The concept of Zero Trust security has been around for more than a decade. Interest in it has spiked and waned as newer cybersecurity technologies have come to market, but over the past couple of years there has been renewed momentum for Zero Trust. In a pivotal development, John Kindervag, dubbed the “Godfather of Zero Trust” because he is credited with coining the term during his time at Forrester, has joined Illumio as Chief Evangelist, adding a fresh layer of insight and expertise to the company’s mission.
Focus on Zero Trust
The resurgence in Zero Trust goes back a couple of years. President Biden’s Executive Order, issued in May 2021, serves as a clear directive for federal entities to fortify their cyber defenses by implementing a Zero Trust architecture. This strategic move emphasizes the administration’s recognition of the escalating cyber threats and the need for a more resilient cybersecurity framework.
Biden’s EO states, “The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
It directed that federal agencies must develop a plan to implement Zero Trust Architecture. It also specified that efforts to migrate to the cloud must include Zero Trust Architecture and mandated, “The CISA shall modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture.”
While the EO only applies directly to federal agencies and departments, much of the private sector takes its cybersecurity cues from the government—particularly from NIST and CISA—so Zero Trust has renewed momentum in general as well.
Chief Evangelist
A press release from Illumio broke the news today of Kindervag joining the company. John Kindervag’s appointment at Illumio heralds a new chapter in the advancement of Zero Trust. I have not typically thought of Illumio as a Zero Trust provider, but when I spoke with Kindervag and Illumio CEO Andrew Rubin about the news, I was struck by the synergy between Kindervag’s vision for Zero Trust and how it meshes with Illumio’s approach to cybersecurity. Kindervag’s enthusiasm for joining Illumio stems from a shared belief in the fundamental principles of Zero Trust and a mutual commitment to refining this approach.
When I asked Andrew why he added John to the Illumio team, he explained, “John and I have known each other a long time. We’ve sat next to each other on panels—me in my Illumio context and him in his day job context, but also in the context that I’ve always thought of him in, which is in all honesty, it may sound like a funny way to describe it, but the kind of ‘Godfather of Zero Trust,’ it’s his term. He was there before all of us.”
Andrew continued, “So for me, as I think about him being on the team now, you couldn’t pick a better moment in time to have somebody who basically is rooted in the beginning of this entire movement speaking with an Illumio voice. He knows why it’s important. He figured it out before all of us and he’s been telling it as a story and an important part of cyber for a very long time.”
Segmentation is Essential
I also asked John why he is choosing to align himself with Illumio at this time. He responded, “Why Illumio? Well, because of their high-performance focus on segmentation. I think segmentation as a core technology is the most important technology in Zero Trust. If I want a Zero Trust environment, it must be segmented for sure.”
Microsegmentation stands as a cornerstone in implementing effective Zero Trust security. By dividing the network into smaller, isolated segments, organizations can limit unauthorized access and contain the impact of potential breaches. Andrew stressed in our chat that companies do a good job with prevention, but no cyber defense is perfect. Eventually, things happen—and when things happen, it’s important to be resilient.
Segmentation allows you to limit the blast radius. We talked about the comparison between microsegmentation of a network and the way a submarine or ship is designed—with doors that can seal off rooms or sections of the boat if necessary, so that a breach in the hull or a flood in one portion of the boat does not impact the rest of the boat…or sink it entirely. Microsegmentation lets you do essentially the same thing for your network.
John emphasized that he has talked about the importance of segmentation from the beginning. He implored me to go back and read his report, “Build Security Into Your Network’s DNA.” John explained, “I talked about segmentation gateways. I talked about what became protect surfaces—I called them endcaps—micropores and perimeter. So, defining a micro perimeter around it—a micro perimeter is a type of microsegmentation.”
Understanding Zero Trust
For those unfamiliar, the Zero Trust model operates on the premise of “never trust, always verify.” It abandons the traditional notion of a secure perimeter and treats every user and device as a potential threat, thereby necessitating continuous verification and least-privilege access. In a world where cyber threats are increasingly sophisticated and pervasive, this model offers a more robust defense mechanism, particularly pertinent for protecting sensitive government data and infrastructure.
The concept has evolved and improved over time. Most implementations take into account a variety of factors to determine whether increased scrutiny is necessary, in an effort to reduce friction and find a workable balance between security and draconian controls.
This collaborative endeavor comes at a critical time, as organizations globally are recognizing the importance of reinforcing their cybersecurity posture. The Executive Order from President Biden and the growing adoption of Zero Trust by various entities underscore the urgency of this shift. By embracing Zero Trust and focusing on microsegmentation, organizations can effectively limit the ‘blast radius’ of attacks and create a more resilient and secure cyber environment.
As we venture further into this digital age, the collaboration between thought leaders and innovators in cybersecurity will continue to be paramount. The union of Kindervag and Illumio signifies a step forward in this direction, with the promise of pioneering advancements in Zero Trust and the collective goal of safeguarding our digital world.