Don’t Trust, Verify: How John Kindervag Shifted Our Approach to Security

Businesses of every size need to prioritize their security. This fact has not changed and will not change anytime soon. What has changed, however, are the recommended ways to approach this security.

Today, we wanted to review the history of today’s predominant cybersecurity advice and explore how the zero-trust security model applies.

Meet John Kindervag, the Godfather of Zero Trust

Once an apprentice to be a typewriter repair specialist before transitioning into the role of broadcast engineer and then diving into the world of computer animation (and building his own high-end computers in his spare time), Kindervag ultimately credits the video game Doom for his interest in networking.

How a Game Inspired Today’s Most Effective Network Security Strategy

Under the pretense of using it to transfer animated files (which were too large to be shared in this way at the time), Kindervag convinced his bosses to allow him to build an ethernet network to more effectively support the after-hours multiplayer LAN (local area network) parties that were held in the office.

He wasn’t the only one, by the way… many advancements in computing and networking were initially made in the interest of playing Doom (no word on whether they were primarily using it to play the cooperative multiplayer campaign or the player versus player deathmatch mode).

However, as he worked on these networks, Kindervag realized they were inherently insecure, with little attention paid to their security in favor of routing and switching. With the only protection being a firewall to keep threats out, there was little stopping users from removing data from the network. The trusted, internal network that the business maintained could easily allow data to be shared to an untrusted, external network… like the Internet.

John saw this as “insane”—his word for it—and concluded that all interfaces should have zero inherent trust. Hence, the zero-trust framework.

How Zero-Trust Works

To create a zero-trust system, there are five critical steps that an organization must take:

Step One: Defining the Protect Surface
As Kindervag puts it, “Zero Trust inverts the traditional problems of cybersecurity. Instead of focusing on what's attacking you, it focuses on what I call the Protect Surface. What do I need to protect?”

In other words, you need to identify all the data you have that needs to be protected, whatever form that data takes. Only then will you know the scope of your data protection needs and be able to cover them adequately.

Step Two: Mapping Your Data
So, once you know what data you possess, you need to fully understand how the rest of your business and its IT infrastructure interact with it. Which users need access to what, which applications regularly access this data, and how is your infrastructure set up to store and transfer it? This information is critical to the next step.

Step Three: Designing an Architectural Framework
With all these insights in mind, you must then create a framework that meets all of the above needs and requirements, explicitly considering your IT infrastructure and its construction. While some frameworks may ultimately look similar, any zero-trust strategy needs to be customized to the individual business—hence, all the audits and mapping.

Step Four: Creating Your Zero-Trust Policies
With your network designed to be more security-focused, you need to identify and dictate who can access what, how and when they can, from where, and for which purpose. This goes for every user, role, device, and network, as any of these could be used to access information without authorization.

Step Five: Monitoring and Enforcing Compliance
Finally, you’ll want to actively monitor your network to identify any oversights or loopholes in your zero-trust implementation. This will allow you to make corrections that resolve security issues and potentially optimize your business network's performance.

Some Pieces of Advice from Kindervag

First and foremost, Kindervag reminds us all that security issues like ransomware and other attacks—the kind that zero-trust actively helps mitigate—are not prejudiced against any kind or size of business. As a result, everyone is a target, and the impacts of a cyberattack can easily have severe real-world repercussions in our highly digitized society… and not always the kind you might expect. 

Kindervag refers to a ransomware attack targeting a Swiss Alps dairy farmer and his milking machines. While the farmer could still manually collect milk from his livestock, he couldn’t access the telemetric health data that may have prevented one of his cows from dying.

Emotional losses from losing an animal aside, that’s potentially a few hundred dollars of profit each year, just gone.

Kindervag also points out that many large businesses are still about as prepared as this farmer was to deal with ransomware, even though computer systems and their processes directly impact a modern business’ success. Therefore, according to Kindervag, the most intelligent and cost-effective approach is to be proactive in fighting cybersecurity threats.

We Agree, and We Can Help

If you’d like advice and assistance in keeping your business secure and productive in the face of modern cybersecurity issues, call MSPNetworks at (516) 403-9001 to find out what needs to be done to implement a zero-trust approach.