When John Kindervag came up with the Zero Trust security model at Forrester Research, he pitched it as a strategy to protect organizations from cyberattacks and data breaches like the one that hit the U.S. Office of Personnel Management, where sensitive data about people with top-secret security clearances was stolen.
Kindervag, who now works as chief evangelist at Illumio, said the concept resonated with senior business leaders and government officials, and that it was intended to be implemented using off-the-shelf technology that had always existed.
“Strategy and tactics are intentionally separate from each other, but we don't want the strategy to change,” he said. “We want a strategy that will stop data breaches and make other cyberattacks fail, and that will be better implemented over time and as technology advances.”
Fundamentally, Zero Trust security treats all users and data equally no matter where they are, eliminates traditional network boundaries, and assumes that no user or device can be trusted until proven otherwise. Contrary to what some technology suppliers claim in their marketing messages, Zero Trust is not tied to any specific technology or product.
“There's always confusion because people sometimes don't receive the correct information given,” Kindervag said. “A lot of people spin zero trust to mean everything they're selling right now, but that doesn't apply to us.
“While Illumio provides the primary segmentation technology used within a zero trust environment, it is not everything and does not make it a ‘zero trustee’ as I would like to call it,” he added.
Zero trust is a journey
The rapidly evolving technology and cybersecurity landscape means that zero trust is a journey, not an end state. Kindervag says organizations can struggle with this because they want to make zero trust a project they can do themselves.
Organizations also make the mistake of trying to implement Zero Trust for everything they own, even though there are assets that aren't valuable or sensitive enough to require that level of protection.
“You need to look at what high-value things you have and use zero trust concepts to protect them. It becomes protected,” he explained.
Citing the example of the massive data breach that hit Target in 2013, Kindervag said if the US retail giant had adopted Zero Trust, it would have focused on protecting its credit cardholder database and customer records. He said that it is necessary to protect all data held by a company.
“So by letting people focus on the things that matter most, they can successfully protect those things and later incorporate other things into their zero trust environment,” he added.
Kindervag advised organizations starting with Zero Trust to begin by learning the protected surface, the opposite of the attack surface, to significantly reduce the size of the attack surface.
“For Target, it's credit card data, and it's easy to examine because we can use a formula called Luhn to look at the packets, identify the data, and protect it with low-fidelity DLP [data loss prevention]. It’s a solution,” he added.
Kindervag said network segmentation technology is useful for creating micro-boundaries around protected surfaces and for placing controls, such as granular permit-only rules that limit what can be done within the protected surface, next to the assets being protected.
“Network segmentation is the cornerstone of Zero Trust,” he added. “If your network is flat, it doesn't matter what you're doing; your environment is too large for MFA [multifactor authentication] or a perimeter firewall to handle. There would be too many dark places for an attacker to hide.”