In today’s episode, the Creator of Zero Trust, John Kindervag, joins Matt on the show to discuss implementing Zero Trust in your organization. While at Forrester Research in 2010, John developed Zero Trust, promising adequate and effective protection of an organization’s most valuable assets.
Today, John talks about the driving force behind Zero Trust, the concept of the Protect Surface, and Kipling Method Policies. Why is trust a vulnerability? Hear about Zero Trust, Shadow IT, and get John’s recommended resources.
· [02:20] About John.
· [05:29] How does John define Zero Trust?
· [07:45] Why is trust a vulnerability?
· [09:56] The Protect Surface.
· [12:32] Kipling Method Policies.
· [17:22] The roadmap to Zero Trust at scale.
· [22:56] It’s the inspection that matters.
· [28:26] Zero Trust in the Cloud.
· [31:33] Shadow IT.
· [38:54] Tracking specific metrics.
· [40:58] John’s resource recommendations.
"We can never stop cyber attacks from happening, but we can stop them from being successful."
The Zero Trust Learning Curve.
Antifragile, by Nassim Nicholas Taleb.
On Grand Strategy, by John Gaddis.
Winning in FastTime, by John Warden.
ISMG: https://ismg.io
Secure applications from code to cloud.
Podcast Intro (00:00):
This is the Cloud Security Today podcast, where leaders learn how to get cloud security done. And now your host, Matt Chiodi.
Matt Chiodi (00:13):
If there's one topic that's hot right now in the security industry, it's Zero Trust. And unfortunately, that means there's also a lot of marketing hype around the term. So on today's podcast, I am super excited that we have John Kindervag. Now, for those of you who don't know, John is the creator of Zero Trust, so if there's one authority to go to, to actually cut through all of the vendor FUD, it's John Kindervag. And I think you're going to love this conversation, so I encourage you to get the pen and paper out if you still use those, get your notepad out, get your computer out, and get ready to take some notes. Because John is going to dispel the myths, the rumors, and get down to how you actually do it, step by step: there's a five-step approach to implementing a Zero Trust strategy in your organization. Enjoy the episode.
Commercial Break (01:08):
John, thank you so much for joining us today.
John Kindervag (01:14):
Hey Matt, it's a pleasure and a delight to catch up with you over this podcast.
Matt Chiodi (01:22):
I'm really excited about this topic and as you and I were discussing before we started the recording, I usually have maybe eight questions or so for guests, but I have almost 16 for you. So let's see how far we can get here in the next couple of minutes.
John Kindervag (01:37):
Yeah, we might have to do a part two?
Matt Chiodi (01:39):
Thanks for the idea; we'll do that if we need to. For those that don't know you, this is actually a funny story: I remember when I first met you, we were both at Palo Alto Networks and I didn't know that you were the creator of Zero Trust. And I had this conversation with you, and I actually said, I don't know if you remember this, but I actually said something about Zero Trust and how Google created it with their BeyondCorp. And you gave me a very kind response that basically said it wasn't Google. Do you remember that conversation?
John Kindervag (02:15):
I do not, but I've had many conversations like that in the past.
Matt Chiodi (02:19):
Well, why don't you tell us a little bit about yourself, where you're at now at ON2IT and your role there as Senior Vice President of Cybersecurity Strategy?
John Kindervag (02:29):
Yes, I'm John Kindervag, I am the person who created Zero Trust. I did it when I was at Forrester Research, where I was for eight and a half years. I was a VP over there, and I actually wrote the original paper in 2010; it was called "No More Chewy Centers", but I did it after two years of primary research. So from 2008 to 2010 I was working on it, I was giving speeches, I was testing it. I did a lot of test market stuff to see how it was going over. I went all over the world and talked to people about it, to see what the flaws were, what I needed to rethink, and all of that kind of stuff. And eventually, after I had done that work: at Forrester there's a paywall, and one of the reasons people don't know that I did that work was because they never read the report, because it costs money. And so after Google came out with BeyondCorp, I needed to get outside of the paywall.
I went over to Palo Alto Networks because it was, in my opinion, at that time and still today, the best technology stack for building Zero Trust environments. Most of the early Zero Trust stuff I built with Palo Alto Networks technology. I went over there for four years to be the field CTO, which was actually the first ever field CTO. I was like, what's a field CTO? And René Bonvanie, the CMO, we just made that up right there, and I Googled it and there was nobody else that was given that term. And now there's a bazillion of them, so I guess I pioneered a title too. I went over there for four years and it was a great experience, but I wanted to be able to make Zero Trust easier to consume as a managed service. And that's why I went over to this company ON2IT. ON2IT is a Palo Alto Networks reseller in the Netherlands, that's how it got started.
I got introduced to them by René Bonvanie, the CMO at the time of Palo Alto Networks, back when I was still at Forrester. And so I'd known those people for a long time; they built some innovative stuff to manage and automate these types of environments, their entire managed service is based upon a Zero Trust model. And it just seemed like the best place to get the next part of my Zero Trust journey on the road. So you have to kind of think about, when you're involved in a big movement like this, where has it got to go? Where does the movement have to go? People say, how are you going to evolve Zero Trust? No, where am I going to help drive the movement is the better question. And I'm driving the movement towards greater adoption, that's what I'm trying to accomplish.
Matt Chiodi (05:29):
So there is a ton of FUD in the market around Zero Trust. It's become, as you know, just insanely popular, at least as an idea to talk about; marketers love to throw it in with everything that they're talking about with their products. So as the creator of Zero Trust, how do you define Zero Trust?
John Kindervag (05:52):
Well, quite simply, Zero Trust is a cyber-security strategy designed to stop data breaches, which is the exfiltration of sensitive data from your networks or systems into the hands of a malicious actor, and by doing so it will also stop other cyber-attacks from being successful. We can never stop cyber-attacks from happening, but we can stop them from being successful, but it's really focused on stopping data exfiltration, stopping data breaches, the movement out.
A breach isn't when somebody gets in. That's our idea in cyber-security, "we were breached"; no, you were intruded upon, because legal and regulatory entities like GDPR and CCPA define breaches as when data that is sensitive or regulated is infiltrated from our systems. So the strategy is aligned to a grand strategy of stopping data breaches, because having a data breach is the only thing IT can do to get a CEO fired.
And if there is a data breach in your organization, you had rules and policies in place that allowed it to happen. This is about reaching up to the highest levels of the business with a strategy that they can understand, so they can become the champions of it and drive it down technologically. Zero Trust, the strategy part of it, and the tactical part of it are decoupled, because I realized a long time ago that the technologies were going to get better and better over time, or at least I hope so. But the strategy doesn't change; it shouldn't change unless some radical thing happens, and that has turned out to be true.
Matt Chiodi (07:43):
Hmm, so why is trust a vulnerability? I can remember a long time ago, I won't say when it was, when I was a firewall admin at many multinational companies, and we had this whole concept of trust zones, right? There was low trust, medium trust; low trust zones were like DMZs and things like that. Why is trust a vulnerability?
John Kindervag (08:10):
Because once you're authenticated in the system, the trust model allows you to get anywhere on that particular system. And those trust zones are arbitrary, and they affect the rules. So, if you look at Snowden or Manning, what was their exploit technique? They just leveraged the trust model, right? So it doesn't take any new kind of malware to exploit trust; trust is also an exploit technique, so you just have to be on the network. And as a former pen tester, I know you can always get on the network. It's what you do when you're in the network that's important, and it actually goes back, and I didn't even find this out until last year, after I'd been saying trust is a vulnerability for a long time. I finally found a report that was written in 1948, an academic document by a guy named Morton Deutsch.
And that was his whole thing; he defined trust as one individual's willingness to be vulnerable to another person. And I thought, well, that fit with what I'd been thinking for a long time. So trust is something that we don't need in cyber-security; it's a human emotion that's been injected into cyber-security for no reason at all. Digital systems don't have people on them; they have packets that are asserted to come from somebody else. So trust is a useless concept, and all it does is enable attacks and data breaches.
Matt Chiodi (09:53):
I love that. I was reading some of your blogs that you've put out there over the years, and they are numerous, but one of the things that you talk a lot about is the protect surface. What is that? What is the protect surface?
John Kindervag (10:09):
Well, we have the concept of the attack surface, right? And the attack surface is a bit like the universe; it just continuously grows. When we hear about something like Log4j or the vulnerability in the CPU, you see, wow, now we've just increased the attack surface. And we talk about reducing the attack surface, but it's impossible to do that because all these other things happen, and whoever wrote Log4j never thought that there was a vulnerability in it, probably. They were just doing the best job they could at the time, and then somebody figured out, well, we can do this and that and the other thing. So the attack surface always expands. Well, the way you solve the problem is you invert it, and you invert it by focusing not on the attack surface but on the protect surface: what are we going to protect?
So if I shrink the attack surface down orders of magnitude to something very small and easily known, I get a protect surface. And this is something that I learned when I was a QSA; I'm a recovering QSA for PCI, right? And I say I'm in recovery because PCI is a 12 step program; for those of you who've done it, you would know that. But in PCI, the only thing that was in scope was the PAN, the personal account number; we were trying to secure a single binary string. And that was very, very refreshing to me, and I would go in to help and consult on some things and there'd be some complaints: "our PCI assessor won't 'descope' anything." And I would go in there and talk to the person, and the person would say, you don't realize they're doing bad cyber-security practices in all these other areas.
And I'm like, yeah, I get it, but your job is to focus on this one thing, this one cardholder data environment; that's the only scope of this assessment. And they would get frustrated because they wanted to fix everything, but that wasn't their job. And I realized that if you just took one problem, you could fix one problem, but you couldn't fix the whole thing all at once. So you take a massive problem and you break it down into very small solvable problems; it's a "you eat the elephant one bite at a time" kind of consumption metaphor.
Matt Chiodi (12:32):
So I was looking at a blog that you did while you were at Palo Alto back in 2019; it was called "All Layers Are Not Created Equal". And in there you got a little bit philosophical, and the first subtitle is "How the Principles of Journalism Help Define Zero Trust Policy". So I think, I don't know if this is where you first came up with the idea of a Kipling Method policy. Tell us, what is that? Maybe bring it down a little more pedestrian for those that have not read the blog yet.
John Kindervag (13:03):
Yes, I talk a lot about Kipling Method policies, because it's a name that I gave to the way in which you write policy for Zero Trust. So Rudyard Kipling gave us the concept of who, what, when, where, why and how in a poem in 1902, and I might be able to recite it here; you might get free poetry today.
Matt Chiodi (13:23):
This is a bonus episode for sure.
John Kindervag (13:25):
"I keep six honest serving-men; they taught me all I knew. Their names are What and Why and When and Where and How and Who." And so that little poem that he wrote for his daughter to explain his job gave us who, what, when, where, why and how. And as I traveled the world for Palo Alto Networks, I realized that this one concept translates across every culture, every language; you didn't have to explain it, and everybody knew it. And so I could define a policy; I could say a 'who' statement, who should have access to a resource, and that would be identity, but at a higher level. So it would be, instead of the source IP address that you would normally put in a firewall (because I'm an old firewall guy, and the first thing was always the source IP address), it would be, say in Palo Alto Networks terminology, User-ID.
So now I've defined a high level, very granular, specific thing called a User-ID, and I can authenticate that with multifactor authentication. And of course that's what a lot of people think Zero Trust is, just the identity authentication part, but that's just the 'who' statement. And then the 'what' statement is: by what application are you going to access the resource? So that's App-ID in Palo Alto Networks terms, a layer seven replacement for port and protocol. And this is if you're writing it in a next-generation firewall, which I call a segmentation gateway. You can use the same construct in a lot of different technologies, but this is just an example. So now we've got the 'what' statement: who, what, when. We could have time-limited rules, and we should; we should do more rules that are turned off when people aren't using them, but that's another story for another day. 'Where' is the location of the resource that the 'who' is accessing, so that's the old destination IP address.
Now we've got a higher level version of that. 'Why' is left over for metadata around classification or anything else that we can do. I think there's a huge movement in data security, and if we had metadata around that, so if you're using DLP and you say so-and-so is classified, that could affect the way the rule is automatically created. And then the 'how' statement is the criteria about how you're going to deal with the packet before you allow it to move on. So you would turn on IPS types of functionality or sandboxing or DLP or whatever; in Palo Alto Networks terminology, that's Content-ID.
So if all those things that we define are true (and I actually created this in 2016; I started using it in my clients' work), if all those things are true, then we'll allow it, or else it will automatically be denied. And so Zero Trust is a set of these very granular allow rules using this Kipling Method policy construct, and what it gives you is a very easy to create rule. I can create a grid, and I've had CIOs, I actually had a CEO, write a rule once about what he wanted to have happen. So anybody can write the rule, anybody can read the rule, and it makes it really easy to audit. And it's just a complete change from the nomenclature and the way we did it in the old days, which was very difficult to figure out how you were going to create policy in network technologies. But now we can do it in any technology that has a policy construct.
Matt Chiodi (17:19):
I love that response. Now I will tell you that the first thing I'm thinking about is how do you scale this? And I know we talked about the concept of moving from the attack surface to the protect surface, and I know you've consulted with probably hundreds or thousands of organizations on this. If you're talking to a Fortune 100 company, multinational, massive networks, how do you scale this? Like, how do you go from basically full trust, the traditional model, to Zero Trust? I would assume that this is not something that happens when they go and they buy an NGFW, they buy this or that; there's so much more to this than just the technology and the product. Maybe the question really is, what does the roadmap typically look like to get to Zero Trust at scale? And again, we're talking Fortune 100 type companies. What does that look like?
John Kindervag (18:15):
Yes, I mean, you eat the elephant one bite at a time, right? So it is a journey, and I actually wrote a blog post about the Zero Trust learning curve. Maybe you can link that for your readers, but I created a curve where the vertical axis is the sensitivity of the resource and the horizontal axis is the time on the journey, and the journey goes on forever; it's not a project, it's a journey. And so early on, what you're going to do is focus on one thing: every protect surface contains a single what's called DAAS element. DAAS is a term that I created; it stands for data, applications, assets, or services.
You're going to put a single DAAS element inside of a single protect surface and build out Zero Trust one protect surface at a time, so it's easily consumable. So you might have a data set like PCI, you might have an application like Salesforce; it doesn't really matter. They're all protected the same way, so I'm giving people a model, a design paradigm that they can then go and work from, and it's repeatable. So in the first step of the five-step model, you are defining the protect surface, and that protect surface will only have one DAAS element. And so early on you'll do something that's low sensitivity, so that if it screws up, you start all over again. The key here is to give people the opportunity to fail and learn, learning protect surfaces, and then you'll practice a little bit. You get to Zero Trust the same way that you get to Carnegie Hall: you practice, practice, practice.
So you focus on some things that are a little bit more sensitive, but still not mission critical. And once everybody has confidence in their way of doing it, you'll focus on the protect surfaces that contain your high value assets, your keys to the kingdom, the crown jewels, whatever you call them in your organization. I used to tell people to start there, and then experientially I learned that was bad advice, because it was easy to break a system, because you were working with people who weren't around when the system was built, so they didn't really understand the system. And I remember once I was working on a retail environment for PCI, but we were putting it into a Zero Trust environment. And somebody was like, "Hey, there's an old server, I'm gonna pull this out." Well, it took down 5,000 restaurants worldwide, and he didn't know what it was there for. No one knew what it was there for; it was actually a polling server that pulled credit card information from these 5,000 restaurants, aggregated it and sent it to the backend database, but no one knew that existed.
And that's where the second phase, or the second step of Zero Trust, map the transaction flows, came out of, because you need to understand how the system works. Everything is sort of integrated to work together, so when you're doing those high value assets, you need to be very clear that, hey, if you break this, it could be a mission failure. So you need to use the five-step model: define the protect surface, map the transaction flows, then do architecture. This is why I don't talk about Zero Trust reference architectures, because each Zero Trust environment is bespoke or tailor-made for each protect surface; you can't just have a generic architecture. And then the fourth thing is the policy that we've already talked about, and fifth is monitor and maintain; that's the fifth step. That's what I do in my company: constantly monitor and maintain and create a feedback loop, so I can create a system that gets better and better over time.
Commercial Break (22:08):
Prisma Cloud secures infrastructure, applications, data, and entitlements across the world's largest clouds, all from a single unified solution. With a combination of cloud service provider APIs and a unified agent framework, users gain unmatched visibility and protection. Prisma Cloud also integrates with any continuous integration and continuous delivery workflow to secure cloud infrastructure and applications early in development. You can scan infrastructure-as-code templates, container images, serverless functions, and more while gaining powerful, full stack runtime protection. This is unified security for DevOps and security teams. To find out more, go to prismacloud.io.
Matt Chiodi (22:56):
You've mentioned NGFWs, next-generation firewall policies, and recently there was an executive in the industry who said this about Zero Trust. They said, either you're Zero Trust or you're network security; you don't do both. True Zero Trust involves connecting users directly to applications without going over the network at all. Is that right? Is that off?
John Kindervag (23:22):
No, that's way off. I mean, you're always going over the network, right? It's always a network; if you're directly connecting people to an application, you're going over a network. And what this individual misses is, it's not the connectivity that matters, it's the inspection that matters. So Snowden and Manning, who I call the Beyoncé and Madonna of cyber-security because they're so famous they're one-word people, they exploited trust, and they had devices that had the right anti-malware endpoint security, the right patch levels; they had robust identity systems and really powerful yet cumbersome multifactor authentication systems. And so there was no doubt about the identity of their packets on the network at the time that those data breaches occurred. It's just no one looked at the packets post-authentication to see what they were doing.
So it's not just about authentication, it's not just about connecting to a resource, it's about what's going on inside the packet, because the packet is a layer seven construct and the bad guys are going to do stuff in those higher level layers. So if you connect everything inside of a VPN tunnel, and I hear people say all the time, VPN is dead: VPN is just the encryption technology, and sometimes you should use IPsec, sometimes you should use TLS, right? But what you need is a high level Kipling Method policy inside the tunnel to control access at a granular level. And that's what people miss about Zero Trust, and here's what it is: when you see these vendors, they all try to redefine Zero Trust based upon what their technology can do.
So if all I sell is MFA, Zero Trust is MFA; if all I sell is a proxy, Zero Trust is a proxy. If all I sell is a next-generation firewall, Zero Trust is the next-generation firewall. It is none of those things; it is a strategy, and so I'm doing two things to combat that FUD. The first is I've been serving on the President's NSTAC, the National Security Telecommunications Advisory Committee, on the Zero Trust subcommittee. So this is a big deal. We have, I think the report, the final report has maybe been voted on; I'm not exactly sure at the time we're recording this. The final draft anyway has been made public on the website. And so we have given this report, and when we all got together there were experts from all kinds of vendors and the US federal government and all this stuff.
And the first two rules were Zero Trust is not a product and it's not multifactor authentication, and then the third rule was Zero Trust is a strategy. Those were the three things that we all agreed upon; everybody agreed upon. And so that's one place we're fighting it, and then the second place I'm fighting it is in the Cyber Theory Institute. So I've co-founded the world's first cyber-security think tank, called the Cyber Theory Institute; it's sponsored by ISMG, Information Security Media Group, and we have a Zero Trust council, and that Zero Trust council has a whole bunch of thought leaders on it around Zero Trust. And we're defining, and giving people, an authoritative non-vendor-spin place to come and get information about Zero Trust.
And so that's going to be something I'm very excited about; we just started it, we're working on it right now. And it's very cool to talk to people that I didn't know existed in other domains, but who understand the value of Zero Trust from other perspectives, and so we're going to change the landscape and take it out of the vendors' hands. I understand that, I worked at a vendor, although Palo Alto Networks, let me just give a big shout out to Palo Alto Networks: they never once asked me to change any of the concepts of Zero Trust to meet the limitations of the products; they actually just made the products better. And so I still remain a huge fan of the Palo Alto Networks technology stack.
Matt Chiodi (28:17):
Obviously, one of the things that I've focused on pretty exclusively over the last decade or so is all things having to do with cloud and cloud security. Where does a Zero Trust strategy come into play when we're talking about workloads that are not living traditionally? They're not on campus, they're not in a traditional data center, they're running in a public cloud like Azure or Google. Does that change things at all? Does it look different?
John Kindervag (28:46):
No, it doesn't look any different; it's still a DAAS element, and the thing that you care about and want to protect is a DAAS element. You put it into a protect surface and you put the proper controls around it, and you can do that in clouds or on premise, public or private; it doesn't matter. And that's a misunderstanding about clouds. I mean, I had one person tell me, "Well, you can't do Zero Trust in the cloud because there's no network in the cloud." There's no network in the cloud? Really, how do they move data around? "Well, there's not even servers in the cloud, John, don't you understand? Have you never heard of serverless?" And I said, "I've heard of serverless, yes, but where do they store the data?" "DNA, it's in DNA!" And I'm like, "This is a CISO, right? Whoa, you've been watching too much TV or something, because it's the exact same thing, you just don't own it."
Wright (inaudible name, 29:40) used to say there is no cloud, it's just somebody else's computer, and that's a true statement. Now, the one thing about the native cloud that really, really worries me is that the cloud security built into any cloud is pretty darn limited. My friend Richard Bird over at SecZetta, who's an industry guru around identity, talks about the cloud as a drive towards mediocrity, because we're adopting practices that we know have been broken for a long time. So when you look at a native cloud security control, and I was just doing something for one of them and I was watching this video: "we have robust security controls called ACLs, or access control lists." I'm like, stateless ACLs, hmm, does this feel like 1998 or 1997?
Everybody knows how to bypass that stuff; that's why you have to overlay the cloud with technologies that are more robust and more modern, because the attackers know how to bypass it. So what happened is the cloud is based on Linux. Linus Torvalds should be the richest person in the world; he's not, but he should be. And Linux has iptables, and we pretend that that's a firewall, but it's just a way to create ACLs, like we used to in routers in the old days. And we all learned that router ACLs were not robust enough, which is why the stateful packet filtering firewall was created. And then we learned that wasn't even good enough, which is why the next-generation firewall was created. So if you're not up at layer seven, you're not really doing real security, but you can do it in the cloud; it just won't be using the native controls that the cloud vendor offers you.
Matt Chiodi (31:33):
So one of the things that we've heard a lot about over the last 5-10 years is the whole concept of shadow IT. It's become very easy, especially, I'd say, in the last two years with so many workers being remote: I need access, I need some kind of functionality. So they go out to a SaaS application, it meets some need, they put their credit cards in, and then they start to maybe put some company-sensitive data in there. Where does Zero Trust come into play with shadow IT? These are apps that, by their very name, IT and security either have no awareness of or are just not paying attention to. Where does that fall into the big picture?
John Kindervag (32:16):
Well, it's not even a good assumption, but the first step is defining your protect surface. What do you need to protect? And you have to know the answer to that, where is your data stored? Now, if somebody is creating shadow IT stuff, And the reason shadow it happened is because we, in security and IT, we were the department of no, we need to do this, no. So people found a way to get around us, and we could have solved it by being more aligned with the business and thinking strategically and Zero Trust is designed to enable that. So that's the first thing, why did it happen? Sometimes I would hear things that were really not nice in meetings, I would be like "Really you're saying this to that business leader, this is about business, this is about increasing revenue."
How do you increase the revenue for your business, if you're not doing that, if you're not enabling the business, what's your purpose? Your purpose isn't to just shut everything down and make it unworkable, so that's the first thing. The second thing is if the data or resources defined in a protect surface, if someone is using a rogue to do it, and I always called it 'rogue' too, then you'll see that. And then, there's another side to zero trust, which is data security. I ran both data security and network security practices at Forrester, and so Zero Trust was always created to become a powerful data security enforcement point because data is the new oil, it is what fuels modern economies.
And so you need to understand how your data moves around. Now, this shadow IT user is probably using some sort of corporate resource somewhere, and so it's by understanding where they're using that and getting some sense of where that is. Some of the SAAS services that they could set up are, they could set up their own Gmail and they could move their own data into Gmail, because it's easier to use. Now I'm looking at DOP in a CASBY type of solution for Gmail to see if data that I have is in there. This is why data security is the next revolution; I think in cyber security, we have to get a handle around data security and data classification, and some of the other things around data.
So ultimately that's the key, but we can certainly reduce it because if somebody is building systems and they still need to access a resource, that's in a protect surface, then we will see that. And if there's no policy allowing that to happen, then they can't get it get into it. Can I tell a quick story here, so years ago a university built a zero trust test environment and they wanted to have it pen tested, and the pen tester could not get into this environment. And the pen tester said to the CISO, "Hey, I need domain credentials to test this, I can't get in." And the CISO said, "Sure, I'll give you domain credentials." Of course, even though the individual had domain credentials, they weren't attached to a policy.
See, it used to be, if you got credentials, you could go anywhere because there were no policies. So if you had credentials, you got access to everything, like Supernet and Snowden and Manning. But in this case, there were these granular policies assigned to each 'who' statement about what they were going to be able to use to access the 'where'. So it was the beginning of the Kipling Method policy statement. And this person couldn't go anywhere, there was no policy attached to his domain credential, and finally, he got so frustrated that he said to the CISO, "What are you trying to do? Are you trying to make me look bad?" And the CISO said, "Yes, I am."
Matt Chiodi (36:54):
Oh, I love it, that's a great story, and you're right, I've been in previous roles, I've had that privilege of domain admin and that typically means you can get to anywhere and anything.
John Kindervag (37:08):
But why is that true? I mean, Snowden in his autobiography said I was the most powerful person in the NSA because I had admin rights. Well, that's insane; it's about giving the right people the right access to the right data at the right time. And so, like, I will go into the US federal government and oftentimes, well, they'll find out that I don't have any clearances at all. And they go, "Oh, that's weird, we'll sponsor you to get clearances, we'll be your sponsor." Nah, I don't need that, thanks. What do you mean? Everybody wants to have clearance, that's like the goal, right? Because you'll get more jobs and stuff. I said, yes, but you've got to understand that I do not need access to your data in order to do my job for you, which is usually high-level architectural.
And that would be a violation of the first principle of zero trust, giving someone access to data that they don't need. And at that point they get it, they go, "Oh, I get it." So when I go to some of these top secret places, there's a guy carrying a pole that has a red light on top and he is yelling "Uncleared, uncleared!" And I love it because I feel like I'm in a Monty Python movie, bring out the dead, unclean. So yes, don't give me access to your data, I don't want it. I don't want to know about it, don't want to be in your database. I don't need to have access to any of that data, and that's the fundamental question: should you have access to this particular data set?
Matt Chiodi (38:53):
So we talked a lot about zero trust, and you talked about the five stages. In terms of metrics, if someone is, let's say they've started this journey and they're trying to track and measure their progress. Are there specific metrics that they should be tracking? Is there anything that you recommend that you have seen work well?
John Kindervag (39:16):
I have a maturity model that I have built. I built it at Forrester and I have revised it a couple of times since then, just little revisions, where I look at the five steps, you know: define the protect surface, map the transaction flows, architect the environment, create policy, and then monitor and maintain. And then I have a grid of five maturity levels, one through five, for each of those five steps. And then I have up at the top a place, and this is just a visual, but you could automate it, and we have automated it in our technology, but we name the protect surface, say cardholder data environment, and we label the data element, the DAAS element. So that would be PCI to stand for the credit card data. And so you look at the maturity of each protect surface, one surface at a time. And I think that's on the Palo Alto Networks website still. So I will forward that over to you after this call and you can give it out to your listeners.
Matt Chiodi (00:37):
That would be useful. I think that's one of the things people are always looking for, is just, okay, I've decided I'm going to go down this route. I've allocated a budget, I've allocated resources, but how do I know if I'm actually making progress down this route? Am I getting a good return on investment? So I think once you share that, I will put that in the show notes today.
So, John, one thing I know that I've seen consistently in research over the years is that leaders are learners, right? They have this constant desire to grow, I'm curious from your perspective; you've got a ton of eminence in the industry. Could you share a book recommendation, maybe some of your favorite podcasts? How do you stay current? How do you stay ahead?
John Kindervag (01:24):
Yes, I don't read a lot of security books because I think security is experiential. So I try to stay current by having experiences and working on projects and not being an academic, but the kind of things that I read are things that make me think in a different way. So I read all the stuff of Nassim Nicholas Taleb, books like Antifragile, that's been hugely influential because the fifth step of zero trust allows me to create an antifragile system in cybersecurity. And so Taleb gave me the vocabulary and an understanding of what intuitively I was trying to create, but I didn't really understand it. So that's the kind of stuff that I look for, it's stuff that is outside of my wheelhouse. I'm currently studying systems thinking and design thinking because that gets you to something like Zero Trust.
I don't know that there's a book that I could really recommend on Zero Trust because they're all too tactical. And they're not focusing on the strategy part, but I do focus on strategic thinking a lot. John Gaddis's book called 'On Grand Strategy,' I think it is a fascinating book. There's a book documenting a time that was very influential to me because I got to work with a man named Colonel John Warden, or Lieutenant Colonel John Warden, although you would say Colonel when you addressed him, who was the chief strategist of the first Gulf War, and I worked with him on a project in the nineties and he's the one who taught me about strategy.
So I was trying to bring big-time strategic ideas to cybersecurity, and actually Palo Alto Networks was the first people who let me talk about it and write about it and put it in presentations, because our former CEO, now Vice Chairman, Mark McLaughlin, is an ex-West Pointer, and he understood that. So there's a book called Winning in FastTime, I believe, which is how you adopt military strategy for business purposes, is a really fascinating read. And it documents the time that I was working with him, so there's a lot of those kinds of things that I read. Because here's what I've found, trying to write a book on zero trust, is by the time I could get the book published, there'd be so many things that are new and it's really hard to do that. And it's also hard to write a book and do the work at the same time, because you're constantly refining it. So I tend to think that blogs and speeches and those things are better ways to do that.
Matt Chiodi (04:32):
So where can listeners learn more about you and Onto IT cyber-security? Are you on Twitter?
John Kindervag (04:39):
Mostly I'm on LinkedIn. If I'm posting, I'll post things that I've done and speeches and all that kind of stuff. So there's one that I just did last week, the week before, that's a good intro to Zero Trust and I'll send that link to you. It was for a future con and that got recorded as a virtual session, it was a virtual event. And then I do a lot of work with ISMG and Cyber Theory Institute, and you'll see more things from us in the future and I'm very excited to do that. So stay tuned for that, but you'll see a lot more stuff from us on Zero Trust. We're doing videos, we're doing research, we're publishing things, and I'm working on a course. So there's a lot of that stuff going on, so I finally found a place where I can do the things that I wanted to do, but do it without vendor spin.
Matt Chiodi (05:48):
I love that. Well, John, this has been a great conversation. I'm looking forward to what you're going to be putting out with the ISMG Zero Trust Council, that sounds very exciting. I think it's something we very much need in the industry, so thank you so much for your time today. There's just so much that we have packed into these last 40 or so minutes, but I really appreciate your time, thanks for coming on today.
John Kindervag (06:10):
It's great to catch up with you and it's always a pleasure, thank you everyone for listening.
Thank you for joining us for today's episode, to find out more, please visit us at Cloud Security.