Transcript
Host (0:02)
You're listening to the Cyberwire Network, powered by N2K. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at AI.domo.com. That's AI.domo.com.
John Kindervag (0:59)
The word is zero trust, spelled zero for none and trust for unfettered access. A security philosophy that assumes adversaries have already penetrated the digital environment and tries to reduce the potential impact by limiting access by people, devices, and software to only the resources essential to perform their function and nothing more. Example sentence: In Zero Trust, someone will assert their identity, and then we will allow them access to a particular resource based upon that assertion. Origin and context: The ideas around zero trust have been orbiting the industry since the early 2000s, but John Kindervag published the essential paper that solidified the concept in 2010. He wrote it when he was working for Forrester, and he called it "No More Chewy Centers: Introducing the Zero Trust Model of Information Security." He based his thesis on how the military and intelligence communities think about protecting secrets: essentially, treat all information as need to know. In other words, if you don't require the information to do your job, you shouldn't have access to it. To achieve a zero trust posture, then, network architects make the assumption that their digital environments are already compromised and design them to reduce the probability of material impact if it turns out to be true. That's a powerful concept, and completely radical to the prevailing idea at the time, called perimeter defense. With perimeter defense, we built a strong outer protection barrier, but once the attackers got in, they had access to everything. All transactions on the inside were automatically trusted. From the original paper, John thinks that idea is ludicrous. More than a decade later, organizational assets are scattered across multiple data islands, mobile devices, traditional data centers, SaaS services, and various cloud services. If there ever was such a thing as a trusted network, it for sure doesn't exist today.
In the early 2000s, the US military started experimenting with the idea of deperimeterization under the project name the Jericho Forum. The idea was to decouple the identification and authorization functions away from the workload. In other words, you don't connect to a sensitive workload and then try to log in; you connect to a separate system that verifies your identity and validates that you are authorized to connect to the sensitive workload. If you are, it then establishes the connection to the workload and nothing else. The same year that Kindervag published his paper, Google got hit by a massive Chinese cyber espionage attack called Operation Aurora. In the weeks that followed, we learned that there wasn't just one Chinese government entity operating inside the Google network. There were three: the Chinese equivalents of the FBI, the Department of Defense, and the CIA. And in a nod to government bureaucracies everywhere, they each didn't know the other two were in there until Google went public with the information. In response to the Aurora attack, Google engineers redesigned their internal security architecture from the ground up, using the concepts of deperimeterization and the Zero Trust philosophy. A few years later, they released a commercial product called BeyondCorp that incorporated many of the ideas they developed internally. Today, deperimeterization is known in the industry as software defined perimeter. It's important to note, as Kindervag originally explained, Zero Trust is not a product. It's a philosophy, a strategy, a way to think about security, and it can always be improved. In that way, it's not about the destination; you're never going to get to the end. It's more about the journey. You can buy products to help, but Zero Trust is a mindset, and you can start with the systems you already have on your network.
In order to have a mature Zero Trust environment, organizations must have complete visibility of all people, devices, and applications that access material, data, or systems. Once that's accomplished, organizations must then have the ability to restrict access to resources based on need to know. Key to all of that is a robust identity and authorization system. Nerd reference: Over the years, Kindervag has traveled around the world explaining his Zero Trust philosophy, and he uses a Kipling poem called "I Keep Six Honest Serving Men" to help people understand the basic concepts. The poem is about Kipling's young daughter's endless curiosity and how, as we all get older, we tend to lose that sense of wonder in asking questions about who, what, when, where and why. Here's John Kindervag from a Cyberwire X episode we published in May 2021 explaining.