Last Updated on August 3, 2021
After ten years building momentum and proving itself in businesses and government agencies worldwide, Zero Trust is finally getting the serious recognition it warrants. President Biden’s emphasis on “Zero Trust Architecture” in his May 2020 Executive Order on Improving the Nation’s Cybersecurity is only the latest and largest in a series of successes for this game-changing cybersecurity approach.
To find out how Zero Trust works and what makes it such a formidable defense against even the most sophisticated cyber-attacks, a recent episode of The Virtual CISO Podcast showcases John Kindervag, Senior Vice President of Cybersecurity Strategy at ON2IT Cybersecurity and progenitor of Zero Trust. Hosting the show as always is John Verry, Pivot Point Security CISO and Managing Partner.
The Zero Trust “grand strategy”
Interestingly, Zero Trust focuses more on preventing data exfiltration than on preventing intrusions. Per the executive order, “The Zero Trust Architecture security model assumes that a breach is inevitable or has already occurred or has likely already occurred. So, it constantly limits access to only what is needed and looks for anomalous or malicious activity.”
“The question is, how are you going to define ‘breach’ versus ‘intrusion,’” reframes John. In cybersecurity, we say, ‘The breach happened; somebody got into our environment.’ That’s going to happen all the time. ‘Breach,’ I would argue, has been redefined on us by legal and regulatory entities like PCI, CCPA and GDPR to mean that data that is sensitive or regulated has been exfiltrated from our networks or systems in the hands of a malicious actor. So, we need to start making a distinction about intrusions versus a breach. We can assume intrusions, probably. You have to have knowledge of breaches.”
“In [ON2IT’s] Zero Trust as a service, we have four buttons,” John relates. “You can click on one to see the number of intrusions and another to see the number of breaches. And we say our goal is zero breaches, because I’ve defined the grand strategy of cybersecurity to be stopping data exfiltration.”
“I have this four-stage model: strategic model, grand strategy, strategy for Zero Trust, and tactics and operations,” John explains. “So, Zero Trust is ultimately a strategy. The tactics will change over time because technology is going to get better. But the strategy won’t necessarily change unless there’s some major disruption, like we’ve reinvented the internet…”
Is a successful ransomware attack a data breach?
John Verry raises a great point: “Ransomware is not necessarily exfiltration. But I think we might call that a breach or an incident of note or something of that nature. Does your model differentiate ransomware from data exfiltration?”
“As of now, no CEOs have been fired for ransomware attacks; a couple of them maybe have resigned,” John Kindervag notes. “But I look at the grand strategic actors as the CEOs and the boards of directors, and they typically get fired over data breaches.
How Zero Trust stops ransomware
“Ransomware is an easily solvable problem if you have Zero Trust because there’s no rule that allows a resource with the ransomware malware on it to make an outbound call to setup a command-and-control channel. So, it’s a policy problem.
“During these latest rounds of ransomware attacks, I was getting screenshots from people saying, ‘Look, this was stopped because the attempt to go outbound was blocked.’ Just having outbound rules that say, ‘You can’t go here unless we know where you’re going,’ stops, I don’t know, 99% of ransomware, probably,” emphasizes John.
When a wide spectrum of attacks are nullified before they can get off the ground, even the challenging task of risk assessment becomes somewhat less critical, as John Verry observes.
“You can’t stop every attack,” John Kindervag observes. “But you can stop attacks from being successful. A successful attack means the attackers won, and they got something. … This is just a wild guess on my part, but I think I know that the attackers are stealing data as they’re doing these ransomware attacks. So, I wonder if the ransomware attack is just the smokescreen for the data breach.”
Ready to start moving to a Zero Trust cybersecurity architecture? This podcast with Zero Trust originator John Kindervag is the ideal place to begin.