Father of Zero Trust John Kindervag: ‘It’s a culture, it’s a strategy’

The only way to defeat the soaring epidemic of hacking and scams on firms is to implement Zero Trust rules, says the principle’s creator John Kindervag.

In May 2022 US President Joe Biden signed an executive order to improve the nation’s cybersecurity and protect federal government networks. It specifically calls out a directive for federal government agencies to develop a plan to advance towards a Zero Trust architecture.

Kindervag developed the Zero Trust model in 2010 while working as a principal analyst at Forrester Research.

“The first rule of Zero Trust is the same as the first rule of Fight Club, you don’t talk about it”

A Zero Trust architecture is a broad framework that promises effective protection of an organisation’s most valuable assets. It works by assuming that every connection and endpoint is considered a threat. The framework protects against these threats, whether external or internal, even for those connections already inside.

In a nutshell, the Zero Trust security model ensures data and resources are inaccessible by default and that users can only access them on a limited basis under the right circumstances, or in Zero Trust parlance: least-privilege access.

The cost of cybersecurity attacks is rising

Kindervag was in Dublin recently during a visit to Vodafone’s operations. He partners with the mobile giant to provide Zero Trust as a Service to businesses and organisations large and small around the world.

The visit was timely when you consider the impact of the hacker attack on the HSE’s network last year when the health organisation was hit by a ransomware attack.

A little realised fact is that all businesses in Ireland are under some kind of cyberattack most of the time. A whopping 95% Irish small and medium-sized businesses experienced a cyberattack over the past year, according to research commissioned by Typetec and conducted by Censuswide earlier in the year.

Not only that but nearly 90,000 Irish SMEs have had data stolen in the past 12 months, while over two-fifths permanently lost data in the same period, according to research on SME business owners in Ireland carried out by Censuswide in association with Datapac and cybersecurity and backup specialist Datto.

New figures from FraudSMART, a fraud awareness initiative led by the Banking and Payments Federation (PBFI), reveal that businesses have suffered an average loss of €14,000 as a result of invoice fraud stemming from the confusion in the market caused by KBC and Ulster Bank exiting the market, giving fraudsters ample cover to dupe unsuspecting firms. In some cases individual companies lost up to €50,000.

Many attacks stem from unsuspecting executives falling prey to fraudsters. In reality, businesses are leaking cauldrons of data when you think of the myriad devices from smartphones to laptops as workers embrace hybrid working. Could Zero Trust methods be the answer?

“Zero Trust business strategy is designed to prevent data breaches and to make other cybersecurity attacks unsuccessful,” Kindervag explained. “It does that by focusing on what you need to protect. If you have a network perimeter as the basis of your cybersecurity then you are trying to protect everything. But, as Frederick the Great said, if you try to protect everything, you protect nothing.

“So what we do is we focus on specific data sets or specific sensitive assets and we put them into what’s called Protect Surfaces. This is the inversion of the attack surface; we shrink the attack surface down by orders of magnitude to something very small and knowable.”

Prioritise what must be protected

In essence, a business needs to decide to protect specific things more closely than others. “It could be something like a credit card database and that’s what we are going to protect in this particular instance. By doing that we can put the right controls around it, with the right policy and the right monitoring to make sure that only authorised people and validated traffic is able to go in and out of that particular protect surface. It reduces the ability of an attacker to access that important information and to do something malicious with it.”

When it comes to SMEs protecting vital data sets, Kindervag says it has to be baked into the company culture that there are somethings that must be protected at all costs.

“It’s a culture. It’s a strategy. It can resonate to the highest level of the organisation, it can be tactically implementable and it can be delivered as a service.”

Another aspect of Zero Trust is that it helps mitigate the possibility of human beings making mistakes.

In the case of the HSE or other high-profile cyberattacks, the Achilles Heel was often an unsuspecting employee clicking on a link.

“It’s about giving human beings guardrails so they don’t get into a situation where they get in trouble. From a technological standpoint we can use the technology to protect individuals so that they use their data or assets in a proper way. But they will get stopped if they use it improperly; so they don’t end up in jail.”

The tech tools that provide these guardrails include next generation layer seven firewalls, email gateways that protect against phishing and more.

“It’s really dependent on the very thing you are trying to protect. Almost every technology has a place in the ecosystem if it contributes to uplifting the security of a particular protected surface.”

In essence, under Zero Trust a business may put a strong security layer on everything, but it must prioritise the most important assets that must be protected at any cost and deploy the appropriate defences.

The problem of course is doing Zero Trust at scale. The methodology is however being widely adopted across the chief information officer (CIO) world as well as SMEs and organisations that have valuable data assets to protect.

Kindervag believes that by providing Zero Trust as a managed service to organisations that scaling question can be answered. “We are seeing a wide adoption. It is such a hot topic right now.”

One of the major concerns of the cybersecurity world is the shortage of talent. “It is hard to find people and even in our company we’re having trouble finding people; there’s just not enough people to provide the infosec engineers. But Zero Trust is not being taught in schools. It’s not being taught in universities because they are not scaled to it. Zero Trust is really like a lot of cybersecurity and experiential events; you can learn about it academically, but until you experience it you’re probably not going to really understand it.”

More businesses are adopting Zero Trust but don’t advertise the fact, he says.

“The first rule of Zero Trust is the same as the first rule of Fight Club, you don’t talk about it,” Kindervag concludes.

“And so a lot of the big Zero Trust environments I’m not allowed to talk about. We’re at the tip of the ice-berg but there’s a lot more below. And you can tell by the President’s executive order, that didn’t come out by chance. That’s because all of the cybersecurity-focused agencies have been pushing Zero Trust for a long time.”

John Kennedy
Award-winning ThinkBusiness.ie editor John Kennedy is one of Ireland's most experienced business and technology journalists.