EP#54 – John Kindervag – Trust Is a Vulnerability: 5 Steps on the Path to Zero Trust

How do you quantify trust? Is it something that can be digitized?

In the world of cybersecurity, trust is a vulnerability.

What we need is Zero Trust. 

That’s why I am so excited to speak with my latest guest, John Kindervag, Senior Vice President of Cybersecurity Strategy and Group Fellow at ON2IT Cybersecurity, who pioneered the concept of Zero Trust a decade ago — even if the world is only catching up to it now. 

What we talk about:

• What makes Zero Trust different from traditional security models
• How Zero Trust easily solves the ransomware problem
• The 5 steps to get to Zero Trust

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator (Intro/Outro) (00:00:00):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:00:25):

John, thank you for joining me this Friday afternoon. How are you today?

John Kindervag (00:00:29):

I’m doing great, John. I’m having a great day. It’s Friday. So, I don’t know when this shows, but Friday is always a good day, isn’t it?

John Verry (00:00:36):

Yeah, I couldn’t agree with you more, especially after this week. So let’s start super simple. Tell us a little bit about who you are and what you do every day.

John Kindervag (00:00:47):

So, I’m John Kindervag. I am a Senior Vice President at a company called ON2IT. ON2IT is a managed service provider. We do now as of this week, zero trust as a service. And ON2IT was a channel partner of Palo Alto Networks, is a channel partner. I got introduced to them back in 2011, 2012, when I was still at Forrester because they were the first company that ever built a go-to-market around zero trust.

John Kindervag (00:01:17):

So, the hat I’m wearing is from the first ever zero trust conference that ON2IT put on in 2012. It’s the first piece of swag that ever had the word zero trust on it. Never thought that it would be such a movement, but every day I work on zero trust environments. And I had a great opportunity at Forrester for eight and a half years to think differently, to think outside the box. And then I was able to spend four years at Palo Alto Networks as a field CTO to show proof that it could be built, and now making it easier to consume by delivering it as a service. So, it’s the three phases of the zero trust journey in my mind.

John Verry (00:01:54):

It sounds good. And your expertise in zero trust is why you’re here today. But before we get down to business, I always like to ask, what is your drink of choice?

John Kindervag (00:02:02):

Diet Mountain Dew.

John Verry (00:02:06):

Did you use to hack for a living at some point? Because Diet Mountain Dew is definitely one of those things I’d expect [crosstalk 00:02:11]. If you were going to show a video of a [crosstalk 00:02:13], right?

John Kindervag (00:02:13):

Yeah. I was a penetration tester for part of my career. I realized there were people who were a lot better at it than I was. So, I managed penetration testing team for a while, then I became an analyst. But each one of those was a great learning experience. What’s cool about cybersecurity is it doesn’t matter how long you go to school for something like this. Until you’ve experienced it, that’s where you learn how to do it.

John Verry (00:02:41):

Absolutely.

John Kindervag (00:02:41):

Your MBA or your masters or your doctorate has to be in the field sitting behind a computer screen, freezing in a data center, whatever the thing is that you need to do. That’s where you learn about this. And that’s what makes it such a great business to be in.

John Verry (00:02:56):

I agree completely. I agree completely. So, again, let’s start easy. So zero trust, what exactly is zero trust?

John Kindervag (00:03:04):

Well, zero trust looks at the trust model where we have trusted versus untrusted systems, networks. It goes back to the old days of a firewall where you… Well, and still the way of firewalls are really designed. The untrusted side went to the internet where all bad things are. The internal network was the trusted side. And then you set up policy based upon those trust levels. And what I realized both deploying all these technologies, and then later on as an analyst is this cross model was the fundamental problem. Trust is a hard thing to define. But it is a human emotion we’ve injected into digital systems for no reason at all.

John Kindervag (00:03:44):

And so, it turns out trust is actually a vulnerability. The only vulnerability that is also an exploit at the same time. You don’t need to create malware to exploit trust. All you have to do is be on a network. So, the only actor who gets value from trust in digital systems are the malicious actors who are going to exploit it. So, every single data breach, every single… Or probably almost every single negative security event is fundamentally at its root cause a problem of trust. It is an exploitation of this broken trust model.

John Kindervag (00:04:17):

That’s true with ransomware attacks, right? You trust that if this device is sending out a call to the external network that because we trust that device, that’s a good call. But no, that call is actually the command and control call out to the internet to then retrieve the symmetric key for the ransomware. So the fact that you allow that outbound connection, you are yourself allowing the attack to happen. And it’s because you trusted that system internally, and you didn’t have a rule that said, “This system only needs to go to these resources.” And so, we have to have these very specific sets of resource rules. These very granular rules, and that’s what zero trust does. It’s a set of very specific allow rules tied to some sort of identifier that’s highly validated.

John Verry (00:05:09):

Gotcha. Can you think about it as simple as in the concept of blacklisting versus whitelisting? Can you think of zero trust as almost be more explicit whitelisting of authorized access?

John Kindervag (00:05:21):

Oh, absolutely. Those are what the granular rules are, allow rules. Almost always a zero trust environment a particular protect surface that we’re protecting has only allow rules in the policy statement of whatever technology is being managed. There’s very few of deny rules that you need to build. Sometimes you have to build a deny rule because you have of users that have to get access, and then you need to take one person out of that group so you can deny that particular user from accessing it. But typically, you figured out how to aggregate identities to access the resource within what I call a protect surface.

John Verry (00:06:00):

Yeah, that’s interesting. It’s an interesting idea. So quick question for you just on that, because I used to be a firewall jock at one point. If you think about a firewall, a firewall processes rules from top to bottom. And then typically, at the bottom, you have a catch all rule. So, if you were saying, “Hey, this firewall is configured consistent with zero trust,” would it be a bunch of whitelist with the last rule in case one of those whitelist didn’t get hit would be deny all other than the whitelist?

John Kindervag (00:06:25):

Yeah, yeah, there’ll be a denial rule. But typically, you aggregate the rules, there’s ways to aggregate the rules based upon the protect surface. So the concept of protect surface is the most important tactical concept of zero trust. The idea that we’ll take the overall attack surface, which is the world, the entire internet, and serve it down into something very small, and understandable call to protect surface. So, if you’re doing PCI, for example, then the cardholder data environment becomes the protect surface. So, you just have one single thing that you’re protecting. And so, now the problem is very small.

John Kindervag (00:07:05):

So typically, we take everything, we look at it from this big view of a binary view of our entire environment, and then our entire network or whatever. And then we got a problem, buy new technology, fix it, do it again, do it again, do it again. And you eventually run out of money before you run out of problems. But if you break the problem down into individual small pieces, I’m just going to secure and protect the cardholder data environment. That’s certainly something that’s easily doable. And eventually, you’ll find that if you have this protect surface mentality, you have a finite number of protect surfaces in your organization, and you can build zero trust out incrementally, and iteratively, and non-disruptively.

John Kindervag (00:07:46):

And so, we build our rule packages to be here’s the seven rules that you need for this cardholder data environment. Instead of the rundown the… Because like one of my friends, I was talking to him at a big bank. He just joined as a CISO. Day one, they needed a firewall rule change in a traditional layer three or stateful packet filtering firewall. And he looked at the rule, he says, “Well, I have no context on whether this is a good rule or not, but I guess I’ll approve it because it’s my first day. You know more.” And then he said, “Why don’t you just show me the console?” And he used to be a firewall guy. And he kept going, “Scroll up, scroll up, scroll up.” And they got to the first rule, and the first rule was allow, allow, any. And so, he was like, “Well, there is no firewall in our entire bank. This is a global bank. There’s no firewall here.” They were like, “Oops.”

John Verry (00:08:40):

For anyone that’s not a firewall jock, as we said before a firewall process rules top to bottom. If the first one is allow all, none of the other rules ever gets seen. They never get touched. So, quick for you, define the protect service. I know from being an advocate of your approach that, that is the first step in your approach. But before we go there because I do want to walk through those in a logical way. I’ll ask you a couple questions ahead of that. So, is it a little bit humbling right now for you as somebody who has been credited with originating or innovating this idea more than a decade ago that suddenly it’s such a hot topic. So, why do we suddenly see… Although you’ve been on the soapbox for 10 years promoting your idea, suddenly NIST is behind it, Microsoft’s behind it, Department of Homeland Security is behind it, the NSA is behind it. And most recently, the executive order explicitly mentioned zero trust. Why now? Why is it suddenly something that’s been around for 10 years? Why is it suddenly getting so much attention?

John Kindervag (00:09:38):

Well, because change is hard. A body at rest tends to stay at rest. A body in motion tends to stay in motion. And once you get… It took 10 years to get the momentum because Sisyphus is pushing the rock. The rock is heavy. It’s only me, right? And eventually there will be more and more people coming to help me push the rock, but I have joked for a long time that trying to get case studies of all the people I’ve designed zero trust environments for is the hardest part of it. Because they view, their PR and legal teams views zero trust as a huge advantage against attackers. So they don’t want people to know that they have a zero trust environment. So, I would have, will you go on stage with me, or do a case study? Sure, I’d love to do that. And then we get canceled. And so, I would joke that the first rule is same as the first rule of Fight Club, you don’t talk about it.

John Kindervag (00:10:33):

But there were all these people doing it on the back end, and especially in the government. So I was told by a government official a number of years ago that they had deployed it in one particular area. And they were really amazed by how well it was working. And he said, “We’ve determined that this zero trust model is our best chance of maintaining our network in the event of a sustained nation state attack.” And so, the first time you saw that really hinted out was after the OPM data breach. US Congress, the Oversight and Government Reform Committee of the US House of Representative issued the OPM data breach report where they said that all government agencies to adopt a zero trust model. And then the chairman of that came out and wrote a bylined article and said, “Zero trust would have profoundly limited the attacker’s ability to access such sensitive resources.”

John Kindervag (00:11:33):

So, it’s been known for a long time that this is effective. But if you’re somebody who has to do it you’re like, “I don’t like change.” No one likes change. So it took a while for the incentives to happen. And now the biggest incentive, the president of the United States issuing an executive order has come through. And suddenly all the people who were telling me that I was completely insane, and zero trust will never take off have big zero trust messaging, and practices, and all that kind of stuff. So, it’s humbling. It’s gratifying.

John Verry (00:12:00):

And it’s a little bit… Yeah, it’s kind of fun to poke them now and say, “Yeah, I was right all along, guys. I told you. Told you so.”

John Kindervag (00:12:10):

So, John, what I did is I spent two years researching this. It’s not like this is an idea, and then at Forrester you get to write something like it’s a blog post. You have to have primary research. You have to do interviews with people. You have to have people try poke holes in it. And once you get to that stage where they will allow you to publish it, you know for certain that this is a good idea. It’s not like you can just publish random stuff like you can on Twitter, or whatever that are just your opinions. These become more than that. So, I went to experts all over the world. Here’s my idea. What do you think of it?

John Kindervag (00:12:51):

I remember the moment when I realized the trust model was the fundamental problem because I’d hated deploying firewalls that had trust models in them. I’d done a lot of research on trust, whether you had direct trust or transitive trust, those are really the two types of trusts. And I realized it was a problem. But I had this interaction with a CISO in New York, when I was doing the research, and I said, “I’m doing research on cybersecurity strategy, and what’s your cybersecurity strategy?” And he said, “Oh, of course, it’s trust, but verify.” And I said, “Yeah, I get the trust part.” Trust means I’m actually not going to do anything. Because if you trust all the resources, you don’t actually have to do anything to protect them. But what are you doing for verification? He said, “Oh, well, we actually don’t do any verification because that would be rude because they’re trusted.”

John Kindervag (00:13:42):

I realized, now these are digital systems. And so, I said, “Well, why do you do trust, but verify?” And he said, “Well, because Ronald Reagan said so.” And in my back of my mind I’m thinking, “Oh, yeah, that great cybersecurity expert, Ronald Reagan.” I looked up him saying trust but verify, that great myth that he created.

John Verry (00:14:00):

Yeah, he didn’t actually say exactly that.

John Kindervag (00:14:02):

Right. Yeah.

John Verry (00:14:03):

Most people don’t realize that.

John Kindervag (00:14:04):

Yeah. My Russian is bad. [crosstalk 00:14:10]. [foreign language 00:14:10]. Yeah, you know the story, which means the exact opposite.

John Verry (00:14:14):

Exactly.

John Kindervag (00:14:14):

So, he made a joke, and we didn’t get it. Our industry never got the joke. It just went right over the top of our head. And I remember that moment in New York City, and I went, “Oh, this is the validation that I needed to continue on.” And so, then once a few key, people started saying, “Yeah, you’re right on.” Like Palo Alto Networks, the reason I went to Palo Alto Networks is I had a great relationship because they were the first vendor who said, “We see what you’re doing. It’s a great idea. We’ve created technology for it. Let’s go to market on this.”

John Kindervag (00:14:48):

So the very first video about zero trust was filmed by René Bonvanie, the legendary CMO of Palo Alto Networks who just retired last year and joined the Battery Ventures, but he was the camera guy. It was his… It was such a small company back then. There was probably 120, 150 people in the company, and he was the camera guy. That was 2000… I don’t know, very early on. I may not even have published the report yet because I was test marking it for two years with vendors and speeches, and just getting feedback. So, I don’t remember exactly when it is. It’s on the internet, you can find it, but you had a few people like that who really supported me, and encouraged me, and say, “This is right. We’re going to be here with you.” And so, I had a bunch of those people. Martin Casado, who created VMware NSX did a lot of stuff with him. Just lots of people. And then just a lot of people in the marketplace encouraging me and a lot of companies who were early adopters who said, “We get it. We’re going to go down this road.”

John Verry (00:15:57):

Cool. Got a question for you. So, there was, I found it very interesting that there was two definitions of zero trust in the executive order. So, I was just curious if you agreed with them. I’ll just read them real quick, and you tell me if you’re like, “Hey, that’s a good summary, or that’s a little off.” Because I think this is going to have a lot of impact on the way people perceive it. A lot of people have seen this. So, the first one was zero trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.

John Kindervag (00:16:33):

Yeah, that would be a tactical definition of how you do zero trust. That would be an accurate… That’s a decent, accurate-

John Verry (00:16:41):

Good. I thought it was too, but I was just curious as to your… And then the other one, I actually think is a really powerful one. I think it really speaks to how zero trust is fundamentally different is the zero trust architecture security model assumes that a breach is inevitable or has already occurred or has likely already occurred. So, it constantly limits access to only what is needed and looks for anomalous or malicious activity.

John Kindervag (00:17:04):

That’s true. The question is how are you going to define breach? So, [inaudible 00:17:09] versus intrusion. In cybersecurity we say, “The breach happened, somebody got into our environment. That’s going to happen all the time.” Breach I would argue has been redefined on us by legal and regulatory entities like PCI, CCPA, GDPR, and it means that data that is sensitive or regulated has been exfiltrated from our networks or systems completely in the hands of a malicious actor. So, we need to start making a distinction about intrusions versus a breach. We can assume intrusions, probably. You have to have knowledge of breaches.

John Verry (00:17:44):

I would like to get your… I think your point is a really good one. I would love to see the industry standardized on language. What’s a security event? What’s a security incident? What’s an intrusion? What’s a breach? Because we do all throw those terms around, and I do think it’s a little confusing to less knowledge, less nuance personnel.

John Kindervag (00:18:03):

Well, and it is hard to standardize on that language because of course, there’s going to be different people are going to view it differently. And we don’t all have the same objective lens. But also different people have different incentives to want to focus on one thing or another and call an intrusion a breach because it’s a scarier word, but they don’t have the ability to discover a breach. So, in our managed service, our zero trust as a service, we have four buttons. And you can click on one to see the number of intrusions and another one to see the number of breaches. And we say our goal is zero breaches because I’ve defined the grand strategy of cybersecurity to be stopping data exfiltration. I have this four stage model, [crosstalk 00:18:49] strategic model, grand strategy, strategy is zero trust, tactics and operations.

John Kindervag (00:18:55):

And so, zero trust is ultimately a strategy. The tactics will change over time because technology is going to get better. It has in the past 10, 12 years. But the strategy won’t necessarily change unless there’s some other major disruption like we’ve reinvented the internet, which as much as people talk about, we need a new internet. It’s so big, I don’t think we can do that. And so, I focus on reality, not real aspirations.

John Verry (00:19:24):

Quick question for you there. So, your definition is interesting and I largely agree with it, but I have a question with regards to it. So, ransomware is not necessarily exfiltration. But I think we might call that a breach or an incident of node or something of that nature. So, when you think about your model, does it differentiate ransomware from data exfiltration?

John Kindervag (00:19:42):

So, as of now, no CEOs have been fired for ransomware attacks. I mean, a couple of them maybe have resigned. But I look at the grand strategic actors are the CEOs, the boards of directors, and they typically get fired over data breaches. Ransomware is an easily solvable problem if you have zero trust because there’s no rule that allows a resource that has the ransomware malware on it to make an outbound call to set up a command and control channel. So, it’s a policy problem. And so, during these latest rounds of ransomware attacks, I was getting screenshots from people saying, “Look, this was stopped because the attempt to go outbound was blocked.” Just by having outbound rules that say, “You can’t go here unless we know where you’re going,” stops, I don’t know, 99% of ransomware, probably.

John Verry (00:20:39):

I would agree.

John Kindervag (00:20:41):

So, it’s not a hugely [inaudible 00:20:44] problem, and it’s a will to solve the problem. And of course, it exploits all kinds of VMs that have already been patched, but you just didn’t patch them. There’s patches available, you didn’t patch them. Either because it was too difficult in your mind, or you were worried about how good the patch was. So, let’s think about risk management. Let’s go back to Equifax. And the CEO got in front of Congress and said, “Well, there was one guy who refused to patch Apache Struts.” And you and I know that’s not true. The guy whose job it was to patch Apache Struts wanted to patch Apache Struts, but there was somebody in charge of the overall system who was afraid that the Apache [crosstalk 00:21:25].

John Verry (00:21:27):

Yeah, it would break the application and keeping the operations running takes higher priority than security in most large organizations.

John Kindervag (00:21:35):

Right. So, here’s the risk equation. If we’re down for an hour, we know the cost of that. But there’s no risk calculation for what if we have an extra 400 million credit reports and the CEO gets fired. They would say that’s not a possible thing that could happen, but it did happen. To totally misquote my favorite risk theorist, Nassim Nicholas Taleb, “In cybersecurity, we don’t even know how many sides the die has that we’re casting. So, how are we able to calculate risk and probability?”

John Verry (00:22:11):

Which is the fallacy of quantitative risk assessment, correct?

John Kindervag (00:22:14):

Yeah.

John Verry (00:22:14):

I mean this is not actuarial. We don’t have exact data. There’s systems where we have defined information, we’ve got full information. And then there’s systems where we have some logical subset of that. And then there’s information security where we’ve got a significant subset of that. We just don’t have all the information. So a model like yours, which is, it’s going to happen at some point some way. And there’s a way not to have it happen, let’s just employ that. And then, in a sense, risk assessment, which is a very challenging thing to do well becomes a lot less important.

John Kindervag (00:22:47):

Right. And when you think about it, you can’t stop every attack. But you can stop attacks from being successful. A successful attack means that the attackers won and they got something. They either brought you down, they got money, they got data that they’re going to monetize. I think if I’m guessing, and this is just a wild guess on my part, but I think I know that the attackers are stealing data as they’re doing these ransomware attacks. I have been told that by people who are theoretically in the know, so I have good sources. But I wonder if the ransomware attack is just the smokescreen for the data breach.

John Verry (00:23:30):

That’s interesting. Well, the other way that they do it that I’ve seen, and I don’t know if it’s maybe both of this, but the second thing is that if you don’t pay the ransomware because you’ve got backups then they start to leak your data. That was the big thing in the last one. So, I do think, yeah, it gives them a lot of value. And who knows what the long term implication of that data being out there is going to be?

John Kindervag (00:23:53):

Well, and people are damaged. I’ll hear people say, “Well, that was only a million records.” Well, every record has a person attached to it. And we have to understand the moral imperative of the business that we’re in. The reason that I’m in this business is we make the world a little bit better every day, right? I mean, we do. We have an ethos behind our business that you feel good to go to work in the morning. I mean, I’ve done a lot of crap jobs. My first job was cleaning typewriters at 14.

John Verry (00:24:29):

You just lost some of the audience, John. People going, typewriter? There’s people googling typewriter right now.

John Kindervag (00:24:34):

Yeah, right. Well, have them Google [crosstalk 00:24:37]-

John Verry (00:24:36):

And carbon paper. [crosstalk 00:24:38].

John Kindervag (00:24:39):

Yeah, I grew up on a farm that had a party line.

John Verry (00:24:42):

Rotary phone.

John Kindervag (00:24:44):

Rotary phone.

John Verry (00:24:46):

A rotary phone, yeah.

John Kindervag (00:24:46):

Everybody in that part of, all the farmland was probably like… Yeah, no, I mean, you see these technologies come and go, but at the same time, I mean, we’re making a difference. So get up every morning and go, “Yeah, I’m going to Make a difference.” And then be thankful that… I tell people when they talk about how hard this is I’m like, “Yeah, I’m thankful I’m not up at 5:00 [inaudible 00:25:07]. There’s a lot harder jobs in the world than what we’re doing, and we’re making a big difference, we are. And maybe it doesn’t look like that. But imagine how many ransomware attacks could have happened if the people at certain companies hadn’t made certain decisions, and there’s been a lot of stuff that’s been stopped. We only get to see the stuff that’s successful. We might never get visibility into all of the defenses that were successful.

John Verry (00:25:33):

I agree completely, and I do consider myself blessed in many ways that I’m working in this field. Not only is it ample opportunity, not only does it allow me to pay my mortgage and live a very comfortable lifestyle, but it is good to put your head down on the pillow at the end of the night and say, “You know what, I did something good today. So, I couldn’t agree with you more.” So, let’s talk about… So, I like before you started the process of taking us through zero trust, it’s a journey. There are some logical steps that you’ve outlined yourself that I’ve read. You talked, one, about the first step to define your protect surface. That’s around figuring out what exactly is it that we need to protect? In your case, and I couldn’t agree with you more, I take a very data centric approach to information and security, and you’re doing the same thing. What information is if exfiltrated, if this was compromised, is going to have a significant business impact you, right? So, that’s step one for you?

John Kindervag (00:26:22):

Yeah. And I’ve expanded that a little bit because I talk about protecting DAAS elements. So, DAAS is an acronym that I talk about. It stands for data, applications, assets or services, because I found through experience and these five steps were the five steps that were common amongst every single zero trust network I designed and worked on the deployment of. So, they’re real world things. So, data, yeah, very data centric. I used to say just define your data, but then I realized there were certain times when I couldn’t know that, but I knew the application that was using the data. So, let’s secure the application.

John Kindervag (00:26:57):

There were certain assets like SKAD assets, IT, IoT, MRI machines, wireless morphine infusion pumps, all those kinds of things, they’re an asset. And then, of course, they exchange data, but people think of them as assets. And then there are services like DNS, DHCP, Active Directory Network Time Protocol. And so, those are the things that we need to protect, and that’s how I tend to talk about it. You take a single DAAS element, put it into a single protect surface, and build your zero trust network or environment because I use the word environment because some people can’t grok the fact that there are networks inside of clouds. I’m not doing networks. I’m doing cloud. Okay, but there’s networks in the cloud. No, there’s not. Oh, yeah, there is, but anyway. So, put a single DAAS element into a single protect surface, and you then go through the five steps on that single protect surface. So, the second step [crosstalk 00:27:56]-

John Verry (00:27:55):

Before you go there, because I have a question for you. Because I like what you said there. And first off, I need to see that DAAS stuff. If you have it published anywhere, I’d like… I’ve not seen that. Second thing is that you broke a model in a way that sometimes I don’t think I think enough about. So, a lot of times when we’re talking about data, we talk about store, process, transit. But what I liked about what you did with your model is the last element is the supporting systems, and you see that like in an SSP in the NIST world. You need to define what other supporting systems. And I think a lot of times people forget that. In fact, I think sometimes I forget that because there are these systems that are not necessarily part of that store, process, transit. But if there’s a failure in those supporting systems, that’s going to yield a failure in the first three, those first DAAS elements that you talked about. So I think that’s a super powerful observation there.

John Kindervag (00:28:45):

Oh, thank you. Yeah, well, it was learned the hard way. That’s why I put it in step two, which is map the transaction flows. Because I can’t design a network that I don’t know how it works. And so, typically, here’s a reference architecture, you change the IP addresses on it, and you gave it to the [inaudible 00:29:04]. They said, “Great, thanks for giving me this set of round holes, but I have square pegs, what do I do?” And you go, “Well, you’re going to have to start whittling a little bit. You have to make it fit what I built for you.” And so, every zero trust environment has to be tailor made for each protect surface, but I can’t know how the protect surface interacts with all these other systems until I map the transaction flows. How does everything work together and define that?

John Kindervag (00:29:28):

I learned that the hard way. I was on a project where we brought down and entire point of sale system globally for a company because somebody went in and said, “Hey, what’s this box? I don’t know. Let’s just take it out. That’s an old box.” And it was really important to the system and no one knew it was part of the system. So they just took it out, and everything went down. And you’re like, well… I realized that there was nobody at that company who was there when that first system was put in. So, the understanding of the system fully as a system was gone. So, I make everybody understand the system before we then start figuring out how we’re going to control the system.

John Verry (00:30:10):

Yeah, that’s exactly what you’re talking about. We took down and 911 system because there was a transit link between two networks, a public safety network, and the business network. And we were doing testing on the business network, and we asked about it. And they said, “Oh, that’s nothing, don’t worry about it.” And we flooded the link and basically DOSed their 911 system for about five minutes. Fortunately, nothing bad happened. But because of exactly that. So when you say map the transaction flows, can I think of that as being a data flow… We sometimes call data flow diagrams?

John Kindervag (00:30:38):

Yeah.

John Verry (00:30:38):

Do you think of it as being the same thing?

John Kindervag (00:30:40):

Yeah. Mm-hmm (affirmative).

John Verry (00:30:41):

Perfect. Cool. So that’s step two, which makes total sense, because that’s going to inform those protect surface. I mean, that’s going to allow you to actually validate that what you’ve defined in that DAAS model is really what’s happening, correct?

John Kindervag (00:30:54):

Right.

John Verry (00:30:55):

Cool, what’s the third step?

John Kindervag (00:30:57):

The third step is architecture. You architect the environment, whether it’s in a cloud or on-premise, or wherever it is, and you use that flow map or that data flow, or whatever you want to call it. And it shows you where the controls need to be. I mean, you just look at it, and you go, “I need a control here because of the way this is going and how I want to write policy because I want to make sure this thing can’t talk to this thing. Or I want to make sure this thing talks to this thing, but only in this certain way.” So, it shows you where to put the architectural elements. And so, that’s when you architect it, design it, you deploy the architectural elements of the various controls. Whether it’s like a next generation firewall function as a segmentation gateway, whether it’s something that you’re going to… A container security control, whether it’s an endpoint control, whether it’s an SD-WAN control. Whatever the control is, where it’s located, you need to understand how it works as a system before you decide where you’re going to put it.

John Kindervag (00:31:55):

So, a lot of times I’m on these calls. They’ll bring a bunch of people on who we’re going to design a zero trust network, and they’re all trying to position, my product should go here, my product should go there. Usually, I will start… At some point, I’ll let that go on for a while, and then I’ll go, “Hey, guys. So what are we protecting in this system? I lost the thread here.” And they’ll go, “Oh, we haven’t thought about that yet.” Yeah, it’s probably not going to work. You could probably put all these controls in and it’s not going to get to the outcome that you want because you don’t even know what you’re protecting first.

John Verry (00:32:25):

Right. So, question for you there. What we find a lot… So, this process is like one we’re using a lot right now with CUI enclaves and the defense industrial base. People going towards CMMC here, [crosstalk 00:32:37] 800-171. Same fundamental concept. As a good SSP, first thing is you define what information, data flow diagrams? What we find a lot of times though is that, and I’m assuming in your architect environment stage this happens quite a bit as well is that the current construct is fundamentally flawed. So, as an example, they’ve got CUI, and they’ve got five people that need to have access to it, but they’ve got a wide open network. It’s being transited in ways that it shouldn’t. So, I’m assuming that architect the environment, a lot of times that’s not just look at that data flow diagram and say, “Okay, where are we going to put the controls?” It’s like, “Guys, this data flow diagram is really not the most effective, efficient way to do this.” And it’s more sometimes re architecting the environment as much as it’s architecting the environment?

John Kindervag (00:33:20):

Sometimes, yeah, sometimes you can figure out where to put transparent controls in place, so that you don’t have to re-architect the environment because that takes forever and everybody mad at you. So, there’s a lot of ways that I can put controls in place without re architecting it. And I’ve tried to do that first because it’s going to be forever, and it’s never going to happen. So, what’s [inaudible 00:33:45] is that a lot of people get upset when we show that the way it’s being done is not effective, and it’s like you’re insulting the design or something. And it’s like, “No, no, man.”

John Kindervag (00:34:00):

All of these design principles were created before there were threats. So, organically, your environment grew up around you. You did nothing wrong because everybody wants to, well, why is this not right? Well, it’s the same thing as, “I bought this outfit for my toddler. Now he’s 17 and he can’t wear it.”

John Verry (00:34:20):

You didn’t do anything wrong.

John Kindervag (00:34:21):

I didn’t do anything wrong. It was a fine outfit when he was a toddler. The network grew up, and we didn’t grow up around.

John Verry (00:34:30):

A good analogy there will be fashion as well.

John Kindervag (00:34:33):

Right, yeah.

John Verry (00:34:36):

Why are you wearing elephant bell pants? They were big at one point, I’m telling you.

John Kindervag (00:34:42):

I know. Believe me, I grew up by the ’70s.

John Verry (00:34:45):

All right. So, step one, define the surface, map the transaction flows, two, architect the environment. Step four, create the zero trust policy. Can you explain that?

John Kindervag (00:34:55):

Yeah, so that’s where everything’s zero trust ultimately is instantiated as a policy. Hopefully, up to layer seven because if you’re trying to do this at layer three and layer four, I mean, when I talk to pen testers and people who know they’re like, “Every attacker knows how to bypass those things, come on.” Port and protocol just doesn’t work anymore, and people try to tell me, “No, it’s gotten better over the years.” No, it hasn’t. I mean, it can’t because TCPIP has its own limitations. So within the constraints of TCPIP, you have to go up to layer seven. So, that’s what you ultimately try to do. And so, the policy construct model is called the Kipling method. It’s named after Rudyard Kipling who gave us the idea of who, what, when, where, why, and how [crosstalk 00:35:39]-

John Verry (00:35:39):

Six Ws, I didn’t know that’s where that came from. I use six Ws all the time, and I never knew that reference. Thank you.

John Kindervag (00:35:46):

Yeah, I keep six honest serving men, and they taught me all I knew. Their names were what, and why, and where, and how, and when, and who. So as a global resource, when you travel around the world, you have to have things that resonate not just in America in English, but everybody in the world has that same concept of who, what, when, where, why, and how. And so, I can define a who statement. Who should have access to a resource? And that’s related to authentication, and identity. And then I can have a what statement, by what application should they be allowed to access a resource? Because every resource is accessed by an application. It may be a simple application like Modbus or maybe a complex application like some sort of custom web app, then I can have when statements. We need a lot more when statements. Most people don’t use this rule.

John Verry (00:36:40):

Is that contextual? Is that the whole of idea it’s a contextual authentication?

John Kindervag (00:36:44):

Yeah.

John Verry (00:36:45):

When and where, I guess, would fit into that contextual bucket a bit.

John Kindervag (00:36:49):

Well, and where is all to locate the resource. If it’s on prem, if you’re in certain environments, you’re going to go to a cloud, but I can only go to the cloud service that’s located in this particular region or country. And then the why statement is usually related to classification. The ultimate goal was this is where I’m going to read your data classification metadata, so I can use that in creating policy. We don’t have enough data being classified yet to make it actionable, but the placeholder is there for it. Thank you, Rudyard. The how statement is the criteria because ultimately every policy statement is finite. All you can do is allow or deny, but you can have massive amounts of data and very complex criteria that you use to determine whether something should be allowed or denied. So, you can… Traditionally, it’s like IPS technology or firewall, maybe sandboxing, or DLP, or user behavior analytics, or some kind of thing that we think of as a separate product. But it really just becomes a criteria metric to see if it’s past that criteria or not.

John Verry (00:37:58):

Gotcha. One question for you with regards to the zero trust policy. When you talk about a policy are we talking about a high level policy like management promulgation, and/or policies in more like technical policies like ACLs, and firewall rules, and things of that nature? Or are we talking both when you talk about a zero trust policy? Is there an overarching more management promulgation? Does this get reflected in my organizational policies, my incident response plans, my password policies, my configuration management, change management? Do I see this propagating through or just at that [crosstalk 00:38:34]?

John Kindervag (00:38:34):

Yeah, you see it propagating through, but this particular policy and step four is the technical instantiation.

John Verry (00:38:38):

Is the technical instantiation. Okay, cool. Gotcha. Okay, so that makes sense. So that’s where the rubber hits the road, basically. Now that we’ve architected the environment, you figured out, okay, I need to segregate this, I need to allow access in these constructs, to these individuals, to these particular assets. And that’s what that actually takes place. And then the last step, of course, is monitor and maintain the environment. So, I guess that’s verify that it’s working the way that we think it is and detect deviations. Is that the idea behind step five?

John Kindervag (00:39:10):

Yeah, that’s where all of your traditional log management comes in, your machine learning, your automation, all of the things that are happening so that you can take all of this data and say, “Is this working? And then what do I need to do to make it work better?” So, we have our own engine. We call it Event Flow, that looks at all of events, all of the data that’s coming into the environments that we’re managing, and we take an automated action 99% of the time, and that’s what you’re trying to get to.

John Kindervag (00:39:40):

And so, what’s fun about this is I always had this concept in mind, even before I knew about anti-fragility from Taleb. The idea that a system under load gets stronger and stronger because it responds to that load. So, he talks about working out. If you work out, you put incredible stress on your body, it gets stronger. And we can do that in a network. That was what I was trying to achieve, and Taleb gave me the vocabulary. So, zero trust is an anti-fragile system. And what’s fun, I was looking at some data earlier this week for one of our clients that’s been a client for 10 years, and we looked at the, here’s the number of events that we processed over the course of 10 years.

John Kindervag (00:40:20):

And then how many manual interventions did we have to do? How many manual engagements? And the curve went down. The more data we had, the more events we looked at, the more we were able to train the system so that we had fewer manual interactions. And I was like, “This works.” I mean, it validated what I had been seeing at small data sets. Now I’m looking at data in the 10s of millions, and I’m seeing, yeah, the more stuff you see, the fewer times you have to interact with it as a human because the machine does the work now.

John Verry (00:40:54):

That’s interesting.

John Kindervag (00:40:55):

So, in our environment, about on average in a production system, about one out of every 100,000 events has to be investigated by a human being.

John Verry (00:41:05):

So, it’s almost like a hermetic response in a human. I mean, that’s really what you’re saying is that the more that we stress, the healthy stress, obviously. So, that’s really interesting. And that hermetic response, that getting stronger, is it based on just the increasing volumes of data or is there an organizational awareness and a feedback loop where we’re continually improving at the same time? Or is it some combination of the two of those, I’m guessing?

John Kindervag (00:41:32):

It’s an absolute combination because the more you learn about it you might say, “Oh, I need to refine my protect surface in this way.”

John Verry (00:41:39):

Yes.

John Kindervag (00:41:39):

Or I need to change your policy statement a little bit. So, yeah, you would automatically always be, that’s a continuous feedback loop. So, it becomes dynamic, and it updates itself over time.

John Verry (00:41:52):

So, as a company, we spend an awful lot of our time, it’s what we’re known for is helping organizations become provably secure and compliant through things like ISO 27001, and CMMC, and FedRAMP, and SOC 2, and all these great frameworks that are out there. So I’m looking at what zero trust does, and I look at what we do, and I think there’s a ton of similarity. So, I want to ask you, when you think about taking zero trust, do you see it as being different? Or do you have different models or have you altered the process at all for those different types of use case? Or is it such a fundamental framework that really, it’s just a matter of applying it within the unique context of each organization and the framework is the framework, guys. Just use the framework, but just understand context, and context comes through defining the protect service. Understanding scope, understanding context.

John Kindervag (00:42:45):

Yeah, we use zero trust as a way to simplify making somebody ISO 27000 compliant or one of the reports I wrote at Forrester was about how you could simplify cybersecurity for government who had to do 853 at the time by leveraging zero trust and apply these ideas to all of these policies. So, you look at all the policy constructs, whether it’s HIPAA, HITRUST, SOC 2, blah, blah, blah, all these tactical controls. Well, then we can bring them into the strategy, and then map them so that you just do one thing, and it covers a whole bunch of things that are technical. So, yeah, it becomes the strategy. And so, this is designed to be strategically resonant to the highest levels of any organization.

John Kindervag (00:43:33):

I’ve given presentations to boards of directors, CEOs, chief risk officers, chief legal officers, chief manufacturing officers, generals, admirals, heads of various government agencies around the world, they all get the strategic idea. And then that what they do, where their value is, they change the incentive structure and say, “It’s okay to do this.” Because this is still considered new to a lot of the operators, the people who are doing the job, and they’re afraid of doing anything different because they might get in trouble. Right. And so, if they have the right incentives to say, “Yeah, you won’t get in trouble for doing this.” This is what President Biden has done for me. He’s changed the incentive structure, so that you can’t get in trouble for doing zero trust. [crosstalk 00:44:22].

John Verry (00:44:22):

You say he did it for you, I mean, literally. If somebody wants to go to management right now and say, “Hey, I think we should move to zero trust.” This is not a matter of that they’re out on a ledge here and adopting something, which is a fantastic sounding idea. This is, hey, here is who’s behind me right now. And so, I think you’re at a point now where if you’re listening to this, and you’re thinking, “Oh, that would never fly, bullshit,” because I don’t know any board member right now or any CXO who with that level of support behind something and perhaps somebody who’s struggling to be, no, this is secure, wouldn’t look at this and go, “Okay, let’s talk about it.”

John Verry (00:45:01):

So, I have one question there because I think this is going to be the next logical question is, okay, this sounds great, but I can’t tell you how many times I talk to people about doing something from a security perspective, and they’re like, “Yeah, yeah, but how is that going to impact our operational effectiveness? Are people still going to be able to do their job? I can’t afford for this person not to be able to get to this data when they need it. I can’t afford 17 logins and passwords that change once a day. So, talk a little bit about, how much impact will zero trust have on conventional operational effectiveness and efficiency of operations?

John Kindervag (00:45:39):

Well, that’s why we do it incrementally, first of all, so that we can’t screw up everything all at once. It’s a mistake, and there will be. We’re human beings doing things that are incredibly complex. I’m never amazed that things don’t… Things breaking [crosstalk 00:45:54]-

John Verry (00:45:54):

I’m amazed things work.

John Kindervag (00:45:55):

Yeah. When you watch the whole process from the beginning to now you go, “Wow, this is amazing.” But generally, it’s transparent to the user. So, a user won’t know they’re on a zero trust environment unless Ed Snowden goes, “Hey, I was just about to download all this data, and send it to WikiLeaks. Now, I can’t.” So, now he has to decide, should I open up a help desk ticket to get access to this resource? What is my reason? Well, I was about to steal this for WikiLeaks. In general, if somebody can’t get access to data, then there’s two things. One is they don’t need to have access to it. They might have used to have access to it. But then somebody has to say, “Do they need to have access to do their job?” Or second, yeah, there was just something didn’t go right. And so, now we’re immediately going to give you access to it. And we can change that policy dynamically pretty quickly through our mechanism.

John Kindervag (00:46:53):

And so, those are the only two outcomes. So, it doesn’t impact people in a negative way, planning to do something malicious, or they just liked having to feel the power of having access to everything, even though they didn’t need it, but it’s like me. I know you do a lot of work in the government, and I do, too. Over the years, so many people said, “No, we’ll sponsor you for your clearances. I don’t have any clearances. So, no, I don’t want a clearance. Well, no, everybody wants clearance. I don’t want a clearance. Why not? [crosstalk 00:47:24].

John Verry (00:47:24):

It’s a liability.

John Kindervag (00:47:28):

Well, that’s true. But also, look, I don’t need to have access to any of your data to do my job for you, which is this high level architectural design. So, if we’re doing this real zero trust thing, then you should ask, “Does John need to have access to the data?” And the answer is no, then we won’t give him a clearance. And I like being a guy that they walk through with the flashing red light going unclear, unclear. It’s like that Monty Python movie, clean. I like being that guy. I get to see how many people are playing solitaire as they turn off their computer screens. But why give me access to that? Why give me a clearance? I don’t need that, and that’s the question. We give too much access to too much data to too many people for no reason except that’s the way we’ve always done it.

John Verry (00:48:10):

Yep. Let me ask a question. Are you an engineer by training?

John Kindervag (00:48:13):

Yeah. Network engineer, broadcast [crosstalk 00:48:15]-

John Verry (00:48:16):

Oh, a network engineer, not an engineering degree.

John Kindervag (00:48:17):

I’m not an engineer.

John Verry (00:48:19):

You strike me as an engineer. I’m an engineer.

John Kindervag (00:48:22):

I’ve been accused of being a mathematician once. [crosstalk 00:48:25].

John Verry (00:48:24):

I mean that as a compliment because just the way that you attack and think through problems is so logically structured, and that’s such a fundamental engineering concept.

John Kindervag (00:48:32):

I worked for TI for a number of years as a contractor. I just think osmosis… I got to be with Jack Kilby on the day he won his Nobel Prize for creating the integrated processor, which is the-

John Verry (00:48:46):

That’s cool as hell.

John Kindervag (00:48:47):

To spend a day with Jack Kilby, man. I mean, just-

John Verry (00:48:51):

Kilby is amazing, and he’s definitely one of the titans of our industry. I had the opportunity to work with a guy by the name of Dr. Arthur Ashe, and he won the Nobel Prize for he was the first guy to isolate a virus with laser tweezers. And I had helped him with all of the optics of the design. I was working for Carl Zeiss, which was [crosstalk 00:49:09] at the time. It is so cool to be in the presence of genius. You know what I mean? It really is. I love really smart people like I’m a Leonardo da Vinci fanatic. I mean, I just love… I would love to have met him. If you asked me one person in the history of the world, that would be the person I’d want to meet. Because I just think he was brilliant in so many different disciplines.

John Kindervag (00:49:31):

Well, I mean, and there’s so many people. That’s what I like. In fact, I’m trying to figure out how to document the history of the internet and internet security as a side project. We just launched Stan Kaminski a few weeks ago. [crosstalk 00:49:43].

John Verry (00:49:43):

No, I knew of him. I’ve never met him.

John Kindervag (00:49:47):

I knew him pretty well. And I met him first in 2007, and we were both speaking at Tour Con in San Diego and that was my first interaction with him and then I have interacted with him many, many times since then. I had dinner with him and all that stuff. I wouldn’t say we’re good friends, but we were well known acquaintances in the business, and we would talk a lot. I realized nobody documented all the things that he brought to this business, except anecdotally, and now we’re going back and telling the anecdotes. Like he told me once, well, in 2007, no one will ever allow JavaScript to execute on the client side because it’s too dangerous, and he was right and wrong. We will allow it, but it is too dangerous.

John Verry (00:50:33):

This is dangerous as he thought it was.

John Kindervag (00:50:35):

Yeah, yeah.

John Verry (00:50:39):

On your project… I was just saying your project, do you know Bill Cheswick?

John Kindervag (00:50:43):

I do not.

John Verry (00:50:43):

Cheswick is a brilliant guy. He came out of AT&T Bell Labs, and he was the first guy to actually map the internet. And then he ended up starting a company and the name just escaped me, dammit. But he created Lumeta.

John Kindervag (00:50:58):

Oh, yeah. I know Lumeta, yeah.

John Verry (00:51:00):

Okay. So, Cheswick was the guy who founded Lumeta, and I had the privilege of meeting him once. My wife worked at AT&T, and I just happen to go to a Christmas party, and chatted with him briefly. But anyway, he would be a guy that would probably know an awful lot about that based on the work that he did both at AT&T as well as Lumeta in terms of that early internet security and what exactly was occurring because he did some fascinating work.

John Kindervag (00:51:25):

There was a guy named Rodney Joffe over at… I think he’s still at Neustar, but he created… He was one of the progenitors of DNS, but he and Postel used to go around and do domain registration in the early days of the internet. But the internet was so small, they kept it in a notebook and wrote it down by hand. Postel passed away, but Rodney is still alive. I’m trying to get ahold of him to do an interview with him because I want to document that. But, I mean, that’s something maybe as a community, we could figure out how to do, but it’s just a fascinating thing because it’s one of the rare businesses that has matured very, very quickly over 30 years.

John Kindervag (00:52:08):

I mean, Jack Kilby and Bob Noyce, both created integrated circuits in 1957. Independently of each other and always shared the credit. Noyce died before the Nobel Prize was awarded, so they couldn’t award it to him. Kilby originally didn’t want to accept the prize because Noyce was dead. Intel had to call Kilby and say, “Yes, it’s okay for you to accept the Nobel Prize.” Because that’s what Bob Noyce would have wanted. 1957 was the beginning of this. That’s not that long ago for an industry that’s this mature. It took typewriters longer to mature. And so the pace of change has been so amazing. And that’s what’s interesting about cybersecurity is because the attackers will come up with these ways of thinking that we never thought about.

John Kindervag (00:52:55):

And so, I heard somebody say, “Well, we just need to eliminate vulnerabilities. We’ll just outlaw vulnerabilities once.” Somebody was saying that to me. I was like, “No, not going to happen because what’s not vulnerable today might be vulnerable tomorrow because somebody thought of it in a way that you can’t think of it.” Just because you didn’t think of it doesn’t mean it can’t happen. And that’s how I view the world. And so, yeah, that’s what makes it fun, though. We’re an adversarial business, and a military general a few years ago, he said, “John, I fought my wars, you go out and fight this one. It’s as important war as the ones that I fought.”

John Kindervag (00:53:37):

That inspires me every day to think about that because it’s like what he did for our country was so incredible. And it made me realize that what we’re doing it for the country and for the world is pretty incredible, too. And if we can get ahead of this and defeat some of these things. I mean, there’s ways of making ransomware not a problem, and it’s not signing law making it illegal to pay the ransom. I mean, there’s a good incentive, but there’s technical controls that we can put in place to solve it so let’s do it.

John Verry (00:54:09):

Yep. Listen, this has been awesome. Any last thoughts before we start our wrap up here?

John Kindervag (00:54:17):

No, I mean, I just want to thank you for having me on, man.

John Verry (00:54:20):

Thank you for coming on. I really looked forward to meeting you, and you didn’t disappoint.

John Kindervag (00:54:25):

Thank you.

John Verry (00:54:26):

I’m a fan of zero trust and the stuff that you bring, and I’m thrilled for you that the world has paid so much attention to it recently. I think you guys are really going to get a lot of traction with it. So, I don’t know if you prepared because I did send you it ahead of time. Did you see the question about the amazing or horrible CISO? Are you prepared for that one, or should we skip it?

John Kindervag (00:54:46):

No, I vaguely remember it. Go ahead and ask the question.

John Verry (00:54:49):

I’ll ask question. We’ll see how quick you are on your feet here. So, what fictional character or real person do you think would make an amazing or horrible CISO and why?

John Kindervag (00:54:58):

Captain Ahab would make an amazing CISO because he would never give up. Nothing would stop him from achieving it. He would go after that problem until everything is over. So, I think he would make… He’d also be hard to work for, but he would make an amazing CISO.

John Verry (00:55:18):

But aren’t so many of the really brilliant people hard to work for?

John Kindervag (00:55:23):

Probably, right. I think that’s changing because culturally there was a time when it was like mad men and you were supposed to be this tough mean person. And then we have people who understand how to motivate people differently. So, that’s changing. I think the really good CISO are actually good to work for. I mean, I know some of them that just people really love them because I knew one guy who left and his people were crying because… Yeah, he pushed him hard. He made them accountable. But he gave them those affirmations that you’re doing a good job because that’s what people don’t know. You can easily see when somebody is doing a bad job, or when a breach happened, or some event happened. And you should have caught that, what are you, and blah, blah, blah. But do they say day to day, “Look at all this stuff that we caught. This is amazing. You made us safer today.” People are starting to understand that. Malcolm Harkins, a guy like that, he wrote a book about that, and he’s the prototype of that modern CISO who understands the soft skills and the hard skills.

John Verry (00:56:30):

Yeah. I just realized there’s one thing we didn’t cover is that it would be very important for anyone listening to know that all they have to do is buy one product from a vendor that tells them it’s a zero trust product, and they have zero trust. John, I mean, it’s literally that simple. I know I piss you off. I didn’t do that earlier in the conversation because I knew I was going to piss you off. I mean, it’s so funny how everybody, whenever something’s hot, everybody paints their product with that colored paint. So, just to be real clear to people, zero trust is not a product.

John Kindervag (00:57:04):

No, it’s not.

John Verry (00:57:06):

Zero trust is a model, it’s a principle, it’s a framework. And that you can probably use almost any product, even one that doesn’t claim to be zero trust when you implement that product, right?

John Kindervag (00:57:17):

Absolutely.

John Verry (00:57:19):

It’s all about just ensuring that we’re providing that access, only based on those six Ws that you outlined earlier. Fundamentally, really boiled down because I laugh every day when they… Buy our zero trust product. And I’m like, “Oh, John’s not going to be happy about that.”

John Kindervag (00:57:35):

It’s not even that I’m not… It’s not happy or sad. It’s like, I look at those people as force multipliers in marketing for me. So, hey, I’m the FRAM oil filter of zero trust. You’re going to pay me now or you’re going to pay me later. But at some point, you’re going to come back to this. And that’s happened all the time. I tried to do it this way with this product, and it didn’t do it. And so, like MFA, MFA gives you zero trust. No, there’s so many ways to break MFA, and MFA is an important thing contextually to have, but it’s not a panacea. [crosstalk 00:58:08].

John Verry (00:58:08):

Yeah, I mean, and people will… I literally had a client that said, “We use zero trust.” I said, “That’s great. What you do?” “We put in plan and we’ll use the vendor’s name. We put in place this solution.” I’m like, “Great. Let’s talk about your internal network architecture.” “What do you mean?” So, basically, you have MFA into an incredibly wide open trusted network on the backend. Yes, that’s not MFA. I mean, that’s not zero trust. Excuse me.

John Kindervag (00:58:33):

Yeah. I get where you’re going, yeah.

John Verry (00:58:36):

Yeah. All right. Well, listen, this has been awesome. If somebody listened, so correct me if I’m wrong. The MSSP that you’re at now, ON2IT, is this is what you do every day, all day is help people implement zero trust. And you’re probably unique in the MSSP community, or very few entities. Certainly, you’re going to be the most knowledgeable MSSP out there doing it. How would people get in touch if they would like to work with ON2IT?

John Kindervag (00:59:00):

You can send an email to zerotrust&on2it.net That’s an easy way. You can connect with me on LinkedIn. You can shout out to me @Kindervag, and I’m pretty easy. I can’t be stealthy anymore. It’s hard to be stealthy, but I’m easy to find, and I love talking to people. And that’s what I love about this businesses is everybody helps each other out if they’re doing it right. If somebody is not helping you out, then you don’t want to work with them. I love the interactivity of this. I love the people who are in the business. It’s just a great business to be in.

John Verry (00:59:38):

Yeah, you and me both, sir. Well, thank you so much. I appreciate taking so much time on a Friday afternoon, and look forward to catching up with you in the future.

John Kindervag (00:59:48):

Thank you so much, John.

Narrator (Intro/Outro) (00:59:50):

You’ve been listening to the virtual CISO podcast. As you probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered or you need some help you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.