John Kindervag, the mind behind the zero trust model, joins Rick Howard for an insightful discussion. They delve into the origins of zero trust, sparked by frustrations with traditional security methods. The conversation shifts to the evolution of this framework, highlighting the necessity for a trust paradigm shift to combat modern threats. Kindervag underscores the importance of differentiating identities, devices, and software in network security. The duo also navigates the practical steps for transitioning to a zero trust strategy, emphasizing a deny-all approach to safeguard critical resources.
Zero Trust redefines cybersecurity by eliminating implicit trust, requiring organizations to adopt a 'deny all' policy to minimize risk.
The framework emphasizes the need for rigorous identity management and traffic flow monitoring to create precise access policies.
Deep dives
The Birth of Zero Trust
The Zero Trust model of information security was first introduced in a 2010 white paper titled 'No More Chewy Centers' by John Kindervag, a former network engineer who was prompted by the limitations of traditional firewall trust models. Before coining Zero Trust, he recognized that the conventional approach granted excessive privileges based on assumptions about what was "inside" and "outside" the network, leaving organizations exposed to threats such as data exfiltration. The paper followed two years of research and prototype network builds, and in it Kindervag argued that trust is not a necessary property of digital systems and that every interface should be treated with zero trust. His approach aimed to reshape how organizations think about trust and its role in protecting sensitive data.
Core Principles of Zero Trust
Zero Trust is fundamentally a cybersecurity strategy aimed at preventing data breaches and other cyberattacks by eliminating implicit trust in any identity, device, or connection across networks. Kindervag explained that data breaches often stem from abuses of trust, citing high-profile insider cases such as Edward Snowden and Chelsea Manning, in which trusted individuals exploited their access to sensitive information. The model encourages organizations to adopt a 'deny all' policy by default, which allows more granular control over who or what can access resources and so minimizes risk exposure. This shift in mindset not only addresses security at a technical level but also resonates with business leaders, emphasizing the strategic importance of security to organizational readiness.
The Operationalization of Zero Trust
In practice, applying Zero Trust revolves around identifying and managing key elements such as identities, devices, and traffic flows within the network. Kindervag asserts that by questioning the identity of users and monitoring the traffic that flows across the network, organizations can construct precise access policies that secure sensitive areas while maintaining operational efficiency. The 'Kipling method,' which asks who, what, when, where, why, and how, serves as a foundational principle for developing these policies. This systematic examination and categorization of network interactions helps ensure that access is granted only under strict, explicitly stated conditions, reinforcing the tenets of the Zero Trust framework.
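To make the 'deny all' default and the Kipling method concrete, here is an added example (not code from the episode, from Kindervag, or from any Zero Trust product) of a small policy evaluator. Every rule must answer all six questions before it can allow anything, and a request that no rule matches falls through to an explicit default deny. The identities, resource name, time window, device label, justification tag and protocol labels are constructed for illustration.

```python
"""Default-deny policy evaluation along the six Kipling questions (illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt, described along the six Kipling questions."""
    who: str        # authenticated identity (user or service account)
    what: str       # protected resource being requested
    when: datetime  # time of the attempt
    where: str      # source zone / device posture label
    why: str        # business justification attached to the request
    how: str        # protocol or method used


@dataclass(frozen=True)
class KiplingRule:
    """An explicit allow rule; anything no rule matches is denied."""
    name: str
    who: frozenset
    what: str
    when_start: time   # window assumed to lie within one calendar day
    when_end: time
    where: frozenset
    why: frozenset
    how: frozenset

    def matches(self, req: AccessRequest) -> bool:
        # All six answers must match; a single mismatch means no trust is extended.
        return (
            req.who in self.who
            and req.what == self.what
            and self.when_start <= req.when.time() <= self.when_end
            and req.where in self.where
            and req.why in self.why
            and req.how in self.how
        )


def evaluate(rules: Iterable[KiplingRule], req: AccessRequest) -> Tuple[str, str]:
    """Return ("ALLOW", rule name) for the first matching rule, else ("DENY", "default-deny")."""
    for rule in rules:
        if rule.matches(req):
            return "ALLOW", rule.name
    return "DENY", "default-deny"  # no implicit trust: unmatched traffic is denied


# Constructed sample policy (hypothetical names): two payroll analysts may run
# read-only queries against the payroll database from a managed laptop, during
# business hours, for the monthly payroll run.
RULES = (
    KiplingRule(
        name="payroll-analysts-read",
        who=frozenset({"alice@example.test", "bob@example.test"}),
        what="payroll-db",
        when_start=time(8, 0),
        when_end=time(18, 0),
        where=frozenset({"managed-laptop"}),
        why=frozenset({"monthly-payroll-run"}),
        how=frozenset({"sql-readonly"}),
    ),
)


def make_request(**overrides) -> AccessRequest:
    """Build a constructed in-policy request, with optional fields overridden."""
    base = dict(
        who="alice@example.test",
        what="payroll-db",
        when=datetime(2024, 3, 4, 10, 30),
        where="managed-laptop",
        why="monthly-payroll-run",
        how="sql-readonly",
    )
    base.update(overrides)
    return AccessRequest(**base)


def demo() -> dict:
    """Evaluate one in-policy request and four that each fail a single Kipling question."""
    cases = {
        "in-policy": make_request(),
        "off-hours": make_request(when=datetime(2024, 3, 4, 23, 15)),
        "unmanaged-device": make_request(where="byod-phone"),
        "unknown-identity": make_request(who="mallory@example.test"),
        "write-instead-of-read": make_request(how="sql-readwrite"),
    }
    return {label: evaluate(RULES, req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (decision, reason) in demo().items():
        print(f"{label:24} {decision:5} ({reason})")
```

The point of the structure is that the allow list is the whole policy: there is no separate "deny" rule to forget, and adding a new resource or identity requires someone to write down who, what, when, where, why and how before a single packet is permitted.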
Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, discusses the current state of zero trust with CyberWire Hash Table guest John Kindervag, the originator of the zero trust idea.