CyberWire Daily - The current state of the zero trust.
Episode Date: July 29, 2024
Rick Howard, N2K CyberWire's Chief Analyst and Senior Fellow, discusses the current state of zero trust with CyberWire Hash Table guest John Kindervag, the originator of the zero trust idea.
References:
Jonathan Jones, 2011. "Six Honest Serving Men" by Rudyard Kipling [Video]. YouTube.
Dave Bittner, Rick Howard, John Kindervag, Kapil Raina, 2021. Zeroing in on zero trust [Podcast]. CyberWire-X Podcast, N2K CyberWire.
Dawn Cappelli, Andrew Moore, Randall Trzeciak, 2012. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) [Book]. SEI Series in Software Engineering. Goodreads.
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.
John Kindervag, 2010. No More Chewy Centers: Introducing The Zero Trust Model Of Information Security [White Paper]. Palo Alto Networks.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
John Kindervag is an old friend and colleague of mine.
He and I both worked at Palo Alto Networks for the same boss, Mark McLaughlin, the CEO at the time,
who, by the way, wrote the foreword to my Cybersecurity First Principles book that we published last year.
But John just happens to be the inventor of the zero-trust strategy idea.
He published the original white paper, No More Chewy Centers, Introducing the Zero-Trust Model of Information Security, back in 2010, which launched the entire Zero Trust movement.
When John and I worked at Palo Alto Networks together between 2017 and 2019, the Zero Trust
idea had just crested the peak of inflated expectations on the Gartner hype chart and
was starting its descent to the trough of disillusionment, just like every other new
tech idea that comes along.
But I've always been a believer
of the zero trust strategy from almost day one, so much so that I dedicated chapter three in the
first principles book to it. But here we are, 2024, 14 years since John's original white paper.
I asked John to come on the show to discuss the current state of zero trust in the industry today. So, hold on to your butts.
This is going to be fun.
My name is Rick Howard, and I'm broadcasting from N2K Cyber's secret Sanctum Sanctorum studios,
located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland,
in the good old U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas,
strategies, and technologies that senior security
executives wrestle with on a daily basis.
So, John, you and I ran into each other at the Rocky Mountain Information Assurance Conference
in Denver, Colorado, a couple weeks ago.
And it just so happened that on the
schedule for this podcast, I was doing an update on the current state of Zero Trust. And I said,
wow, this is fortuitous. I can get the founder, the main guy who came up with the idea in the
first place to give us a sense on where all this was. So I appreciate you coming on the show to do that.
No, it was great to see you in Denver.
I could hear your voice from the hallway.
I was like, I know that voice.
I know that voice. And so like, you know, a young child following the Pied Piper, I wandered that way.
When you published the No More Chewy Centers white paper back in 2010, you worked for a company called Forrester, a smaller version of Gartner in terms of revenue, but both are prominent research and
advisory firms in the tech industry. But I want to put you in the way back machine before 2010.
What were you thinking back then? What inspired you to develop the Zero Trust model?
Before I went to Forrester in 2008, I was a network engineer and a security
engineer and stuff. And I hated installing firewalls because firewalls had a trust model
where the internal interface was trusted, the external interface was untrusted. And by default,
you didn't need policy to move a packet from inside the trusted interface to the outside, the untrusted interface.
And I bristled about that.
And I constantly got in trouble because I was putting outbound rules.
And I kept saying to people, but, you know, somebody will get inside and, you know, they'll exfil data, and nothing will stop them, and you'll never know. And everybody told me, oh, that's not possible, that can't happen, that's not how the vendor created this.
And so I kept getting in trouble. And when I got to Forrester, you know, they said, what do you want to work on? And I said, I want to explore this broken trust model. So that was two years of primary research from 2008 to 2010 before
I ever published the first report. I'd actually built a couple of prototype networks. I had met
with dozens of people. I'd asked people to poke holes in it. I'd gotten advice. I'd gotten guidance.
And so it was great. It was a great place to do that because I don't think I
could have done that anywhere else but Forrester Research at that time in history because it was
very open to new ideas. And it was like being maybe at Bell Labs in the heyday or something
like that when you just got to do pure research. Get the freedom to think and write and make sense of it all, I guess, right?
Right, right.
So it was just the perfect time and the perfect place
and a great set of life experiences that led me up to that time.
And so it was just something that my leadership was excited about,
even though no one else was, right?
There were a lot of people who, when I published that,
made fun of me to my face.
That's not the way we've always done it was a common theme.
And I would say, yeah, the way we've always done it is working so well.
That's the way it is for all new ideas, John, okay? They run up against the resistance machine, because of that "not the way we've always done it" machine.
Yeah, no. And I discovered that, you know, and then you get a few people who encourage you, and maybe people who don't even want to be known, but they're encouraging and they're telling you this works.
And so it gives you the energy to keep going.
I know you're old and senile at this point, John.
Oh, thank you.
What was the origin of the name?
Why did you call it Zero Trust?
Well, because every interface had a trust level, right?
So internal was zero, external was 100, and every DMZ had to have a trust level between 1 and 99, and they couldn't be the same.
What John is talking about is the way we used to configure the old stateful inspection firewalls. There was this notion of the types of networks the firewall connected to, like the internal part of the network, where all the crown
jewels were located, the internet, where all the bad things were, and these things called DMZs,
demilitarized zones, in between networks that act as a buffer zone between the other two. We used
them to add an extra layer of security by isolating publicly accessible services from the internal network.
You know, like the web server or a file server for public information.
The interfaces that John is talking about here are the physical and logical connections through the firewall.
And he had to arbitrarily pick which interface was more trusted than the others.
Zero was the most trusted interface, 100 was the least trusted, and the DMZs were something in the middle.
So if you had two DMZs,
you'd typically set them up as 49 and 51, right?
And if you had a lot of different DMZs,
you'd just be picking these arbitrary numbers,
trying to figure out which one needs to be less
than the other one,
because that's how a policy is going to be created.
And I said, no, the trust level for all these interfaces should be zero.
There should be no difference.
And that's really where it comes from.
The trust level of each interface should be zero.
We shouldn't have trust in digital systems.
It's a human emotion.
It has no business being in digital systems.
You don't need trust to move from point A to point B.
There's no trust flag in TCP.
And so that's really where it came from.
So from the original idea, if you're trying to configure firewalls to make some sense of a policy, what would you say the core principles of zero trust are today?
It's been 14 years since you came up with the idea.
I know it's worked a little bit, but if you were trying to explain it to my grandma, John, what would you say Zero Trust is?
Well, I always say it's a cybersecurity strategy designed to do two things. One is stop data breaches, which are defined by legal and regulatory entities to mean
the exfiltration of sensitive or regulated data into the hands of malicious actors, and then to
stop other cyber attacks from being successful. And we do this by eliminating trust because trust
is a thing that if you dig out and deconstruct
every single attack, you'll find trust kind of at the bottom of it. Snowden, Manning, anything with
identity stuff, you know, it's because it's a trusted identity. Chelsea Manning and Edward
Snowden have been the poster children for describing something called the insider threat
for over a decade. Insider
threats are trusted employees, contractors, or even volunteers who have access to sensitive data
and systems, but betray that trust by destroying or manipulating the information or leaking it to
the public. Regular visitor to the N2K CyberWire Hash Table, Dawn Cappelli, wrote a Cybersecurity Canon Hall of Fame book on the subject back in 2012.
It's called The CERT Guide to Insider Threats, How to Prevent, Detect, and Respond to Information Technology Crimes.
Manning was a U.S. Army intelligence analyst who leaked classified military and diplomatic documents to WikiLeaks in 2010,
and Snowden was a U.S. intelligence contractor who leaked classified
information to the press in 2013 about extensive surveillance programs run by the U.S. NSA,
the National Security Agency. In our Cybersecurity First Principles book, I make the case that a
well-deployed zero-trust strategy would have likely defeated Snowden's insider threat activities.
And trust is a word that we love. So people fight against that, you know. They fall in love with the word and they don't, you know, they try to anthropomorphize the network. We do that all the time. We say John is on the network, Rick is on the network, but neither one of us are on the network, right?
And so we haven't shrunken down into subatomic particles and been sent over our Wi-Fi to this hosting service.
That hasn't happened.
And it rarely even happens in the movies.
Tron, Lawnmower Man, Wreck-It Ralph.
But remember, even in The Matrix, they got to plug in.
They got to plug in.
That's right. Yeah. So that's the fundamental thing. And the other thing about it is,
it's designed to resonate up to business leaders because it is a strategy.
Well, let me ask you this, John, because we're talking about core principles of your idea, zero trust.
And you're right that Rick can't be on the network.
John can't be on the network.
But would you agree to this, that at a high level, there's really kind of three things that we're worried about, right?
Identities that we manifest on the network, devices that connect to the network.
And I would add software modules that we use,
either open source modules that we use to write our own software
or software that we write ourselves or even third-party software that we buy and deploy.
Those are all things that we're trying to establish zero trust with.
Would you agree to that?
Yeah. And I would add the traffic that flows across from one thing to another, right? So,
you're writing policy against traffic always. And policy is binary. All you can do is allow it or deny it. And so generally the old school was we allowed all, right? We allowed everything by default. And so when you change that model and you say,
I'm going to deny everything by default and just turn on specific allow rules that allows you to
write much more granular policy to say who, what, which is which
asserted identity, you know, that you're asserting is on the network, right? John or Rick is being
allowed to access a resource via what, the application that we're talking about, right? And where is it going to, which is what I call a protect surface, the thing we need to protect, but it's the, you know, the server, the resource, the database, whatever it is. And then, you know, how are we going to look at that traffic before we allow it to come on? And so it's a very simple who, what, when, where, why, and how principle. I call it the Kipling Method because Rudyard Kipling gave us the idea of who, what, when, where, why, and how in a poem in 1902.
Back in 2021, I interviewed John for our Cyber Wire X podcast where he mentioned the Kipling poem.
I had never heard it before, so I looked for somebody on YouTube to recite it. It's called I Keep Six Honest Serving Men about Kipling's
young daughter, her endless curiosity, and how, as we all get older, we tend to lose that sense of
And that's our show. Well, part of it. There's actually a whole lot more,
and if I do say so myself, it's all pretty great.
So here's the deal.
We need your help so we can keep producing the insights
that make you smarter and keep you a step ahead
in the rapidly changing world of cybersecurity.
If you want the full show,
head on over to thecyberwire.com slash pro
and sign up for an account.
That's thecyberwire, all one word, dot com slash pro. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus, you get a whole bunch of other great stuff like ad-free podcasts,
my personal favorite, exclusive content, newsletters, and personal level-up resources like practice tests.
With N2K Pro, you get to help me and our team
put food on the table for our families,
and you also get to be smarter and more informed
than any of your friends.
I'd say that's a win-win.
So head on over to thecyberwire.com slash pro
and sign up today for less than a dollar a day. Now, if that's more than you can
muster, that is totally fine. Shoot an email to pro at N2K dot com and we'll figure something out.
I'd love to see you over here at N2K Pro. And one last thing, here at N2K, we have a wonderful team
of talented people doing insanely great things to make me and this show sound good.
And I think it's only appropriate
you know who they are.
I'm Liz Stokes.
I'm N2K CyberWire's Associate Producer.
I'm Trey Hester, Audio Editor and Sound Engineer.
I'm Elliot Peltzman,
Executive Director of Sound and Vision.
I'm Jennifer Iben, Executive Producer.
I'm Brandon Karf, Executive Editor.
I'm Simone Petrella,
the president of N2K.
I'm Peter Kilby,
the CEO and publisher
at N2K.
And I'm Rick Howard.
Thanks for your support,
everybody.
And thanks for listening.