
Inside Zero Trust: John Kindervag and the Evolution of Cybersecurity In this episode of Cybersecurity Today: Weekend Edition, host Jim Love speaks with John Kindervag, the pioneer behind the Zero Trust model of cybersecurity. With over 25 years of...
John Kindervag
And if there is a data breach in your organization, you allowed it to happen. All bad things happen inside of an allow rule. You have to allow it. You're not an innocent victim of cybercrime, but you have bad policies in place and you allowed it to happen and you didn't see it happening.
Jim Love
Right?
Welcome to Cybersecurity Today, the Weekend Edition. John Kindervag is considered one of the world's foremost cybersecurity experts, with over 25 years of experience as a practitioner and industry analyst. He's best known for creating the revolutionary Zero Trust model of cybersecurity while he was a vice president and principal analyst on the security and risk team at Forrester Research. Today, John is the chief evangelist of a firm called Illumio. I truly value a person who says what they think. My only prerequisite is that he or she actually thinks before they say what they think. As the first clip I played indicates, John is opinionated and forceful, but also incredibly thoughtful and hellishly interesting. Join me for a fascinating discussion with the godfather of Zero Trust. Great to meet you.
John Kindervag
Nice to meet you.
Jim Love
The godfather of Zero Trust. You wince at that or is that something you proudly accept?
John Kindervag
Yeah, I mean, that's a nickname that other people have given me. So, you know, yeah, sure, that's cool. I mean, there's a lot worse things that people could say about me. So, yeah, it's an honorific that I accept graciously.
Jim Love
But it does mean that you've been involved with this from the start. What was the original idea? And I've seen it from a distance. But what was the concept that hit you when you first started to think about Zero Trust?
John Kindervag
So, you know, at the turn of the century, I was installing firewalls, and firewalls have different interfaces and they're labeled by a trust level from 0 to 100. And so your internal network is your trusted network. It has the high trust level of 100. And your external network has a low trust level of zero. And then every other interface had a different trust level that was between 1 and 99, and they couldn't be the same. And then that trust level that you assign to an interface determined policy. So by default, you didn't need to put a rule in for traffic going outbound. And I said, this is silly. We need to put rules in for outbound traffic. And my customers, the vendors and the company I was working for said, no, that's not how it works. It's right here in the manual. You don't need to have a rule, so don't do that. Quit putting outbound rules on. And I said, but if somebody gets inside, they can automatically exfiltrate all this data. No one will ever know. They said, well, but that's not how it's set up. And you know, that's not how the trust model works. I said there should be no trust model. There should be no trust in packets. There should be that every interface and every packet should have the same trust level, and that trust level should be zero. And that's where Zero Trust comes from.
Jim Love
And we even talked in terms of, like, a demilitarized zone, as if we could somehow declare that some areas were free or non-combative at those times.
John Kindervag
Yeah, well, those were just different interfaces that had a different trust level. So your first DMZ, you would put it at, say, 50, and then traffic going from the internal network, from zero to the DMZ, didn't need to have a rule because that had a higher trust level or a lower trust level. So you just went, you didn't need to put a policy there. So you always had bad policy that only cared about inbound traffic, and not what was going out.
Jim Love
And now today I think there's nobody out there who isn't tremendously concerned about outbound traffic. They might not be monitoring it as well as they should, or dealing with it as well as they should. So you started to formulate the concept of zero trust. And where did you go from there?
John Kindervag
Well, I went to Forrester Research. And so they're the ones who gave me the opportunity and runway to do the research. So I could never have done this if I hadn't gone to Forrester Research. I was there for eight and a half years and it was a pure research organization. It's what universities should be.
Jim Love
Right.
John Kindervag
So our motto, what we were told the first day of analyst training, was they wrote it up on the board: here's your mission statement. Big, big thoughts. And so nothing was out of bounds. And we had these terms, widen your aperture, you know, put a different lens on it, look at it from a different perspective. And so you were always trying to kind of rotate an idea around in 3D and go in and out of it and all that kind of stuff. And if I hadn't had that opportunity, there was no vendor who would have ever let me do that. And there would have been no university who would ever have let me do that if I was a college professor. Because we have peer review, which always inhibits innovation.
Jim Love
Right.
John Kindervag
There's a whole, you should do a whole podcast on the history of peer review, because it's a fascinating subject.
Jim Love
Not sure I could do that. I was one of those profs who came in. I was at one of the major universities, and I had to sit with a bunch of people and bite my tongue while people told me about how I didn't teach in an academic enough way. I have, by the way, no desire to dump on academia. Learning things, testing things. Having that discipline is a wonderful thing. But if what you're teaching students isn't applicable in the real world, or if you're criticizing it because it works in the real world but not in theory, it's a problem. But I don't want to go into my history. I want to go back to yours. What was it like? You were a tech guy who ended up at Forrester. Like, my impression of these guys is that at the time they were there, and I haven't followed them in the past few years, they were the smartest people around.
John Kindervag
Very smart people. I got lucky. The founder, the CEO, still the CEO, George Forrester Colony, which is where you get the name from, his middle name, said, we need to put the S back in security. To him, it was getting too academic, and it wasn't, we need to find a real practitioner. We need a practitioner. And so I got lucky. I knew somebody at Forrester, and they said, we know somebody who, you know, designs networks and does penetration testing and all this stuff. And so I went in and interviewed. They said, you want to be an analyst? And I said, sure. What's an analyst? I didn't even know what an analyst was, really. And I got the job. And my first day was like, what do I do? I didn't even know what to do. But it was a great education. And coming from my background, you know, as a security architect, engineer, network engineer, all that kind of stuff, was a great background to be an analyst, because I knew things that weren't just hypothetical, they were real world. You know, I had built networks. I had installed firewalls and routers and switches and, you know, all the things that I was covering. So, you know, there was a deep amount of practical knowledge that I was able to bring to that.
Jim Love
Yeah, it's a funny place to be. And I started my consulting career at Ernst and Young, just at the top. And I'd never. I'd hired consultants. I'd never been one. I remember still sitting in one room, looking at a whiteboard, seeing this wonderful diagram and going, there's only one small problem with this. The partner looked at me, said, what? I said, that middle part hasn't been invented yet.
John Kindervag
Yeah, you're right.
Jim Love
So to their wonderment, and smart people, they accepted there was a tension there when you're dealing with the theoretical versus the practical. We discussed it, and they were glad to have that expertise there, at least most of the time.
Right.
So how long did this take you to come up with the first, what would you call your first version of Zero Trust?
John Kindervag
There were two years of primary research once I got to Forrester. I'd been thinking about the problem since I encountered this trust model installing firewalls. So I'd been thinking about the problem for nearly a decade, and, you know, luckily, the best thing that ever happened to me, actually, was I got fired from a job because I refused to not put outbound rules in. And I ignored the trust model and I started doing better policy, which made a bunch of people mad. To think that you're doing it better makes people mad. But that's a very common thing in our business. And so then, from 2008 to 2010, I did primary research. I did some test speeches and things on it. And then I wrote the first paper in September of 2010, "No More Chewy Centers."
Jim Love
So you've got this. You've put this idea together. When did you know you had a complete idea? We all have ideas. Something that's actually going to form part of the mainstream of tech ideas moving forward, that's a big deal. When did you know it was going to work?
John Kindervag
When I knew it was ready to write.
Jim Love
Oh, yeah.
John Kindervag
So, yeah, I'd done enough primary research. I'd gone around the world, I'd gone to people, I'd asked them to poke holes in it. I built prototype environments. I knew it would work. I would talk to people who were really smart. They said, we don't see why this won't work. You know, there were some people who said, well, we don't think it's going to catch on because no one will want to do it. This is just so embedded into our culture, this trust model thing. But I got called in to meet with a lot of important people, some from vendors, some from the government, some from foreign governments. They were like, let's talk about this. And then some people said, let's start building it. So I was building Zero Trust environments before the paper was ever written.
Jim Love
Wow.
And from my perspective at least, it's one of those things I've heard people talk about.
John Kindervag
A lot.
Jim Love
I've seen very, very few good implementations. That might be the limits of my experience. But I've heard a lot of people talk about it, but a lot of people started it and they almost. I don't know how to describe this, but you almost get to that sort of thing where we're doing zero trust, but in our own way, you know what I mean? And that usually means we ignored the hard work. Is it hard work?
John Kindervag
No, it's not hard work. It's simple if you follow the right methodology. But a lot of people don't. The people who do it well don't talk about it. As one guy said to me who had put one in a very important place, he said, John, Zero Trust is like Fight Club. The first rule is you don't talk about it, right? So of all the best Zero Trust implementations out there, there's a few of them people are talking about, but most of them, they're not talking about. They, you know, they don't feel the need to brag about it. When people do it badly, they feel the need to complain about it so that they can have an excuse for not doing it right. So. But most people, the big failures are they think it's a product. I bought this product and now it's, you know. Well, no, it's not a product. And then most people try to go too big. They try to do it all at once, for everything. And that never works. So they don't understand the context of protect surface, asking, what am I going to protect? So then, if you want to determine who knows Zero Trust versus who's just pretending they know Zero Trust, ask them to tell you about a protect surface. So the protect surface is the inversion of the attack surface. The attack surface is unmanageable, right? It's always growing. It's like the universe, it's constantly expanding. You can't manage it, you can't control it. It's outside of your control. What do I need to protect, right? What data do I need to protect? What assets do I need to protect? What services do I need to protect? These are known as DAAS elements. So we take a single DAAS element, put it into a single protect surface, and we build out Zero Trust one protect surface at a time. So you end up with, like, at a bank that I've done that's very successful, they won't talk about it, but that had different protect surfaces. Their ATM system is a protect surface. Their SWIFT system is a protect surface.
Their mainframe that does all the financial transactions is a protect surface. Their DNS system is a protect surface. They have, like, 28 different protect surfaces that they can then monitor, maintain and mature. But they built it out one protect surface at a time. And so that's the secret to Zero Trust, is understanding that it's not about what are the threats, it's not about what is the product, it's about what am I trying to protect. And until you know the answer to that, you'll never move forward.
Jim Love
And people have heard it phrased a number of ways. You know, people say, what are your crown jewels? What are the things that are most important to you? And I guess there's always a difficulty in having that discussion. I've always had sympathy for the guys that come up with their PowerPoint and their discussion and try and talk with the business about what they need to protect and get those types of conversations going. Did you ever stumble across that, that it was difficult to get people to give you that type of information?
John Kindervag
Well, because they didn't know, but I know how to get them to tell me that. So, you know, I've done dozens and dozens of workshops that are cross functional, that include leadership because you have to ask leaders what needs to be protected.
Jim Love
Right.
John Kindervag
So the leaders always know. But we in cyber security tend to talk to the practitioner who doesn't know what to protect. Which is why they want it to be a product.
Jim Love
Right?
John Kindervag
Because then I can just buy something and hope that something gets protected. But they don't know exactly what they have. They don't know how important it is to the business. They don't understand the objectives of the business and they kind of don't care about the objectives of the business. So they just don't want things to break.
Jim Love
Right.
John Kindervag
So if we have the CIA triangle, you know about the CIA triangle, right? Which, of course, but the CIA triangle is kind of this bizarre thing that no one knows where it came from. But we talk about it like it's sacrosanct, like it's sacred.
Jim Love
I am going to make you explain it though, because even though I know it, we've got.
John Kindervag
So you have this supposedly equilateral triangle where you're trying to balance three things: confidentiality, integrity and availability. Those three things are supposed to be in balance. In reality, all anybody cares about is availability. So it's not an equilateral triangle. It's a, I can't do an isosceles triangle with five fingers. But the hypotenuse is really, really long, and that's called availability, and that's all we care about. And then there's a really small part that's the C. It's supposed to be confidentiality, but it's really compromised. We've got a lot of highly available, yet compromised networks, so I can't tell you. I mean, I was in an office of a CEO. He had just had the Department of Justice come in and push a file and said, how come all your really important intellectual property for this government contract was found on the server of something we took down in an adversarial nation state? Oh, no, that can't be. Let me call the CIO. No, the network's up and running, everything's fine. Call the CISO. The network's up and running, everything's fine.
Jim Love
Right.
John Kindervag
Call the head of networking. The network's up and running, everything's fine. No, just the fact that the network is up and running doesn't mean that everything's fine. In fact, it might. As one friend of mine says, unexplained uptime could be evidence of a data breach. Right, because the attackers never take the network down. In fact, I know of times when the networks have been reconfigured and the attackers made the networks better to optimize their ability to steal stuff. And no one knew. So when somebody says, well, we're not in a breach condition, nothing bad is happening, everything's fine. How do you know? Do you have any visibility into that? Because we don't.
Jim Love
Right.
John Kindervag
Which is why I came to Illumio, because I wanted to have that visibility. I wanted to have that map. I wanted to understand where the important resources were so that I could understand how to put them in protect surfaces. And I could go through the five-step methodology. And I could build these Zero Trust environments very easily, quickly and inexpensively.
Jim Love
So getting the concept of the protect surface, and I confess, I learned most about what I know about cybersecurity from a lawyer who talked to me about how much risk the business wanted to take, and gave me one of the best questions I ever had to ask. Somebody said, okay, how much risk do you want to take, instead of trying to push? And that's where I got to a different place. Because I wasn't trying to push anything. I was saying, you could have no expense at all, but you have 100% risk. Where's your trade-off? And I think that was one of the ways to open the discussion. How do you open that discussion?
John Kindervag
Well, I don't talk about risk at all. I think risk is bogus. So I have a whole thread of research that I'm doing now called Risk is Danger. We need to move from risk management to danger management, because risk assumes a probabilistic statement that you can't make in cybersecurity, right? So we define risk as probability times impact, and no one knows what the impact is, right? I mean, you go back to the Sony PlayStation Network going down. If I went back in my DeLorean and got my flux capacitor going and went up to 88 miles an hour and went back to Howard Stringer, the CEO of Sony who got fired because the PlayStation Network was down for six or eight weeks or whatever it is, and said, if your people don't upgrade these Apache servers, you know, in three weeks you're going to be down, and you're going to be down for weeks and weeks and weeks, and it's going to cost you your job, and it's going to be, you know, many, many millions of dollars. And they'd say, our risk management people have said that's not possible. Well, okay, but it happened, right? So the impossible happens all the time. So I said we need to focus on danger. And this comes from, and you can find it on YouTube, a speech I did called Risk is Danger, because my nephew, his name is Steven Danger, Danger is his middle name, got neuroblastoma cancer when he was four years old. Now the probabilities of getting neuroblastoma cancer are less than 1%. And then they told us that he had a 2% chance of survival, and he's alive because the probabilities didn't work out. And so he shaved my head for cancer a year ago. That's why I'm bald. I've given this speech, and I, you know, gave it in front of 1500 people at HOU.SEC.CON in Houston last September, and I had 1500 people crying at the end of the speech when he came out, because I didn't tell whether he lived or died. I told the story of how I got to thinking about risk versus danger and why we need to look at things from a danger management perspective, right?
So that's dangerous. When I tell you that's dangerous, that's not something you can accept. The problem with risk is you can accept it because you don't understand it. And there's so many variables. I tried first going the old-school way and building an actuarial table for cybersecurity. I went to really top-notch actuaries and I got the same answer. Too many variables. You can never build an actuarial table. The author of Antifragile says, imagine a world where you have a die with unlimited sides, so you can roll it and get any outcome, but you can never predict that outcome. It's unpredictable. You can't define a probability about it. And that's what cybersecurity is. So, you know, there's a few people who really hate the idea of Risk is Danger. And I've had a bunch of screeds written on LinkedIn about it, and I don't pay any attention to that, but I've had a few people who said, I went to my CEO and told him about that concept. And we're redoing our program, so we're focusing on danger management instead of risk management. And that's typically how it goes. If you look at it from a macro level, it'll look like that's a stupid idea, nobody's doing it. But from a micro level, you'll find that this important person in this important company, that really resonated, and they're doing it, but they're not going to tell anybody about it because they don't want to sound like, well, you know, we're way out on the edge of weird ideas.
Jim Love
You know, great concept, but the question I'd have is, how do you prioritize if all you've got is one element, danger?
John Kindervag
Well, it works within the Zero Trust framework, so you prioritize it based upon the sensitivity or criticality of the protect surface.
Jim Love
So you're constantly working on that. But what if you have multiple decisions to make about that protect surface? How do you refine those?
John Kindervag
Well, in terms of, like, I've got multiple things that I think are dangerous.
Jim Love
There's only so much budget you can spend and so many things you can do, even though we know that this is an old tech service, but how do I make those business decisions?
John Kindervag
On the back end, there's a whole maturity model assigned to protect surfaces, so you can see how mature each one is. And then you can prioritize where you want to put that effort in and where it goes when you do it. That way you can go, oh, my PCI protect surface. You know, I'm an acquiring bank, I process credit cards. My PCI environment has a low level of maturity. Where am I missing things? And then, okay, I'm going to put some effort here because there's dangerous things going on here. A lot of it is about changing incentives. Incentives is the other thing that I talk about a lot. You know, Warren Buffett's partner, Charlie Munger, used to say, show me the incentives and I'll show you the outcome. The reason we have such bad outcomes in cybersecurity is because we have bad incentives. I wrote about that for the Financial Times earlier this year, and it's still a big concept. I have a speech called Channeling Charlie Munger where I talk about that. Because we don't have good incentives, most people are managing their own downside personal risk. I don't want to do anything, because if I do something and it goes bad, I get blamed. But if something goes bad and I didn't do anything, I say I didn't do that. And so instead of managing the upside potential for the organization, most people are managing their own personal downside risk, because from a managerial perspective, they had bad incentives. They're going to get blamed if something goes wrong. Instead of somebody going, man, you really were on to something.
Jim Love
Right.
John Kindervag
It didn't turn out right, but you were on the right thread, and we need to do it better the next time. But you were right on. And no one feels confident to try to make things better. No one wants to make things better when they're in the trenches. Which is why I kept getting in trouble in some of my previous jobs, because I wanted to make things better. And that can get you in trouble. I watched an entire financial database exfiltrate live to an adversary in a foreign country. And I said, let's shut it down. No, I'll get in trouble if we shut it down. All we got to do is pull this one wire. Well, no, no, we'll get in trouble, right? Because if we can't go down, it's okay if all of our data gets exfiltrated, because that won't be a public thing. But if we go down, that's a public thing. So you go back to, say, the Target data breach, which is where I think cybersecurity began, that happened in 2013. And I say everything before that is BT, before Target. So we're now in the year, what, 12 after Target. Because that's the first time a CEO got fired because of something IT did or didn't do, which was allow a data breach. So the only thing that IT can do to get the CEO fired is to allow a data breach. And if there is a data breach in your organization, you allowed it to happen. All bad things happen inside of an allow rule. You have to allow it. You're not an innocent victim of cybercrime; you have bad policies in place and you allowed it to happen and you didn't see it happening.
Jim Love
Right.
John Kindervag
And so there were people at Target going, we need to pull the plug.
Jim Love
Right?
John Kindervag
I mean, I would talk to some people afterwards. We need to just unplug. We can't do that. It's Black Friday. You know, we're making all our money. Well, why did the attackers attack on Black Friday? They attacked on Black Friday because, one, that's got the most amount of credit card data, and they were trying to steal credit card data. Two, they were in a change freeze. Three, a whole lot of people were on vacation because they were told, go on vacation. You're not allowed to make any changes, so you got nothing to do here. And as a result, not only was the CEO fired, there were lots of other consequences. Target, of course, doesn't talk about it, but try to find a Target store in Canada.
Jim Love
You can't.
John Kindervag
They're all gone. Why? Because they ran out of money to fix the operational issues. So they said, well, we don't have any money to fix Canadian Target stores, so we're just going to withdraw from Canada. That was a direct result of the data breach.
Jim Love
So you've raised some interesting points, one of them being the cultural issues that are associated with cybersecurity. You know, I mean, I always think that the reason why we have CISOs is so the CEOs got somebody to fire before they fire him or her. Sorry, I get a little cynical as I get older.
John Kindervag
No, no, you're right. Right on. I always tell every CISO they should have a T-shirt that has the word CISO right here. And then they have two tire tracks above and below it, because my job is to get thrown under the bus, and then they back it up, forward and backward, over and over again.
Jim Love
But this whole concept of building a culture of, you know, and this is why I kept pursuing this in terms of prioritization, because one of the attitudes I get is, you've raised the first attitude, which I think is, don't touch it, because you're going to get blamed. The second one is, I can't do everything, so I'm not going to do anything.
John Kindervag
Right.
Jim Love
And that, I think, you address with your maturity model. But that's been one of the big things in cybersecurity. Well, we can't do all this stuff. Well, what are you going to do as an IT person? I didn't start out as a cybersecurity person. I was an IT person. I ended up being in charge of cybersecurity because I became a CIO before we had CISOs. And that was my big thing: hey, you're suddenly in charge of all this stuff and you have to think a new way. I thought like a developer or an operator. I didn't think like a cybersecurity person. And understanding that culture was, I think, one of the, there's a leap you have to make, there's a learning you have to make.
John Kindervag
You know, your technical background gave you the acumen to understand. We have a lot of people who don't have that acumen in those high-level roles now, because they came from consulting, they came from governance or risk or compliance. They were auditors. They don't understand how a packet moves from point A to point B. It's amazing how many people who are in these high-level jobs that I talk to don't understand how a packet moves, or what a packet is, or what the OSI model is, or any of that stuff that is fundamental to how things work. And so I was talking to somebody recently: I don't care about the network because I'm in charge of the cloud. And I said, there's networks in the cloud. And they're like, I hadn't thought about it that way. And then I had one person who tried to convince me that there weren't networks in the cloud. The cloud didn't have any networks. You didn't have to worry about networks because there were no networks in the cloud. So you got a lot of people who didn't come up through the trenches like you and I.
Jim Love
Right.
John Kindervag
And so as a result, they don't know how it works.
Jim Love
Right.
John Kindervag
So, like, I don't know if it's the current CEO of UPS or the previous CEO of UPS, but he started off in college loading trucks at night, and then he did every single job at UPS before he became the CEO. You don't think he understood exactly how UPS worked, right? But you'll run into a lot of places where somebody came in and they just had executive experience. In fact, I had one CEO tell me, well, you know what I do? I take the people who have great management potential and I want to put them in someplace so that they can learn and get experience, but it doesn't matter. So I put them in IT and make them a CIO or a CISO, because that doesn't matter, before they get into logistics or sales or something else. And I just looked at that guy, I was like, okay, your entire business, in fact, I think I said this to him and I don't think he'd ever thought about this: your entire business depends on whether that IT system works. If it goes down, you don't have a business.
Jim Love
Right.
John Kindervag
There's no business in the world today that I can think of that, if the computational systems don't work, you can still operate. You know, and I come from a farm in Nebraska. We didn't need computers. Now on our farm, which my cousin runs now, our family homesteaded in 1871. Right. So it's 120 some years old now. Everything's dependent upon some kind of computer system. In fact, if your tractor breaks down, you can't fix it yourself.
Jim Love
Right.
John Kindervag
You have to call the John Deere dealer who's 40 miles away, and they have to come out and, you know, then they have somebody who plugs it in and goes like this. So we keep a couple of the old tractors and combines, just the analog stuff. And that is a trend that might be coming back. I know people who are rebuilding old cars from the 60s and 70s because they don't want a car that's computer controlled.
Jim Love
Well, and the right to repair is strongest through farm movements. And I just love this, because I spent a lot of time living in farm country, and I wouldn't say I was a farmer. I was probably that guy. I don't know if you remember the old show Green Acres, but I think the music to that played as I drove by, because the farmers would be sort of nice to me. But anybody who thinks that farmers don't understand it, most of them are pretty sharp. You run a barn where you've got temperatures that must be within a certain tolerance or you lose all your hogs. You've got crops that have to go in. Farmers are pretty damn smart. Many of them are adapting technology in ways that, if we could adapt technology and change processes as quickly in businesses as many farmers have, we'd be in a lot better shape.
John Kindervag
They were the first people to really adopt GPS for a business use. So you would use GPS to drive your tractor and drive the rows.
Jim Love
Right.
John Kindervag
You know, I was never allowed to plant because I couldn't drive a row straight enough for my uncle to be happy. So I got all the menial labor jobs and I didn't get to sit in the tractor. By the time I was in high school, we had air conditioned tractors, which was like, wow, air conditioning in a tractor. But you think about that. There's no business on earth that isn't 100% dependent upon it. We just had a big outage at one of the airlines.
Jim Love
Right.
John Kindervag
They had the three Ps of the airline world. Pilots, passengers, planes. That's really fundamentally what you need. But the computer system wasn't working, so none of them could take off and those passengers were stranded.
Jim Love
Yeah, our dependence is incredible. And that's, I think, what's one of the reasons why cybersecurity becomes so important and it becomes so complex and so difficult. I want to ask you, I want to go back to this because I want to make sure we get the concept across is you've talked about the protect surface as being one of the key elements of zero trust. We talked about culture. What other components are essential to making it work?
John Kindervag
Well, there's a five step methodology that I try to reinforce to people all the time. And if you do this five step methodology, you're almost 100% success rate for people who do this, for people who try to do it some other way. I've let people. Well, I don't want to do it that way. I want to do it my own way. Fine, do it your own way. But success, as they say, is not guaranteed. So the five steps are. One, define your protect surface. What am I trying to protect?
Jim Love
Right.
John Kindervag
Two, map your transaction flows. How does the system work together as a system? You know, I have a friend who is a former Navy SEAL. He and I do have a presentation that we do together and it's about why cybersecurity needs better cartographers.
Jim Love
Right.
John Kindervag
Well, the map is the important thing, you know, if you're going to fight. He always says, my favorite weapon in war was a map, you know, and, and so because if I have a map, there's two things you can be in. In combat, you can be wrong and lost. And if you have a map, you will be neither.
Jim Love
Right? You'll.
John Kindervag
Because if you're wrong, you look at the map and you figure out how to make it right. If you're lost, you look at the map, figure out how to make it right. And the map tells you everything. Where the enemy is, where you need to come in, where you need to go out, all the things you do. So mapping the transaction flows. That's why they came to Illumio. They have a great transaction flow mapping solution that tells you where the protect surfaces are, tells you what's connected to it, it tells you everything that's working, right? And what's not working. And so now I'm like, you know, Eisenhower looking at the map of D-Day and figuring out where the German positions are and how I need to go in, you know, because if you have a bad map, you lose the war. The wars are lost on bad maps. And so then the third step is architecture. Everybody wants to know, what product do I buy? No, you design that. You decide what products and technologies to implement after you understand what you're protecting and how it works. So every zero trust environment, the architecture is custom built, tailor made, bespoke, whatever word you want to use for it. So I have to know what I'm protecting in order to know how to design the system. I can't just have a reference architecture that's just general and generic. And then the fourth step is to define the policy, right? How do I write policy to determine what is allowed? And so we start with a denial policy instead of, in the old days, we played whack-a-mole, right? So you don't want to just try to stop the bad stuff. You say, what stuff should I explicitly allow? And so there's a policy methodology around that called the Kipling Method. My personal homage to the writer Rudyard Kipling, who gave us the idea of who, what, when, where, why and how in a poem in 1902. I keep six honest serving-men. They taught me all I knew. Their names are What and Why and When and How and Where and Who.
Jim Love
Right?
John Kindervag
So who should have access via what application? When should that access happen?
Jim Love
Right.
John Kindervag
So it shouldn't be 24 hours a day. That's one of our big problems, is we just turn on a rule and we never turn it off. So turn off all your rules when people aren't working. Where is that located? That's the location of the protect surface. Why are we doing that? That's where we can put a lot of metadata into the system. We do this because it's a PCI environment. We do this because it's regulated by this thing or that thing. We do this for all this stuff. That's all stuff we can ingest in step five, which is monitor and maintain, where we pull in all the telemetry into the system, we analyze it, and we know how to make it better and better. So we can do what's called create an antifragile system. So again, Taleb gave me the vocabulary, in his book Antifragile, for what I've been trying to build: a system that gets better and better under stressors. So the more, when I have an attack, a stressor, you know, somebody's doing something, I can adapt to it, I can mitigate it, adapt to it and become stronger and stronger. And that's what we're doing. We're building antifragile systems. We're going beyond resilience, which is the big buzzword. But as Taleb says, you know, resilience is static. When there's a stressor, it doesn't fall apart, but it doesn't get better either. But antifragile systems respond to a stressor and adapt and get better and better. So like your human body, this is the example he gives in his book, right. If you go on vacation, I just came back from vacation, right, on a cruise. And you can eat and drink all you want. So what do you do? You gain a few pounds. To get rid of pounds, to lose weight, to get in better health, you have to stress your body. Reduction of calories, that's a stressor. Exercise, that's a stressor. But your body doesn't fall apart and break down. It adapts and gets stronger. And so that's what we can do in zero trust. So if you follow those five steps, you will almost always be successful.
In fact, I haven't run into anybody who has done the five step methodology and said it didn't work.
Jim Love
Right.
John Kindervag
I explained this to a three-star general and he said, John, thank you for explaining this to me in a way that I could understand, because I could never make heads or tails of what people were telling me with all this other mumbo jumbo. But making it simple, making it actionable, I can put a task force on this right now, on the things that I need to protect. Because he understood the concept of protect surface. It's a military protect surface. In the webinar I do with Clint Bruce, the Navy SEAL, famous Navy SEAL, we talk about that is the high ground, the thing that you're trying to hold and protect. And in the battle of Little Round Top in Gettysburg, Joshua Chamberlain, they take the high ground, Little Round Top, and they hold it and then they're able. The stressors are the attacks that they're getting from the Confederates and they end up doing a charge and defeating them. And they hold that whole ridge and that leads to the victory at Gettysburg.
Jim Love
Right.
John Kindervag
I mean by that time when, by the time Pickett's charge comes, the Confederate army is so depleted that it becomes defeated.
Jim Love
One of the things that becomes difficult with zero trust is the proving of a negative, I guess is, you know, Your system's really working and you're not being attacked, you're not having a successful attack. It's a hard thing to sort of prove.
John Kindervag
But, you know, I get screen captures from people a lot who send me. Look at, you know, look at what my zero trust environment just stopped. This big attack was starting and we just stopped it because we have all this evidence that they're trying to get in, but they weren't allowed to come in. They didn't get in.
Jim Love
Right.
John Kindervag
So it was like, I remember there was a pen test and I gave a presentation with the guy who did it, but I won't go into that. It was a number of years ago, but it was like the first pen test of a zero trust environment. And so the guy had defined what I hadn't yet come up with the term protect surface, but the important system that he wanted to build a zero trust environment around. So they had the pen tester coming in and the pen tester goes, hey, I can't get in. Well, of course you can't get in. Right. This is a zero trust environment. There's no rule that would allow you to get in. There's just not easy ways to get in. And as a former pen tester, you almost always got in because there was a bazillion ways because everything was allowed. So if we see the pen tester, we're going to try to stop it. So we're looking for the pen test to come in. That's what we're trying to find. And then. Oh, you didn't chew the pen test. Aha, you're bad. So, no, that's a failure of policy methodology, not a failure of the people.
Jim Love
Right.
John Kindervag
So everybody's looking for a thing to blame. Well, the policy methodology was the thing to blame. So the pen test didn't work. So he said, I need a domain credential to finish this pen test. Sure. Well, he couldn't do anything. Why can't I do anything? Well, I didn't assign a policy to your credential. Your credential has no policies assigned to it. Because typically when we onboard somebody, we give them access to everything, Right. Snowden, Manning, they had access to everything on SIPRNet. That's why they were able to do what they did. And finally the pen tester said, what are you trying to do, make me look bad? And the CISO said, yes, that's my job.
Jim Love
Yeah. And so just a couple of things in terms of taking this to a level where I think it might have some resonance with people. God, I just can't believe I used the word resonance. I'm sorry, I'm doing this too long.
John Kindervag
It's a good word. It's a good word.
Jim Love
What I'm trying to get at is what are the things that in the current security environment that you think zero trust has a real applicability to and real defense against? And a couple of things I'll bring up that just drive me crazy right now. The whole idea of social engineering is driving hacking. And the most successful, there's the group Scattered Spider, that's taken social engineering to a totally new level and really, really became an effective force in the hacking community.
John Kindervag
Well, because typically the people that get social engineered have access to things they shouldn't have access to. And so that's what they're taking advantage of. They're getting that lateral movement inside the internal network. So one of the key technologies that we use, I work for Illumio, I came to Illumio because of that micro segmentation technology that segments networks internally to build the protect surface. That's segmentation. Micro segmentation technology is what we use to define the micro perimeter that creates the protect surface.
Jim Love
Right.
John Kindervag
So there shouldn't be a policy in place that allows, you know, Jim Love, who's an IT manager, to have access to the financial database.
Jim Love
Right.
John Kindervag
Because that's not your job. And so even if your credentials are compromised, the attacker tries to use those credentials to get access to, say, the financial database, it's stopped because that rule doesn't exist. And then there's an alert that goes in and says, hey, Jim is just trying to access this. And you go, hey, Jim, why are you trying to access the financial database? I'm not. Oh, looks like your credentials have been compromised. We stopped it. And then even if they get into that database, there's no rule that allows them to exfiltrate that stuff outside to a command and control server on the public Internet, which is an unknown IP. So, you know, there's no rule that says take all the data and allow it to go outbound to something that we don't know what it is. And so you've contained the blast radius. Even if somebody does get access to the protect surface, getting access to the command and control server outbound is extraordinarily difficult in those environments if they are done correctly.
Jim Love
And I notice you use micro segmentation as a way of describing where many people might say, segmentation, what's the difference?
John Kindervag
The size of the segment. I mean, micro segmentation is just a well-known term.
Jim Love
Right.
John Kindervag
So Forrester did a Wave on micro segmentation. You should link that in your thing. You can get that from the people who set this up. But we were the leader in their Wave, or yeah, the Forrester Wave. And so it's a great technology that allows you to. And I've been a fan of it forever. In fact, the second report that I ever wrote about Zero Trust was called Build Security Into Your Network's DNA: The Zero Trust Network Architecture. New ways of segmenting networks must be created because all modern networks must be segmented by default. And I was a big believer in segmentation. And it was hard in 2010, November 2010. It's easy now.
Jim Love
Right. But.
John Kindervag
And even the NSA last year in their guidance on the network and environment pillar, it was really about segmentation. And they go back again to the Target data breach. Why did the Target data breach happen? Because the network wasn't segmented. You know, everybody says, well, the HVAC company had compromised credentials and it came in through the HVAC. Well, the HVAC. I'm a former QSA for PCI. I was one of the first generation. I was in the second ever PCI certification class. There should have never been an HVAC computer on the cardholder data environment. That is a clear violation of PCI. And it was that architectural decision that caused the problem. It wasn't a problem of the HVAC thing. It was a problem of how the system was designed and the policies that were allowed. So really, if you think about it, we focus so much on products, but really it's all about policies. Products exist to enforce policies. What policy is it going to enforce, based upon what are you trying to protect? So I need to know what I'm protecting, the protect surface, so that I can define the policy, which will tell me what the product needs to be.
Jim Love
Yeah, we're about to implement AI throughout our entire enterprise. Probably what I would call the least secure system that's ever been developed. How do we start to think about AI with a zero trust mentality? Because God knows we're creating huge holes in our security system and our world. How do we think about it differently? Or how can we attack it using the principles of zero trust?
John Kindervag
Well, there's a couple of things. One is it will be very important in step five, monitor and maintain. So I wrote an article for the Financial Times called Why I'm Not Losing Sleep Over AI. Because we'll be able to use AI to analyze the data to respond to the attacks much more quickly. And I think it gives us an advantage over the attacker, because the attacker, no matter what you do in AI, they're still limited by the way that networks work. You know, the TCP protocol. TCP/IP is a protocol.
Jim Love
Right.
John Kindervag
They're still limited by that. Second thing, you need to think of the AI repository as a protect surface. So my friend George Schumann, the CISO of UT Systems, has written a great book called Rise of the Machines and it's about zero trust in the AI age. And I wrote the foreword to both his books on zero trust. People should read that book because I think it's a really good book that explains it easily for people. And then there's a whole lot of things we don't know. In fact, I would say there's more things we don't know about AI than we do know about AI. And so all the hype that we're seeing, we don't know where that's going to go. But we're using it internally to give more visibility. We have what we call the AI security graph, so we can tell you exactly what's going on inside your environment, what we're seeing and how to make things better. We're partnered with Nvidia to where you can buy an Nvidia board, an Nvidia card that's preloaded with Illumio, so you can segment, do micro segmentation and create all these policies right there on the card at layer two as it's coming in. It's primarily for OT systems, but you could use it for anything and it'll be deployed in some of the big hyperscalers. So, you know, AI, there's a lot of downside, but there's also a lot of benefits. And we're so early in the journey that we don't know where it's going to go. There's so much hype and what did I read? The market cap is like 4.7 trillion and the revenue across everything is like.
Jim Love
20 billion, substantially less.
Yeah, right.
John Kindervag
So will it change the world? Yes. Will there be a rise of robots who come out and kill us? I don't know. I don't know. Maybe we should start building the time machine to go back to eliminate the people who create Skynet.
Jim Love
One of the things we could do. But. But chances are, as I've always told people, I said, the one thing you must depend on is nobody. We will have AI in our enterprises. So get over that. You know, this is like, you can be like the guys who tried to stop Cloud. It's something you can do if you want to encryption.
John Kindervag
Do you remember the story of Phil Zimmermann when he created PGP?
Jim Love
Yeah.
John Kindervag
The government tried to ban it. So he just put the algorithm on a T-shirt and wore it around. I have several Phil Zimmermann-signed T-shirts in my collection. He just said you can't ban math.
Jim Love
Right.
John Kindervag
Which is true in AI. So he just put the algorithm on a T-shirt. Now I would suppose it's much harder to put the algorithm on a T-shirt of OpenAI or whatever it is, all the code, because it'd be really small. But still, maybe somebody should still out there.
Jim Love
It's out there in the world. The models are out there. They're not going back. Just final thing from you, your advice to people, you've obviously walked in, we've covered part of that, but I'd like to close off with a bit of that. Your advice to people who haven't gotten started or feel like they've hit a wall with zero trust, what should they do?
John Kindervag
First thing they need to know is there's nothing that they need to do to get started. Everybody thinks, okay, I have to fix this whole thing, which is going to take five years, and then I'll start my zero trust journey. No, start wherever you are, there's always something that you can do. You know, I talk about three levels of protect surfaces. We have learning protect surfaces, things that don't matter. So you learn how to do it on systems that if you screw up, it doesn't matter. Yeah, practice protect surfaces. Things that maybe have a little bit more sensitivity but they're still not mission critical. And Carnegie Hall the same way. Practice, practice, practice. And then you have the crown jewels, keys to the kingdom, high value assets, whatever you want to call them. And so go through it in that order so that you can learn, you can practice and then you can go to the bigs.
Jim Love
Right?
John Kindervag
So that's the first thing. So you don't ever have to have anything in place as a prerequisite. Secondly, don't get discouraged.
Jim Love
Right.
John Kindervag
I mean, too many people give up too early. And this, you know, I do a lot of work with military veterans. We have an epidemic of veteran suicide in this country. So I volunteer with some veterans organizations. And one thing I learned from veterans is when they're in the military, they never give up.
Jim Love
Right?
John Kindervag
They never, they learn from failure. They adapt, they overcome.
Jim Love
What.
John Kindervag
Where they can't do that is in the private sector. When they translate into the private sector, it's really hard. And that's where we get, you know, get A lot of those suicides is, is that world is so. Our world is so strange to them.
Jim Love
Right?
John Kindervag
So, you know, when I'm.
Jim Love
Once you've been to life and death, the games that we play, the, you know, we talk about, the blame games must look just absolutely absurd.
John Kindervag
The things that you and I take for granted are sometimes terrifying for them.
Jim Love
Right?
John Kindervag
I got a call from a Navy SEAL friend of mine that I was involved with and, man, I had a bad day. I so wish I could go back to the teams. He had to leave the SEAL teams because he had a kid and his wife was like, no, you know, I mean, that's one of the primary reasons people leave, because they love what they do. I mean, they love it. And he said, man, I just, I really want to go back. I just, I can't. I can't deal with this. It was such a bad day. Well, what happened that was so bad? Well, I had a job interview. It's terrifying. He'd never been on a job interview before. I mean, think about that, right?
Jim Love
Yeah.
John Kindervag
And another guy said to me, being a Navy SEAL was the best job I ever had. Said, really? Why? He said, because I didn't have to make any decisions, you know, and then I was talking to somebody who studies this and said, the average person in one of these high level military things makes 50 decisions for themselves a day, right? So they're told, when you get up, you go to chow, you have very few choices on what you're going to eat, right? You're told, when you go to the dentist, when do you go to the doctor, when you go to, to train and work out, you're told everything. You don't make very many decisions. And this scientist, this neuroscientist was telling me that the average regular person in business, we make 500 decisions for ourselves every day, right? And so 10 times more. And it's that disconnect, that's that sometimes people have trouble transitioning from. Because the SEAL who had done things that would just terrify the heck out of me, he was like the things that, like going into a business meeting, he said, I would rather, he said this to me, I would rather go into a gunfight than go into a business meeting, he said, if there's a gunfight here, you get behind me, I'll take care of you. But if there's a business meeting, I want to follow you into the ring. And I thought that was a really interesting perspective because the things that are just common to me are uncommon to him.
Jim Love
Well, and bringing it back to our subject, and let no one think that people who fear making decisions are unintelligent. As a matter of fact, there's good psychology, good science that says that the more intelligent you are, the more difficulty you have in making decisions because you can see all aspects of them. The people who scare you are the people who make decisions right away without any facts or any interest at all. Now, there is a place for that. There's a time for that. You don't want people thinking about things all the time. But I just don't want anybody to disparage the idea that this fear of this business environment makes them less intelligent, because it doesn't. It probably is a good sign of intelligence.
John Kindervag
But ultimately, if you're going to be a leader, you have to be willing to make decisions.
Jim Love
Right.
John Kindervag
So there's a. You have a band of brothers.
Jim Love
Yes.
John Kindervag
So what was the guy's name?
Jim Love
Doug Wood was a big fan and.
John Kindervag
Sorry, long story, but there's a lieutenant. I can't remember what his name is. Anyway, he's portrayed as the incompetent lieutenant, right. Who in the battle breaks down, and one of the guys says, Lieutenant, whatever his name is, I can't remember his name, wasn't a bad leader because he made bad decisions. He was a bad leader because he made no decisions. Making decisions takes courage. So you have to have the courage to analyze all the things, know what is the best decision to make at that time, and then have the courage to make that decision. So it's a bad thing to not have the courage to make decisions.
Jim Love
Right.
John Kindervag
It's not that you're unintelligent. You may be unintelligent, you may be very intelligent, but you may not. And I think if you're not incentivized to allow that courage to come out, then you will make no decisions at all.
Jim Love
And it's an issue in security because so many things happen where people have to make. They say that armies are resilient because people can make the right decisions at the work face or at the attacks face or wherever. And that's something we have to consider as we put things together. And I think takes us full circle back to that blame and shame game of, you know, people make mistakes and you teach them that we're going to blame you every time you make a mistake. You're not going to have people making the decision, taking the actions they need to.
John Kindervag
I was talking to a military historian and he was telling me, you know, in his mind, one of the big differences why the United States was so dominant over the Germans was the idea of commander's intent.
Jim Love
Right.
John Kindervag
So commander's intent is, here's an objective, get this done. And the commander says to do it. And so when, you know, on D day, if all officers get killed in your platoon, the next guy takes over and the next guy, and that's kind of the attitude, the next guy. And we're going to get the thing done in the German army, according to him, and I'm channeling him right now, you know, the officer got shot, you had to call back and give permission to continue the attack.
Jim Love
Right.
John Kindervag
And actually throughout history, a lot of times when leaders were killed, then armies couldn't fight. And culturally, one of the things that made the, makes the US great still is they have this concept of commander's intent that's written down. And we need to bring that into cybersecurity. So the grand strategic actors, the CEOs or generals or whoever need to define a commander's intent on cyber security and say, achieve this and then you can't get in trouble. When you're doing that, even if, if the op goes bad, it goes south, they're going to be mistakes that happen. That's just human nature. But if you're doing it for the right reason, that's what we want to know. Are you doing it for the right reason? Because the outcome has variability. But if you're doing it for the right reason, then the trajectory is correct.
Jim Love
Last question for you and just is, you've been with Zero Trust all this time. Where's, what do you think is the future of it? What do you think is the next thing in insecurity that you're, you're watching?
John Kindervag
Well, Zero Trust was designed to be strategically resonant. There's that word again. Strategically resonant to the top leaders of an organization, the grand strategic actors. So the first people who really Understood it were CEOs and high level people. And then it was designed to be tactically implementable using commercially available, off the shelf technology at whatever level that technology was going to be at. So I knew the strategy wasn't going to change. It didn't need to change. Strategies generally don't change.
Jim Love
Right.
John Kindervag
You know, we still read Sun Tzu, but tactics change and people confuse strategy and tactics. I got to study, I got to do a project with a guy who was a military strategist in the first Gulf War. And one of the reasons we won it so quickly is because of his strategic thinking. And he applied that to business and I got to be on a project for about two years with him. And he taught me all this stuff that ultimately, you know, 10 years later or so, I applied to zero trust. But he said, he used to say, and he said this to me so many times, John, most people confuse strategy and tactics. They think they're being strategic, but they're being tactical. If you're focused on things, you're being tactical. If you're focused on ideas, you're being strategic. So the idea of zero trust isn't going to go away. I don't think the products will get better and better the way we do. It will be faster and faster and its success will get greater and greater. It's not going away.
Jim Love
Yeah. John, this has been a fascinating conversation. I am so glad to have met you.
John Kindervag
Nice to meet you, Jim. Thank you for inviting me on your program.
Jim Love
And that's my chat with John Kindervag. Love to know what you thought. Reach out to me. You can send me a message at our website at technewsday.com (or .ca), use the contact us form, or reach out to me on LinkedIn. And if you're watching this on YouTube, I read all the comments. I'm your host, Jim Love. Thanks for listening.
Host: Jim Love
Guest: John Kindervag (“Godfather of Zero Trust”)
Date: September 13, 2025
Jim Love sits down with John Kindervag, the pioneer behind the Zero Trust cybersecurity model, for a wide-ranging, candid, and opinionated discussion about the history, principles, and misconceptions of Zero Trust. They address why cybersecurity breaches are still rampant, the practical and cultural obstacles to implementation, and how Zero Trust principles can be applied to modern threats—especially as AI and social engineering reshape the field. Throughout, the episode stresses the importance of actionable methodology, not products or platitudes, and the need for leaders to prioritize what truly matters.
Origin Story:
"If somebody gets inside, they can automatically expo all this data. No one will ever know. ... That’s not how the trust model works." ([01:59], Kindervag)
Institutional Evolution:
Misconceptions:
"Most people, the big failures are they think it’s a product...and try to do it all at once. That never works." ([10:45], Kindervag)
Core Concept—Protect Surface:
Protect Surface: The actionable inversion of the “attack surface”: a clear, manageable, business-critical element (e.g., ATM systems, SWIFT, DNS at a bank).
“The secret to zero trust is understanding that it's not about what are the threats, it's not about what is the product, it's about what am I trying to protect.” ([12:33], Kindervag)
Build Zero Trust "one protect surface at a time," avoiding the overwhelm and overreach that doom large projects.
The ‘Crown Jewels’ Conversation:
Culture of Blame & Incentives:
Fear of blame leads to risk-averse behavior and policy inertia.
“Most people are managing their own downside personal risk...instead of managing the upside potential for the organization.” ([23:09], Kindervag)
"No one feels confident to try to make things better...I watched an entire financial database exfiltrate live to an adversary...I said let's shut it down. No, I'll get in trouble." ([23:35], Kindervag)
"We need to move from risk management to danger management because risk assumes a probabilistic statement that you can't make in cybersecurity." ([17:30], Kindervag)
John’s Five Steps:
1. Define your protect surface: what am I trying to protect?
2. Map your transaction flows: how does the system work together as a system?
3. Architect the environment: a bespoke design chosen only after steps one and two, not a generic reference architecture.
4. Define the policy: explicit allow rules with everything else denied, written with the Kipling Method (who, what, when, where, why, how), and not left on 24 hours a day.
5. Monitor and maintain: ingest the telemetry, analyze it, and keep improving the system so it becomes antifragile.
Policy Over Product:
“I get screen captures from people a lot who send me, look at what my zero trust environment just stopped. This big attack was starting and we just stopped it.” ([39:01], Kindervag)
“There shouldn’t be a policy in place that allows Jim Love, who’s an IT manager, to have access to the financial database...” ([42:20], Kindervag)
“Making decisions takes courage. So you have to have the courage to analyze...and then have the courage to make that decision.” ([54:55], Kindervag)
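An added worked example, not from the episode and not Illumio's code, of what steps four and five look like when written down: a default-deny policy for one hypothetical protect surface, each allow rule carrying the six Kipling-method fields, replayed against constructed access attempts that include the “IT manager to the financial database” case and an outbound connection from the database to an unknown IP. Every identity, host, rule, window and timestamp here is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class KiplingRule:
    """One explicit allow rule, one field per Kipling question."""
    who: str                 # asserted identity (person or service account)
    what: str                # application the identity uses to reach the data
    where: str               # destination: the protect surface (or an outbound target)
    when: Tuple[time, time]  # allowed daily window [start, end); rules are not 24x7 by default
    how: str                 # protocol/port the micro-perimeter enforces, e.g. "tcp/5432"
    why: str                 # business/regulatory reason, kept as metadata for monitoring


@dataclass(frozen=True)
class Attempt:
    who: str
    what: str
    where: str
    how: str
    at: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    rule: Optional[KiplingRule] = None


class ProtectSurfacePolicy:
    """Default deny around one protect surface.

    An attempt is allowed only when some rule matches on who/what/where/how
    AND the attempt falls inside that rule's time window. Everything else is
    denied and recorded as an alert for step five (monitor and maintain).
    """

    def __init__(self, rules: List[KiplingRule]) -> None:
        self.rules = list(rules)
        self.alerts: List[Tuple[Attempt, str]] = []

    def evaluate(self, attempt: Attempt) -> Decision:
        reason = "no allow rule exists"
        for rule in self.rules:
            if (rule.who, rule.what, rule.where, rule.how) != (
                attempt.who, attempt.what, attempt.where, attempt.how
            ):
                continue
            start, end = rule.when
            if start <= attempt.at.time() < end:
                return Decision(True, rule.why, rule)
            reason = f"matching rule exists but attempt is outside {start:%H:%M}-{end:%H:%M}"
        self.alerts.append((attempt, reason))
        return Decision(False, reason)


# Constructed rule set for a hypothetical "financial-db" protect surface (a PCI
# cardholder-data environment). Note what is absent: no rule for IT staff, and no
# outbound rule from the database to anything on the public Internet.
FINANCIAL_DB_RULES = [
    KiplingRule("svc-finance-app", "finance-app", "financial-db",
                (time(7, 0), time(19, 0)), "tcp/5432",
                "PCI DSS cardholder data environment; app tier needs access during business hours"),
    KiplingRule("dba-maria", "psql-bastion", "financial-db",
                (time(8, 0), time(18, 0)), "tcp/5432",
                "Change-managed DBA maintenance window"),
]


def run_scenario(rules=FINANCIAL_DB_RULES):
    """Replay constructed attempts, including the compromised-credential case from
    the interview. Returns (decisions keyed by label, number of alerts raised)."""
    policy = ProtectSurfacePolicy(rules)
    attempts = {
        # IT manager's credential (compromised or not) used against the finance DB.
        "it-manager-to-finance-db": Attempt("jim.love", "psql-bastion", "financial-db",
                                            "tcp/5432", datetime(2025, 9, 12, 10, 15)),
        # Legitimate app traffic inside its window.
        "app-in-hours": Attempt("svc-finance-app", "finance-app", "financial-db",
                                "tcp/5432", datetime(2025, 9, 12, 10, 15)),
        # Same identity and path at 02:00: the rule is switched off overnight.
        "app-out-of-hours": Attempt("svc-finance-app", "finance-app", "financial-db",
                                    "tcp/5432", datetime(2025, 9, 12, 2, 0)),
        # Database host reaching for an unknown public IP (constructed, TEST-NET-3 range).
        "db-egress-to-unknown-ip": Attempt("financial-db", "outbound", "203.0.113.7",
                                           "tcp/443", datetime(2025, 9, 12, 10, 16)),
    }
    results = {label: policy.evaluate(a) for label, a in attempts.items()}
    return results, len(policy.alerts)


if __name__ == "__main__":
    results, alert_count = run_scenario()
    for label, d in results.items():
        print(f"{label:26s} {'ALLOW' if d.allowed else 'DENY ':5s} {d.reason}")
    print(f"{alert_count} attempts raised alerts")
```

Two points the code makes explicit: the denials of jim.love and of the database's egress come from the absence of a rule, not from recognizing anything as malicious; and the `when` field means the svc-finance-app rule is off at 02:00, so a stolen service credential used overnight raises an alert instead of being allowed 24 hours a day.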
The Harsh Truth About Breaches:
“If there is a data breach in your organization, you allowed it to happen. All bad things happen inside of an allow rule. ... You have bad policies in place and you allowed it to happen.”
— John Kindervag ([00:02], repeated at [24:17])
Zero Trust’s Core Ethos:
“There should be no trust model. ... every interface and every packet should have the same trust level and that trust level should be zero.”
— John Kindervag ([02:42])
Why Zero Trust Is Often Done Poorly:
“Zero Trust is like Fight Club. The first rule is you don’t talk about it, right? ... The people who do it well don’t talk about it.”
— John Kindervag ([10:36])
Danger > Risk:
“We need to move from risk management to danger management ... The impossible happens all the time.”
— John Kindervag ([17:30])
The Antifragile Security Model:
"We're building anti-fragile systems. We're going beyond resilience, which is the big buzzword ... anti-fragile systems respond to a stressor and adapt and get better and better."
— John Kindervag ([36:12])
On Leadership:
“Making decisions takes courage. ... If you're not incentivized to allow that courage to come out, then you will make no decisions at all.”
— John Kindervag ([54:55])
The conversation with John Kindervag is direct, myth-busting, sometimes provocative, but always practical. Zero Trust, far from being a product or marketing label, is a methodical approach centered on understanding and protecting what actually matters, through manageable and measurable means. The role of leadership—in both risking real decisions and creating a culture that enables adaptation and learning from failure—is paramount. As new threats like AI and advanced social engineering emerge, the core of Zero Trust remains unchanged: map what matters, know how it flows and interacts, set (and enforce) strong policies, and learn as you go.
Final advice: Start now, start small, practice, and never give up.