How John Kindervag got the last laugh on zero trust

“The first reactions to zero trust were, that’s a dumb idea. You’re an idiot. It’s never going anywhere,” John Kindervag, the creator of the framework, tells IT Brew.

In 2003, John Kindervag, godfather of zero trust and renowned cybersecurity expert, was fired from his job.

“I actually got fired from a job for putting outbound rules on firewalls because that’s not the way the manufacturer suggested that you do it,” Kindervag said, adding that his workplace didn’t want to do anything that would go against what vendors recommended.

Kindervag, now chief evangelist at cybersecurity company Illumio, said the termination was the “best thing” that ever happened in his career. Just a few years later, Kindervag joined Forrester as a senior analyst of security and risk management. It was there he authored a paper on zero trust, a framework in which companies ditch the assumption that a device or user can be trusted and instead treat them like a potential threat. Zero trust challenged former ways of thinking and helped originate what has essentially become cybersecurity’s golden rule today.

King of the Forrester. IT Brew caught up with Kindervag to discuss why it was important to introduce a new security model in the industry 15 years ago. Reminiscing on the early years of his career, Kindervag recalled plenty of bad firewall policies and a security model that trusted internal operations, with no rules on outbound traffic.

“I said, ‘Well, guys, what if somebody gets in and they’re gonna steal data, and we won’t know?’ and people thought that I was completely nuts for saying that,” he said.

The disconnect caused Kindervag to study the concept of zero trust for roughly a decade before joining Forrester, where he was encouraged to explore unconventional ideas in security.

“We had a motto: Think big thoughts,” Kindervag said. “It was a great opportunity to be at a place where they allowed me the freedom to explore ideas that other people thought were, quite frankly, incredibly stupid.”

With years of primary research, Kindervag chipped away at forming the framework, building prototype zero-trust environments and previewing the concept during public speaking opportunities.

“I got a lot of great feedback and some good ideas, but nobody could say, ‘Well, this won’t work because of X, Y, or Z,’” Kindervag said. “There was no technical reasons that this wouldn’t work.”

Zero to hero. While zero trust is championed within the cybersecurity industry today, Kindervag said he was met with a tough crowd when his report on the concept was published in 2010.

“The first reactions to zero trust were, ‘That’s a dumb idea. You’re an idiot. It’s never going anywhere. Why’d you write this report?’” Kindervag said.

People and organizations praised Kindervag behind the scenes, but he said it wasn’t until the 2015 Office of Personnel Management data breach, which exposed the data of 21.5 million people, that the industry woke up. A subsequent investigative staff report on the breach recommended the Office of Management and Budget provide guidance to government agencies about zero trust. Additionally, former Rep. Jason Chaffetz, who was chairman of the Oversight and Government Reform Committee at the time, penned an article endorsing the model.

“You started seeing it all over the federal government and when the federal government starts to do it, everybody else in the world says, ‘Oh, okay, well, we need to catch up,’” Kindervag said.

Duncan Greatwood, CEO of Xage Security, pointed to the advent of cloud computing as another factor that increased zero-trust adoption.

“People stopped thinking that all of their important stuff was inside the company, so inside the perimeter or inside the castle wall,” Greatwood said. He added that the increase in cyberattacks involving lateral movements was another driver.

15 going on 30. Today, Kindervag said his job is far from over. He’s now focusing his time on educating people about zero trust so that organizations can continue to embrace the framework. Last year, a Gartner survey found that 63% of global organizations have either fully or partially implemented a zero-trust strategy.

“There’s a lot of people who want to do it, but they’re scared to do it because they misunderstand it,” Kindervag said. There is a lot of misinformation about zero trust, largely from vendors looking to “redefine zero trust based upon the product they’re selling,” he added.

Greatwood said zero trust is “mainstream at this point,” but he thinks some companies struggle with implementing it in their entire organization.

“There’s been a lot of adoption of zero trust with respect to remote work…but then as you go deeper into the organization, we’re often seeing situations where zero trust has not been so widely adopted deep within the internals of the company,” he said.

Anetac security platform co-founder and CEO Timothy Eades has a different take on the beloved security framework. He said IT infrastructure within organizations is growing more fragmented and distributed, making it essentially impossible to deploy the framework over so many independent services. For IT pros entrusted with cybersecurity, that can make zero trust a hard goal to reach.

“Zero trust is an ambition,” Eades said. “It’s a North Star, so it’s something you can steer towards, but you don’t get upset if you never achieve it.”

However, Kindervag is no stranger to naysayers. He said technologists tend to come around to the idea of zero trust later than corporate leaders because they focus too much on the technology as opposed to the actual idea of zero trust.

“We want people to be strategic thinkers [and] to be system thinkers, so that they can understand the value and how this is going to make their job easier over time.”
