The Zero Trust Origin story

0:00:00.0 Raghu Nandakumara: I said all interfaces should have the same trust and it should be zero. And that's really where Zero Trust comes from. It's just a pushback against how we were building firewalls which affected policy and there was no reason for it.

0:00:18.5 Raghu Nandakumara: We're back with a new season of The Segment, a Zero Trust leadership podcast. I'm your host Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust segmentation company. To kick off season two, I'm joined by John Kindervag, a man who needs no introduction in the world of Zero Trust. John is widely considered to be one of the world's top cyber security experts. With over 25 years of experience as a practitioner and industry analyst, he's best known for creating the revolutionary Zero Trust model of cyber security. Now, as chief evangelist at Illumio, John is responsible for accelerating awareness and driving the adoption of Zero Trust Segmentation. Today, John joins us to discuss the Zero Trust origin story, where folks go wrong on their Zero Trust journeys, what AI and ML mean for the future of security, and so much more.

0:01:18.1 Raghu Nandakumara: This is The Segment. This is a Zero Trust leadership podcast. And to kick off season two, I think it's only right that we have as our opening guest, the godfather of Zero Trust. I'd say the reason we are actually even having this conversation in this podcast, Mr. John Kindervag, chief evangelist at Illumio. John, welcome.

0:01:45.2 John Kindervag: Hi, Raghu. Always a pleasure to talk to you and excited to be on this particular podcast. This is the most important podcast on the Internet.

0:01:54.5 Raghu Nandakumara: Absolutely. And I think the importance of it has just gone up a notch, John, with your presence on it. So, of course, we'll come on to talking about Zero Trust right back to your time at Forrester in due course. But before that, everyone loves a good origin story and you have a great sort of, I'd say, nickname or title as the godfather of Zero Trust. So how did the godfather of Zero Trust become the godfather of Zero Trust?  

0:02:25.1 John Kindervag: Accidentally, it was just purely an accident. I mean, I've had a lot of jobs. I grew up on a farm and so I've been working since I was a wee lad. And my first paid job, because when you work on when you live on a farm you have a lot of jobs, but you don't get paid, you get fed. But my first real job was as a typewriter cleaner and apprentice repairman. That is a career that I'm glad I didn't stick with because it doesn't exist anymore. Right? One person in the world needs a typewriter repairman, and that's Tom Hanks. He actually has his own typewriter repairman because he collects vintage typewriters of all things. So, I think life is one of those things where if you go on the journey you end up going in different places. And so, for a long time, I was a broadcast engineer because I liked technology and that was the most technological thing on the planet.

0:03:20.4 John Kindervag: Doing satellite uplinks, I did the satellite broadcasts for the Oklahoma City bombing for Reuters and all the international news feeds. In London, I did Sky feeds and all that kind of stuff. And you start to get more and more involved in technology and then the computer world happened. And I started doing computer animation. And what was fun about that was really building the computers more than animating the stuff. And so, I started building really high-end computers on my own. And then this thing called Doom came out. Do you remember the video game Doom?  

0:04:03.9 Raghu Nandakumara: I've wasted many afternoons at high school playing Doom and then falling sick from essentially the motion sickness of 3D graphics at that time.

0:04:13.2 John Kindervag: Yeah, so it was the first game that supported multiplayer capabilities on a network. And so, I convinced my bosses we needed a network in order to transfer files for video animation. But in reality, the files were still too big we had to transfer them on hard drives. He never knew that. But I learned to build ethernet networks so that we could play Doom. And so I owe all my success, I guess, to the folks in Grand Prairie at id Software who created Doom and figured out how to do multiplayer gaming. It wasn't online, of course, the online capability came later. But you would have land parties where people would get together and bring computers and play Doom, and then Quake and other things. So, you see how technology pushes things one way or another. In fact, I was talking to an old school Cisco guy and he said; "You can't believe how much code we had to put into iOS just to support the after-work Doom parties that were happening at companies all over the world." So, we can thank Doom for a lot of the advancements in computers and networks and ultimately cybersecurity.

0:05:32.7 Raghu Nandakumara: So how did you then kind of that move into networking and then, what was then the progression from moving into networking and then to network security?  

0:05:41.7 John Kindervag: When I started moving from broadcast engineering to networking, no one wanted to do security. It was thought of not only an afterthought, but, why would you want to do that? The future is in routing and switching. That's where all the exciting stuff is happening. And I didn't think that was particularly exciting. And somebody said; "We can't get anybody who will take our security job, installing firewalls and stuff." People thought that was stupid. Why would you need that? Well, I'll try that. So, it's just being there and finding an opportunity and just saying yes when somebody needed to get something done. I always try to say yes unless it's kind of impossible to say yes because of time or something. But, you want to give things a try and see where it's going to work out and be inquisitive. So, I was very interested in this thing called security, which really had a couple of products that had antivirus and it had firewalls.

0:06:48.2 John Kindervag: And that was it. And starting the process of installing firewalls really led to Zero Trust. Because in firewall technology, there was a concept of a trust model where the internet was on the untrusted interface and the interface going to the internal network was trusted. And because of that trust relationship, you didn't need a policy statement to move traffic from the internal or trusted network into the external or untrusted network. And I said; "this is insane. People are going to exfil data out of here." And they said; “No, they won't. You can't." And so, I would put it out by rule and then I would get in trouble. Take that out. That's not how the vendor says it's supposed to be done. And I'm trying to explain what we're trying to stop. And I said all interfaces should have the same trust and it should be zero.

0:07:40.8 John Kindervag: And that's really where Zero Trust comes from; it is just a push back against how we were building firewalls, which affected policy. And there was no reason for it. I know the guy who created that trust model and it was arbitrary. He just chose the term trust in his garage when he built a NAT Box, right? So, people don't think about NATing anymore because it's so automated. But at the time, just to turn an RFC 1918 address into a routable address was an incredibly complex thing. And a guy that I know on the West Coast created a software and he actually gave it to a friend of his who created a technology to NAT. And then that guy sold it to a big company and it became one of the early firewalls. And it was that trust model that we're still fighting 25, 30 years on as one of the biggest problems we have.

0:08:42.5 Raghu Nandakumara: I love how you describe that, right? And that sort of almost say light bulb moment, or common sense moment saying, why are we just kind of implicitly trusting what's on one side of the firewall versus saying the other thing is just arbitrarily untrusted? I want to ask you a question. This whole sort of security approach of trust but verify, or sort of however you want to summarize that, right? That’s really been kind of the foundation for how a lot of security strategy has evolved, at least till Zero Trust was conceptualized and has been adopted. But what was the foundation of that 'trust but verify' approach and the amount of investment that went into it to maintain it?  

0:09:28.4 John Kindervag: Well, the reality, as weird as it is, is that in the '80s, the great cybersecurity expert Ronald Reagan used that term in his speech with Mikhail Gorbachev. He said, they were signing, I think, a nuclear proliferation treaty or something like that. And he said, we're going to abide by that old Russian proverb. And then he says the Russian proverb in Russian. And I'm... My Russian, I can never pronounce it correctly, but it's something like prover and I know prover and I. And he said, and that of course means trust but verify which is the literal translation of it. But the essence of it in Russian is we're not going to trust you as far as we can throw you. And that's what he was telling Gorbachev. He said; "All right, yeah. We're signing this treaty, but I'm not going to trust you as far as I can throw you." But people didn't look at the backstory. They knew, "Well, Ronald Reagan says it, so we must do it."

0:10:19.5 John Kindervag: And I'm like, why? People would tell me that all the time. I'm doing this because Ronald Reagan said to do it. What? What does he know about technology? Nothing. Right? And so, and things just happen. And because no one is, is curious, intellectually curious anymore and asks why are we doing that? Who said that? Oh, well, let me look and see what actually happened. There's a YouTube clip on it. You watch that and you go, he is not meaning what you think you're meaning. And so that's where it came from. But there's so many things that become sort of sacrosanct for no reason at all, just because no one knows where they came from. And somebody said it once and then no one questions it. We have a real lack of intellectual curiosity in this world. And that goes for anything that I've ever said, half of which I probably can't remember.

0:11:15.6 John Kindervag: But yeah, you need to validate the things that everybody's saying and see if they're true. Right. I was the only person asking, what's the definition of trust? And that's a really hard thing to define, because up until the '50s, it was only used in philosophical conversations or religious conversations. It was a term of art of those two domains. And I said a number of years ago that trust is a vulnerability that became a saying of mine. And then I found out later, because more stuff got published to the internet that there was a guy named Morton Deutsch, who was a workplace theorist. And in 1958 he said the same thing. I didn't know it when I said trust is a vulnerability, but he defined trust specifically as the willingness of one individual to be vulnerable to another individual. That is what trust is. That's what he defined it in the workplace.

0:12:19.6 John Kindervag: And I think that's such a good definition. And it fits exactly with what I've been trying to say. And so, I'm thinking of a technical vulnerability, that trust is a vulnerability as much as not having your machine patched. It's like the fact that you trust something is insane because it's a digital system and it doesn't need a human emotion, trust, right? That's a human emotion that we've injected into digital systems because we're trying to understand them from a human perspective. We anthropomorphize stuff a lot. We say things like, John is on the network, Raghu and John are talking on the network and they're both on the network. And neither one of us are on the network. We haven't shrunken down into subatomic particles, and we haven't been sent over the public internet so that we can have this conversation.

0:13:07.5 John Kindervag: This conversation is pretty miraculous, right? I remember when the movie 2001 is Space Odyssey came out, again, long before you were born. We're watching that as kids and they're doing a video call from space down to the earth and like wow, is that even possible? A video call? How would that be possible? And so, for years it was impossible. And now the impossible is our daily life. And that is insane in that amount of time that we've seen that much advancement in technology.

0:13:44.7 Raghu Nandakumara: So, before we come on to Zero Trust right? I want to just spend a couple more minutes on trust. So over time organizations have spent so much time and effort in essentially creating and maintaining trusted infrastructure, right? Right from sort of the cabling they lay down in their data centers to the network devices, to then the compute that's attached to that, to then the OS and the applications that run on that, right? So essentially, and then the users that ultimately access that. Do you think that obsession with trying to maintain trust has really hampered both productivity and cybersecurity?  

0:14:28.9 John Kindervag: Yeah, because they become complacent. Right? So they, I was in Germany right before the pandemic. Germany, Switzerland. Some place that spoke German, and they were having a long discussion in German about trust, and they were trying to define it. And they came up with a word. And he says, Oh, it just means lazy. People are lazy, and they don't want to do anything different. So, they'll trust it, right? If I think this is a trusted environment, I don't have to do anything to it. I can be lazy about it. And I remember saying that to a CISO when he said he did trust with verify. I said, okay, I get what trust is, it means you're not going to do anything. But what are you doing to verify when he said trust with verify? And he said; "Oh, nothing, because they're trusted users. So it'd be rude to verify."

0:15:19.5 John Kindervag: Okay, so you're actually doing absolutely nothing in cybersecurity. That's wonderful to hear. And I've seen that over and over again, where there's almost literally nothing happening. And yet people are pontificating about all the important things they're doing when in fact, they're doing almost nothing.

0:15:39.9 Raghu Nandakumara: I love how you just expressed that trust breeds complacency. And taking that approach, ultimately, is no progress in cybersecurity. In fact, it may be a regression. So, let's kind of talk about Zero Trust now. And referring to sort of two, I'd say seminal papers that you published when you're an analyst at Forrester, no more chewy centers and build security into your network's DNA, the Zero Trust network architecture. Of course, the motivation behind those was beyond just that picture of a firewall with a trusted and untrusted interface and saying, this is really stupid. Talk to us a bit more about the motivation behind those papers, and what you are were seeking to capture when you published those.

0:16:24.5 John Kindervag: Well, when I was at Forrester, at the time, doing innovative research was really important. We had... I remember my first day of my analyst training class, Ellen, the lady in charge magnificently brilliant person, a physicist. She wrote up on the board our job description. And it was three words; "Think big thoughts." So, I worked at a place that incentivized big thoughts and thoughts that were disruptive. And that gave you the opportunity to go places that probably you would have been afraid to go in other organizations. So, I was tasked with a question; why isn't cybersecurity working? Right. And that question was asked in 2008. And after two years of primary research I published 'No More Chewy Centers'. In going around, I realized, Oh, all of these cybersecurity incidents, data breaches, they were all caused by the exploitation of this trust model which I consider, I always call it the broken trust model.

0:17:31.5 John Kindervag: Because it's not the trust model, it's broken trust. And so that culminated in two years of giving speeches and webinars and test marketing it and going out to experts that I know poke holes on this. There were a lot of people who said; “I don't like the idea, but I don't see anything wrong with it.” Some people said, "Wow, this is amazing." So there was enough encouragement to go, okay I'll keep going with that. And that's how all the research at Forrester went back in the day. And so, it's all about incentives in life, right? Charlie Munger, who was Warren Buffett's partner, the less known of the two of them, but he died a few weeks ago. And he said that all the time, everything's about incentive. Tell me how people are incentivized and I'll tell you how they behave.

0:18:22.0 John Kindervag: And we have a lot of perverse incentives in cybersecurity. We're so afraid to break things, right? We have this CIA triangle. You're familiar with the CIA triangle. What is it?  

0:18:34.0 Raghu Nandakumara: Absolutely.

0:18:34.0 John Kindervag: What are the three things I'm going to, you're going to get quizzed back.

0:18:39.0 Raghu Nandakumara: At least this is something I know, and this is thanks to all the CIS training I've done over the years. C for confidentiality, I for integrity, A for availability.

0:18:50.3 John Kindervag: Right. And it's supposed to be this equilateral triangle, right? Except it's not. What's most important there? Are they all equal?  

0:18:58.5 Raghu Nandakumara: That's an interesting question. So, when I speak about this, and I speak about this to customers and prospects, what I say is; “are they equal?” They obviously care about protecting their data, the integrity of it, but they're most afraid that; “oh well what if my application breaks?” So, they obsess about availability. So, it's you can't put in security unless you can absolutely assure me the availability is not going to be compromised. So, depending if you ask the application owner, their response will be, I care that my application functions and then I care about the other things.

0:19:27.6 John Kindervag: Yeah. So, I would say that availability is so important that it's now, I don't know, what is that? An isosceles triangle? Where you have a one really long hypotenuse that's availability, right? And then integrity. I'm not even sure what that means anymore because of hashing. And it's pretty easy to control the integrity of your data. But I joke that the C now stands for compromise. We have a lot of highly available compromised networks. because dwell time, we had this conversation a couple weeks ago, how much dwell time? What's the data on dwell time? How long are the bad guys in your organization before they get caught? Right? And it's, what were you saying the latest data was from IBM.

0:20:11.6 Raghu Nandakumara: From IBM's this year's data breach report, organizations take on average 277 days to identify and then contain cyberattacks.

0:20:23.0 John Kindervag: There you go. 277 days. So that if C stands for confidentiality, it's not a very, it's a lowercase C, right? It's actually that, that they're compromised there for 200 and somewhat days. That's almost a year for almost a year. The bad folks are in your house. I joke that it's like the trust model is this. If I'm sitting down watching TV with my wife and I see some dude getting beer out of the fridge, I go, "Honey do you know that person getting beer out of the fridge?" And she goes, "No, I don't." I said, "Well, he's able to get beer out of the fridge, therefore I can infer that he's supposed to be here. So, we should make up the guest room." Will you go get clean sheets and I'll go change the bed. That's what happens in these organizations. It's the wrong inference because you're able to get on the network. You should be here, not should you be here. And if you should be here, we'll put you on the network. That's the problem. And so, all significant security events and 100% data breaches are functionally an exploitation of this broken trust model.

0:21:35.6 Raghu Nandakumara: Absolutely. And I love the analogy you provided there. So you are at Forrester, you write these two bits of seminal research. And I know for a fact that when I was designing security controls for private cloud at a previous employer, one of our security practitioners literally came round to me at a workshop and put a paper in front of me and said, "Raghu, this is what we need in our private cloud environment." So, you wrote that. What was your expectation as to what practitioners would do on the back of that?  

0:22:10.9 John Kindervag: My expectation was pretty low. I think you realize in that role that you're just trying to get an idea out there that maybe will percolate. I didn't think that this Zero Trust stuff was going to take off the way it did. It certainly wasn't catching on fire early on. But then there were a few key people that I can't really talk about, few key designs that I worked on, and I realized, wow, there's more people reading this and listening to this and now wanting to talk about it than I realized. And then ultimately, I was standing at a big conference for one of the largest networking and cybersecurity vendors in the world, just a massive conference. And the number two guy at this whole company was giving a presentation on Zero Trust. And a friend of mine was standing next to me.

0:23:00.1 John Kindervag: He said; "You realize your whole career from here on out is Zero Trust." And I said; "No, it's not." I was covering SIM and doing a lot of interesting research on the future of encryption and other things. And he said; "No, it is." And it turns out he was right. So, I guess I got to give him a lot of credit too. He saw it before I saw it, but, it's something that really resonates up to the highest levels of any organization. So, I was on a call earlier this week with a foreign government and somebody... it was part of a ministry, that's related to cybersecurity. And they said; "Oh, when you come over here, we have to get you in front of the prime minister." That was his comment, right? The fact that this is a thing that the president of the United States has issued an executive order on. Governments like Australia and Singapore have issued directives to move in this direction. It is pretty insane to me, a kid from a farm in Nebraska, right? My entire life's goal growing up was to not get up at five in the morning and feed cattle. So, the bar was really low and I haven't had to get up and feed cattle at five in the morning for a whole lot of years. So, I'm very thankful for that.

0:24:16.1 Raghu Nandakumara: Well, that story, I think is why you are the godfather. Hey, your career going from henceforth is going to be about Zero Trust. So the question I have then is that when you kind of observed going after 2010 and the reaction to Zero Trust and some of the commentary around it, were you frustrated that the uptick was slow? But also to some extent, there was a lot of naysayers saying, actually this is impractical.

0:24:49.8 John Kindervag: No, I wasn't. First of all, I liked that the uptick was slow, because for a while I was the only person doing it. So I got to make all the mistakes myself and then write about those mistakes and tell you what they were going to be, so you don't have to do them. And I thought that was a valuable thing for someone in my position to do. So in step two of the five step model, if you read about that in the N stack report or anything, you'll see that came out of a big disaster that we had because we didn't know how the system worked. And somebody took out a server because they said it was old. That was the criteria. It was old and it brought down an entire network. And so, you have some of those disasters and it's better that I have them.

0:25:31.2 John Kindervag: Then they happen simultaneously all around the world and everybody's going, man, you screwed everything up. So, to be able to be the person who says, don't do this because it's dangerous, or do this because it works, is very gratifying. And then, you just time it. This is such a young business, we think that, people, oh, I've had somebody say to me once, I've had 30 years of cybersecurity experience and I kept thinking, oh boy, I bet all that SNA (systems network architecture) comes in handy. And I tell people I have six months of cybersecurity experience, right? I have the last six months, I have the next six months, and then everything else is war stories because this changes so much. So, if I'm doing things the way I did a year ago, that's probably wrong because everything has changed.

0:26:25.0 John Kindervag: A year ago we didn't see this revolution of generative AI that has come about. And we didn't see where it was going, and we certainly weren't thinking about the security implications of it, nor were we thinking about the opportunities that we can use this stuff in security. So now we have one new technology that's totally gotten everybody thinking about it. Everybody. I know this is recorded, but last night I moderated a panel on AI and cybersecurity. And one of the things that I pointed out was Henry Kissinger, who died recently at 100 years old, his final article that he ever wrote of all the things he has ever written was about AI and its ability to kind of end the rational way we think and do was essentially the essence of it. It's in the Atlantic. Everybody should go read that. It's a fascinating view from somebody who's seen the world and it's both beauty and ugliness up close for 80 years. And I thought it was a fascinating read.

0:27:40.0 Raghu Nandakumara: Yeah, and I love the expression of essentially my experiences the last six months and the next six months. And the rest is war stories, right? That allows us to stay fresh and stay relevant. I'd like to, before we move on, just talk, you spoke about learning. It allowed me to learn from the mistake so that everyone else doesn't have to. What were other significant mistakes in the Zero Trust strategy that you observed that you have now rectified or at least kind of rationalized in your own head that you feel has improved and made it more palatable, more adoptable?  

0:28:22.6 John Kindervag: The biggest mistake that I see, and it was always tempting, was to go too big too fast. Everybody is now trying to do it all at once for their entire organization and really codifying the concept of a protect surface. In the five-step model. The first one is ‘define your protect surface.’ And early on it was called ‘define your data.’ And there was some problems there, which is where people said; "Well, I want to use Zero Trust for other things than data protection." Its real initial goal was to protect data and make the network a powerful data security enforcement point. And so, as I got to think about it and I realized, oh, there's a lot of stuff happening in this industry that is kind of, I don't know, specious in a way, like attack surface mitigation. I look at the attack surface and I think, oh man, that's like the universe.

0:29:16.4 John Kindervag: It's constantly expanding. I mean, there was a big bang in technology and it was the creation of the computer chip, right? And everything that happened in 1957, I was with Jack Kilby who got a Nobel Prize for inventing the integrated circuit, which is the precursor for that. I was with him the day he won his Nobel Prize. So I got to meet him and talk to him about how that happened and everything. And from 1957, because Bob Noyce also invented a different version of the integrated circuit the same year. And they agreed to consider themselves each a co-inventor of the computer chip. But since that day in 1957, which isn't really that long ago, we've seen this big bang where everything is expanding and exploding. And so, once you have the internet, it just grows and grows. I'm old enough to have met one of the guys who did the original domain, I don't know what you would call it when you... It's kind of like the original domain registrars, I guess you would say.

0:30:22.4 John Kindervag: But it was just two guys going around with a physical notebook and writing down, "Oh, you want to be www, right?" The internet was so small they could keep it in a notebook and write it down on paper. It was a guy named John Postel. And, he's dead now, but Rodney Joffe, who's an old friend of mine, the two of them were just writing it down. I mean, that's insane. And that wasn't that long ago. The first password was done in 1961 at MIT, this is all very, very new in comparison to the history of the world. It probably took longer for the wheel to be adopted than it did for the first website to be created. So, we're behind that a little bit. And the innovation is so exciting that securing it is so far behind. It took... Buildings were being built for thousands of years until Hammurabi in his code wrote about how if a building falls down and kills somebody, we're going to execute the builder, and created what we think of as structural engineering and building codes, right? That's something we haven't done yet for the internet and for networks and held people accountable for not doing things the right way. Hammurabi did it. We need to find our Hammurabi somehow.

0:31:41.0 Raghu Nandakumara: Right. And so when you look at... Nowadays, when I think we've kind of gone from Zero Trust being this novel idea and the feedback being actually that's not really going to work. It's not really adaptable to now, the narrative being they agree that Zero Trust strategy is absolutely the right thing, but it's very difficult to adopt. When you hear that today, what is your reaction and what is your response to that?  

0:32:10.6 John Kindervag: I think a lot of people make it sound more difficult than it is and make it more complex. It's very simple, right? There's four design principles and there's a five-step model to do it. So, there's nine things that you got to know. It's designed to be very, very simple to do. I got a call earlier in the year from a friend of mine, general Greg Tohill, who was the first, he's a retired Air Force general. He was the first CISO of the U.S. federal government. And he is over at CERT now. He runs CERT and we all know what CERT is, right? Over at Carnegie Mellon. But he called me up and he said, John, "Why are people making Zero Trust sound so complicated?" And I said, and we call him General Zero Trust. So I said, "Gee general, I don't know.

0:32:55.0 John Kindervag: I have no idea why people are making it sound complicated." Because I read stuff that other people have written about it. And I go, wow, I'd be scared to do this too if I hadn't already done it. Right? And I've had arguments with people. I had an argument with a guy at a networking event about Zero Trust, and he knew who I was, but he wanted to argue because he's getting his PhD in Zero Trust. I'm like, what? Why would you need a PhD in that? Just go out and do it. Right? But he was arguing with me about it because of things that he'd heard or read in his coursework. I said, no, no, no, no, no, no, no, that's not right. And no, but, and I said, have you ever done it? Well, no. Okay, well then you should do it.

0:33:37.4 John Kindervag: This is experiential. Our whole business is experiential. We are not in an academic business. If packets don't move from point A to B in a safe and efficient way, then we have failed. And it doesn't matter what we've written about what packets should or shouldn't do, the fact that they did or didn't do it is what's important. And so I think the important thing is, open up your laptop. The idea of a laptop too is still crazy to me because my first computer was a K Pro 484, which was transportable, it was made of metal and it weighed about 25 pounds and you can move it from place to place. And it had a 14.4 bod modem in it, and it had a 40-megabyte hard drive. 40 Megs. Wow. That was state of the art. So, this has all come very, very fast, and you have to get out and do it. You wouldn't want a mechanic working on your car who's never worked on your car before, but they have a PhD in auto mechanics that would be disastrous. Oh, gee, I thought the spark plugs were supposed to be over here. It says they're here in the, in this book. Right? And you're like, so yeah, get your hands dirty.

0:35:02.3 Raghu Nandakumara: I really like that because it's... You are speaking from a place of experience of someone who's not only essentially crafted the theory of Zero Trust, but then has actually refined that through years of practice. And as you said, kind of making mistakes and then learning from that to adopt, to develop a more refined model that makes it easier to adopt. Right? And no doubt, as more and more practitioners deploy a Zero Trust strategy, right? That will continue to evolve over time. And what we think of as a strategy today, may not be it tomorrow. So moving on from that.

0:35:41.5 John Kindervag: Well actually, there's one comment there. Because remember, Zero Trust has two big areas, strategy and tactics. And so strategy of the big idea behind it. I don't think that that's going to change.

0:35:53.0 Raghu Nandakumara: Yeah.

0:35:54.8 John Kindervag: I think what you mean is the tactics, the way we do it, right? And one of my mentors who was an Air Force colonel who was the chief strategist, chief strategist of the first Gulf War, who taught me about strategy and how to think about it, said everybody confused strategy and tactics. They think they're being strategic, but they're being tactical. And that's a big thing to understand is what is strategy and what is tactics? Tactics are stuff, things that you do, right? So, when you're touching technology, that's tactical, right? That's the essence of it. It's tactics. We can feel it. Strategy are these ideas that have guiding principles to achieve a mission goal or a grand strategy. And so understanding that is pretty important. And the success of Zero Trust isn't related to the tactics. I was just using commercially available technology, but I was using it in a way that that leadership, whether that it was governmental leadership, military leadership, business leadership, could understand how you could develop cybersecurity systems that would achieve a mission goal or a grand strategic goal.

0:37:16.1 John Kindervag: And someone from the military wrote once that the biggest thing John brought to cybersecurity and Zero Trust was the concept of grand strategy, which no one had ever talked about before. And that's what people miss all the time. "I've been doing this forever. I've been using multi factor authentication." Sure, you have, but you didn't know why you were using it, right? And so it's answering that question, ‘why?’ And not just because I want to authenticate people, but because I want these certain business outcomes to happen in a way that grow my business in specific ways.

0:37:52.4 Raghu Nandakumara: Yeah, I agree. And words are important. You're absolutely right. I meant sort of the tactics may evolve over time, but the strategy is, the grand strategy is as kind of you've defined it, that should be fairly, fairly constant throughout. So I want to move on to something now that you touched on earlier, which is the focus from various governments globally and the US being the most prominent, but we spoke, you mentioned Singapore, Australia, the UK as other examples. So first off, what is it that has kind of triggered that movement to adopting a Zero Trust strategy and really codifying that? We've been having these massive cyber incidents, these cyber breaches, for a huge number of years. So what is it that's really forced the U.S. government as an example, to take Zero Trust so seriously over the last two to three years?  

0:38:51.8 John Kindervag: Well, it was the OPM data breach, the Snowden, the Manning, the Texeira stuff, stuff that was very damaging. And it made the government wake up and go, "Oh, cybersecurity is also counter espionage in a lot of ways." And so we've seen these movie plot scenarios, and now they're playing out. In real life, and we have to get in front of them is kind of how they look at it. There's a lot of work in quantum resistant encryption and that kind of thing where they're trying to get out in front of something that doesn't really exist, which is quantum computing. But they understand that once it does happen, it's going to be incredibly damaging in the short term if we aren't prepared for it. So I think one of the lessons of technology is to try to get prepared for the worst-case scenarios earlier on, as opposed to much later after it happens.

0:39:49.7 Raghu Nandakumara: So I know you've been involved, or very heavily involved, in the CISA NSTAC reports, the recommendations to the president around Zero Trust and identity. And I want to pick out two of the conclusions of the four conclusions. I just want to discuss or have your comments on two of those conclusions. And one of them, it reads that sort of the U.S. government risks Zero Trust becoming an incomplete experiment, a collection of disjointed technical security projects measured in years, rather than the foundation of an enduring, coherent and transformative strategy measured in decades. So, what is the challenge with these sort of these small pockets of experiments? Is the intention here now to have that sort of uniform approach to Zero Trust?  

0:40:31.6 John Kindervag: I think the intention is to get people moving in that direction. I talk about it as if we're all heading in the same direction, or all generally heading north, right, towards the North Star, if you're in the northern hemisphere. You head towards the Southern Cross if you're in the southern hemisphere. But if you're all heading in the same direction, even though there may be a lot of parallelization here, you'll end up in the same place, you'll eventually converge. And so that's what I think is exciting, is that we're all sort of heading in that same direction. That NSTAC report is sort of the North Star of where we should go. And we're actually not seeing quite as much fragmentation as I thought we would. We delivered that report in February of 20, February 23 of '22. Right?  

0:41:18.6 John Kindervag: And we'd originally delivered it on February 22nd. So we could say it was 2/22/22. And then there had to be a revision. So it became 2/23/22. But anyway, that's just a weird thing that no one else thinks is interesting. But me, but what we found is since that time, every single federal government agency has a Zero Trust program management office and a Zero Trust program director. And so that is a huge movement, you've got somebody dedicated, that this is their job to get done. And so you've changed the incentive structure in a year or so. And again, incentives are super important. To go back to Charlie Munger, people will behave according to how they are incentivized. And the incentives are in place. And so that means that the outcome is ultimately going to happen in the right way. Will it take 10 years?  

0:42:13.7 John Kindervag: Will it take three years? I don't know. I've been playing the long game on this for a long time, because I realized that, at least in my view, the internet is going to be around for a while. Right? So it's not going anywhere. We don't have to hurry up and fix it before it dies or something. It's not like at my age where I got to hurry up and fix things. Because, if I don't, I may not be around early. So the internet is going to outlive me. And Zero Trust is going to outlive me. But I hope that it gives people a North Star to move towards and to be able to figure out ways to protect their data and their assets and their applications and their services. It's not about how you do it generally as a conceptually as a reference architecture.

0:43:00.4 John Kindervag: It's about how you do it specifically for this one particular data type that you have in your organization. And then you move on to the next data type, or the next application. And you do it incrementally, you do it iteratively. And by doing it in these small chunks, taking cybersecurity, which is a big problem, breaking it down into the small consumable chunks. Now, you've also made it so it's not disruptive. If you screw up, you're going to screw up something that's so small that most people won't even notice. And to me, that's the advantage is you don't have to be afraid of it. Throughout my career, I knew it was going to be successful when I would do some of the early workshops and early discussions. And there will always be somebody who was just like hating on it hard, just hard, and almost to the point of wanting to provoke a battle.

0:43:51.0 John Kindervag: And I had to learn to stay calm and just calmly answer their questions and go through everything. But there was always a moment I could see the light bulb just click. And suddenly that particular person would become the biggest advocate of what they were just fighting against a few minutes ago. I saw that at a conference where I was just standing at a flip chart, and I was drawing something for somebody else. And somebody walks up and goes, that's complete and utter whatever, let's say nasty comment that they made. And I'm like, "Oh okay, well, what do you think?" And the guy who I've been drawing it for who had just said that, he said, he turned the page over, he said; "No, you don't understand." And he's like, because I just been having the same conversation. So it went from me, defending Zero Trust and showing this person why it worked to him showing somebody else why it works. Right?  

0:44:42.5 Raghu Nandakumara: Yeah.

0:44:44.8 John Kindervag: And so it was seeing those little light bulbs come on over time over and over again. And realizing that it partially was fear that I'm going to have to learn to do something else. My job is going to change. I don't like change. Partially, it was... And I heard this all the time; “That's not the way we've always done it.” And my answer was; “well, gee, the way we've always done it hasn't really been working too well, has it?” And then thirdly it's “I don't want to do anything new or more I don't want to work harder.” And if I could show them that I was going to make it easier for you to do it. There was one guy, he said to me, we argued for more time about Zero Trust than it took me to build the first Zero Trust network. And he said: "It happened so quickly.

0:45:33.3 John Kindervag: And it was so stable, that I just went on vacation right after that." It's that people couldn't believe I was going on vacation. I said, "Yeah, I can go on vacation, this is working." And if there's a problem, you can call me up, but you can intuitively figure out how to fix it. And that was a key moment – there's just been these points on a line where you go, Oh, the picture is starting to draw itself out through individual experiences with different organizations, who each had different problems, but they were able to apply the principles to the business problems and achieve success.

0:46:08.8 Raghu Nandakumara: John, I’m just going to... I just want to say, right, I think that those last almost five minutes or so, I think you so beautifully encapsulated why the strategy is important, the how you should approach it from a tactics perspective to make realistic progress towards that. And also the bit about once that aha moment, that light bulb, once sort of your opponents have that light bulb moment, they almost become your strongest advocates, right? And I think that if you don't listen to anything else in this episode, that those are the five minutes that you need to digest. So I want to move on to something else. And you again, you touched on it in this last bit about sort of culture.

0:46:48.2 Raghu Nandakumara: And I know your friend, George Finney, who wrote a book last year around Zero Trust, that I believe you wrote rather forwards to he speaks a lot about this about culture. So again, this is one of the other conclusions from the NSTAC report, which is to realize Zero Trust as a true strategy that meaningfully transforms cybersecurity outcomes over the next decade and beyond, the U.S. government must take a series of policy actions now to institutionalize a culture of Zero Trust. So, what does a culture of Zero Trust mean? What does it represent?  

0:47:20.8 John Kindervag: Well, I think the first thing that it means is that it brings people together to achieve this grand strategic goal using Zero Trust. So I remember I was doing an early Zero Trust workshop for a big company. I had 70 people from 17 different departments. All 17 departments hated each other. They were rivals inside the company. And they all hated me. And they hated that they had to be there. By the end of it, we had broken down a lot of those barriers. And we had figured out how to create a collaborative thing. And I always suggest that people create something along the lines of a Zero Trust center for excellence, where they bring in not just technologies, but leaders too.

0:48:07.3 John Kindervag: Because those leaders can make it, "Okay, I know I'm supposed to do this, but I'm scared, what if I do it wrong?" Will I get fired? But if you have a leader come in and tell you that you have to do it, that takes the burden off of it and gives you again, that correct incentive. So I once had the Chief Legal Officer sit in on a workshop, and everybody's like; "Why is this person here?" Well, that person's job was to protect the intellectual property of the company, the patents that generated hundreds of millions of dollars in revenue. And he had no idea how to do that. And so, when he sat through this, a three-day workshop, it's down to one day now. But at the time I was a little more verbose, I suspect, and trying to figure it out, quite frankly.

0:48:44.4 John Kindervag: And he sat through the whole thing. And then he said; "Okay, I'll be the champion, I'll find the funds, you guys go out and do it. And you can't get in trouble if you're doing something for the chief legal officer to protect the patents of your company. Right?" And so it's finding that air cover or whatever to do it. And so that's what the executive order from the president has given them. Like the U.S. federal government has the Zero Trust inter-agency exchange, which is a group of CISOs in the United States. The U.S. federal government who have come together to share best practices, they have created the culture themselves, because they needed to right, the fact that they had a common North Star, a common mission objective meant that they had to figure out the culture.

0:49:30.2 John Kindervag: And we're seeing that over and over again. The newly released Australian cybersecurity strategy document that came out has one mention of Zero Trust, but it says, we have to move towards creating a culture of Zero Trust. Right. So a lot of that comes from training, from experience, from doing some laboratory work, from talking to other people, and then mostly figuring out what you need to protect. So it creates some transformational outcomes, because now you go through an exercise of understanding what's important in your environment, what should you protect, so you know why you're doing it, and then you have to figure out how am I going to protect this once I know what to protect.

0:50:16.5 John Kindervag: In general, we've traditionally just been trying to throw as much technology at the problem as possible and hope that we catch something, right? If we just put everything out there, like I had one client, I have one client, or, I guess, in my previous job, they had 11 Hops to the internet, 11 Hops to the internet, all of them security technologies, trying to make sure that nothing bad happened. And the bad thing was, it was an unusable environment. Do you realize how long it takes to get anything done when you have 11 Hops? You're going through like three firewalls and two different IPSs and two different web content filterings. And a WAF here and there. It's just, it was unbelievable. And they knew it was unbelievable, but they didn't know how to solve the problem. Because they didn't know what they were trying to protect. And they didn't know exactly why they were doing it. They just thought if they could get more of it, it would be better. More is always better. Right.

0:51:17.7 Raghu Nandakumara: Yeah, absolutely 100%.

0:51:19.7 John Kindervag: That's true in barbecue. So it must be true in cybersecurity.

0:51:21.7 Raghu Nandakumara: It's probably easiest to answer the question, what couldn't go wrong? That's probably possible on one hand. So moving on John, before we wrap up, right? How do you see the relevance of Zero Trust to accelerate cloud adoption, right? It's a hot topic. Cloud security is kind of the hot topic in cybersecurity. And of course, right? The other thing that you already touched on earlier is the relevance of Zero Trust to generative AI, large language models in use by both organizations and potentially by attackers as well. What role does Zero Trust have to play in sort of in all of these?  

0:52:10.2 John Kindervag: Well, I think most importantly, in the cloud, when you understand that the cloud contains data or an asset or something in there, a workload, whatever you want to call it, that's important to you, that's regulated. And it's not generally protected. You hear all the time, that we have a shared responsibility model. But at Forrester, I think we came up with a better term, my friend James Staten came up with it. And he called it an uneven handshake. Yeah, they're providing some basic help for us. They're making sure the hypervisor is patched. And there are some tools that I could use to sort of manually to secure things. But in general, I'm not transferring the risk of security to the cloud provider. I'm just storing the data there. I'm just using their hypervisor for economic purposes, primarily.

0:53:05.2 John Kindervag: And so, I'm still in charge of securing that workload, whatever is contained in that workload. And a lot of people are starting to understand that now. And we've seen some significant cloud data breaches that are usually called misconfigurations. And that would be another discussion for a different day. But just the native controls that you have aren't sufficient against modern attacks, as I talked to people who are pen testers, some of them very legendary, but they don't have any trouble getting through the native cloud security controls, and it's hard to manage those controls in a ubiquitous way across multi-cloud environments, because each one has a different management construct. So management, right, the care and feeding operationally, of whatever you're doing in security, is the biggest cost that you're going to have.

0:54:06.5 John Kindervag: It's not acquiring technology, it's carrying and feeding it, right? You've got kids, you know this. Acquiring the kids was not that expensive. Carrying and feeding for them the long-term care, and it just keeps going on and on and on. And it's never done. Yeah, that's the bigger cost acquisition. Acquisition was easy. Operations, that's hard. And so we have to realize that. And so that's the first thing as it relates to the cloud. And then AI, yeah, it may be able to create some really sophisticated attacks. But there's big guardrails on the internet called TCP/IP and the OSI model, right? So they can't really go beyond that they can go, it's much more damaging, potentially culturally, than it is to networks, because actually, we'll be able to use AI types of technologies.

0:55:05.0 John Kindervag: And my favorite definition of AI that I've ever heard comes from a mathematician friend of mine who says; "AI is statistics plus if statements." And I really like that one, because it's so precise. So AI only works because we have really, really fast computers, and we can gain more of them together, so that we can do this. And it looks like it's intelligent, when in fact, it's just computational. But we can use those same technologies to figure out what stuff we can... Should be allowed and quickly respond to things that are attacking us. So it gives us an advantage against the attackers, as much as it gives the attackers an advantage against us. And especially when we create Zero Trust policy, which starts with the default deny, and then we explicitly allow certain traffic to happen.

0:56:00.9 John Kindervag: So John can only get to resources that I'm allowed to get to. And there's other things that I can't get to. And if I think I should get to them, I have to go to the help desk and ask for access to it. So I'm pretty locked down. And that's fine. That's the way it should be. But we give too much access to too many, too much data, for no reason at all. That's why Snowden and Manning and Teixeira were able to do these big data breaches, not because the security was inherently bad. But because they had access to resources, they should have never been able to touch or see. And certainly, they should have never been able to download an exfil.

0:56:42.9 Raghu Nandakumara: So, John, before we wrap up, the really the most important question of this podcast of this conversation. In the eponymous film, Kindervag, the real godfather, who plays you? And who's the director?  

0:56:51.4 John Kindervag: What? We don't want that film. That would be really, really boring. Ask my wife. I think that that's actually, I don't want anybody to ever play me in a film. That would be weird. I want people to focus on the ideas and not on the person. Right? Sometimes I want to get out of the way. I wanted George Finney to write the book Project Zero Trust. It started on my couch. And I've had opportunities to write books. But the reality is, if it all comes from me, then it's not as important of a message. But if more people adopt the message that aren't you, then it becomes a more powerful message.

0:57:35.8 John Kindervag: And the message is the important thing. So I'd like there to be a documentary about the success of Zero Trust, stopping ransomware or something. That would be cool. To show all the things that I've seen where people have sent me screenshots of, look, this ransomware truck tried to move around in my network, but it only ever got on one machine. And then it couldn't go anywhere else. And we were we found and so we just looked at the all the telemetry, all the pings trying to go out onto command and control. We're able to isolate it immediately and clean it up. That's the documentary. That's the movie that I want to see.

0:58:13.6 Raghu Nandakumara: Well, John, I might just know someone on Netflix who would commission that.

0:58:17.4 John Kindervag: Okay.

0:58:18.1 Raghu Nandakumara: Thank you so much, John. It's been such a pleasure to speak to you as always illuminating, informative, and a great load of fun. Thank you.

0:58:23.1 John Kindervag: Thank you, my friend.

0:58:27.7 Raghu Nandakumara: Thanks for tuning in to this week's episode of the segment. We'll be back with our next episode in two weeks. In the meantime, for more Zero Trust resources, be sure to visit our website, www.illumio.com and find us on LinkedIn and X using the links in our show notes. That's all for today. I'm your host, Raghu Nandakumara and we'll be back with more soon.

‍