and when I got to Forrester, you know, they said, what do you want to work on? And I said, I want to explore this broken trust model. So that was two years of primary research, from 2008 to 2010, before I ever published the first report. I had actually built a couple of prototype networks. I had met with dozens of people. I had asked people to poke holes in it. I'd gotten advice. I'd gotten guidance, and so it was great. It was a great place to -- to do that because I don't think I could have done that anywhere else but Forrester Research at that time in -- in history because it was very open to new ideas, and it was like -- it was like being maybe at Bell Labs in the heyday or something like that when you just got to do pure research.

Rick Howard: Oh, yeah. You get the freedom to think and write and make -- you know, make sense of it all, I guess, right?

John Kindervag: Right, right. So it was just the perfect time and the perfect place and a great set of life experiences that led me up to that time. And so it was just something that my leadership was excited about even though no one else was, right? There were a lot of people who, when I published that, made fun of me to my face. "That's not the way we've always done it" was a common theme. And I would say, yeah, the way we've always done it is working so well, you know? So, well, but --

Rick Howard: But that's the way it is for all new ideas, John, okay? They run up against the resistance machine because they -- the "not the way we've always done it" machine.

John Kindervag: Yeah, no, and I discovered that, you know? And then you get a few people who encourage you and maybe people who don't even want to be known, but they're encouraging and they're telling you this works, and so it gives you, you know, the energy to keep going.

Rick Howard: I know you're old and senile at this point, John, but --

John Kindervag: Well, thank you, I am.

Rick Howard: Right. What was the origin of the name? Why did you call it Zero Trust?

John Kindervag: Well, because every interface had a trust level, right? So internal was zero; external was 100, and every DMZ had to have a trust level between 1 and 99, and they couldn't be the same.

Rick Howard: What John is talking about is the way we used to configure the old stateful inspection firewalls. There was this notion of the types of networks the firewall connected to, like the internal part of the network where all the crown jewels were located, the internet where all the bad things were, and these things called DMZs, Demilitarized Zones, in-between networks that act as a buffer zone between the other two. We used them to add an extra layer of security by isolating publicly accessible services from the internal network. You know, like the web server or a file server for public information. The interfaces that John is talking about here are the physical and logical connections through the firewall, and you had to arbitrarily pick which interface was more trusted than the others. Zero was the most trusted interface; 100 was the least trusted, and the DMZs were something in the middle.

John Kindervag: So if you had two DMZs, you'd typically set them up as 49 and 51, right? And you'd, you know, if you had a lot of different DMZs, you'd just be picking these arbitrary numbers, trying to figure out which one needs to be less than the other one, because that's how a policy is going to be created. And I said, no, the trust level for all these interfaces should be zero. There should be no difference.

Rick Howard: Wow.

John Kindervag: And that's really where it comes from. The trust level of each interface should be zero. We shouldn't have trust in digital systems. It's a human emotion. It has no business being in digital systems. You don't need trust to move from point A to point B. There's no trust flag in TCP. And so that's really where it came from.

Rick Howard: So from the original idea, if you try to configure firewalls to make some sense of a policy, what is the -- would you say the core principles of Zero Trust are today? I know, you know, it's been 14 years since you came up with the idea. I know it's worked a little bit, but if you were trying to explain it to my grandma, John, what would you say Zero Trust is?

John Kindervag: Well, you know, I always say it's a cybersecurity strategy, right, designed to do two things. One is stop data breaches, which are defined by legal and regulatory entities to mean the exfiltration of -- of sensitive or regulated data into the hands of malicious actors, and then to stop other cyberattacks from being successful, right? And we do this by eliminating trust because trust is a thing that, you know, if you dig out and deconstruct every single attack, you'll find trust kind of at the bottom of it. Snowden, Manning, anything with identity stuff, you know, it's because it's a trusted identity.

Rick Howard: Chelsea Manning and Edward Snowden have been the poster children for describing something called the insider threat for over a decade. Insider threats are trusted employees, contractors, or even volunteers who have access to sensitive data and systems but betray that trust by destroying or manipulating the information or leaking it to the public. Regular visitor to the N2K CyberWire Hash Table, Dawn Cappelli, wrote a Cybersecurity Canon Hall of Fame book on the subject back in 2012. It's called "The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes." Manning was a U.S. Army intelligence analyst who leaked classified military and diplomatic documents to WikiLeaks in 2010, and Snowden was a U.S. intelligence contractor who leaked classified information to the press in 2013 about extensive surveillance programs run by the U.S. NSA, the National Security Agency. In our Cybersecurity First Principles book, I make the case that a well-deployed Zero Trust strategy would have likely defeated Snowden's insider threat activities.

John Kindervag: And trust is a word that we love. So people fight against that, you know? They fall in love with the word, and, you know, they try to anthropomorphize the network. We do that all the time. We say, John is on the network. Rick is on the network, but neither one of us are on the network, right? And so we haven't shrunken down into subatomic particles and been sent over our Wi-Fi to this hosting service. That hasn't happened, and it rarely even happens in the movies. Tron, Lawnmower Man, Wreck-It Ralph, but remember, even in The Matrix, they've got to plug in.

Rick Howard: They've got to plug in, that's right.

John Kindervag: Yeah, so that is -- that's the fundamental thing, and the other thing about it is, you know, it's designed to resonate up to business leaders because it is a strategy. So --

Rick Howard: Well, let me ask you this, John, all right, because we're talking about core principles of your idea, Zero Trust, and you're right that you -- that Rick can't be on the network. John can't be on the network, but would you agree to this, that at a high level, there's really kind of three things that we're worried about, right? Identities that we manifest on the network, devices that connect to the network, and I would add software modules that we use, either open-source modules that we use to write our own software, or software that we write ourselves, or even third-party software that we buy and deploy. Those are all things that are -- we're trying to establish Zero Trust with. Is that -- would you agree to that?

John Kindervag: Yeah, and I would add the traffic that flows across from one thing to another, right?

Rick Howard: Yeah, yeah.

John Kindervag: So you're writing policy against traffic, always, and so -- and policy is binary. All you can do is allow it or deny it, and so generally, the old school was we allowed all, right? We allowed everything by default, and so when you change that model and you say, I'm going to deny everything by default and just turn on specific allow rules, that allows you to write much more granular policy to say who, what, which is which asserted identity, you know, that you're asserting is on the network, right? John or Rick is being allowed to access a resource via what? The application that we're talking about, right? And where is it going to, which is, I call it a protect surface, the thing we need to protect, but it's the, you know, the server, the resource, the database, whatever it is. And then, you know, how are we going to look at that traffic before we allow it to come on? And so it's a very simple, who, what, when, where, why, and how principle. I call it the Kipling method because Rudyard Kipling gave us the idea of who, what, when, where, why, and how in a poem in 1902. [ Music ]

Rick Howard: Back in 2021, I interviewed John for our Cyber Wire X Podcast, where he mentioned the Kipling poem. I had never heard it before. So I looked for somebody on YouTube to recite it. It's called, "I Keep Six Honest Serving Men" about Kipling's young daughter, her endless curiosity, and how as we all get older, we tend to lose that sense of wonder. Here's Jonathan Jones reciting it.

Jonathan Jones: I keep six honest serving-men. They taught me all I knew. Their names are What and Why and When and How and Where and Who. I send them over land and sea. I send them east and west, but after they have worked for me, I give them all a rest. I let them rest from nine till five, for I am busy then, as well as breakfast, lunch, and tea, for they are hungry men. But different folk have different views; I know a person small. She keeps ten million serving-men, who get no rest at all. She sends them abroad on her own affairs from the second she opens her eyes. One million hows, two million wheres, and seven million whys. [ Music ]

John Kindervag: And it's something that resonates across every culture, every language. They all have it. So -- so by being able to adopt a simple way of thinking about policy, then -- then we can start to control things more easily because policy has been so hard to construct for so long that we just said, ah, well, I'm going to give up and allow everything to come in. And it was that frustration that everybody had, you know?

Rick Howard: What do you say to the people that are confused by the idea Zero Trust implies you don't trust anything, but clearly, you have to trust something. You have to trust the identity that you're giving access to the digital resource. So that seems confusing to some people. What do you say to that?

John Kindervag: Well, I think, you know, of course, I've spent way more time than almost anybody else studying the word trust and thinking about the word trust. So, you know, originally trust is a word that's used almost exclusively in philosophy and religion. And then in 1958, a guy named Morton Deutsch starts looking at it in workforce management, and he says that trust is the willingness of one person to be vulnerable to another person, and I've always talked about trust as a vulnerability. I didn't know about Deutsch until after that, somebody pointed him out, which is one of the great things about what I do is I'll do something, and somebody will show me something that I hadn't seen before. And so what we're trying to do, because, you know, trust is that vulnerability, we're trying to validate a traffic, a, you know, resource, an identity, so that we can have confidence to allow that connection to happen, right? So I always replace the word trust with validation and confidence because trust is a pretty binary thing, right? Once you say, well, I kind of don't trust so-and-so, I mean, then that just, you know, it's over, right? You can't have a little bit of trust. It just is not something that works that way, but you can say, I have a certain degree of confidence because I've been able to validate a certain thing to be likely to be true

Rick Howard: John is talking about degrees of confidence, and when I hear that phrase, "degrees of confidence," my brain transforms that into uncertainty. And when I think about uncertainty, I think about risk because risk is just a measure of uncertainty about some future event. So in a Zero Trust environment, when an entity like Rick tries to connect to an asset, we are completely uncertain about the validity of that identity. But there are certain things we can do to decrease that uncertainty, like some kind of two-factor authentication and limiting what the entity has access to. And by the way, that's not a one-time check. In a Zero Trust environment, we want to continuously check that our confidence, our certainty about that identity, is within the range of our risk tolerance. And we want to challenge that identity, that device, that software component, every time it tries to do something new.

John Kindervag: So I think that's right, right? That's how I understand it too. The going-in proposition is you don't trust anything, but there are certain actions you can do to improve our certainty that that identity is who they say they are, that that software module is the correct software module, that that device can be trusted. There are things you can do to increase our confidence, that those guys are valid, right? So the going-in model is no trust, and then you do things to increase the trust over time.

Rick Howard: Yeah, I just think that the word trust causes so much trouble --

John Kindervag: Yeah.

Rick Howard: -- that I try to get people to move to confidence.

Rick Howard: You can't. You can't do that, John. You came up with the idea. No one's -- you can't change the idea now, right?

John Kindervag: No, no. I'm just saying that it's not a, in the digital world, there's no trust. That trust isn't even a thing, right? So when people say, oh, you're saying people aren't trustworthy, I say, no, people aren't packets. And that's the thing, we're trying to, again, make it more human. Kind of like, I don't know, have you seen the movie Inside Out or Inside Out 2 about all your different emotions?

Rick Howard: Sure. Yeah.

John Kindervag: Well, you know, that's anthropomorphization. I don't think there's a whole bunch of little people living in my head pulling levers. Maybe I'm completely wrong, but I recently had to have a CT scan, and they didn't see any of them in there.

Rick Howard: Okay, well, that's some -- that increases my confidence that you don't have little people --

John Kindervag: And there you go, right? So -- so we try to put things in language that we as human beings can understand, but from a computational perspective, they're -- they're actually -- they can cause problems because I've had people say, well, I'm not going to do this because I trust all the people in my company. Oh, well, that's lovely. I mean, you know, even places --

Rick Howard: That's a trust model, but okay.

John Kindervag: Yeah, well, it is, but I mean, you look at Snowden, right? Snowden was on a trusted system, right? Trusted system with the right patch levels, the right endpoint protection, the right -- you know, he had robust identity systems, powerful multi-factor, you know, CAF --

Rick Howard: And he was trusted, right? And he was a trusted employee with background checks and all that.

John Kindervag: That's right. And so what was the -- no one looked at his packets post-authentication. So what was the actual attack vector? It was the trust model.

Rick Howard: So that's one of the core principles of your Zero Trust strategy is that you don't just check once. You are continuously checking to make sure.

John Kindervag: Right, and you're not just checking only identity. Identity is something we consume in policy. So the policy has to have lots of different signals because you need to have a lot of different validated signals so that you have confidence in the connection happening, right? And we kind of do that in human beings, right? Because you've been in a place where, you know, somebody has been introduced to blah, blah, blah, and then you get a bad feeling about them. Well, that's a signal, right? And you're going to go, oh, man, you know, okay, I'm not really going to trust that person. And sometimes those gut reactions are worthwhile, but that's a signal coming to you to help you make a decision that's ultimately binary.

Rick Howard: Yeah, so you get that gut feeling, that's a signal that decreases your confidence.

John Kindervag: Right.

Rick Howard: So you're going to want to do other things to bring it back up, right? So that's what you're talking about.

John Kindervag: Right, or I'm going to want to get out of there, right?

Rick Howard: Yeah, you're -- yeah. You're so uncertain now, you have such a bad feeling, that we need to disconnect that, whatever it is, until we make sure. Well, let me ask you this, John, you've been thinking about Zero Trust for 15 years, going on 15 years now. Is there one or two misconceptions in the industry about what Zero Trust is that you'd like to clear up that you -- that you always have to talk about somewhere? Is there [inaudible 00:21:42] that you want to do?

John Kindervag: Four of them that I'm always talking about. One is we've already talked about it, Zero Trust isn't making a system trusted, right? We're doing all those things, validating, so that we can have confidence in a connection to happen. Second thing, it's not just identity, right? A lot of people think it's identity. No, it's -- consumes identity.

Rick Howard: Well, it's identity and access management, right? It's one thing to -- right? Yeah, okay.

John Kindervag: But I mean, in terms of just the raw identity, the raw identity is consumed in the policy that allows or denies the access. And then the third thing is that you can buy it as a product as opposed to it being a strategy that, you know, is going to go on, and it's a process. It's a journey, you know, and at least I've got people to adopt that terminology, Zero Trust journey. And we worked together at Palo Alto Networks where I was doing a lot of this stuff and had a lot of great support from leadership on that, including you, and I want to thank you for that.

Rick Howard: You're welcome.

John Kindervag: And then the fourth thing is that Zero Trust is complicated. It's not. It's actually pretty easy, but you know I got -- you know Greg Touhill, right?

Rick Howard: Sure.

John Kindervag: Yeah, so Greg called me up end of last year. He said John -- and, oh, by the way, for the listeners, Greg Touhill, he's a retired Brigadier General from the Air Force. He was the first CISO of the U.S. federal government, I believe. He was the first head of CISA and now he runs CERT at Carnegie Mellon. And he called me up, and he said, "John, how come I'm reading all this stuff and they're really making Zero Trust to be complicated?" He said, "I don't think it's that complicated. Why is this happening?" I said, Greg, you probably know more about it than I do on why this is happening. And he said, yeah, well, I think a lot of people want to make things sound complicated so they sound smarter. And I said, you know, that's probably true because I'm not smart enough to make it complicated. I've got to make it simple so that I can understand it. And so I think a lot of stuff that I go, well, no, that's just not true. But I, you know, sometimes people have to find out on their own, and I always encourage -- you know, I'm always willing to talk to anybody about it. So if you have a question and you want to clarify something, yeah, let's do it. Let's talk about it.

Rick Howard: So I agree with all that, right? But there are challenges for doing Zero Trust, especially if you're not a big Fortune 500 with lots of resources. So how does a small organization start to adopt the Zero Trust strategy with no resources?

John Kindervag: Well, I mean, you know, we talk about the five-step model. Define the protect surface. What are you going to protect? And then map the transaction flows, how does it work? And then put some kind of control. Everybody's going to have some control in place. Write policy, step four, and then monitor and maintain. It's a very simple policy. You know, and Zero Trust was designed to be scale-free. And so I've done it for companies of 30 people, and they just, okay, this is my important data. This is what I need to protect. Okay, well, here's the best way for you to protect it at the cost that you have available to you. And so, you know, we can figure out how to do that. You know, I'm not vendor agnostic because then I can neither confirm nor deny the existence of vendors. But I am pretty vendor neutral, right? If you already have something, we can probably -- a lot of it is just fixing the policy, quite frankly.

Rick Howard: And identifying the things you want to protect, right? Your attack surface, right?

John Kindervag: Yeah, that's always the -- the thing. People buy things and then they go, what do I do with it? What are you trying to protect? And they haven't thought about it. So if I can get people to just think about what they need to protect, then they'll get that.

Rick Howard: When you and I were working at Palo Alto Networks together, the idea of Zero Trust had just kind of reached the peak of inflated expectations, you know, off the Gartner Hype Chart. And then as we were there, okay, as vendors claimed, all the security vendors claimed they could do Zero Trust with their device, security practitioners started to lose faith a little bit in the idea, as all new ideas go race down through the trough of disillusionment, right? But I think we're starting to come out of that now, okay? People, like you said, are starting to realize that this is not a vendor solution, it's a strategy. It's a journey, and there are a couple of bullet points that show that we are coming out of that, and people are realizing that it's a strategy that they should be adopting. And one of the ones I'd like to get your comment on is President Biden's Executive Order 14028, Improving the Nation's Cybersecurity, and it requires federal agencies to develop plans for implementing the Zero Trust architecture. Are you tracking that, and do you see that as a positive thing?

John Kindervag: Oh, I think that's absolutely a positive thing. Everything's about incentives. [ Music ]

Rick Howard: So John, we're at the end of this. What's the Twitter takeaway? If you're going to have to write a Twitter line that takes everything we've talked about today and gives it to the audience, what should we take away from this conversation?

John Kindervag: That Zero Trust is being adopted because it works. Don't wait, start now, start anywhere. It doesn't matter where you start. You just -- you know, it's inertia. You've got to get moving in one direction because a body at rest will tend to stay at rest. A body in motion will tend to stay in motion. So just get it moving, and you'll find that it's a lot easier to do than you think. That was more than 180 characters, but still.

Rick Howard: That's close enough, okay? You know. Well, John, thanks for coming on the show and helping us figure all this stuff out. It is such an honor to have you on the show, the founder of the entire idea, and I'm so fortunate to have a chance to have met you and to work with you and to get you to come on my show to explain it to my audience. So thank you, sir. I appreciate that.

John Kindervag: The honor is all mine. I've learned so much from you. And first of all, it was great working with you. Second, it's better to be able to call you a friend. So I enjoy that, thank you. And third, for anybody in the audience, this man can go through more slides in a single speech than any other human being that you have ever seen. It is just a marvel to behold.

Rick Howard: I don't know what you're talking about. I deny all of that, John.

John Kindervag: Yeah.

Rick Howard: Well, thank you, sir.

John Kindervag: Thank you. [ Music ]

Rick Howard: And that's a wrap. I'd like to thank my friend, John Kindervag, the originator of the Zero Trust idea and the chief evangelist at Illumio for coming on the show and setting us straight about the current state of Zero Trust. CSO Perspectives is brought to you by N2K CyberWire. Visit thecyberwire.com for additional resources that accompany this episode. I've added some helpful links in the show notes to help you do more of a deep dive if that strikes your fancy. And check out our book, Cybersecurity First Principles: A Reboot of Strategy and Tactics, for a deep dive on a lot of the topics covered in this podcast. And by the way, we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. And you can also fill out the survey in the show notes or send an email to csop@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com, and here at N2K, we have a wonderful team of talented people doing insanely great things to make me and this show sound good. I think it's only appropriate that you know who they are.

Liz Stokes: I'm Liz Stokes. I'm N2K CyberWire's Associate Producer.

Tre Hester: I'm Tre Hester, Audio Editor and Sound Engineer.

Elliot Peltzman: I'm Elliot Peltzman, Executive Director of Sound and Vision.

Jennifer Eiben: I'm Jennifer Eiben, Executive Producer.

Brandon Karpf: I'm Brandon Karpf, Executive Editor.

Simone Petrella: I'm Simone Petrella, the President of N2K.

Peter Kilpe: I'm Peter Kilpe, the CEO and Publisher at N2K.

Rick Howard: And I'm Rick Howard. Thanks for your support, everybody.

All: And thanks for listening. [ Music ]