Host
You're listening to the Cyberwire Network, powered by N2K. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at AI.domo.com. That's AI.domo.com.
John Kindervag
The word is zero trust, spelled zero for none and trust for unfettered access. A security philosophy that assumes adversaries have already penetrated the digital environment and tries to reduce the potential impact by limiting access by people, devices, and software to only the resources essential to perform their function and nothing more. Example sentence: In Zero Trust, someone will assert their identity, and then we will allow them access to a particular resource based upon that assertion. Origin and context: The ideas around zero trust have been orbiting the industry since the early 2000s, but John Kindervag published the essential paper that solidified the concept in 2010. He wrote it when he was working for Forrester, and he called it "No More Chewy Centers: Introducing the Zero Trust Model of Information Security." He based his thesis on how the military and intelligence communities think about protecting secrets: essentially, treat all information as need to know. In other words, if you don't require information to do your job, you shouldn't have access to it. To achieve a zero trust posture, then, network architects make the assumption that their digital environments are already compromised and design them to reduce the probability of material impact if it turns out to be true. That's a powerful concept, and completely radical to the prevailing idea at the time called perimeter defense. With perimeter defense, we built a strong outer protection barrier, but once the attackers got in, they had access to everything. All transactions on the inside were automatically trusted. From the original paper, John thinks that idea is ludicrous. More than a decade later, organizational assets are scattered across multiple data islands, mobile devices, traditional data centers, SaaS services, and various cloud services. If there ever was such a thing as a trusted network, it for sure doesn't exist today.
In the early 2000s, the US military started experimenting with the idea of deperimeterization under the project name the Jericho Forum. The idea was to decouple the identification and authorization functions away from the workload. In other words, you don't connect to a sensitive workload and then try to log in; you connect to a separate system that verifies your identity and validates that you are authorized to connect to the sensitive workload. If you are, it then establishes the connection to the workload and nothing else. The same year that Kindervag published his paper, Google got hit by a massive Chinese cyber espionage attack called Operation Aurora. In the weeks that followed, we learned that there wasn't just one Chinese government entity operating inside the Google network. There were three: the Chinese equivalents of the FBI, the Department of Defense, and the CIA. And in a nod to government bureaucracies everywhere, they each didn't know the other two were in there until Google went public with the information. In response to the Aurora attack, Google engineers redesigned their internal security architecture from the ground up, using the concepts of deperimeterization and the Zero Trust philosophy. A few years later, they released a commercial product called BeyondCorp that incorporated many of the ideas they developed internally. Today, deperimeterization is known in the industry as software defined perimeter. It's important to note, as Kindervag originally explained, Zero Trust is not a product; it's a philosophy, a strategy, a way to think about security, and it can always be improved in that way. It's not about the destination; you're never going to get to the end. It's more about the journey. You can buy products to help, but Zero Trust is a mindset, and you can start with the systems you already have on your network.
In order to have a mature Zero Trust environment, organizations must have complete visibility of all people, devices, and applications that access material data or systems. Once that's accomplished, organizations must then have the ability to restrict access to resources based on need to know. Key to all of that is a robust identity and authorization system. Nerd reference: Over the years, Kindervag has traveled around the world explaining his Zero Trust philosophy, and he uses a Kipling poem called "I Keep Six Honest Serving Men" to help people understand the basic concepts. The poem is about Kipling's young daughter's endless curiosity and how, as we all get older, we tend to lose that sense of wonder in asking questions about who, what, when, where and why. Here's John Kindervag from a Cyberwire X episode we published in May 2021 explaining.
Rick Howard
The poem, and so this is my personal homage to him. Because who, what, when, where, why and how: I'm trying to determine who should be allowed to access a resource. Here's a way to write the policy, because ultimately, Zero Trust is a layer seven policy statement when it's implemented. Who should be accessing a resource? That's the asserted user identity that's been validated by something like multi factor authentication or some other authenticator. So it's highly validated. The where statement is, where is it located? The when statement is, when does this rule need to be turned on? There's a lot of rules that should be turned off at various times because no one typically uses them. We need a lot more time delimited rules. The why statement is because this is mission critical data. It's highly classified, top secret. That's where we can tie classification levels into the policy. We have a how statement: what kind of processes are we going to put to the packet? The what statement is the application, typically, that you're accessing; by what application should they have access to that protect surface? The protect surface, of course, is the shrinking down of the attack surface orders of magnitude to something that is small and knowable. So we put a data type or a single application or a single asset or a single service inside of a protect surface, break it down into a very small chunk so that we can solve that one problem and move on to another.
John Kindervag
Word Notes is written by Nailah Genoi, executive produced by Peter Kilpe and edited by John Petrik and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
Host
Cyber threats are more sophisticated than ever. Passwords. They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door, the login. Yubico believes the future is passwordless. Yubikeys offer unparalleled protection against phishing. For individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.
Release Date: March 4, 2025
Host/Author: N2K Networks
Description: Deception, influence, and social engineering in the world of cybercrime.
In this insightful episode of Hacking Humans, N2K Networks delves into the foundational concepts of Zero Trust—a security philosophy that has reshaped the landscape of cybersecurity. John Kindervag, a prominent figure in the field, provides an in-depth exploration of Zero Trust, its origins, and its practical applications in modern digital environments.
John Kindervag begins by defining Zero Trust, emphasizing its core principle: "Zero for none and trust for unfettered access." (00:59) This approach operates under the assumption that adversaries have already infiltrated the digital perimeter. Consequently, Zero Trust aims to minimize potential damage by restricting access to only those resources essential for a user's function, ensuring no excess privileges are granted.
Kindervag traces the evolution of Zero Trust back to the early 2000s, highlighting his pivotal 2010 paper, "No More Chewy Centers: Introducing the Zero Trust Model of Information Security," written during his tenure at Forrester. He draws parallels between military intelligence strategies and modern cybersecurity, emphasizing the necessity of treating all information as "need to know." This means that access is granted strictly based on an individual's requirement to perform their job functions.
Rejecting the then-prevailing perimeter defense model, which relied on a robust outer barrier that, once breached, granted attackers unfettered access, Zero Trust proposes a more granular and restrictive access model. Kindervag describes the perimeter defense concept as "ludicrous" in today's context, where organizational assets are dispersed across myriad platforms and services, making any network inherently untrustworthy.
The discussion transitions to a pivotal moment in cybersecurity history: Google's experience with the massive Chinese cyber espionage attack known as Operation Aurora in the same year Kindervag published his Zero Trust paper. This attack revealed that multiple Chinese government entities had infiltrated Google's network without knowledge of each other, showcasing the complexities and vulnerabilities of traditional security models.
In response, Google engineers revamped their internal security architecture, adopting the principles of deperimeterization and the Zero Trust philosophy. This led to the development of BeyondCorp, a commercial product embodying these concepts. Today, deperimeterization is widely recognized in the industry as software-defined perimeter, underscoring the shift from traditional to modern security frameworks.
Kindervag emphasizes that Zero Trust is not a one-time solution but a continuous mindset. "Zero Trust is not a product; it's a philosophy, a strategy, a way to think about security, and it can always be improved in that way." (00:59) Organizations are encouraged to start implementing Zero Trust principles with their existing systems, gradually evolving towards a more secure and resilient infrastructure.
Transitioning to practical implementation, Rick Howard elaborates on crafting effective Zero Trust policies using Rudyard Kipling's poem "I Keep Six Honest Serving Men" as a metaphor. He breaks down the policy creation process into six fundamental questions:
Who should access a resource?
"...the asserted user identity that's been validated by something like multi-factor authentication or some other authenticator." (06:06)
Where is the resource located?
Understanding the geographical or network location of assets.
When should access rules be active?
Implementing time-bound rules to deactivate unused access points.
Why is access needed?
Associating access permissions with the criticality and classification of data.
How will access be managed?
Defining processes and protocols to handle data packets securely.
What is being accessed?
Specifying the exact applications or services being accessed.
Howard introduces the concept of a protect surface, which involves narrowing down the attack surface to specific, identifiable assets. By compartmentalizing resources into small, manageable units, organizations can effectively mitigate potential threats.
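To make the six questions and the protect surface concrete, here is an added example (written for this page, not code from the episode or from Kindervag's own materials) of a small default-deny policy evaluator. Each rule is a layer seven policy statement in the Kipling shape (who, what, where, when, why, how), the rule is time-delimited as the episode suggests, and a request is only allowed if the identity assertion was validated, the asset belongs to the protect surface, and a rule matches. The user names, asset names, network locations and classification tags are constructed sample values, not taken from the page.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt, expressed in the six Kipling dimensions."""
    who: str            # asserted identity (hypothetical user name)
    validated: bool     # True if the assertion passed MFA or another strong authenticator
    what: str           # application or service being accessed
    where: str          # network location the request arrives from
    when: datetime      # time of the request
    why: str            # classification tag of the data being requested
    how: str            # process applied to the packets (e.g. TLS inspection)


@dataclass(frozen=True)
class KiplingRule:
    """A layer seven policy statement: who may reach what, from where, when, why and how."""
    who: frozenset
    what: str
    where: frozenset
    active_from: time   # time-delimited rule: enforced only inside this daily window
    active_until: time
    why: str
    how: str

    def matches(self, req: AccessRequest) -> bool:
        in_window = self.active_from <= req.when.time() <= self.active_until
        return (req.who in self.who and req.what == self.what
                and req.where in self.where and in_window
                and req.why == self.why and req.how == self.how)


@dataclass(frozen=True)
class ProtectSurface:
    """A small, knowable set of assets together with the rules that govern access to it."""
    name: str
    assets: frozenset
    rules: tuple

    def decide(self, req: AccessRequest) -> tuple:
        """Default deny: allowed only if identity is validated, the asset is on this
        protect surface, and at least one rule matches every dimension."""
        if not req.validated:
            return (False, "identity assertion not validated")
        if req.what not in self.assets:
            return (False, f"{req.what} is not on protect surface {self.name}")
        for rule in self.rules:
            if rule.matches(req):
                return (True, f"allowed by rule for {rule.what} ({rule.why})")
        return (False, "no matching rule: default deny")


# Constructed sample protect surface; every name here is hypothetical.
PAYROLL = ProtectSurface(
    name="payroll",
    assets=frozenset({"payroll-app"}),
    rules=(KiplingRule(who=frozenset({"alice"}), what="payroll-app",
                       where=frozenset({"corp-vpn"}),
                       active_from=time(8, 0), active_until=time(18, 0),
                       why="pii", how="tls-inspected"),),
)


def evaluate(who, validated, what, where, when, why="pii", how="tls-inspected"):
    """Return (allowed, reason) for one request against the sample protect surface."""
    return PAYROLL.decide(AccessRequest(who, validated, what, where, when, why, how))


def run_samples() -> dict:
    """Evaluate constructed requests covering each way a request can be denied."""
    business_hours = datetime(2025, 3, 4, 10, 30)
    after_hours = datetime(2025, 3, 4, 23, 0)
    cases = {
        "alice_ok": ("alice", True, "payroll-app", "corp-vpn", business_hours),
        "alice_no_mfa": ("alice", False, "payroll-app", "corp-vpn", business_hours),
        "bob_not_in_who": ("bob", True, "payroll-app", "corp-vpn", business_hours),
        "alice_after_hours": ("alice", True, "payroll-app", "corp-vpn", after_hours),
        "alice_wrong_where": ("alice", True, "payroll-app", "home-wifi", business_hours),
        "alice_off_surface": ("alice", True, "hr-wiki", "corp-vpn", business_hours),
    }
    return {label: evaluate(*args)[0] for label, args in cases.items()}


if __name__ == "__main__":
    for label, allowed in run_samples().items():
        print(f"{label:20s} -> {'ALLOW' if allowed else 'DENY'}")
```

Only the first request is allowed; each of the others fails exactly one of the checks (unvalidated identity, wrong who, outside the when window, wrong where, or an asset outside the protect surface), which is the point of writing policy per protect surface rather than per network.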
The episode concludes with a reaffirmation of Zero Trust as a dynamic and adaptive security framework. By fostering complete visibility and stringent access controls, organizations can significantly bolster their defenses against sophisticated cyber threats.
Notable Quotes:
John Kindervag (00:59): "Zero Trust is not a product; it's a philosophy, a strategy, a way to think about security, and it can always be improved in that way."
Rick Howard (06:06): "Zero Trust is a layer seven policy statement... Who should be accessing a resource? That's the asserted user identity that's been validated by something like multi-factor authentication or some other authenticator."
This episode serves as an essential guide for cybersecurity professionals seeking to understand and implement Zero Trust principles, offering both historical context and actionable strategies to enhance organizational security.