Access Management , Critical Infrastructure Security , Digital Identity
ISMG Editors: Zero Trust SpecialFather of Zero Trust John Kindervag Joins Editors
In the latest weekly update, John Kindervag, creator of Zero Trust and senior vice president of cybersecurity strategy at ON2IT, joins two editors at Information Security Media Group to discuss important cybersecurity issues, including whether we have advanced or regressed in security technology, implementing Zero Trust security in OT environments, and how federal agencies are progressing with Zero Trust adoption a year since President Biden's cybersecurity executive order was issued.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The panelists - Anna Delaney, director, productions; John Kindervag, creator of Zero Trust and senior vice president of cybersecurity strategy, ON2IT; and Mathew Schwartz, executive editor, DataBreachToday & Europe - discuss:
- Areas in which the security industry is advancing and areas in which it is regressing;
- The challenges of implementing Zero Trust in an ICS environment;
- The progress U.S. federal agencies have made in adopting Zero Trust one year since President Biden's cybersecurity EO was issued.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the April 22 edition discussing the complications of regulating spyware and the April 29 edition discussing which virtual currency criminals prefer.
Anna Delaney: Hello, I'm Anna Delaney and welcome to the ISMG Editors' Panel. And this week, we are joined by none other than the father of zero trust, and that is, of course, John, Kindervag - the creator of the zero trust strategy, and also senior vice president of cybersecurity strategy at ON2IT Cybersecurity. And we also have, of course, ISMG's brilliant executive editor of DataBreachToday and Europe, Mathew Schwartz. Hello, both and welcome, John. Great to have you join us.
John Kindervag: Hey, it's great to be here. Always fun to talk to you guys.
Mathew Schwartz: Great to see you again.
Kindervag: Yeah. It's been a while, hasn't it, Mathew?
Schwartz: Yeah, there's been a small pandemic in a way, but hopefully, we're getting through that.
Kindervag: I vote that it's over.
Delaney: I second that.
Kindervag: There we go. We have a quorum.
Delaney: John, I usually ask guests where they are in their virtual worlds but you look quite comfortable in your home studio setup. Is this as a result of the pandemic and home working? Or were you always so advanced in your setup?
Kindervag: Unlike everybody else who built their home working setup around their desk, I built it around my chair, because I figured I was going to be sitting in the chair. So everybody else has a desk and their chair moves around. My chair is stationary and special, and then my desk moves around. I inverted the whole paradigm so that I could always be comfortable in. After 30 years of leaning over a computer, that does a number on your shoulders and your back. So I lean back when I type now and lots of things to just try to survive the onslaught of technology illnesses that we haven't ever thought about. Our ancestors never had carpal tunnel syndrome. I grew up on a farm. That was not a common discussion that we had on the farm. I've got carpal tunnel syndrome. If you had a syndrome, it was from shoveling too much or throwing hay bales around or something like that.
Schwartz: Or getting your hand caught in something you shouldn't. John, I want to know, is that a mood light behind you? Are you are you suddenly warning us away here?
Kindervag: Yeah, I do have a mood light around. And I can do all kinds of things with it.
Schwartz: Look at that.
Delaney: Like a home office disco! Love it!
Schwartz: We like to inject a little chaos into these discussions. So, perfect!
Kindervag: Yeah, I can play it to music, I can make it do all kinds of weird things. I just thought, well, if I'm going to be here, I might just change it around and do different things. It can get brighter and darker and all kinds of stuff. I thought I'm going to get a background so that it sets it off a little bit. And you can see it and everything.
Delaney: You've got us in the mood, John. Speaking of chaos, Matt, which corner of Dundee are you showing us this time?
Schwartz: Oh, like I always use my local backdrop. I'm actually just a few miles south this time, in St. Andrews. This is the St. Andrew's Cathedral. I've given it a little bit of a digital collage kind of look while I was killing time the other day. So it's static, unfortunately! Obviously, I didn't get the Kindervag memo here, but it's my humble contribution to this week.
Kindervag: Do you live in Scotland?
Schwartz: I do. I know the accent gives it away.
Kindervag: I did not know you lived in Scotland. I love Scotland. I can't understand anybody who went there. But I still love it. It's great.
Schwartz: Getting better.
Delaney: I'm also in Europe this week. I'm in sunny Valencia. So I'm giving you a taste of Valencia. It's amazing because there's such a great perfume because there's so many lemon trees and orange trees. I rarely say that about a city that has a great smell but this one does. So, John, back to zero trust. It might be worth baselining zero trust for a moment. Has your working definition of the strategy changed as more organizations implement zero trust?
Kindervag: No, the strategy hasn't changed and won't change and doesn't need to change. There's been some terminology changes. For example, early on I used to talk about the first step of zero trust is defining your data, which was still asking the question - What do you need to protect? Now I ask: define your protect surface because we put data, we put assets, we put applications, and we put services. What we call DAAS elements, so that people who are in the OT environment, manufacturing, oil and gas can understand more easily how to consume it. And that's probably been the only major change strategically in there. Of course, zero trust’s strategy, tactics, and tooling are decoupled. The tooling is getting better in some cases and in some cases it’s getting worse. Oddly enough, I think we're in this weird time where people have forgotten the past. And we're going back to a world pre-2000. In a lot of the technologies, especially in the native cloud technologies, where we, instead of having next generation firewalls, protecting data, we're having stateless ackles, like we did in the 90s on routers. So I'm a little concerned that we're decrementing our security, based upon the technology that we're using, especially in the cloud.
Schwartz: That's a really interesting trend you're calling out, John. Just because having covered the space for a little while, it seems like a lot of the same mistakes, keep getting made, not just on a technical front, but almost on a soft skills front. We had a breach involving Okta recently, where they did a lot of things right, they found out something was wrong, they alerted their business partner to investigate it. And then they failed to follow through to make sure that their business partner had investigated in a timely manner. And I just wonder, are there some common culprits or causes you're seeing since, as you say, this does detriment zero trust? Is this new people coming into the market? Or new people entering the field? Is this new types of technology? They're all shiny, and people forget the basics? What do you think?
Kindervag: The first culprit is Linux, right? If you think about it, Linus Torvalds should be the richest person in the world. Because we don't have cloud, we don't have most of the things that we have without Linux. Linux has, what people pretend is a firewall called IP tables, which is really just a way to turn on an ACL - an access control list - that doesn't even maintain state. So we go back to the pre-CheckPoint days, right? When CheckPoint invented the stateful firewall, it was because hackers could bypass access control lists easily. Now we're saying, “hey, hackers, we're going back to the early 90s, so have at it, compromise every cloud environment. Because it's easy.” Secondly, we have a new generation of people who haven't been trained in some of the basics of what is TCP/IP? What is the OSI model? What is a network? How does a packet flow? What are the basics of our industry, and they get into the higher level stuff, agile versus waterfall versus DevSecOps, and all of the things that sound sexy without understanding the basics. And buildings fall down if you don't deal with the basics. You can have great modern architectures but if the foundation isn't there, they're going to fall down.
Schwartz: Excellent. Great analysis there. I think nothing is such a great educator as failure. And if you've just not been in the field for that long, maybe you haven't had these horrible things happen to you to the point where you internalize what you should have or could have done in order to deal with them. Well, switching gears just a little bit, Anna and I are going to tax him a little bit, but because you and I last saw each other at a notable event in my life, which was RSA 2020. Notable because it was kind of the last time I got to go outside and play in terms of the last really big cybersecurity event I was at, because it was right on the cusp of there being this, we thought at the time, maybe a health concern. And lo and behold, within a month or two we were just totally locked down. So we were having obviously some discussions about zero trust at RSA 2020. And we've got this year now, we've had this blink, nearly two years later. Is it worth looking at how some of those discussions have changed because I feel like with what's happening in the White House and a number of other different arenas, we've seen a massive increase in the sophistication of the discussion we're having and before you said there might be some steps forward some steps backward. But I would say, on the whole, we're in a much better place than we were before.
Kindervag: Absolutely! First of all, the pandemic, incentivized people to really take remote work seriously. And in order to seriously work remotely, you'll almost need some level of zero trust concepts built into your system, because you don't have that ubiquitous perimeter that you were dependent upon, even though it wasn't very effective, you still had confidence in it. And now suddenly, it's completely gone. So you have to think about what resource are the people accessing from home. And so that helped create that. Some of the technologies that just are really good in enabling zero trust remote access technologies and things like that became not nice to have, but an imperative. And I was talking to a group of people in the government, who were struggling to do remote access, and they were wearing gas masks in the office because they didn't know how bad it was, or how bad is this going to be. So we were in the government, we have gas masks available. So let's wear gas masks around, while we figure out how to do remote work. So if you were in that process of heading down a zero trust path, and you were thinking about it, it doesn't matter where the resource is located, I just need to have secure access to the resource with some Layer 7 policy in place. It made it much easier to transition into remote work during the pandemic.
Schwartz: People just had to get it done. They said, just make it happen today.
Kindervag: Right! I was at Palo Alto Networks at the time. Every single person had a remote access technology on their devices. It took us a week, right? There was just no time at all. For me, it was just completely seamless, because I'd always work that way as a remote worker or a traveling worker. I think that that's a very interesting thing. And we're seeing people not wanting to go back to the office. People at Apple are complaining that they don't want to go back to their office. So many people I know, are just saying, “I'm not going to go back to the office.” And executives are saying, “Well, you have to go back to the office, because we're paying a lot of money for this real estate.” And that's their justification. So we're going to see some interesting dynamic shifts in just every industry here coming up.
Delaney: John, you've got me thinking about manufacturing, because this seems to be one of the most targeted industries at the moment when it comes to ransomware attacks and other cyberattacks. How do you think OT is doing when it comes to implementing zero trust? And how do you think zero trust needs to be part of that conversation?
Kindervag: I was just at the big S4 conference in Miami, which was about OT, two weeks ago, and there's a lot of pushback of people saying, “Well, you can't do zero trust for OT.” I was on a panel with a number of luminaries and we're like, “Well, why can't you? Why can't you apply a strategy to this particular technological problem?” And the answer is you can and I've done it, but that is a business that's very entrenched in the old ways of doing things. And so it's hard for them to transition into new thinking, but it's happening. It's happening with great frequency. And it's important, because as I talk to people who are very knowledgeable about the threats to those environments. Colonial Pipeline, for example. There's a lot of Colonial Pipelines that are in the process of happening. One of the one of the governmental people that I talked to said, the malware and the tools to disrupt these industrial control systems, these critical infrastructure systems are already embedded inside of these environments and we're just waiting for these malicious actors to turn them on. They've already built in all of the stuff to take it down. And the only thing that's keeping them from taking it down is the desire to flip the switch. And that's a scary thought. So you see, in the news, attacks that have happened where the attacker was in there eight or nine months, and no one noticed. That's unacceptable, right? How can that be? And the answer is because you don't have the controls in the right place, looking at the right thing, you don't have enough street lamps. If you remember the old joke about the drunk guy looking for his keys, and the cop says, “Hey, I don't see your keys anywhere around here.” And he says, “Yeah, I lost them way over there.” “Well, why you crawling around in your hands and knees over here?” “Well, the lights so much better.” And that's what we're doing. We were just looking where the illumination is, and not adding enough streetlights. So you have to have more streetlights.
Schwartz: Colonial Pipeline, that was the billing server, right? The OT, I think didn't get hit, but they couldn't build customers for the product that they were giving them. And so they proactively said, we're just going to shut it down until we can charge our customers again. But you were talking about an attack surface, I think was your term before, not just the data but the message for OT is to think about this in the bigger picture.
Kindervag: The protect surface is what I was saying, Mathew, so we can invert the attack surface down the protect surface. For Colonial Pipeline, the billing systems should have been protected, the PLCs that run it have to be protected. So there's multiple things that you need to protect. Instead of worrying about all the attacks that are in the world, because that's too big of a problem, worry about the things that you have that you need to protect. And now you've taken this massive problem, and chopped it down into small chunks. And each chunk is solvable.
Schwartz: Speaking of chopping things down into smaller pieces, I suspect that might be your answer to my next question, which is just what are the big missteps you commonly see when it comes to zero trust? And I'm thinking about this as we go into RSA as well, because I think zero trust is going to be one of the big topics that we discussed there. And what would you advise organizations that are still pursuing this or should be doing better to make their life and their sanity nicer?
Kindervag: People seem to think it's a technological problem. And it's not, it's a strategic problem. And so they want to buy a product. So I'm often on the calls with people. And we bought widget X, Y, or Z, where do we put it? How do we use it? I don't know. What are you going to protect? Well, we haven't thought about that yet. Well, then you're going to fail. Because every zero trust environment has to be custom made, or I'll use an English word for Anna. Bespoke! Everything is bespoke. For the protect surface, I often use a tailor analogy. So you have to figure out what you need to protect, you design the pattern for it, you cut it out, and then you sew it. It'd be like, here, I've got my sewing machine, and I'm going to sew something up. And now I have to find the person who fits the garment. That's what we do in cybersecurity today, as opposed to say, let's find the person who wants the garment and tailor make it for them. There's a 5-Step Model that you use to do that. And if you follow that, you're going to be successful. And one of the things that I did since I've last talked to you Mathew, is I was on the President's NSTAC zero trust subcommittee. NSTAC is the National Security Telecommunication Advisory Council. It's got a lot of leaders of big companies who are on the NSTAC itself, and then they sponsor research. And so we did want a subcommittee on zero trust and trusted identity. I was involved, but also the federal agencies, who are some of the key stakeholders like CISA, NIST, DISA, DOD, and the NSA, and we all synthesized a report that's been delivered to the White House about this. And I really look at that as the authoritative document now because if you follow the things in that document, it has the 5-Step Model, it has the maturity model, it has the Kipling method policy construct, then you're going to be successful. But it's usually starting in the wrong place, starting at the technology, listening to a vendor who if you buy my product, you're going to have zero trust. It's not like you have zero trust, zero trust is a way of doing things. And if I can get people to understand that strategic value, then they will be more successful. And the key to it really is creating the right incentive structure. So I'm much more successful, if I can start by talking to the CEO, or a member of the board of directors or the CIO. But if I'm trying to move it from the ground up, it's harder because people are not incentivized to try new things. They're afraid. What if I do it, and it doesn't go right, I might get fired. But if this incentivization structure comes from the top down, then that worry goes away, and they can be empowered to be successful. That's the people part of the system.
Delaney: John, talking about government and incentives, it's almost a year to the day that the executive order was released. Biden's administration, of course, released the EO on improving the nation's cybersecurity and zero trust plays an important role in that. How are they doing a year on?
Kindervag: The discussions are happening and the plans are starting. It's like everything in a big government, things move much slower than probably everybody wants to. It's hard to turn a battleship. And that's what's happening. It's actually an aircraft carrier, right? It's not even a battleship. It's like, the world's biggest aircraft carrier, and we're trying to spin it around. So there's a lot of movement in that world, just like the NSTAC stuff that we're doing and a lot of thought leadership, and then a lot of planning that is starting. That's probably the right way to do it. We're starting to plan. The government does have an advantage over private industry and that they're generally required to know what their high value assets are, which we can then put inside of a protect surface and start step one of the journey a little bit more easily in the federal government. So that's the good news that they have over private industry, because the private sector often doesn't know or think about what they need to protect. They're so used to just buying technology, trying to protect everything. And as Frederick the Great said, if you try to protect everything, you protect nothing.
Schwartz: Frederick and I go way back, but also with the project methodology that you have there, I would think even in the government sphere, especially in the private sphere, with a project getting some wins, with each phase proving the value, as you go on, you have to almost probably keep selling it as you go, even though a lot of the people on board will be on board with the benefit of it.
Kindervag: Absolutely. And that's why I created a maturity model to track how well you're doing. So that you can see we're becoming more mature in this particular area, on a per protect surface basis. So maturity is a great way to track how well you're doing. I'm not a big fan of trying to say, well, we've reduced risk or something like that, because that's pretty ephemeral. But if I can say you're more mature, because you've done this, based upon specific definitions of maturity, then we can demonstrate success. And we can also plan for projects and greater successes. And this is something that I see in my own practice, where leaders will look at the maturity scores of various protect surfaces and say, hey, I want this particular thing to be more mature. Let's put a project around making this one area. It might be like protecting the Swift gateway if you're in the financial services thing. That's a pretty important thing. Let's make that more mature. And so now you have a project just to do that one thing, and then you can demonstrably prove that you succeeded.
Delaney: Talking on projects, what's next on the John Kindervag agenda? What exciting projects are you working on in the next few months?
Schwartz: Would you like to share with us John?
Kindervag: I think one of the most exciting things is I partnered with ISMG, who you guys know well, right? One of your subsidiaries or brands called CyberTheory, we've created the CyberTheory Institute, which is an independent think tank on various topics around cybersecurity. And the first thing we've done is the zero trust council. So we've got a lot of the top thought leaders involved. And we've been shooting really interesting videos about these topics. They're actually videos, we have dinner, and we have all these interesting people, Greg Touhill, who runs CERT; Tony Scott, the former CIO of the US Federal Government; Chase Cunningham, doctor zero trust, and people like that. We sit around and we have dinner and we talk about these things. And it's like, the audience can listen into these conversations. And they've been very successful with the clients who've underwritten them. I'm excited about that, because it's generating a whole new set of research. And then also for CyberEd, which is also one of your brands, I'm working on training materials around zero trust, and then tying it into some design thinking concepts, so people can understand how you get to these places by thinking as a designer, more than a cybersecurity person.
Delaney: A part of it is getting the message out, being the voice, helping with the education.
Kindervag: Yeah, there's a lot of noise in the market based upon vendor spin. If I'm an MFA company, then zero trust has to equal MFA. If I'm a proxy company, then zero trust has to equal proxy. And those things aren't true. We consume those technologies inside of zero trust. But again, it's the strategic side. The strategic side doesn't resonate with everybody. There are tactical and tool kinds of discussions we can have. But the strategic side resonates with business leaders. And that's what I'm trying to do is articulate the business value to this because that hasn't happened in cybersecurity. We're thought of as the Department of No. And we want to become the enablers of business, because in reality, we're no longer just overhead, we are part of the function of every single business. No business runs without the computer systems running. So for an airline, you can have the three Ps of the airline business - planes, pilots, and passengers. But if the computer is down, that plane doesn't get off the ground. And I grew up working for a little airline, Air Nebraska. Imagine flying Air Nebraska. It's as scary as it sounds. But we hand wrote the tickets back then, and everybody hand wrote tickets. They were in triplicate, and you pulled them off. And it was a very manual process. Well, you can't do that anymore. It all has to be computerized. And so I've been on planes where we're sitting there and the computer system goes down, and we can't take off.
Delaney: It's exciting times for zero trust. You must love watching this evolution, John.
Delaney: I have a final question for you. Buzzwords. We know this industry loves a good buzzword or term. What's this year's buzzword/phrase, five months in?
Schwartz: Good or bad, Anna? Or either?
Delaney: Either. Or one you love to hate, or vice versa.
Kindervag: You go first, Matt.
Schwartz: I'm going be an optimist. And it's only May. So hopefully, something horrible will come along that I can use when you ask this question again. But I did notice the theme of RSA this year, if I'm recalling correctly, is change. And I don't know is that low ball, is that high ball? I do think it's appropriate. Everything's changing so fast. And that includes what we're doing with cybersecurity at the societal level. It's such a big concept, but I'm just going to say change. That's my buzzword. Hopefully, it's a good one. Not a bad one.
Kindervag: Yeah, change is an easy buzzword because you can take it in. Of course there's change. The sun rose, the sunset, there was a change. So you're not going very far out on a limb with that one, are you? The buzzword for RSA this year, in my mind, is shark. Have they jumped the shark? I don't know, I kind of think RSA might have jumped the shark. If you remember that old term from, are you now irrelevant. Just last night, I was talking to a major CISO. And he's like, “Well, I'm not going to RSA this year. I called all my other CISO friends, and they're not going either.” So we're going to see has it jumped the shark? Is it on its last legs? Is it ready to go on the firepit and become barbecue? I don't know. It doesn't seem like people missed it in the last two years. So is it going to be successful or people going to show up? I don't know. I think that's the question coming up in the next two months.
Delaney: See ya next month! I was going to say something around cyber war, cyber warfare, hybrid war. And there's no clarification or consolidation of these phrases. So maybe that's not a buzzword or they're not buzzwords, but I wonder how that debate will change.
Kindervag: We're always in a cyber war, right? Cybersecurity is one of the three adversarial businesses. You have the military, law enforcement and cybersecurity. We all have emissaries and we're all in the same cyber war, because we're all directly connected to the world's most malicious actors. So when a nation-state attacks some company, they're sending a digital missile at that company. Now, they wouldn't do that kinetically, they wouldn't launch a missile at SolarWinds, for example. You wouldn't launch a physical ICBM at SolarWinds headquarters to take it down, but you will want launch a digital missile. So we're already in that cyber war. We just need to acknowledge that, because so many of the attackers are either nation-state attackers, or they're sponsored by nation-states. And whether we acknowledge it or not, that becomes the question is the acknowledgement not the reality that I think is the question that needs to be answered by people like you and your team over there. I have a whole thing I call cyber war with zero trust, because I believe we're all in a cyber war. And if you're fighting a nation-state that has unlimited resources, that's a hard thing to fight, if you don't have the right tools. So you look at the history of warfare, when you're fighting a war with Napoleonic tactics, and suddenly the machine gun is invented. That's a nasty outcome. We're often fighting with really old tools. We're fighting with muskets and they've got machine guns. And we need to up our game a little bit, I think.
Delaney: John, always informative. I think we've got a few more discussions ahead of us. You just dropped so many bombs at the end. I know Mathew's got questions.
Schwartz: You'll be hearing from me, John.
Delaney: This has been absolutely brilliant, though. Thank you, John. Thank you, Matt, for a great discussion.
Schwartz: Thank you!
Delaney: Thank you so much for watching. Until next time!