Yubico Q&A with John Kindervag, creator of Zero Trust and Senior Vice President at ON2IT

Zero Trust has truly come of age in the last 12 months, but there are misconceptions relating to what it is, where to start on the journey, and how organizations can achieve a Zero Trust environment.

To further explore this topic, we recently sat down with John Kindervag, the creator of Zero Trust and current Senior Vice President, Cybersecurity Strategy and ON2IT Group Fellow at ON2IT Cybersecurity, for a Q&A to discuss the origin of Zero Trust, where we are now as an industry, and what the future holds. 

2021 quickly became another year of massive data breaches. While the security industry has amplified the call for Zero Trust, isn’t there still confusion in the enterprise about what the term is and what it isn’t? 

Yes and no. It’s easiest to establish what it is not: Zero Trust is not a product. If anything, confusion among enterprise buyers can be attributed to vendors conflating their products as the answer to Zero Trust. 

I believe most CISOs “get it”. I spent the last decade speaking with security leaders who helped me create the concept of Zero Trust. Zero Trust was established on the principle that no network user, packet, interface, or device—whether internal or external to the network—should be trusted. As a result, CISOs began focusing their cybersecurity strategies on the “protect surface”, which is orders of magnitude smaller than any “attack surface”. This answers the fundamental question of Zero Trust: “What do I need to protect?” I’m proud of the fact that Zero Trust strategic concepts have not changed since I created the original concept and many of those early security teams have transformed their security posture since then. 

But let me fully answer your question. The definition of Zero Trust is a strategic initiative designed to stop data breaches, which is the exfiltration of regulated or sensitive data into the hands of malicious actors. Data breaches get CISOs, and potentially their CEOs, fired. I doubt there’s any confusion there.    

Has the move to public cloud complicated matters for cyber security teams who are implementing Zero Trust? 

COVID only accelerated the move to the cloud. Organizations are so focused on moving fast that they’ve arguably become more insecure. 

Too many organizations are transferring the broken trust model that was designed for internal networks (and didn’t work there) and applying them to the cloud.  The cloud is not inherently more secure than your other IT environments. It may provide some uplift in that things like patching are taken care of automatically by the cloud provider. Additionally, cloud workloads are more scalable, and it may be much faster to get a new system up and running in a public cloud environment.

But remember, your organization is responsible for the security of all the data you put into a cloud environment. There is this myth that there is a “shared responsibility model” That’s not true. At Forrester Research, we called this the “Uneven Handshake.” Security is YOUR responsibility. If there is a data breach of your data, the cloud provider will very clearly announce to the world that it was YOUR responsibility to secure that data, not theirs. Please, the native security controls built into the cloud environment are very lightweight. All attackers know how to bypass those controls, so you will need other, third-party technology to build a secure cloud environment. This would include identity controls, next-generation firewalls, and cloud monitoring controls. If you think of the cloud as merely a hypervisor owned by a third party, you will get some insight into how to properly secure your cloud instances.

For security teams trying to apply Zero Trust concepts inside their organizations, where should they get started?

Zero Trust is a journey best taken one step at a time. Identity is also consumed within Zero Trust policy but it is not equivalent to Zero Trust. Identity is important and fundamental to understanding a packet, but just deploying Identity elements does not mean you’ve met the strategic goals of Zero trust. 

Identity is arguably the first line of defense to a strong cloud security foundation. Multi-factor authentication, protecting user credentials, and protecting devices are all essential components of a Zero Trust architecture. 

Arguably  identity is also one of the most challenging things to get right for security teams. The concepts behind identity management are far more advanced than what most organizations are actually capable of consuming from a cyber security perspective. In fact, most cyber security teams are really only looking for single sign on and federation right now so that’s a reasonable starting point but there’s a long way to go still when it comes to Zero Trust-specific identity concepts.   

Can you elaborate further on why you  state we still have “a long way to go still when it comes to Zero Trust-specific identity concepts” and what companies should be doing to make progress?

We must get strong validation of user identity by binding the verified user to a strong phishing-resistant authenticator (business fraud is at an all-time high). Identity access management policy systems need to be better aligned with Zero Trust policies that allow security teams to more easily and thoroughly manage the “protect surface”.  We must have continuous validation of identity based on verified/attested strong signals. We must find new ways of analyzing the behavior of the user and perform step-up strong authentication if the signals are weak. And we must make sure that all of the systems play nice with one another in the identity sandbox. And lastly, we must think about how malicious actors are going to try and subvert identity. These are all tough issues our industry needs to tackle head-on and we have not addressed them at scale. 

In fact, the issue of secure identity has a massive impact on the security of our supply chains. To that point, President Biden recently signed an executive order to create more resilient and secure supply chains for critical and essential goods. 

How do you think Yubico and YubiKeys can help companies with their Zero Trust strategic initiatives?

Having strong authentication is a foundational security component of a Zero Trust architecture. Yubico and YubiKeys help fill the gap, for example, where weak passwords have been used, by providing validated, phishing-resistant security keys   Having the user credentials bound to the service significantly increases the security posture.

To learn more about how to begin assessing where you are on your Zero Trust journey, or why strong authentication is a critical part of Zero Trust, tune in to our latest on-demand webinar with the CISOs of Hudson News and Allegiant Air, Zero Trust and the Critical Role for Strong Authentication.

Share this article: