5 Zero Trust Myths Busted by John Kindervag and Michael Farnum
In 2010, John Kindervag published No More Chewy Centers: Introducing The Zero Trust Model Of Information Security, a report detailing the new concept of Zero Trust he had created.
In the nearly 15 years since he introduced the concept, it’s been widely adopted in the cybersecurity industry. But its definition has also been misunderstood over time. Several Zero Trust myths have popped up that lead organizations astray as they work toward cyber resilience.
Kindervag, now chief evangelist at Illumio, is ready to set the record straight. That’s why he joined Michael Farnum, advisory CISO at Trace3, for a fireside chat to discuss the most common Zero Trust myths they’re seeing in the industry and the truths behind them.
Watch their full discussion on demand, and keep reading to get the truth from the creator of Zero Trust and a leading security expert.
John Kindervag’s definition of Zero Trust
The unique title of Kindervag’s report, No More Chewy Centers, comes from what he says is an old saying in information security: “We want our network to be like an M&M, with a hard crunchy outside and a soft chewy center.” The motto is based on the traditional trust model of cybersecurity, which assumes attackers can’t get past the “hard crunchy outside” of the secured network perimeter.
But as Kindervag explains, “In today’s new threat landscape, this is no longer an effective way of enforcing security. Once an attacker gets past the shell, he has access to all the resources in our network.”
The Zero Trust model is Kindervag’s response to this old security model.
“Zero Trust is a strategy. It’s not a product. You can’t buy it,” he said.
Zero Trust is designed to do two things:
- Stop data breaches (Kindervag defines data breaches as incidents when sensitive or regulated data has been exfiltrated from a network or system into the hands of a malicious actor)
- Stop cyberattacks from being successful
Zero Trust provides a roadmap for getting those two things done at a strategic level. It helps guide you to the right tactics and technologies.
“Cybersecurity is a journey, not a destination. I think the same thing is true with Zero Trust,” he noted.
Kindervag’s 5 steps to Zero Trust
- Define your protect surface: You can't control the attack surface because it's always evolving, but you can shrink your organization's protect surface into small, easily known parts. The protect surface usually includes a single data element, service, or asset.
- Map communication and traffic flows: You can't protect the system without understanding how it works. Getting visibility into your environments shows where controls are needed.
- Build the Zero Trust environment: Once you get complete visibility into the network, you can start implementing controls that are tailor-made for each protect surface.
- Create Zero Trust security policies: Build policies that provide granular rules allowing only permissible traffic to access the resource in the protect surface.
- Monitor and maintain the network: Inject telemetry back into the network, building a feedback loop that continuously improves security and builds a resilient, anti-fragile system.
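An added illustration of steps 1, 2, 4 and 5, not taken from Kindervag's reports or from Illumio or Trace3: observed flows are checked against a default-deny allowlist for one protect surface, and denied flows are queued for review. Every name, address, port and rule below is constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Step 1 (constructed): a protect surface holding a single service.
PROTECT_SURFACE = {"name": "cardholder-db", "net": ip_network("10.20.0.10/32")}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

# Step 2 (constructed sample): flows observed while mapping traffic.
OBSERVED = [
    Flow("10.10.1.5", "10.20.0.10", 5432),  # payment app -> database
    Flow("10.10.1.5", "10.20.0.10", 5432),
    Flow("10.30.7.9", "10.20.0.10", 5432),  # workstation -> database
    Flow("10.10.1.5", "10.20.0.10", 22),    # app -> database over SSH
    Flow("10.30.7.9", "10.40.0.3", 443),    # does not touch the protect surface
]

# Step 4: granular allow rules. Anything not listed is denied by default.
ALLOW_RULES = [{"src": ip_network("10.10.1.0/28"), "port": 5432}]

def touches_surface(flow, surface=PROTECT_SURFACE):
    """True when the flow's destination lies inside the protect surface."""
    return ip_address(flow.dst) in surface["net"]

def decide(flow, rules=ALLOW_RULES, surface=PROTECT_SURFACE):
    """Return 'allow', 'deny' or 'out-of-scope' for one flow."""
    if not touches_surface(flow, surface):
        return "out-of-scope"
    for rule in rules:
        if ip_address(flow.src) in rule["src"] and flow.port == rule["port"]:
            return "allow"
    return "deny"  # default deny: no rule matched

def review_queue(flows):
    """Step 5: count denied flows so they feed back into policy review."""
    counts = {}
    for flow in flows:
        if decide(flow) == "deny":
            counts[flow] = counts.get(flow, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0].src, kv[0].port))

if __name__ == "__main__":
    for flow, hits in review_queue(OBSERVED):
        print(f"denied x{hits}: {flow.src} -> {flow.dst}:{flow.port}")
```

Each entry in the review queue is either traffic that should stay blocked or a legitimate flow that was missed during mapping and needs its own narrowly scoped rule.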
Zero Trust Myth #1: There are defined standards for cybersecurity and Zero Trust
“There are no cybersecurity standards in the world,” Kindervag said. Despite their published reports on Zero Trust, organizations like NIST and CISA don’t set cybersecurity standards – they only provide guidance.
“If you read CISA’s Zero Trust Maturity Model (ZTMM), they say it’s one way you might choose to do it. They’re not being prescriptive at all, and neither am I,” he explained.
This also means that there’s no standard for Zero Trust. Every organization is unique and must take a unique approach to building Zero Trust. Security guidance can be very helpful, but it’s not necessarily the best way to do it.
Zero Trust Myth #2: You can get Zero Trust by following a checklist
In truth, every organization’s Zero Trust journey will be different. It depends on your size, growth, budget, and resources.
“It’s a matter of figuring out the point on the maturity model where you want to focus on and what you need to do to reach it,” Kindervag explained.
Kindervag recommends starting with your organization’s protect surface. Teams must ask: what do we need to protect? This is different from an approach that starts with the attack surface, which can set off an endless, fruitless cycle of reacting to threats rather than proactively preparing to protect the most important assets.
Farnum agreed that Trace3 often sees organizations that started their Zero Trust journeys by focusing on the attack surface and met pitfalls. Instead, Trace3 encourages clients to use Kindervag’s five steps to Zero Trust by first identifying their protect surface.
Zero Trust Myth #3: Zero Trust is just identity security
Kindervag cautioned against getting “too literal” with Zero Trust. For many security leaders, this can look like following the maturity model too strictly.
“People feel like they have to do all of identity first because that’s the first Zero Trust pillar,” Kindervag said. Instead, he encourages organizations to look at their unique protect surface and focus on whatever Zero Trust pillar secures their most important resources first.
“You have to look at it horizontally, not just vertically,” Kindervag explained.
This often means organizations should focus on segmentation rather than identity. Thirteen years ago, in his second-ever report on Zero Trust, Build Security Into Your Network’s DNA: The Zero Trust Network Architecture, Kindervag put segmentation at the core of Zero Trust. As he says in the report, "New ways of segmenting networks must be created because all future networks need to be segmented by default."
Segmentation, also called Zero Trust Segmentation, is an essential part of Zero Trust. You can't achieve Zero Trust without it.
Zero Trust Myth #4: Buying a Zero Trust platform means you have Zero Trust security
If you're in the cybersecurity industry, you’ve heard the term defense in depth. But for many organizations, this concept has turned into “expense in depth,” according to Kindervag.
Why are organizations still suffering severe cyber incidents when we’re spending more than ever on security solutions?
“If security is about buying enough stuff or spending enough money, then we’ve done it,” Kindervag said.
Farnum said he sees many companies spending money on security platforms without first understanding what they need to protect. Trace3 encourages clients to shift their thinking about Zero Trust before making any more purchases. They go back to getting visibility into their network and knowing what’s most important to secure.
Kindervag endorsed this approach. “We just want it to automatically work in a magical sort of fairy dust way. But that's not how it works. You always start with the protect surface.”
Zero Trust Myth #5: “Zero Trust” is just new packaging for an old security concept
Some in the cybersecurity industry have questioned the validity of Zero Trust. They’ve condemned it as marketing jargon that’s just new wrapping on an old idea.
But for Kindervag, this just shows that they misunderstand the concept. “What was Zero Trust before Zero Trust? There was no Zero Trust. That was the problem,” he said.
In the 20th century, the focus was on perimeter-based security. Networks were designed from the outside in: the outside was untrusted and the inside was trusted. This created wide-open, flat networks on the inside. With this design, attackers can not only get inside the network but also stay there for days, weeks, months, even years.
“You have to reset your mindset,” Farnum agreed. “All interfaces should be untrusted. Just because your network is up and running doesn’t mean it’s secure.”
Illumio + Trace3 partner to advance your Zero Trust strategy
Trace3 is a leading technology consulting firm helping clients build, innovate, and manage their entire IT sphere, including cybersecurity. They’ve partnered with Illumio to help clients build Zero Trust security with Zero Trust Segmentation.
Together, the partnership offers a comprehensive approach to building and implementing a Zero Trust architecture. By combining Trace3’s strategic expertise with Illumio’s advanced segmentation technology, you can find a tailored approach to Zero Trust that fits your organization's security needs.