Emily Wearmouth [00:00:01] Hello and welcome to another edition of the Security Visionaries Podcast, the place where we grill experts on a wide range of cyber data and other related topics. I'm your host, Emily Wearmouth, and today I have two expert guests joining me, John Kindervag and Neil Thacker. So let's get some introductions out of the way. I'm going to start with you, John, because you have one of the most impressive informal titles I think we've ever had on the show, The Godfather of Zero Trust. You picked up the title at Forrester, where, for the listeners benefit, John gave the name to the principle of what we now know as zero trust as a data security approach. I think for an analyst, The Godfather title is probably the pinnacle of a career. So in recent years, he's been working as an evangelist for a number of security vendors, and he's now the chief evangelist at Illumio. So welcome to the show, John.
John Kindervag [00:00:47] Hey, thanks for having me.
Emily Wearmouth [00:00:49] Neil Thacker is a voice that regular listeners might recognize because he joined us on our pilot episode back in September. He's a practicing and very busy CSO, but he still makes time to be one of my go to experts on governance, compliance, AI, all sorts really. Neil is here to give us the view from the trenches as a practicing CISO he'll hopefully be able to give us some doses of reality as to what really goes on when principles and ideologies get into business. So can you guess what we're going to be talking about today? Yeah, it's the topic on everybody's lips zero trust. And we're going to dive right in. And I think it would be remiss having got The Godfather onto the podcast. John, can we start off with you? I want to ask you to give us a brief explanation of zero trust, but in particular, I'm keen to hear what prompted the initial conception of the zero trust approach when you were at Forrester.
John Kindervag [00:01:36] So, before I got to Forrester, I was a practitioner. I was a security engineer and network engineer, security architect, pen tester and firewalls, from the beginning, I had this trust model where interfaces were given a trust level 0 to 100. And so zero, the, least trusted interface went to the public internet, and 100, the most trusted interface went to the internal network. And then every other interface had a different number. But that could be neither zero nor 100 and couldn't be the same as each other. And those trust levels determine policy. So, for example, you did not have to have an outbound rule if you were going from a high trust level to a low trust level. And I would always try to put those in because I was worried about data exfiltration and I would get in trouble, because that's not the way the manufacturer says you need to do it. I'm like, well, logic dictates that, if somebody gets in, they're going to get out. And, having a door that, you know, only needs to go one way is silly. And so zero trust is my reaction to that broken trust model. That trust is a human emotion. And and it needs to get out of the digital world. It has no relationship to packets. People aren't packets. You you can't apply the concept of trust. So get rid of the the word trust. That's the easiest thing to do. Replace it with validation where validating signals so that we have confidence in allowing access to a resource.
Emily Wearmouth [00:03:14] And I know we're all talking about zero trust now, but it's been a little while since you came up with the initial idea. So what was the reaction like back when when you first came up with it?
John Kindervag [00:03:22] Well, it was less than enthusiastic. In fact, people told me I was completely nuts out of my mind. This would never go anywhere. Other things that I would not say on a public podcast. So, you know, then 11 years later, 2010, I wrote the first report. 11 years later, the president issued an executive order on it mandating all, U.S. federal government agencies adopt it. And it's now become this global movement. So that's something I never thought would happen. And I was told explicitly by lots of people that that would never happen, and that I was literally one of the craziest people on the planet.
Emily Wearmouth [00:04:00] Why do you think it has caught on?
John Kindervag [00:04:03] Because it makes logical sense, and also because a lot of early adopters who were having really big difficulties securing their network, tried it out and told other people and told other people and told other people that it works. And so, it proved itself in the trenches. I mean, I did two years of primary research before I published the first report. I built prototype environments. I worked with government agencies. So I never had any doubt that it was going to work, that it was the right strategy. Because zero trust is a strategy, first and foremost, that resonates to the highest levels of any organization like the president in the United States. And then can be tactically implementable using commercially available off the shelf technology. So I always knew that I needed to make sure that the strategy was decoupled from the tactics. Strategies don't change. Tactics get better and better over time. Right. Yeah. So Neil and I go back a long time to, a hotel in London. Right, Neil?
Neil Thacker [00:05:13] Yeah. I think we first met in 2012. So that's scary that's 12 years ago now. And I heard about the term. I heard about your definition of zero trust. And we had a discussion. I think it was over lunch during the conference. And, yeah, we were talking about how what zero trust can be, can be applied. And in those days, yeah, it was firewall, it was IPS. I remember talking about IPS and looking at context around IPS and these tools or these, these new features that were being implemented like, real-time network awareness, where it was trying to take different variables of trust. Exactly. To your point, right, in terms of how you how you define policies and how you should be adjusting policies based on the trust levels. But it was interesting because at that time that in that hotel, Tom cruise was staying. And it's probably it's putting a great analogy, right, in terms of there was people around the hotel, in the hotel, staying at the hotel or having conferences at the hotel. And then on the top floor, Tom cruise had about 6 or 7 rooms that were knocked into each other. So he had his gym and obviously his place where he was staying, while he was filming Mission Impossible. And I think that's a great analogy, right, in terms of zero trust and the fact is that people were in that hotel, but there was zero trust applied to those individuals, right? They were not allowed to go onto those floors. There was very tight security to completely restrict access to those areas. So yeah, that was the first time we met. And I've been following you ever since. For the last 12 years, as organizations, take on and adopt zero trust.
Emily Wearmouth [00:06:39] Neil, can I ask and be honest, what was your initial reaction to the zero trust concept? Did it immediately sing as something amazing and workable and holding all the answers? Or was there any skepticism to start with? How did it go down initially?
Neil Thacker [00:06:54] I was a fan of the principles. I was absolutely a fan of the principles. Having experienced this for many years. It's not just about relying on an IP address, for instance, to secure access to services. There's many different conditions that have to be met. Always been a big fan of the kind of the five W's. When you start building anything, you have to better understand the who, what, where, when, where, how and apply those principles. This is the Kipling method that has been used for many, many years outside of security as well, of course. So I've always been a big fan of utilizing those things, but also how we better understand the policies that we're implementing. I was always challenging my team at the time, a team of security operations in terms of whenever they put a policy or condition in that they understood what it was actually doing right, what benefit it was giving to the organization. And when we were talking about things such as insider threat, or an external threat, we have to consider that. And in these cases, there has to be a form of zero trust. I was a big fan of the principles, but of course, looking at how we could implement through, elements of people, process, and technology too.
Emily Wearmouth [00:08:00] And John, now that you've seen it out in the wild for a long time and it's sort of your baby has gone off to, to school, what does it feel like to see, essentially, we're seeing vendors interpret zero trust in lots of different ways make the term suit their purposes. They haven't necessarily built to your ideology that they've taken your your branding and stuck it on, a lot of things that they're already doing perhaps, or have have manipulated the meanings to suit them. How does that feel?
John Kindervag [00:08:29] Well, you know, sometimes it can be a little bit frustrating, but I look at those people as force multipliers for the concept, because there's a lot of other things out there that people will end up, coming to, and they might hear about it from something, and maybe that will sound good and maybe it won't. Eventually they'll realize, oh, that's just one piece of the puzzle, right? But there's a lot of other things that they can look at. There's guidance from NIST, there's guidance from CISA. I was appointed to serve on a presidential subcommittee called the NSTAC, the President's National Security Telecommunications Advisory Council Subcommittee on Zero Trust and Trusts identity access. What, doesn't that sound like a government, committee? But we published a, a report to President Biden in February 2022. And that was a collaborative report that included, you know, people from private and public sector. And that's unique because everything else is kind of one perspective. And so that was collaborative. I would say that report is something that everybody should read because it's authoritative on what zero trust is. Right. And so it's also the basis for the Cloud Security Alliance Zero Trust working group that I'm a part of. And so if we use that as the foundation then every body can start moving towards building it. We spent way too many years talking about what it is and not enough time doing it. And so I hope the next phase of zero trust is just do it right. Take that Nike motto and just do it.
Emily Wearmouth [00:10:12] So one of the things that I've heard vendors use of the term zero trust being criticized for, I've heard it being said that zero trust is just the latest way to talk about and sell what is essentially identity and access management. I'm going to ask both of you. I'll start with you, John. Is that fair? Do you think that it is being used in that way, and if so, why is that problematic?
John Kindervag [00:10:32] Well, it's being used in that way, but it's wrong. Right. Identity is an important signal that we can consume. So identity is consumed in policy in zero trust. But it doesn't equal zero trust right. So of course the identity vendors smartly jumped on that. But now we're seeing so many, compromises of identity systems. Not only are some of the big identity vendors being compromised themselves, but we have MFA fatigue where you just keep hitting yes, yes, yes, because you get in an MFA loop and you just don't care anymore. We see lots of ways to get around identity. Identity is always fungible, right? Always, always, always fungible in digital systems. It's fungible in human systems as well. But certainly in digital systems it's highly fungible, meaning that it's easy to get around or manipulate. And, you know, if you look at it, I always disprove the concept that identity, is zero trust with two words. Snowden and Manning, I call them, they're the two most famous people in cybersecurity. I call them, like the Beyonce and Rihanna of of cyber. Right. Because they're one word people. And they were trusted users on trusted systems. They had the right patch level. They had the right endpoint controls. They had really powerful MFA, much more powerful than we use in the in the private sector. But they're really hard to use and really cumbersome and, and create a lot of friction. But no one looked at their packets post authentication and asked, what are they doing on the network and, and on the what's colloquially called the high side network of the federal government. Once you get authenticated into that network, you get access to everything on that network. So I was talking to a lawyer involved in the Manning case, and he said when that first crossed my desk, I asked, how could a PFC in a forward operating base in Iraq have access to classified State Department cables in Washington, DC? And he said, I finally understood zero trust after reading all of the evidence put before me. So, yeah, identity is consumed in policy. It's not that it's unimportant, but it's also not maximally important. This is about building a system, not deploying a technology.
Emily Wearmouth [00:13:02] So Neil what might some of the other factors be? And and just to, backtrack slightly on on what John was saying there, I've always thought of zero trust or it's often used as shorthand is verify then trust instead of trust them verify. But it sounds like we're talking about verify and then verify something else. And then a little bit later verify again.
John Kindervag [00:13:19] If you're going to use that trust but verify thing it's verify and never trust if you need another thing there. Right. Yeah. But trust but verify. If you look at the history of that Ronald Reagan never said it. He was he was using a Russian proverb and he said it in Russian. You know, my Russia, I never have been able to say that phrase, but it was something like overnight, not proven. I and as, my Russian friends point out, you know, the whole point of that is it just rhymes, right, in Russian. And, and then he said, and of course, that means trust but verify. And it was a joke and everybody laughed. So it was a literal joke that Ronald Reagan made, and we took it seriously. So I would talk to people. What? Sure cybersecurity strategy and it will trust but verify. Well, why do you say that? Because Ronald Reagan said it. Yeah. That great cybersecurity expert Ronald Reagan says it was. That was a time before there was the first malware was ever created, I think, you know, so it was just insanity that people would just go on these tangents because someone else said it. It's the madness of crowds.
Emily Wearmouth [00:14:26] Yeah, absolutely. So so what are Neal, what are some of the signals that you're looking at as a CISO that help you make those decisions around access?
Neil Thacker [00:14:33] I mean, I agree, identity is one part of that is a critical control. But you then have to ensure you have, for instance, device coverage because device is a another element of that. It's around which network or and if we're talking about cloud services, well if you're using a network there's potentially then you're using the internet. It's around compute. It's around aspects of activity. It's the application you're accessing. There's elements around or so of course the activity itself and then storage and and data. So there's so many different elements or components of that. I mean these are somewhat defined in multiple frameworks that they have to be. Each one of these has to be a consumption and or a level or a confidence of trust. Right. In terms of building this out. And I think that's where organizations have to really start looking at this. And I'll give an example. I did a talk and I was talking about the different levels of maturity, of the adoption of zero trust. And it was somebody in the audience that sort of put their hand up and said, well, I have zero trust because I have a VPN and I have access control, I have ACLs. And my response was, well, yeah, okay, you have you had perhaps one, 1 or 2 fundamentals here, but you have to consider those many other components, right. And that should play a part of this. I completely agree with with John. And this is absolutely critical that we move beyond just identity as being that that control to determine trust for our organizations.
John Kindervag [00:15:51] Well, no determine, confidence or not trust. I got to get you off the t word. A four letter word in zero trust, man. It's a four letter word. Here's the thing, though. That's missing, right? You mentioned the Kipling method. Who what, when, where, why and how. And in fact, you mentioned you left out why when you were saying that, I was like, we didn't do why? Why is the first question. Why are we doing this? Well, why do we do cyber security? What's a cyber and why should we protect it? First of all, we've misnamed the the the business we're in. But secondly, the only reason to do security is to protect something. Right? And so, zero trust is all about the fundamental concept is not the technology, it's the protect surface. What am I protecting? That's what we start in the five step model. And that's documented in the NSTAC report. So I created a simple five step journey that everybody can follow. Define the protect surface. What are you protecting. The things you're protecting are known as dash elements stands for data applications assets or services. You put one type of DAAS element into a single protect surface and then you build your protect surface out, or your zero trust environment out one protect surface at a time. So in this way zero trust becomes three things incremental. You're doing it one at a time, iterative one after another. And then non-disruptive. The most you can screw up is one protect surface at a time. The biggest problem I see is people trying to do it all at once. And that is impossible. It's too big of a challenge. After that you map the transaction flows. How does the system work together as a system? You know, the NSA just came out with new guidance on segmentation and the importance of segmentation within zero trust just last week. And they called out data flow mappings is one of the key elements along with micro segmentation, macro segmentation and software defined networking. And so you need to understand how the system works. And then step three you can figure out what's the right technology. We've been taught to start with technology because well that's how vendors sell, right? They sell technology and we need them. Right. Because they provide the things that we push policy to, but they in of themselves do not provide security. You have to understand why you're doing it. And then step four is creating the policy. And step five is monitoring maintaining it. Make sure you just don't leave it and constantly, look at it and let it build itself up and get better and better over time.
Neil Thacker [00:18:29] And it's a cycle, right? It's that you repeat that. And I think that's where definitely technology can assist in terms of identifying new, attack surfaces that you then have to protect, right? You protect surface needs to constantly expand or as we as you uncover again, more assets.
John Kindervag [00:18:45] Well, I hope it doesn't cost my protect surface doesn't constantly expand. I hope it stays relatively I mean, it'll get bigger in terms of the amount of data being stored in a particular, say, database, but I don't want to add more elements to the protect surface. Right? I want I'm trying to disconnect, or decouple or segment the surface away from the rest of the attack surface. So I don't even have to care about that, right? I mean, if you look at the NSA guidance that came out, they start with talking about they mentioned a retailer breach, and then they give a footnote to the Target breach. And, you know, everybody likes to say that the Target breach, which happened in 2013, which I think is the beginning of cyber security in the modern world. I break the world into BT and AT. We're in the year 11 AT after target, right? Because Target was the first time that the CEO was ever fired because of something that it did, which was allow a data breach. And if there's a data breach that happens in your organization, you had policies in place that allowed it. You're not just a random victim. You are a unwitting coconspirator from having bad policy. So they mention that and they talk about the HVAC thing and the HVAC that wasn't the problem. The problem was that Target put the HVAC control system on the same network as the cardholder data environment, which is a clear violation of of the PCI, DSS. I mean, I'm a recovering QSA. I was part of the first generation of of QSAs that that went and got that certification for PCI. So never, ever, ever would you have knowingly put a system like that on the cardholder data environment? That would be a clear violation.
Emily Wearmouth [00:20:32] You talk about before Target and after Target. I think that's a really nice way of splitting the world up. In this after Target world. We are seeing zero trust, and it's through things like Biden's executive order. We're seeing zero trust, not just be, a term or an ideology that's being embraced by the technology community. It's a conversation that's happening right up to board level within organizations. And I'm wondering, how much do you both think that's useful? Because, you know, businesses are thinking about the right things and how much of it is is creating more challenges through misunderstanding, or perhaps an expectation that there is a technology that can just solve this out of the box.
Neil Thacker [00:21:08] So I'm a member of a group, the Cyber Collective, and we have about 300 members. And I asked them for some questions. So actually posed to, to John. And actually one of those questions that came out was around looking at the net zero trust architecture. And now we're seeing more, more emphasis on this in terms of zero trust and looking at how to build an architecture to apply zero trust. And one of the questions that came in was around, how do we see this and transitioning? How are how are we seeing and adding value to our businesses by by adopting ZTNA and especially around looking at how we're moving beyond networks. So the principles are the principles becoming more or less effective as we as we move away from networks. But when I say networks, I say traditional networks not we know networks are still existing in cloud services, etc. but that's how I'm hearing this discussion, perhaps even at board level, how organizations are perhaps all going through a a transformation either through network or security transformation. And I think it would be good to, to perhaps understand that a bit more in terms of that. Are we in this stage of evolution in terms of this?
John Kindervag [00:22:12] Well, cybersecurity is absolutely a board level topic, and I've talked to lots of board members. I've talked to generals, admirals, I've talked to, high level people in governments all over the world. And they get it more easily than technologists do because technologists are stuck in their technology bubble. They understand the strategy. There's a couple of things that happen. One is boards need to know about this stuff, because I have seen many times when, other executives try to hide from boards and CEOs cybersecurity problems because it'll make them look bad. And then there's a data breach and everybody gets fired. Quite frankly, Neil, I wouldn't be a CIISO today, because you're the guy who gets thrown under the bus, and then they back it up forward and backward over time. And then then maybe you end up in prison. We don't know who's going to end up in prison. But certainly there's been some fraud convictions and other things that have happened to the CISO community. It's a dangerous place to be because you exist for the purposes of being fired for something that you may or may not have had control over because you didn't have budget. You didn't report up to the CEO, like all CISOs should report to the CEO. So the CEO gets unvarnished information. But, also, the other thing is like NIST, NIST is not a cybersecurity, standards organization, right? So you in the UK should never do NIST. It has no value to you because you're not part of the US federal civilian agency system. NIST is only there to provide guidance to US federal government civilian agencies. And quite frankly, there's a lot of things I don't care. Right? Right. Because they're designing for typically small agencies who listen to them. The big agencies don't care. The DoD doesn't care. And so, you know, that's why I would focus the listeners over to what we're doing at the Cloud Security Alliance, because we're decoupling it. And we're not saying that there are standards. There should be no standards in cybersecurity. We don't need standards because standards provide interoperability. And interoperability comes from APIs now. So standards all it all they do is inhibit, innovation. And so I would say standards are now a really bad thing. This is the problem with standards bodies is there's so much compromise that they're not really valuable to, to end users.
Neil Thacker [00:24:43] Yeah. I guess my point is it's looking at like, taking out the best of perhaps some of those things, like learning examples around this. I think with something I'm seeing is around and it's quite, quite interesting aspects of when we look at things such as the zero trust architecture around policy enforcement point. Right. I think for many organizations today, they're trying to standardize on policy enforcement points, utilizing the principles and ensuring that they can see value in that. Right. But, yeah, I agree, you have to take the best of what's out there. But also in the majority of time, it's what you're learning yourself. It's what your organization is doing that's unique. That actually kind of makes a difference, right? That's the for me that's that's the that's that's the recommendation.
John Kindervag [00:25:23] Well, I'm going to use a British word for you since you're both British. Every zero trust environment must be bespoke for the protect surfaces protecting. So I'm sorry you can't we can't go back to the 90s and have reference architectures where all we have to do is change the IP addresses to our IP addresses in and the packets will just flow. That's the way we used to do things back in the old days. And that's a very 20th century concept and that's what people want. Just show me what to do. And it never worked because we built these networks for the business. And the business said, gee, you gave me a bunch of round holes, but I got square pegs. And we said, luckily, the vendor gave us a free, pocket knife so you can whittle the corners and make it fit what we've built, because we're the most important. And the business, you know, had because of that, a very low opinion of it. And cyber security is an inhibitor of business and said, hey, I got a credit card, I'm going to go to the cloud. I'm going to do shadow IT, all that stuff, which they should have done because we were being dopey, you know, we were trying to force them into our world instead of aligned to their world. And I saw that when I was doing some of the primary research around Zero Trust, I did a research project where I had IT leaders and business leaders stack rank the some of the most important things, and I got a whole list of things from different people. And the top three priorities for business leaders were increase revenue, increase profitability, and stop data exfiltration. Stopping data exfiltration was the only technological thing that made the list. Those were the three bottom priorities of IT leaders. Their's were like antivirus catch rate right back in the time, how many phishing percent of phishing in my phishing tests did I stop all that kind of stuff? And they didn't care about increasing revenue and increasing profitability and stopping data exfiltration, which are the grand strategic things of a business, right? If you're not increasing revenue and increasing profitability and stopping data breaches, then you're not doing your job. And so we get too much into the minutia and we don't understand the mission.
Emily Wearmouth [00:27:42] I see my producer starting to wave at me on timing. And I've got a question I definitely want to make sure that we ask you, John, if you could go back in time, would you still call it zero trust?
John Kindervag [00:27:52] Absolutely, I would. Absolutely trust as a human emotion. And when people say you're saying people aren't trustworthy, I'm saying, no, I'm not. I'm saying people aren't packets. John is not on the network right now. Neil and Emily and I are not on networks. Our asserted identity is asserted to generate packets from some device, and we're not on the network. So quit anthropomorphizing what we're doing. This isn't Tron, Lawnmower Man or Wreck-It Ralph. This is the real world. So absolutely I would. And everybody who pushes back, I mean, I say, you don't even know what trust means. Define it for me. And they can't because it's a human emotion that for centuries was used only in philosophy, religion, human interaction, never in business. And I know how it got into technology. It was an accident. Somebody's coding something in their garage in the middle of the night, and they just called it a trust level. But no, get rid of it. It the only people it has value to are the malicious actors who are going to exploit it, because you don't need it to move a packet from point A to point B. Was that enough of an answer for you in there?
Emily Wearmouth [00:28:59] It was absolutely. I'm passionate to which I'm learning is how you answer all questions. John. Thank you. Thank you, both of you, for.
John Kindervag [00:29:07] Can I ask one question to Neil before we go?
Emily Wearmouth [00:29:09] Absolutely. Please do.
John Kindervag [00:29:11] Did you get to see Tom cruise in the hotel? I never saw him.
Neil Thacker [00:29:14] No. We never. No, we never actually got to see him in the end. No, there was there were. I think there were a few attempts made from the people in the conference, but nobody got the opportunity.
John Kindervag [00:29:23] I know I tried to wander around to and ran into big, burly people who said, go that way.
Emily Wearmouth [00:29:30] Access denied.
John Kindervag [00:29:31] Zero trust, baby.
Neil Thacker [00:29:34] There you go.
Emily Wearmouth [00:29:35] Thank you both for joining me today. I mean, this is a hugely interesting topic. It's gonna it's been around for a while now, John, and I think it's going to be around with this for a little while longer. You've been listening to the Security Visionaries podcast. I've been your host, Emily Weymouth, and if you enjoyed this episode and who wouldn't enjoy this episode, please do share it and make sure to subscribe to the Security Visionaries podcast to.
John Kindervag [00:29:56] Give it the like. Right?
Emily Wearmouth [00:29:58] Give it the like. Yeah, absolutely. Like and subscribe. And take a look through the back catalog because we've got some really interesting topics that you might also enjoy. So thank you both John, Neil and I'll catch you next time.