John Kindervag on the next step in Zero Trust

John Kindervag, now Forrester’s best-known security consultant, is the only speaker to have presented a keynote at all four Bright & Cloudy events since 2013. When, in Utrecht four years ago, the outspoken Texan announced that the traditional way of doing network security, with its trusted internal network and untrusted outside world, was outdated, he at least caught everyone’s attention. But few of those present from the very beginning could have predicted that his insights would change the ever so tempestuous IT security world.

No one can deny the consequences. Only security professionals who have spent the last four years stuck on an island are unfamiliar with the Zero Trust concept. Kindervag now travels the world for keynotes, conferences and consultancy work at the world’s largest multinationals and banks.

Zero Trust with Google and the American government

Last year, Google announced that the internet giant was going to completely overhaul its internal information security and structure it according to the Zero Trust principles. The central premise of BeyondCorp, Google’s version of Zero Trust, is classic Kindervag: the internal network is no more or less trustworthy than the public Internet. Security measures do not depend on network location, but on information about specific data and applications, users, and the associated access rules, also known as policies.

The US government is also convinced. In September of this year, a government commission report was issued following the theft of the personal data of over 18 million people from the computers of the United States Office of Personnel Management (OPM). “If we’d had a Zero Trust approach, the hackers never could’ve done so much damage,” said representative Jason Chaffetz, one of the authors of the report. The report therefore recommends a stricter Zero Trust approach for all federal government agencies.

“The world has awakened”

“You can indeed say that the world has awakened,” says John Kindervag, as he looks out over the misty late morning on the Maarsseveensche Plassen. He says he’s looking forward to the keynote of über-hacker Kevin Poulsen, who will share more about the dark underworld of international cybercriminals during Bright & Cloudy later that day.

The most important development is that cybercrime has turned into almost daily news, Kindervag observes. “Hardly a day goes by without a colossal security leak being revealed somewhere in the world.” Kindervag considers the breach at American retail chain Target, at the end of 2013, as a turning point. “It concerned personal data of 110 million customers and 40 million credit card details. The damage that does is immense. Customers lose their faith in you and stay away. Target calculated that the breach, aside from lost sales, led to over two hundred million dollars in direct costs. The CIO and CEO were fired. The hacks at Home Depot, Sony and OPM also led to damages up to hundreds of millions of dollars. That’ll get the attention of the Board of Directors. But a little too late.”

Basic principles independent of technology

The basic principles of Kindervag’s Zero Trust advice are as elementary as they were when he first presented the strategy four years ago. This makes sense, he thinks: “A good security architecture does not depend on annual trends in new hardware and software.”

This is probably the biggest appeal of the Zero Trust principles. You can explain the handful of main principles on one single PowerPoint slide. The first rule is that every resource in the network, regardless of location, can only be accessed in a secure manner. That sounds obvious, but there are still numerous corporate networks built on the assumption that the firewall on the perimeter of the network keeps hackers at bay. A ground rule that is crucial for the Zero Trust approach is that employees (or the malware they accidentally install on their PCs) on the trusted internal network can be every bit as dangerous as hackers on the Internet.

A second starting point is that access control to data or applications should work on a need-to-know basis 100% of the time. To do this, you will have to classify the data and set up specific rules per user (or group of users): who is allowed to access or modify which data, when, in what way and from what location?

It is not about whether or not people can be trusted

Once you’ve established and implemented these access rules, it is essential that you verify compliance with these rules at all times. So: Zero Trust. This premise is often misunderstood, Kindervag says. “I’m not saying that people can’t be trusted. That’s a philosophical discussion, and I’m not touching that. But it is pointless to ask whether or not packets of information on a network can be trusted. Trust, in this context, is a concept that can’t be used. It is your job, as a security agent, to log these packets, all packets, and inspect and verify whether or not the network traffic in question complies with all access rules and policies.”

The general principles of the Zero Trust approach must of course be made concrete with hardware, software and organizational measures. A supplier like Palo Alto Networks has positioned its next-generation firewalls and TRAPS endpoint security with Zero Trust as the architecture for networks, data centers and the cloud. But Zero Trust is above all a design principle, whose implementation must be completed using specialized tools, platforms and expertise.

Rules of engagement

The tasks and responsibilities of the CSO or CISO and their staff have come into the spotlight in recent years, due to the increasing cybercrime threat. Hackers have a big advantage, Kindervag says. “They don’t do version control, audits, salary negotiations, or RFPs. They can move faster than your IT department. To effectively combat them, you’re going to have to be fast and agile, especially when faced with a data breach.” And according to Kindervag, that is where the problem lies. “First and foremost, you’re going to need the CEO’s mandate, tools and resources to investigate and put a stop to data breaches. The technology to discover data breaches in a timely manner is still lacking in many cases. Research shows that security leaks are repeatedly pointed out to organizations by external parties. It doesn’t happen a lot that an organization discovers a security breach themselves. How can you then expect them to act in a timely and effective manner when the data is being stolen?”

Kindervag urgently advocates so-called ‘rules of engagement’ for IT security departments: giving employees transparent clearances that enable them to immediately take countermeasures to help limit the damage. “We are still too often trapped in procedures that work on paper, but that in practice cost too much valuable time before an IT department can take action. It’s a war out there.”

Automation of the counterattack is crucial

Kindervag also believes that the rules in policies should be so explicit that countermeasures can be increasingly automated. It is no coincidence that this is the idea behind the latest version of ON2IT’s Managed Security Portal. It allows you to link security alerts, based on explicit rules from policies, to automated actions. Why would you want to block a specific IP address or isolate an endpoint when you detect suspicious activity? That also goes for when this suspicious activity relates to the most sensitive category of data, the so-called crown jewels, that every organization has.
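As an added, constructed example (not code from Forrester, ON2IT or Google BeyondCorp), the following ties the policy model from the basic principles above (classified data, per-group rules for who, what, when, how and from where, default deny, every request logged) to the alert-to-action automation just described: a denied request that touches crown-jewels data triggers an endpoint isolation instead of waiting on a manual procedure. All groups, datasets, rules, hostnames and requests are invented.

```python
# Constructed Zero Trust policy check; invented names, not code from Forrester, ON2IT or Google.
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Rule:
    group: str          # who (a user group, or "everyone")
    dataset: str        # what data
    actions: frozenset  # in what way: "read" / "modify"
    hours: tuple        # when: (start, end) inclusive, local time
    sources: frozenset  # from what location: "office", "vpn", "internet"

@dataclass(frozen=True)
class Request:
    user: str
    group: str
    dataset: str
    action: str
    source: str
    at: time
    endpoint: str       # the device making the request

# Data classification; "crown_jewels" is the most sensitive category.
CLASSIFICATION = {"cardholder_db": "crown_jewels", "marketing_site": "public"}

RULES = [
    Rule("finance", "cardholder_db", frozenset({"read"}),
         (time(8), time(18)), frozenset({"office", "vpn"})),
    Rule("everyone", "marketing_site", frozenset({"read"}),
         (time(0), time(23, 59)), frozenset({"office", "vpn", "internet"})),
]
AUDIT_LOG = []  # every request is recorded, allowed or denied

def evaluate(req, rules=RULES):
    """Default deny: allow only if an explicit rule matches every dimension; the office LAN grants nothing by itself."""
    allowed = any(
        r.group in (req.group, "everyone") and r.dataset == req.dataset
        and req.action in r.actions and req.source in r.sources
        and r.hours[0] <= req.at <= r.hours[1]
        for r in rules)
    decision = "allow" if allowed else "deny"
    action = None
    if not allowed and CLASSIFICATION.get(req.dataset) == "crown_jewels":
        # Policy violation on the crown jewels: the alert is linked to an automated countermeasure.
        action = f"isolate_endpoint:{req.endpoint}"
    AUDIT_LOG.append((req.user, req.dataset, req.action, req.source, decision, action))
    return decision, action
```

Note that the same insider request is denied from the office network just as it would be from the Internet: location is only one dimension of the rule, never a source of trust.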

“An order of magnitude more automation in the way we implement our security measures is inevitable,” says Kindervag. He believes it is the future of Zero Trust.
