Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More
Continued from Part I
In Part II of VentureBeat’s virtual interview, John Kindervag shares his insights into how pivotal his experiences working at Forrester were in the creation of zero trust. He also describes his experiences contributing to the President’s National Security Telecommunications Advisory Committee (NSTAC) Draft on Zero Trust and Trusted Identity Management.
And, he advises CISOs and teams who are implementing zero trust one threat surface at a time to see all identities as machine identities first.
The following is the second half of VentureBeat’s interview with John Kindervag:
Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.
VentureBeat: How can organizations adopt zero trust to protect the fast-growing number of machine identities? How can machine-to-machine transactions be more compliant with zero trust and least privileged access?
Kindervag: Yeah, I think every identity is a machine identity. So this anthropomorphization that John Kindervag is on the network can’t be assumed. It’s just an assertion. So think about SAML (Security Assertion Markup Language). It’s an assertion that the packets being generated by this MacBook, the other end of that is John typing or generating the packets through his webcam and his microphone. [But] that assertion may not be true.
Maybe I am typing an email. Somebody comes in, puts a gun to my head and makes me get off the keyboard and they start typing. And I said this to somebody in a government agency: “What if somebody puts a gun to my head and they take over the keyboard? Do they become me? Is there a transference of identity to that individual? Because suddenly that abstraction breaks down.”
In the room where it happened
VB: How did the experience of contributing to the President’s National Security Telecommunications Advisory Committee (NSTAC) Draft on Zero Trust and Trusted Identity Management help identify critical areas where the government can improve its security posture on zero trust?
Kindervag: Well, it was a massive honor to, first of all, get appointed, asked and then appointed. What I found it to be was phenomenally collaborative. There was at least one meeting a week for a year, maybe, and periodic briefings.
What was really gratifying was how much stuff I had created had filtered down and gotten into the thinking of all these other people [and] organizations. So there weren’t a whole lot of differences. And the things that were different weren’t different enough to be structural, or they were just a different lens that we look at it [through].
So like at Forrester, we used to talk about lenses and apertures. Somebody would say, “You need to put a different lens on it,” meaning look at it from a different perspective, or, “You need to widen your aperture or narrow your aperture, focus in or pull out, get a bigger point of view.” And so it helped me see what other people were seeing and [which] things were the commonalities, and those things were the things that ended up in the report.
The report has the four design principles and the five-step model. It has my version of the maturity model. It has the CISA maturity model, which is about the technology being mature, not the protect surface. So those two things actually integrate. They’re not functioning at cross-purposes.
Forrester and the birth of zero trust
VB: Did you go to your management at Forrester and say, “Here’s the idea. Let’s write about it. Let’s do it.” And how did you get the green light to write such a revolutionary report?
Kindervag: Well, Forrester, when I got there, was just an amazing place to be. I walked in [on] my first day, and there was an onboarding of all the new analysts led by Glenn O’Donnell. And they wrote on the board think big thoughts. And they weren’t telling us what thoughts to think. They were saying your job is as researchers. You’re analysts. You go out and figure out what’s going on and you come to us.
I went to my research director and I said, “Here’s this thing that I’ve always been upset about, this trust model from installing firewalls in the past.” [And I was told] yeah, run with it. So actually, I did two years of primary research on that before I ever wrote the report.
There were some people along the way just giving me a little bit of encouragement, while the majority of people were saying, “You’re insane. You’re nuts. This is never going to go anywhere.” There were vendors calling up, trying to get the research stopped because, “Hey, this might kill our business if people go down this direction. We don’t want this.” And Forrester backed me up. I give them credit.
So that report came out, and over time it became, by the time I left, the number one read report — at least what they told me — that had ever been written [at Forrester].
I loved it there. It was great. I never thought I would leave. I thought I would be a lifer, but other people believed in zero trust more than I did. One vendor said, “Zero trust is going to be your career for the rest of your life.” And I said, “No, it’s not. Man, I’m doing all this other stuff. I did data security stuff. I did encryption research. It’s a fascinating, wonderful place to be.”
And he said, “No, you don’t know how big this is going to take off.” And so ultimately, he and some other people convinced me that I needed to move on to take this to a wider audience.
Bonus points for compliance
VB: What’s the one unintended consequence that zero trust has delivered that you didn’t anticipate?
Kindervag: The biggest and best-unintended consequence of zero trust was how much it improves the ability to deal with compliance, auditors, and things like that.
So a number of years ago, I got a call from the CIO of this big company where [I] designed their zero trust environment. [He] wants to talk to [me] within an hour. This is an emergency call. And those calls didn’t happen. They’re usually scheduled far in advance. Your calendar is booked up. You’re doing call, after call, after call. It can be a grind.
And so the account rep is freaking out — “What happened?” And so I get on a call with the CIO, and he says, “I don’t know how to tell you this, but we just had the zero trust network that you helped us design audited. We just had the audit completed, and I don’t even know how to tell you this.”
And I said, “Okay, just spit it out, man,” because I was ready, because … It occurred to me I hadn’t thought about how are auditors going to react to this? And he said, “We had zero audit findings. Ha-ha.”
He said, “First of all, they understood it. We had always been giving them these big Visio diagrams and all this stuff and they could never understand what we were doing.”
And secondly, they looked at it and they go, wow, clearly this was designed to meet a whole lot of compliance issues that we have.
And then the third thing was all the things that weren’t checked off in their check boxes, they went, ‘That’s not even appropriate for this type of environment and for this type of network.'”
So he said, “They gave me zero audit findings. The lack of audit findings and the lack of having to do any remediation paid for my zero trust network. And had I known that early on, I would’ve done this earlier. And I never had thought about that before.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.