Zero trust is a strategy designed to stop data breaches and other cybersecurity attacks, John Kindervag, author of the original zero-trust research, reiterated in the Industry Leaders Forum CxO round table this week. He suggested changing the focus from technology to “what you are protecting.”

When Kindervag joined Forrester Research in 2008, he wanted to bring strategy to cybersecurity because most people confuse strategy with tactics. This led him to author a 2010 research paper that defined a zero-trust architecture, titled "No More Chewy Centers: Introducing The Zero Trust Model Of Information Security."

More than a decade later, many consider him the father of zero trust. Kindervag, after eight years at Forrester and a four-year stint as field CTO at Palo Alto Networks, is now ON2IT's SVP of cybersecurity strategy. But despite a dozen years and a flurry of marketing around the architecture, zero trust remains mired in myths and misunderstandings.

“I work with all kinds of organizations around the world on helping them protect things using zero-trust modalities, and it's very common that they want to talk about products,” Kindervag said. “And I'll ask what are you trying to protect and they don't even know.”

Zero trust is not identity, proxies, or firewall products as some vendors claim, he said. “There are times when you use various technologies, once you understand what you're protecting.” 

Adopting a zero-trust strategy is similar to how the U.S. Secret Service protects the President — they need to know where the President is and who should have access to them at any given time, he explained, adding that zero trust is a strategy “designed to protect things and designed actually to be resonant to the highest levels of your organization.”

Another issue with these architectures is that “it's hard to get people to talk about their zero-trust environments,” Kindervag added. “Zero trust is like the Fight Club — the first rule is you don't talk about it.”

Technologists typically need permission from public relations and legal teams to talk about the zero-trust environment, but those teams think it “puts a target on their back,” he said. “This is not true, however, as attackers generally don’t attack well-defended environments.”

But he saw changes starting as a result of the Presidential executive order that intended to improve the country’s cybersecurity and protect federal networks. And the federal government released a strategy to move U.S. government agencies toward a zero-trust approach shortly after.

Another common misunderstanding regarding zero trust is that it is a binary thing: “either you're doing it or you're not doing it, and that's not true,” Kindervag said. “You want to do it in small, incremental, iterative, and non-disruptive chunks.”

What organizations should do is shrink the attack surface down to very small protect surfaces. “You take this large problem called cybersecurity, break it down into very small parts, and now small things are solvable,” he explained.