Podcast appearances and mentions of john kindervag

  • 44 podcasts
  • 54 episodes
  • 37m average duration
  • 1 new episode per month
  • May 2, 2025: latest episode


Latest podcast episodes about john kindervag

@BEERISAC: CPS/ICS Security Podcast Playlist
EP 61: Applying Zero Trust to OT systems

May 2, 2025 · 36:07

Podcast: Error Code. Episode: EP 61: Applying Zero Trust to OT systems. Pub date: 2025-04-30. Zero Trust is a security model based on default-deny policies and fine-grained access control governed by identity, authentication, and contextual signals. For RSAC 2025, John Kindervag, Chief Evangelist of Illumio and the creator of Zero Trust, talks about introducing a "protect surface" into legacy OT systems: isolating critical data, applications, assets, or services into secure zones for targeted Zero Trust implementation.

Error Code
EP 61: Applying Zero Trust to OT systems

Apr 30, 2025 · 36:07

Zero Trust is a security model based on default-deny policies and fine-grained access control governed by identity, authentication, and contextual signals. For RSAC 2025, John Kindervag, Chief Evangelist of Illumio and the creator of Zero Trust, talks about introducing a "protect surface" into legacy OT systems: isolating critical data, applications, assets, or services into secure zones for targeted Zero Trust implementation.

The Segment: A Zero Trust Leadership Podcast
The Monday Microsegment for the week of 1/21/2025

Jan 21, 2025 · 6:35

The Monday Microsegment for the week of January 21st. All the cybersecurity news you need to stay ahead, from Illumio's The Segment podcast.
  • What's up with one of the world's biggest messaging platforms? Targeted attacks, that's what.
  • While hotel guests were checking in last year, hackers were checking out their personal info.
  • And a new phishing kit bypasses Microsoft 365 two-factor authentication.
And Gary Barlet and John Kindervag join us for an Agree to Disagree segment. Head to The Zero Trust Hub: hub.illumio.com. Illumio World Tour Registration: https://www.illumio.com/illumio-world-tour

The Tech Blog Writer Podcast
3107: Reducing Cyberattack Risks by 90% with Illumio's Zero Trust Model

Dec 3, 2024 · 43:20

What does it truly mean to "never trust, always verify"? In this episode of Tech Talks Daily, I'm joined by John Kindervag, Senior Vice President of Cybersecurity Strategy at Illumio and the pioneer of the Zero Trust approach to cybersecurity. With cyber threats evolving at an unprecedented rate, John argues that Zero Trust is no longer optional for organisations moving to cloud-based environments—it's a necessity. John explains why the traditional trust-based approach to cybersecurity is obsolete and shares actionable insights on adopting a Zero Trust strategy. He highlights the critical steps in implementing Zero Trust, emphasizing the importance of starting small with Protect Surfaces and flow maps to create manageable, effective security policies. Through real-world examples, he demonstrates how organisations have reduced their attack surfaces by up to 90% by embracing this model. We also explore common pitfalls, such as attempting to implement Zero Trust all at once, and how incremental changes can set the stage for long-term success. John sheds light on how Zero Trust dramatically enhances an organisation's resilience against cyberattacks, providing continuous monitoring and automated policies to safeguard critical assets in an increasingly cloud-driven world. How can organisations move beyond outdated approaches to cybersecurity and embrace the transformative power of Zero Trust? Are you ready to take the first steps toward securing your digital future? Tune in to this essential conversation with John Kindervag, and let us know your thoughts!

GRC Academy
Zero Trust - It's Way Easier Than You Think with John Kindervag

Sep 3, 2024 · 31:45

Zero Trust is NOT complicated! Don't believe me? Let me introduce you to its creator!
In this episode, Jacob speaks with John Kindervag, the creator of Zero Trust. John is the Chief Evangelist at Illumio, where he accelerates awareness and adoption of Zero Trust Segmentation.
In the episode he shares the origin story of Zero Trust, starting with his time at Forrester Research. He explains the fundamental principles of Zero Trust, debunks common misconceptions, and describes how you can implement Zero Trust using a 5-step model.
Here are a few highlights from this episode:
  • The broken trust model that has allowed the largest data breaches
  • Defining Zero Trust and misconceptions about it
  • How to implement Zero Trust in 5 steps
  • "Things Run Amok" poem: if Dr. Seuss wrote about the Internet of Things
John's elevator pitch for Zero Trust is a masterclass in itself. If you want to convince business leaders to invest in cybersecurity, you have to focus on how that investment will benefit the business. John does exactly that here, and we should all take note.
Illumio is a Zero Trust Segmentation company that prevents breaches and ransomware from spreading across hybrid environments. Their platform visualizes traffic flows, automatically sets granular segmentation policies, and isolates critical assets and compromised systems. Founded in 2013, Illumio protects organizations of all sizes, from Fortune 100 to small businesses.
Follow John on LinkedIn: https://www.linkedin.com/in/john-kindervag-40572b1/
Illumio Website: https://www.illumio.com/
Thanks to our sponsor Vanta! Want to save time filling out security questionnaires? Register for Vanta's upcoming webinar on Questionnaire Automation here: https://vanta.com/grcacademy
Governance, Risk, and Compliance (GRC) Academy is a training and research platform! Online GRC Training: https://grcacademy.io/courses/?utm_source=podcast&utm_medium=s1-e30&utm_campaign=courses

CXOInsights by CXOCIETY
PodChats for FutureCISO: What we need to know about Zero Trust Segmentation

Aug 1, 2024 · 18:11

Zero trust adoption in Asia has been gaining momentum, albeit with varying levels of progress across the region. While 76% of global organisations have begun implementing zero trust strategies, with 35% claiming full implementation, the Asia Pacific region shows a disparity in adoption rates. Organisations are motivated to adopt zero trust primarily to improve overall security, enhance user experience, and foster cooperation among security teams. Zero trust segmentation emerges as a viable option for enhancing cybersecurity postures, as it addresses the challenges posed by dissolving network perimeters and the increasing complexity of IT environments. As Asian companies continue to grapple with cybersecurity challenges in 2024, zero trust segmentation offers a promising approach to fortify their defences against evolving threats.
John Kindervag, chief evangelist at Illumio and creator of the zero trust security model, joins FutureCISO to share his views on the following:
  • You are credited with creating the concept “zero trust”. What was the inspiration for this?
  • 14 years on, where do you think organisations, regulators and security vendors are as it relates to zero trust?
  • Let's go into zero trust segmentation. What is zero trust segmentation?
  • What are the key challenges CISOs and CIOs face when implementing zero trust segmentation?
  • What are the potential downsides of over-segmenting a network?
  • How can zero trust segmentation be integrated with existing cybersecurity frameworks?
  • Are all segmentation network technologies equal, and what questions should CISOs/CIOs/network security teams be looking at to ensure that whatever solution they take is right for their environment?
  • What is your advice for CISOs/CIOs concerning zero trust and network segmentation?

Federal Tech Podcast: Listen and learn how successful companies get federal contracts
Ep. 168 Who do you trust? Zero Trust & the Federal Government

Jul 30, 2024 · 23:58

Want to make the most out of your next podcast appearance? https://content.leadquizzes.com/lp/fk1JL_FgeQ
Connect to John Gilroy on LinkedIn: https://www.linkedin.com/in/john-gilroy/
Want to listen to other episodes? www.Federaltechpodcast.com
John Kindervag is the father of Zero Trust; Greg Touhill is the general of Zero Trust; today, we sit down with Dr. Zero Trust, Chase Cunningham. Dr. Chase Cunningham has a solid background for his opinions. He served in the military, has a PhD, five patents, and has written five books. We begin the discussion with praise from Randy Resnick, the Director of the DoD Zero Trust Portfolio Management Office. The DoD is not the only federal area with large systems to concern themselves with. The challenge in making a transition to Zero Trust is extant in the civilian agencies. For example, LaMonte Yarborough from HHS indicated he must manage systems to try to make a transition to Zero Trust. Cunningham's experience includes running a red team, so we pivoted the conversation to AI. Malicious actors or red teams can use AI-based tools like Dork GPT to create new ways to attack systems. Today's far-ranging discussion covers many topics that federal leaders would be interested in, including cybersecurity skills, compliance, and managing legacy systems. Technology periodicals all have headline articles on the lack of talent in the world of cyber security. Chase mentioned a school in Virginia called CyberNow Labs. It is a “trade” school that can prepare individuals quickly for a job stopping malicious actors. He mentioned several students are getting job offers before they leave. When the topic of quantum was introduced, comments were made that, from a cybersecurity perspective, it is wiser to concern yourself with basics like identity and patching rather than worrying about a future quantum event.

The CyberWire
The current state of the zero trust.

Jul 29, 2024 · 18:29

Rick Howard, N2K CyberWire's Chief Analyst and Senior Fellow, discusses the current state of zero trust with CyberWire Hash Table guest John Kindervag, the originator of the zero trust idea.
References:
  • Jonathan Jones, 2011. “Six Honest Serving Men” by Rudyard Kipling [Video]. YouTube.
  • Dave Bittner, Rick Howard, John Kindervag, Kapil Raina, 2021. Zeroing in on zero trust [Podcast]. CyberWire-X Podcast, N2K CyberWire.
  • Dawn Cappelli, Andrew Moore, Randall Trzeciak, 2012. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) [Book]. SEI Series in Software Engineering. Goodreads.
  • Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.
  • John Kindervag, 2010. No More Chewy Centers: Introducing The Zero Trust Model Of Information Security [White Paper]. Palo Alto Networks.

Feds At The Edge by FedInsider
Ep. 157 Zero Trust Needed to Win the Cyber War

Jul 10, 2024 · 67:16

Zero Trust has revolutionized the way agencies everywhere are securing their networks, and this week on Feds at the Edge we talk with titans in the field, including John Kindervag, Chief Evangelist with Illumio, who in 2010 coined the phrase “zero trust model.” We delve into this stricter cybersecurity program, where identity leads the guideposts in defending today's cyber landscape. Dr. Robert Roser, CISO with the Idaho National Laboratory, agrees: “Without identity, nothing else matters.” We also discuss the larger-than-life landscape that agencies are tasked with protecting. Sean Connelly, Federal Zero Trust Architect with CISA, reminds listeners that while most know the big three cloud providers, there are over 300. Limiting our understanding to “the main and the plain” could lead to trouble. La Monte R. Yarborough, Acting DCIO, CISO and Executive Director, Office of Information Security, HHS, shares that HHS is tasked with protecting 1200+ networks every day.

Threat Talks - Your Gateway to Cybersecurity Insights
Zero Trust with John Kindervag – Threat Talks on tour | Part 2

Jun 18, 2024 · 31:39

Discover how Zero Trust can effectively protect against cyber threats and hear firsthand experiences from industry leaders! Lieuwe Jan Koning and cybersecurity expert John Kindervag dive into the concept of Zero Trust at the RSA Conference in San Francisco. They discuss the prevalence and importance of Zero Trust in the cybersecurity landscape, sharing insights from the conference and Kindervag's extensive experience. Learn about the fundamentals of Zero Trust, its evolution since 2010, and why it remains a critical strategy in combating modern cyber threats. Whether you're an IT professional, cybersecurity enthusiast, or just curious about the latest in cyber defense, this episode offers actionable insights and expert perspectives on a vital security strategy.

Threat Talks - Your Gateway to Cybersecurity Insights
Zero Trust with John Kindervag - Threat Talks on tour: Live from the RSA | Part 1

Jun 11, 2024 · 30:57

Join host Lieuwe Jan Koning as he interviews John Kindervag, creator of Zero Trust, at the RSA conference. Explore the origins, principles, and impact of Zero Trust on modern cybersecurity. Download the NSTAC report discussed in the episode here. Get your Threat Talks T-shirt on https://threat-talks.com/!

The Segment: A Zero Trust Leadership Podcast
The Zero Trust Origin Story with John Kindervag, Chief Evangelist at Illumio and Creator of Zero Trust

Apr 30, 2024 · 59:01

Welcome back to The Segment! In our Season 2 premiere, host Raghu Nandakumara sits down with John Kindervag, Chief Evangelist at Illumio and the “Godfather of Zero Trust”, to unpack John's Zero Trust origin story, where folks go wrong on their Zero Trust journeys, federal Zero Trust momentum, and so much more.
“I said all interfaces should have the same trust and it should be zero. And that's really where Zero Trust comes from, is just a pushback against how we were building firewalls which affected policy and there was no reason for it." - John Kindervag
Time Stamps
  • (09:00) The foundation of “trust but verify”
  • (15:39) The motivation behind John's seminal papers at Forrester
  • (24:16) The uptick of Zero Trust
  • (31:41) Is Zero Trust difficult to adopt?
  • (46:48) What does a culture of Zero Trust mean?
Sponsor: Assume breach, minimize impact, increase resilience ROI, and save millions in downtime costs — with Illumio, the Zero Trust Segmentation company. Learn more at illumio.com.
Links: Connect with John on LinkedIn. Read the NSTAC Report to the President on Zero Trust and Trusted Identity Management (February 2022).

Better Tech
Cloud Security Economy: Trust, Doubts, and the Zero Trust Paradigm

Apr 17, 2024 · 40:57

In this BetterTech podcast, "Cloud Security Economy: Trust, Doubts, and the Zero Trust Paradigm," Colin McCarthy talks with John Kindervag, Chief Evangelist at Illumio and the person who came up with the Zero Trust idea. They talk about how Zero Trust went from a new idea in 2010 to a very important way to keep computer systems safe today. John explains why Zero Trust is so important for stopping hackers and fixes some wrong ideas people have about keeping things safe in the cloud. He also says it's very important to learn by doing things yourself in cybersecurity and to start with basic jobs to get this experience. This episode gives a clear look at how to keep things safe in the cloud and why doing things yourself is so important, all through the story of Zero Trust.

Security Visionaries
Zero Trust: It's More Than Just Identity

Apr 2, 2024 · 30:14

On this episode of Security Visionaries, host Emily Wearmouth explores the concept of zero trust with cybersecurity experts John Kindervag, the "Godfather of Zero Trust,” and Neil Thacker. Listen in as they recount the origins of zero trust, its underlying principles, and how it's reshaping modern organizations. They also clarify the common misconception that zero trust is only about identity and access management, stressing its broader scope in safeguarding organizational assets. Moreover, they delve into the trials and tribulations of implementing zero trust, and the need to understand the organization's mission and protect surface. Finally, we encourage organizations to gradually, iteratively, and inconspicuously adopt zero trust while keeping a close eye on the system.

Federal Tech Podcast: Listen and learn how successful companies get federal contracts
Ep. 121 The Godfather of Zero Trust, John Kindervag from Illumio

Jan 16, 2024 · 29:10

The first part of this interview is a fascinating description of how John Kindervag produced the concept of Zero Trust. In the early days of networking, many users were described as “trusted users.” John questioned why they did not take the next step and verify them. The response was classic – because it would be rude. Fast forward a few decades and we see countless breaches and billions of dollars of intellectual property lost because of fear of offending the sensitivities of users. Back to 2011. Interfaces on firewalls could have varying levels of trust associated with them; the question from John Kindervag was, “why any levels at all?” His idea of zero trust resonated in the commercial and federal marketplace. For example, an Executive Order was issued in May of 2021 mandating the adoption of zero trust for the federal government. During the interview John Kindervag presents a fascinating contrast between the attack surface and the protect surface. This is a framework to allow federal leaders to prioritize what data to protect. To gain a better understanding of how to deploy Zero Trust, The National Security Telecommunications Advisory Committee was established. It presents a five-step model and shows how to build Zero Trust one protect surface at a time. Listen and learn about the Cloud Security Alliance and myriad ways to develop expertise in the nuances around incorporating Zero Trust into your federal network.
Mentioned in the interview: What is Zero Trust Architecture? https://www.illumio.com/blog/what-is-a-zero-trust-architecture

The Cowbell Factors
Zeroing in on Zero Trust with John Kindervag

Jun 15, 2023 · 23:33

On the season finale of The Cowbell Factors Podcast, our guest host Marion Krueger interviews cybersecurity expert and creator of the revolutionary Zero Trust model of cybersecurity, John Kindervag. Traditional IT network security trusts anyone and anything inside the network; a Zero Trust architecture trusts no one and nothing. Listen to this week's episode to learn more. To learn more about Zero Trust, visit https://www.forrester.com/blogs/the-definition-of-modern-zero-trust/ To get appointed with Cowbell or to purchase a Cowbell product, visit cowbell.insure

Breaking Into Cybersecurity
Zero Trust Tenants

Jun 3, 2023 · 3:56

What is Zero Trust? Zero Trust is a cybersecurity concept that suggests that organizations should not automatically trust any user, device, or network, even if they are inside the network perimeter. Instead, all access to resources should be strictly controlled and verified based on the principle of least privilege. The idea behind Zero Trust is that traditional network security models, which rely on perimeter defenses to keep out external threats, are no longer sufficient in today's connected world. With the proliferation of mobile devices and cloud services, it is increasingly difficult to define a clear perimeter, and attackers can easily gain access to an organization's networks and systems from within. By adopting a Zero Trust approach, organizations can better protect themselves against these types of attacks. Instead of relying on perimeter defenses, they can implement granular access controls that are based on the specific actions and resources a user is trying to access. This can help prevent unauthorized access and reduce the risk of a security breach.
With all of the huff and puff around Zero Trust, it is frustrating when vendors claim that their product is a Zero Trust “Solution.” For example, in a post this morning, a connection of mine shared some of the technical solutions to help achieve a Zero Trust approach but skipped the first steps of the Zero Trust Design Principles.
According to the Zero Trust Principles by John Kindervag, you start with the following:
  • Define the protect surface (which you need to work with the business to understand the critical things to watch). There will be more than one “protect surface”, and potentially more than one “protect surface” for a given business application.
  • Map the transaction flows (which means understanding the business processes, how they flow, and how they can best be designed considering any constraints). Look at What needs to be protected, Who needs access, When they need access, and Why they need access.
  • Architect a Zero Trust environment (which means combining the protect surface and transaction flows into an environment that gives zero open access to people/systems that do not need access).
  • Create Zero Trust Policies (the formal design, governance, playbooks, incident response, etc., which will determine the way the systems are created).
  • Monitor and maintain (which ensures that the Zero Trust policies are managed, enforced, and continue to function in the manner designed; if not, the process for that protect surface should be re-designed).
As you can see, Zero Trust is a design strategy that leads to something that can be managed and measured. Adding tools to the stack will not equal a Zero Trust environment if the protect surfaces and transaction flows are not designed with Zero Trust in mind.

SoftwareArchitektur im Stream
Zero Trust mit Christoph Iserlohn

May 26, 2023 · 61:02

In this episode, Christoph Iserlohn and Lisa Moritz talk about the topic of “Zero Trust”: what is behind it, and where does the term come from? They also clarify what it has to do with software architecture and how Zero Trust can work together with legacy systems.
Links
  • Schnaq for the discussion
  • Doctoral thesis in which Zero Trust appears for the first time
  • The first report by John Kindervag that introduces Zero Trust, and his recommendations for implementation
  • The accompanying videos with John Kindervag
  • Explanation of the concept: https://www.youtube.com/watch?v=-ld2lfz6ytU
  • NIST (US) Special Publication 800-297 on Zero Trust
  • National Cyber Security Centre (UK) on Zero Trust and the associated GitHub repo
  • BeyondCorp, Google's Zero Trust implementation

Hacking Humans
ZTNA (noun) [Word Notes]

Mar 7, 2023 · 7:17

A technology set designed to support the cybersecurity first principle strategy of zero trust, one that limits device, people, and software component access to only designated authorized resources and nothing more. CyberWire Glossary link: https://thecyberwire.com/glossary/zero-trust-network-access Audio reference link: “Zero Trust Explained by John Kindervag.” YouTube, YouTube, 2 Oct. 2022, https://www.youtube.com/watch?v=-LZe4Vn-eEo.

Word Notes
ZTNA (noun)

Feb 28, 2023 · 7:17

A technology set designed to support the cybersecurity first principle strategy of zero trust, one that limits device, people, and software component access to only designated authorized resources and nothing more. CyberWire Glossary link: https://thecyberwire.com/glossary/zero-trust-network-access Audio reference link: “Zero Trust Explained by John Kindervag.” YouTube, YouTube, 2 Oct. 2022, https://www.youtube.com/watch?v=-LZe4Vn-eEo.

The Segment: A Zero Trust Leadership Podcast
Practicing Zero Trust and Adopting Assume Breach with Dr. Chase Cunningham, Dr. Zero Trust

Feb 1, 2023 · 36:46

In this episode, host Raghu Nandakumara sits down with Chase Cunningham, former Forrester analyst and “Dr. Zero Trust”, to discuss the evolution of the Zero Trust framework and what organizations get wrong when mapping out their Zero Trust strategies.
“...John [Kindervag] says it all the time: Trust is a human emotion; we've built it into computers. If you remove the trusted relationships, it's not that there's going to be “zero trust.” It's that they're going to have manageable risk based on trust relationships, and that makes the bad guy's day really hard.” — Dr. Chase Cunningham
Time Stamps
  • (6:34) Zero Trust is nothing new, just an evolution of something that's always made sense
  • (10:32) You can get Zero Trust wrong – but start small to get it right
  • (16:18) How vendors have changed the Zero Trust landscape
  • (21:39) How APIs are transforming the future of cybersecurity platforms
  • (28:34) Federal Zero Trust progress is “fast-ish”
Sponsor: Assume breach. Minimize impact. Increase resilience. With Illumio, the Zero Trust Segmentation company. Learn more at illumio.com/
Links: Connect with Chase on LinkedIn. Check out the DrZeroTrust podcast.

Dark Mode Podcast
#31 - The Creation, Evolution and Future of Zero Trust - John Kindervag

Jan 22, 2023 · 42:01

In this episode Gabe Marzano (@GabeMarzano) and Ben Sullivan (@BenSullivan) host John Kindervag, the Creator of Zero Trust and now Senior Vice President of Cybersecurity Strategy at ON2IT.

Cybersecurity Unplugged
Protecting Neutral Networks

Dec 21, 2022 · 33:22

Tito Sestito is the co-founder and CEO of HiddenLayer, a cybersecurity startup in the business of preventing adversarial machine learning attacks. In this episode, Sestito is joined by John Kindervag, who we all know as the 'father of Zero Trust' and a friend to HiddenLayer.

Ask A CISO
Project Zero Trust

Oct 19, 2022 · 25:49

The old mantra that humans are the weakest link in cybersecurity should be discarded, according to George Finney. Listen in as we talk to him about why he thinks so, and why he chose to draw from sciences like psychology, neuroscience, history, and economics for his first book Well Aware. We also had George define Zero Trust and talk about his new book Project Zero Trust, which he co-authored with John Kindervag, the “father” of Zero Trust. Learn about:

Cloud Security Today
Zero trust with no FUD

Jul 21, 2022 · 46:25

In today's episode, the Creator of Zero Trust, John Kindervag, joins Matt on the show to discuss implementing Zero Trust in your organization. While at Forrester Research in 2010, John developed Zero Trust, promising adequate and effective protection of an organization's most valuable assets. Today, John talks about the driving force behind Zero Trust, the concept of the Protect Surface, and Kipling Method Policies. Why is trust a vulnerability? Hear about Zero Trust, Shadow IT, and get John's recommended resources.
Timestamp Segments
  • [02:20] About John.
  • [05:29] How does John define Zero Trust?
  • [07:45] Why is trust a vulnerability?
  • [09:56] The Protect Surface.
  • [12:32] Kipling Method Policies.
  • [17:22] The roadmap to Zero Trust at scale.
  • [22:56] It's the inspection that matters.
  • [28:26] Zero Trust in the Cloud.
  • [31:33] Shadow IT.
  • [38:54] Tracking specific metrics.
  • [40:58] John's resource recommendations.
Notable Quote: "We can never stop cyber attacks from happening, but we can stop them from being successful.”
Relevant Links
  • Recommended Reading: The Zero Trust Learning Curve; Antifragile, by Nassim Nicholas Taleb; On Grand Strategy, by John Gaddis; Winning in FastTime, by John Warden.
  • LinkedIn: https://www.linkedin.com/in/john-kindervag-40572b1
  • ISMG: https://ismg.io
Comprehensive, full-stack cloud security: secure infrastructure, apps and data across hybrid and multi-cloud environments with Prisma Cloud.

Paul's Security Weekly TV
Clearing the Air on Zero Trust - Steven Turner - ESW #267

Apr 2, 2022 · 36:30

Cybersecurity buzzwords tend to go through a process. They're used as a differentiator. Then everyone adopts them and things get out of control. The term Zero Trust originally gained traction in InfoSec thanks to the model designed by John Kindervag during his time at Forrester. These days, you could be seeing the term Zero Trust because:
1. a vendor makes a product that fits into any one of dozens of categories that contribute to a Zero Trust architecture (IAM, MFA, ZTNA, micro segmentation, directory services, etc)
2. a vendor is using 'zero trust' as a metaphor (small z, small t)
3. a vendor is using 'zero trust' as a philosophy, or company principle (small z, small t)
4. the CMO said it needs to be somewhere on the website for SEO
5. someone told a founder to put it in the sales and/or pitch deck
Steve joins us to separate the cyber virtue signaling from the truth of what Zero Trust actually looks like, why it's difficult, and what impact federal interest in Zero Trust will have on this trend.
Segment Resources:
  • NIST SP 800-207 https://csrc.nist.gov/publications/detail/sp/800-207/final
  • UK NCSC ZT Guidance https://github.com/ukncsc/zero-trust-architecture
  • USA CISA/OMB ZT Guidance https://zerotrust.cyber.gov/
  • DOD ZT Reference Architecture https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf
  • Microsoft ZT Guidance https://docs.microsoft.com/en-us/security/zero-trust/
Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw267

Enterprise Security Weekly (Video)
Clearing the Air on Zero Trust - Steven Turner - ESW #267

Apr 1, 2022 · 36:30

Cybersecurity buzzwords tend to go through a process. They're used as a differentiator. Then everyone adopts them and things get out of control. The term Zero Trust originally gained traction in InfoSec thanks to the model designed by John Kindervag during his time at Forrester. These days, you could be seeing the term Zero Trust because:
1. a vendor makes a product that fits into any one of dozens of categories that contribute to a Zero Trust architecture (IAM, MFA, ZTNA, micro segmentation, directory services, etc)
2. a vendor is using 'zero trust' as a metaphor (small z, small t)
3. a vendor is using 'zero trust' as a philosophy, or company principle (small z, small t)
4. the CMO said it needs to be somewhere on the website for SEO
5. someone told a founder to put it in the sales and/or pitch deck
Steve joins us to separate the cyber virtue signaling from the truth of what Zero Trust actually looks like, why it's difficult, and what impact federal interest in Zero Trust will have on this trend.
Segment Resources:
  • NIST SP 800-207 https://csrc.nist.gov/publications/detail/sp/800-207/final
  • UK NCSC ZT Guidance https://github.com/ukncsc/zero-trust-architecture
  • USA CISA/OMB ZT Guidance https://zerotrust.cyber.gov/
  • DOD ZT Reference Architecture https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf
  • Microsoft ZT Guidance https://docs.microsoft.com/en-us/security/zero-trust/
Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw267

Pwned: The Information Security Podcast

Zero Trust is a highly attractive term that conjures beneficial impacts, but is inconsistently defined (hint: it means "Don't Trust Anything"). Its history of overuse means Justin and Jack have to spend some time making it clear. Beware the Pit of Despair! If you have any suggestions on what might fall into the pit next, send us an email at pwned@nuharborsecurity.com.

Content referenced in this episode can be found in the links below:
Microsoft's approach to advocating for a Zero Trust business plan.
John Kindervag's Zero Trust Network Architecture video.

Check out NuHarbor Security for complete cyber security protection for your business and a security partner you can trust.
Website: https://nuharborsecurity.com
Facebook: https://www.facebook.com/nuharbor/
Twitter: https://twitter.com/NuHarbor@nuharbor
LinkedIn: https://www.linkedin.com/company/nuharbor/
Instagram: https://www.instagram.com/nuharborsecurity/

Podcasts – TechSpective
Den Jones Talks about Zero Trust

Podcasts – TechSpective

Jan 27, 2022


The concept of zero trust is not new. John Kindervag popularized the term back around 2010 when he was a Forrester analyst, and organizations have been implementing and deploying variations on the idea ever since. However, the combination of the …

ISTARI Voices: Demystifying Zero Trust
Ep. 101 - John Kindervag

ISTARI Voices: Demystifying Zero Trust

Nov 1, 2021 · 42:06


This episode features John Kindervag, one of the world's foremost cybersecurity experts best known for creating the revolutionary Zero Trust model.

BarCode
Zero Proof with John Kindervag

BarCode

Oct 18, 2021 · 57:54


Organizations are increasingly adopting a Zero Trust model, which is based on the philosophy that there should be no implicit trust in a corporate network. Rooted in the principle of “Never Trust, Always Verify”, Zero Trust is designed to protect modern digital environments against successful data breaches. While it has existed for over a decade, Zero Trust is one of the most misused “buzzwords” in the industry today. Vendor marketing and other misleading data has unfortunately caused mass confusion about what Zero Trust really is and how to use it properly.

Former Forrester Research analyst and creator of Zero Trust, John Kindervag, stops in to demystify the term, while explaining how it's a proven security strategy within enterprise security. Our conversation at the bar includes properly defining the term, the value of adoption, implementation techniques, exemptions, and more!

Tony the Bartender develops a “Python”.

Support the show (https://www.patreon.com/barcodepodcast)

DrZeroTrust
Zero Trust conversation with John Kindervag

DrZeroTrust

Aug 16, 2021 · 46:03


A conversation on Zero Trust with the person noted for coining the term and starting the ZT movement.

Burned by the Firewall
What Does Trust Mean to You?

Burned by the Firewall

Jul 7, 2021 · 40:00


Mike and Davin are joined by John Kindervag, creator of Zero Trust for the Season 2 Premiere of Burned by the Firewall! The trio discuss how Zero Trust came to be, its fundamentals, and some common myths. For anyone who is concerned with their current deployments, or who is considering setting up new infrastructure, this episode is for you!

The Virtual CISO Podcast
Trust Is a Vulnerability: 5 Steps on the Path to Zero Trust with John Kindervag

The Virtual CISO Podcast

Jun 25, 2021 · 60:32 · Transcription Available


How do you quantify trust? Is it something that can be digitized? In the world of cybersecurity, trust is a vulnerability. What we need is Zero Trust. That's why I am so excited to speak with my latest guest, John Kindervag, Senior Vice President of Cybersecurity Strategy and Group Fellow at ON2IT Cybersecurity, who pioneered the concept of Zero Trust a decade ago — even if the world is only catching up to it now.

What we talk about:
- What makes Zero Trust different from traditional security models
- How Zero Trust easily solves the ransomware problem
- The 5 steps to get to Zero Trust

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don't use Apple Podcasts, you can find all our episodes here. Listening on a desktop & can't see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

Ready, Set, Secure
Zero Trust – Really Not Complicated with John Kindervag

Ready, Set, Secure

Jun 3, 2021 · 49:20


For this round of our Security Influencer Series Michael and Hutch are joined by John Kindervag, the man behind the Zero Trust methodology. Listen in as they discuss why this process – and not a singular tool – is important for your organization.

Things Mentioned:
- https://www.bleepingcomputer.com/news/security/ransomware-gangs-slow-decryptors-prompt-victims-to-seek-alternatives/
- https://www.cnn.com/2021/05/28/tech/cybersecurity-labor-shortage/index.html
- https://www.cbsnews.com/news/cybersecurity-job-openings-united-states/
- https://www.bellingcat.com/news/2021/05/28/us-soldiers-expose-nuclear-weapons-secrets-via-flashcard-apps/

Do you have questions for the hosts? Reach out to us on our website at https://www.setsolutions.com/contact/
Hosts: Michael Farnum and Justin Hutchens
Produced by: Set Solutions
Edited by: Lauren Lynch
Music Credit: Inspired by Kevin MacLeod
Link: https://incompetech.filmmusic.io/song/3918-inspired
License: http://creativecommons.org/licenses/by/4.0/

The CyberWire
Zeroing in on zero trust. [CyberWire-X]

The CyberWire

May 16, 2021 · 32:50


The Zero Trust security model asserts that organizations should not trust anything within their perimeters and instead must inspect all traffic and verify anything connecting to their systems before granting access. While Zero Trust is generating a lot of buzz in the cyber world, it’s often hard to determine the implications of this security model. In this episode of CyberWire-X, guests will discuss the origins of the model, cut through the hype, and discuss what you really need to know to design, implement, and monitor an effective Zero Trust approach. John Kindervag of ON2IT Cybersecurity, also known as the "Creator of Zero Trust," shares his insights with the CyberWire's Rick Howard, and Tom Clavel of sponsor ExtraHop joins Kapil Raina from their partner CrowdStrike to offer their thoughts to the CyberWire's Dave Bittner.

Meanwhile in Security
ZTA: What's Your Plan?

Meanwhile in Security

Apr 22, 2021 · 12:12


Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you're about to listen to.

Show Notes:

Links:
“All Layers Are Not Created Equal”: https://blog.paloaltonetworks.com/2019/05/network-layers-not-created-equal/
Help Net Security article: https://www.helpnetsecurity.com/2021/04/06/john-kindervag-zero-trust/

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

Last week, I talked about Zero Trust as an office building where you have different ways of getting access to different parts of the building. Now, we're going to talk about Zero Trust architecture or ZTA. That always makes me think of a ZA plan. What's your plan? When the zombie apocalypse comes, you need to have Zero Trust. You do not trust anyone until you've confirmed that they are, in fact, not a zombie.

But how do you do this? Well, first you have to define what a zombie is and you have to define what a human is. And you also have to define what kind of resources they get to access. Zombies don't get to access anything, especially not brains. But humans, they get to access all kinds of things: defensive positions, food, resources, medicine, shelter, and you have to confirm their identity every single time that they want to access something.

How do you do this? Well, the first thing you have to do is to define this, kind of, statically. Jesse comes up, shows he's not a zombie, gets something out of the kitchen. Next time, Jesse comes back, wants some medicine. You check; yep, Jesse's still not a zombie; he gets to have some medicine.

However, in a Zero Trust world, what if one time somebody comes along, looks like Jesse, but he's actually a zombie? He doesn't get access because the risk has changed. This is exactly what Zero Trust is all about. It's doing authentication and then authorization based on the current context, what's happening right now. You let somebody in until it becomes a zombie.

You let an account into your resources to use your applications until it looks like it's probably an attacker and not the actual real person behind that account. See how they are just alike? When you're implementing Zero Trust architectures, it's not quite as simple as seeing if somebody's flesh is rotting off their bones. So, what is in a Zero Trust architecture? Well, there are some basic components.

For instance, you have a policy engine, which is basically what determines what the rules are and how they are applied in context, and you have Identity and Access Management—or IAM—and that is how you authenticate and how you determine whether an account actually is being driven by the person or thing that it should be. There are of course monitoring systems to gather and report on your environment, and then you have a SIEM—or Security Information and Event Manager—and an optional security orchestration, automation and response or SOAR tool. And the reason for this is so that you can change the architecture and the environment based on the current status of things. So, the policy engine can alter the environment in a feedback loop. And so the policy engine itself, as you can tell, is the brains behind everything; it sits in the middle and it drives the Zero Trust architecture to implement the Zero Trust model in your environment.

So, how does this work? Well, if you talk to John Kindervag, the original creator of the Zero Trust model, he recently has an article where he was interviewed and he talked about some of the methodologies of doing this. So first, you define your protect surfaces—what are you protecting—then you map the transaction flows: what things are talking to other things, what systems are working together? How do your applications work? And then you architect the environment, so you have to put controls where the data or the services are, right?

So, right at every single application, which is great in a cloud environment, especially if you're doing things like using Lambda functions, microservices, serverless functions, as well. And then you create a Zero Trust policy, and you do that by using the Kipling Method, which is the journalistic method of who, what, when, where, why, and how. There's even an article that he wrote—John Kindervag that is—a couple of years ago, and he talks about how that applies.

It's great reading, but the main thing you have to get out of that is you have to answer all of these questions about what's happening in your environment. And then lastly, you monitor and maintain your environment. You gather telemetry, you do machine learning and analytics, and you look at risk analysis, and you have automated responses going through your SOAR platform. Those are the five key things. In short, this is what you should take away from that article on Help Net Security.

One, define your protect surface. Two, map your transaction flows. Three, architect your environment. Four, create your policies, your Zero Trust policies, using the Kipling method. And five, monitor and maintain your environment just like anything else. Make sure it's working, tune it, tweak it, evaluate it constantly.

This is a never-ending cycle where you should always be analyzing, tuning, changing because the environment that you're protecting changes. And also the risks that you have will migrate and change over time. And technologies change; you're going to be moving things, swapping things out, implementing new things. You have to keep this in mind and go through this cycle over and over again, always defining what the new thing is, figuring out how that interacts with other things and how accounts access data and resources within it. And also following your business; how are things changing in your organization? What other types of things are needed for you to do and to protect the environment as close as possible to those new services and those new data sources?

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

Let's do a quick example. You have a fictitious service running on an EC2 instance and it plugs into your IAM—remember those Identity and Access Management tools. You have monitoring on it, you've got the logs going places, it has a security event manager looking at it, so your SIEM's got it covered. And you've got your SOAR platform, which has the ability to create accounts, shut it down, do all the things to it. Your Zero Trust policies indicate that if an employee has put in their notice, or they've otherwise been put on a watch list because management is a little worried about them or HR is investigating them, then they cannot access this resource.

So today, I log in, I authenticate using IAM, I use my correct multi-factor authentication. It is successful, and then I go to access your application and the Zero Trust policy engine says, “Yep, Jesse can now get in.” And then tomorrow, I put in my notice in the morning and I've got two weeks left. I go to log in to use your service, but today I'm on the watchlist. And so your service goes to the policy engine, says, “Can Jesse log in?” And the policy engine says, “Hey. So, he's authenticated correctly; he does not have an increased risk score except for this anomaly where he's also on the watchlist.”

Now, suddenly, Jesse doesn't get access to that particular resource. And if I get an offer to stay and I rescind my notice, and now I'm off the watch list and now I'm back, so in theory, I should be able to access that same application. However, you could also put in rules that say if somebody rescinds their notice and they stick around, they stay on a watchlist for a while. So, perhaps you do allow me access to that system, but you do better monitoring on what I'm doing in that system. Or even better yet, I can only access some of those resources, not all of them available in that application.

If you design your infrastructure correctly, and you design your applications in a dynamic fashion that allows this to happen with granular rule sets for permissions inside of the application or resource, then you can do this kind of nuanced access through the policy engine that you cannot otherwise do in a traditional format where it's just, you're in and you get everything. This is even better than role-based access controls because it's granular permissions about individual little things that I can access or do in that application. That's a good primer on how to think about implementing your own Zero Trust architecture.

Now, for the tip of the week. I cannot stress enough this point to secure your cloud storage. Everyone says this; all the cloud people get tired of hearing it. I know. So do I. However, all of us have had some permissions somewhere that we didn't change, or we changed to the wrong thing—“Oh, we're just going to do this to test for a little while.”—and then it's like the days of yore with anonymous FTP sites, and suddenly there's a wide-open, world-readable and world-writable upload and download site for [whereas 00:10:47] and other nasty things you don't want in your infrastructure.

So, you open your cloud storage, like S3 buckets, and it's just free storage for anybody and everyone. Or even worse, it is something that you do not want the world to see: your secret plans for your next go-to-market strategy. So, just go to your cloud provider; for example, AWS's own documentation has a topic called “How can I secure the files in my Amazon S3 buckets?” Just go read it; go do it. Every time, every single time you come across storage that you haven't seen before, audit it. Audit your storage regularly; make sure that somebody hasn't changed permissions just to test this one thing. We all know that all changes are permanent until replaced.

And that's a wrap for the week, folks. Securely yours, Jesse Trucks.

Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.

Cybersecurity Unplugged
How Zero Trust Is Inverting the Way We Do Cybersecurity

Cybersecurity Unplugged

Apr 21, 2021 · 26:29


Although the news of the growing attack surface continues to heighten, there has not been a necessary change in how we protect and defend. This is what Kindervag has set out to change. In this episode, John Kindervag, the creator of zero trust, discusses:
- How to practically implement zero trust
- Shifting focus from worrying about the attack surface to securing the "protect surface"
- The future threat of quantum and the fear of falling behind
- And the difference between digital and kinetic warfare

Meanwhile in Security
Zero Trust: Do You Trust Me?

Meanwhile in Security

Apr 15, 2021 · 10:39


Jesse Trucks is the Minister of Magic at Splunk, where he consults on security and compliance program designs and develops Splunk architectures for security use cases, among other things. He brings more than 20 years of experience in tech to this role, having previously worked as director of security and compliance at Peak Hosting, a staff member at freenode, a cybersecurity engineer at Oak Ridge National Laboratory, and a systems engineer at D.E. Shaw Research, among several other positions. Of course, Jesse is also the host of Meanwhile in Security, the podcast about better cloud security you're about to listen to.

Show Notes:

Links:
An introduction to the mathematics of trust in security protocols: https://ieeexplore.ieee.org/document/246634
No More Chewy Centers: The Zero Trust Model Of Information Security: https://www.forrester.com/report/No+More+Chewy+Centers+The+Zero+Trust+Model+Of+Information+Security/-/E-RES56682
800-207, “Zero Trust Architecture”: https://csrc.nist.gov/publications/detail/sp/800-207/final

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guide you to better security in the cloud.

Announcer: This episode is sponsored by ExtraHop. ExtraHop provides threat detection and response for the Enterprise (not the starship). On-prem security doesn't translate well to cloud or multi-cloud environments, and that's not even counting IoT. ExtraHop automatically discovers everything inside the perimeter, including your cloud workloads and IoT devices, detects these threats up to 35 percent faster, and helps you act immediately. Ask for a free trial of detection and response for AWS today at extrahop.com/trial. That's extrahop.com/trial.

Zero Trust is everywhere and nowhere. Over a decade old, Zero Trust feels like a new thing for many of us, but this feeling is likely because most of us experience or manage operational security methodologies following various forms of old-school trust and access models. In these models, a user or service authenticates to a network or service and gets all the things granted to them by their role or account permissions. This is often referred to as a trust but verify paradigm. Many organizations still use Virtual Private Network, or VPN, access mechanisms to connect from the outside to internal or trusted networks.

Accessing these internal or trusted networks provides access to a variety of systems with low to moderate security generally available to anyone granted access to the associated network. Each user accessing these networks is authenticated in some manner and then is trusted with the ability to connect to available resources. This is like many corporate office buildings: badge in or show ID to the security desk in the lobby, and you are granted access to wander the halls at will, with access to nearly any floor and office. In many modern office buildings, especially those with multiple tenants, there might be sections of the building that require additional verification using a badge reader or being cleared by guards at another security desk. This is like network segmentation trust models where each user must be granted specific access to certain networks.

Much like accessing different companies in the multi-tenant building works by being cleared by the front desk or using badge readers to unlock the doors and being granted access to all of the offices they're in, access to resources and services on these network segments is controlled at the entrance by firewalls and/or authentication gateways. Most services today require authentication to get beyond the front door, similar to the network segmentation model but on an application or service level. Usually, there are static definitions of access granted to each user. Although most applications and services rely on role-based access controls, or RBAC, these roles are statically defined with access to a list of resources, services, or capabilities for all users given that role. Searching network segmentation best practices finds dozens of results over the last couple of years with great advice on segmenting networks and limiting access to resources on those networks. Much of it is similar to one another and generally good advice to follow. I like to think of access to networks, resources, and services as being on a need-to-use basis and access to data on a need-to-know basis. Zero Trust upends the entire access model.

In June of 1993, IEEE published GJ Simmons' article, “An introduction to the mathematics of trust in security protocols,” which, as the title implies, defines a mathematical approach to calculating trust in the context of computer systems. This concept opens possibilities for automating complex access authorization schemes. In 2009, while working as an analyst for Forrester Research, John Kindervag published a white paper titled “No More Chewy Centers: The Zero Trust Model Of Information Security,” outlining the Zero Trust model as a new paradigm for controlling access to resources and services.

Implementing a Zero Trust model creates the ability to dynamically grant access to resources and services based on real-time context, not statically defined need-to-use and need-to-know bases. Going back to the office building analogy, this is like the security station guards verifying things that are currently true before allowing you to access the building or any of the building spaces. For example, they could confirm you are currently employed by a tenant of the building and give you an access card that is good for one-time entry into your organization's space. However, if you leave your offices and need to return, you have to go back to the security station to get another one-time entry pass to your suites. Even if you never leave the building, you still must go down to the security station to get your one-time access pass.

If you need to visit another space in the building, the security station guards would verify you have an appointment that grants you access to a different space, and they would give you a one-time access pass to enter those spaces. Once again, when you need to return to your own offices, you must go back for another pass to get in. This is exactly how Zero Trust works.

In an ideal Zero Trust world, every time you must access a network, resource, or service, you must also authenticate in some way to both verify your identity and to obtain authorization to access the network, resource, or service. This goes beyond having a token to use for multiple transactions, like when we store a website cookie or token to skip logging in when we return to a site. Instead, the site would require authentication for access authorization every time we return. In a realistic Zero Trust Architecture, or ZTA, implementation, a cookie or token stored for a single session to skip login for every single page or image access is useful, but in a strict ZTA implementation, there would be an authentication action for every single file access even within the context of a site's single page load with graphics.

Announcer: If you have several PostgreSQL databases running behind NAT, check out Teleport, an open-source identity-aware access proxy. Teleport provides secure access to anything running behind NAT, such as SSH servers or Kubernetes clusters and—new in this release—PostgreSQL instances, including AWS RDS. Teleport gives users superpowers like authenticating via SSO with multi-factor, listing and seeing all database instances, getting instant access to them using popular CLI tools or web UIs. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. Download Teleport at goteleport.com. That's goteleport.com.

The US National Institute of Standards and Technology, or NIST, published the Special Publication 800-207, “Zero Trust Architecture,” to define how to implement ZT. I recommend NIST ZTA as a foundation for your approach to, or at least understanding of, an operational ZTA implementation in the absence of other guidance from a reputable source. To implement ZT takes some basic components, and at the heart of it all is the policy engine.

The policy engine contains the rules to determine whether to grant or deny authorization for an account to access any particular resource or service. These rules should contain contextual parameters such as the device and network being used to initiate the request, or whether an account is on a watchlist or is otherwise at a higher risk level or in a different risk category than it usually is at the time of the request. For example, if I require access to HR records to perform my job duties, by default, my account would be granted access to the HR system providing those records. However, whether I am granted such access for a particular request should depend on the device I'm using, the network my device is using, and the current risks associated with the device, the network, and my account. In this situation, if I used my organization-issued laptop to connect to the VPN, the policy engine could grant me access to the HR system, which provides me access to the HR data.

However, if I used my personal smartphone from a public network and the security monitoring systems show anomalous behavior associated with my account, the policy engine should deny my access to the HR system. There are myriad ways to architect a ZTA solution and there are a number of reliable vendors with policy engines or whole ZTA service offerings available as either implementation or ongoing managed services.

I strongly suggest you review your environment to see where Zero Trust is already in place or ought to be implemented. At the very core of a Zero Trust implementation is the ability to quickly change access rules for accounts connecting to resources or services. This can be done in simple or complex ways. In the next episode, I will explore Zero Trust architecture implementation in much more detail.

Jesse: Thanks for listening. Please subscribe and rate us on Apple and Google Podcasts, Spotify, or wherever you listen to podcasts.

Announcer: This has been a HumblePod production. Stay humble.
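The policy engine described in this episode and in the "ZTA: What's Your Plan?" episode above (default deny, IAM/MFA result, device and network context, watchlist and anomalous-behaviour signals fed back from monitoring, Kipling-method policies) as a small working model. This is an added example, not code from Meanwhile in Security or any vendor; every account name, resource, device class, network label and risk signal is constructed for illustration.

```python
"""Contextual Zero Trust policy engine (constructed example).

Models the policy engine the episodes describe: default deny, the IAM
result (authenticated + MFA), device and network context, and risk signals
fed back from monitoring such as a watchlist or anomalous-behaviour flag.
Policies use the Kipling-method fields: who, what, when, where, why, how.
"""
from dataclasses import dataclass, replace
from datetime import time

@dataclass(frozen=True)
class Request:
    who: str                 # account making the request
    what: str                # resource on the protect surface, e.g. "hr-records"
    how: str                 # action requested, e.g. "read"
    when: time               # time of day the request arrives
    device: str              # where from: "managed-laptop" or "personal-phone"
    network: str             # where from: "corp-vpn" or "public"
    authenticated: bool      # IAM result
    mfa: bool                # IAM result
    risk_signals: frozenset  # from SIEM/monitoring, e.g. {"watchlist"}

@dataclass
class Policy:
    who: frozenset           # accounts (or roles) this policy applies to
    what: str                # resource it protects
    how: frozenset           # permitted actions
    why: str                 # business justification, kept for audit
    devices: frozenset       # acceptable device classes
    networks: frozenset      # acceptable networks
    window: tuple            # (start, end) time of day the access is valid
    signal_effects: dict     # risk signal -> "deny" or "restrict"

@dataclass(frozen=True)
class Decision:
    effect: str              # "allow", "deny" or "allow-restricted"
    reason: str
    obligations: tuple = ()  # extra controls the enforcement point must apply

def evaluate(req: Request, policies: list) -> Decision:
    """Default deny: every check must pass before access is granted."""
    if not (req.authenticated and req.mfa):
        return Decision("deny", "identity not verified with MFA")
    matches = [p for p in policies
               if req.who in p.who and p.what == req.what and req.how in p.how]
    if not matches:  # nothing explicitly grants this who/what/how
        return Decision("deny", "no policy grants this access")
    pol = matches[0]
    if req.device not in pol.devices:
        return Decision("deny", f"device class {req.device!r} not permitted")
    if req.network not in pol.networks:
        return Decision("deny", f"network {req.network!r} not permitted")
    start, end = pol.window
    if not start <= req.when <= end:
        return Decision("deny", "outside permitted access window")
    # Current risk context decides the outcome; unknown signals fail closed.
    effects = {pol.signal_effects.get(s, "deny") for s in req.risk_signals}
    if "deny" in effects:
        return Decision("deny", f"risk signals present: {sorted(req.risk_signals)}")
    if "restrict" in effects:
        return Decision("allow-restricted", "elevated risk: limited access",
                        obligations=("read-only", "enhanced-monitoring"))
    return Decision("allow", f"policy satisfied ({pol.why})")

# Strict policy: anyone on the watchlist (e.g. just gave notice) is denied.
HR_POLICY = Policy(
    who=frozenset({"jesse"}), what="hr-records", how=frozenset({"read"}),
    why="HR duties require record access",
    devices=frozenset({"managed-laptop"}), networks=frozenset({"corp-vpn"}),
    window=(time(7, 0), time(19, 0)),
    signal_effects={"anomalous-behaviour": "deny", "watchlist": "deny"},
)
# Lenient variant: someone who rescinded notice stays on the watchlist for a
# while and is let in with limited, closely monitored access.
HR_POLICY_LENIENT = replace(
    HR_POLICY, signal_effects={"anomalous-behaviour": "deny", "watchlist": "restrict"})

def make_request(**overrides) -> Request:
    """Baseline: Jesse, managed laptop on the corporate VPN, MFA passed."""
    base = dict(who="jesse", what="hr-records", how="read", when=time(10, 0),
                device="managed-laptop", network="corp-vpn",
                authenticated=True, mfa=True, risk_signals=frozenset())
    base.update(overrides)
    return Request(**base)

def run_scenarios() -> dict:
    """Constructed scenarios mirroring the episodes; returns name -> effect."""
    def ev(policy=HR_POLICY, **kw):
        return evaluate(make_request(**kw), [policy]).effect
    return {
        "laptop on vpn, clean": ev(),
        "personal phone on public wifi": ev(device="personal-phone", network="public"),
        "anomalous behaviour flagged": ev(risk_signals=frozenset({"anomalous-behaviour"})),
        "gave notice, on watchlist": ev(risk_signals=frozenset({"watchlist"})),
        "rescinded notice, lenient policy": ev(HR_POLICY_LENIENT,
                                               risk_signals=frozenset({"watchlist"})),
        "no mfa": ev(mfa=False),
        "unknown resource": ev(what="payroll"),
    }
```

Because every signal the policy does not name is treated as "deny", adding a new monitoring feed fails closed until the policy is deliberately updated to say how it changes the outcome.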

What's Next|科技早知道
S5E05 | SaaS column: unicorns keep emerging in cloud security; capital hype or market demand?

What's Next|科技早知道

Apr 14, 2021 · 43:33


Two more young unicorns have appeared, each reaching an average valuation of US$1.5 billion less than a year after founding. The two companies are Wiz and Orca Security, which closed funding rounds at the end of March.

What is the logic behind such high valuations in such a short time? As multi-cloud environments grow, cloud security faces more and more external threats, yet cloud security technology still has plenty of room to develop.

This is the second episode of the SaaS column hosted by Silicon Valley AI venture investor Howie Xu. The guest is Dr. Fengmin Gong (弓峰敏), Vice President of Information Security Strategy at DiDi, who has thirty years of experience in the security field. Comparing the Chinese and US markets, we discuss how the environment facing cloud security has changed, where startups should take the initiative to innovate, and, as both markets pay ever more attention to data security, what differences remain between them. Enjoy the episode.

[Host] Howie Xu, Silicon Valley AI venture investor and Vice President at Zscaler, @H0wie_Xu (https://twitter.com/H0wie_Xu)

[Guest] Fengmin Gong (弓峰敏), Vice President of Information Security Strategy at DiDi and head of DiDi's US research institute

[Main topics]
[04:31] The challenges cloud security is facing
[07:50] From botnets to malware: how the cybercrime underground became an ecosystem
[11:48] The "island effect" in security defense is growing rather than shrinking
[16:08] Software cannot be built for short-term gain alone
[28:26] Behind the rocket-like growth of Wiz and Orca
[34:20] Chinese security technology still lags the US by three to five years

[Further reading]
- Palo Alto Networks: a California-headquartered cybersecurity company whose core product is the "next-generation firewall", which provides visibility into network activity, fine-grained control of that activity based on application, user and content, and cloud-based security services that extend the firewall's protection.
- Wiz: a cloud security provider co-founded by Yinon Costica, Assaf Rappaport and others that helps enterprises protect their cloud infrastructure at scale. On March 17, 2021, Wiz closed a US$130 million Series B round at a valuation of US$1.7 billion.
- Wiz funding news: A tiny security start-up founded by engineers who sold their last company to Microsoft is already worth $1.7 billion (https://www.cnbc.com/2021/03/22/security-start-up-wiz-valued-at-1point7-billion-after-a-year-of-existence.html)
- Orca Security: an Israeli cybersecurity startup. On March 23, 2021, it raised US$210 million at a valuation of US$1.2 billion. Orca Security raises $210M Series C at a unicorn valuation (https://techcrunch.com/2021/03/23/orca-security-raises-210m-series-c-at-a-unicorn-valuation/)
- Exploit kit: pre-packaged software that exploits vulnerabilities in software applications to distribute malware. An exploit kit generally bundles a series of different exploits, most of which target vulnerabilities in common operating systems, web browsers or browser plug-ins (such as Adobe Flash).
- Botnet: also translated as "zombie network" or "robot network"; tens of thousands of compromised machines (what attackers call "zombies" or "broilers", 肉鸡) that have been organized by a distributed denial-of-service program into command-and-control nodes and are used to send forged or junk packets that paralyze the intended target and "deny service".
- Cyber Wars: How The U.S. Stock Market Could Get Hacked (https://www.investopedia.com/news/are-your-stocks-danger-getting-hacked/)
- Mirai (malware): malware that turns Linux-based computing systems into remotely controlled "zombies" so that large-scale attacks can be launched through a botnet. Mirai botnets have taken part in several far-reaching DDoS attacks, including the 2016 attack on the personal website of security journalist Brian Krebs, the attack on French hosting provider OVH, and the attack on Dyn. See: 回顾恶名昭著的Mirai僵尸网络 (A look back at the notorious Mirai botnet) (https://www.anquanke.com/post/id/89119)
- In May 2014, Gregg Steinhafel, CEO of the US retailer Target, was forced to resign after a large-scale leak of customer data.
- Book: Dry Powder: A Play (https://www.amazon.com/Dry-Powder-Play-Sarah-Burgess/dp/0802126421/ref=sr_1_1?dchild=1&qid=1618278498&refinements=p_27%3ASarah+Burgess&s=books&sr=1-1&text=Sarah+Burgess)
- Zero Trust security architecture: Zero Trust is a strategic cybersecurity model intended to protect modern digital business environments, which increasingly include public and private clouds, SaaS applications, DevOps, robotic process automation (RPA) and more. Its main goal is to reduce the risk of cyberattacks in the modernized environments most organizations operate in. Industry analyst John Kindervag coined the terms "Zero Trust" and "Zero Trust architecture" in 2010. More information: Zero Trust (https://www.cyberark.com/zh-hans/what-is/zero-trust/)

[Post-production] Luke, 陈太太
[Executive producer] Amanda
[Music]
- Set the Pace - Jon Sumner
- To New Beginnings - Greatfool
- Pebble's Song - Revel Day

[About us]
Website: shengfm.cn
Social media: 声动活泼
Email: admin@sheng.fm
Support us (China): https://www.shengfm.cn/donation
Support us (international): http://www.shengfm.cn/donation

Special Guest: Fengmin Gong (弓峰敏).

Cloud Security Podcast by Google
Zero Trust: Fast Forward from 2010 to 2021

Apr 1, 2021 (28:10)

Guest: John Kindervag, widely considered the creator of the zero trust model (2010); currently at ON2IT.
Topics:
- What has changed in the world of zero trust since 2010?
- What must be trusted for a zero trust (ZT) system to work?
- What are the key prerequisites for ZT project success?
- What first step in a ZT implementation most increases its chance of success?
- Is zero trust hard for most companies?
- What is the most spectacular failure you have seen in a ZT project?
- Where do you see ZT heading in the next 10+ years?
Resource: John's original zero trust paper (2010)

ShadowTalk by Digital Shadows
Special: Creator of Zero Trust John Kindervag Talks Origins and the Future of Zero Trust!

Mar 23, 2021 (39:44)

Digital Shadows CISO Rick hosts this edition of ShadowTalk. He is joined by special guest John Kindervag, creator of Zero Trust and Senior Vice President, Cybersecurity Strategy, and Group Fellow at ON2IT Cybersecurity. They discuss:
- John's origin story and influences: what led to the creation of Zero Trust?
- Zero Trust: origin, design principles, and terminology
- What are your protect surfaces? Using Zero Trust
- John's new position at ON2IT
Resources from this week's podcast:
- Find John Kindervag on LinkedIn: https://www.linkedin.com/in/john-kindervag-40572b1/
- Find John Kindervag on Twitter: https://twitter.com/Kindervag
- Understanding Zero Trust Terminology: https://www.paloaltonetworks.com/resources/zero-trust
- Antifragile: Things That Gain from Disorder: https://www.amazon.com/Antifragile-Things-That-Disorder-Incerto/dp/0812979680

Hacker Valley Studio
Episode 65 - Chatting with John Kindervag the Godfather of Zero Trust

May 13, 2020 (24:59)

John Kindervag is a household name in cybersecurity and the creator of the Zero Trust networking model. John is a brilliant thought leader, and we think you will agree with us after this episode.
John's LinkedIn: https://www.linkedin.com/in/john-kindervag-40572b1/
John's Twitter: https://twitter.com/Kindervag

Down the Security Rabbithole Podcast
DtSR Episode 384 - Zero Trust Redux 2020

Mar 3, 2020 (38:36)

This week Rafal hosts Dr. Chase Cunningham, Forrester analyst and all-around security badass, to redux Zero Trust. The last time we tackled the topic was Episode 222 with John Kindervag back in 2016, so it's time to see what's new. Zero trust is more than just firewall rules; it encompasses a lot of security technologies we don't even think about, so this update is a great primer for 2020.
Guest: Dr. Chase Cunningham - https://www.linkedin.com/in/dr-chase-cunningham-54b26243/

CyberScoop Radio
How to embrace zero trust into network security with John Kindervag from Palo Alto Networks

Feb 1, 2019 (10:28)

The creator of the zero-trust network model, John Kindervag, talks about why "trust" has become a vulnerability that needs to be mitigated like any other vulnerability, and where to start. Sponsored by Palo Alto Networks.
Guest: John Kindervag, VP and principal analyst

SailPoint's Mistaken Identity Podcast
29 | Mistaken Identity | It’s a Matter of Trust: BeyondCorp and Representation with Wendy Nather

Sep 20, 2018 (48:22)

Wendy Nather (Twitter: @wendynather) joins David Lee and Mike Kiser as they explore the interplay of trust and security. We examine the implications of what John Kindervag termed the "zero-trust model" and the security architectures it has since spawned: Google's BeyondCorp and Duo Beyond, for example. A lively discussion of the current state of representation (a reflection of trust) within the security industry follows. Headlines range from a new Apache Struts vulnerability, to AT&T being sued for $200 million over a cryptocurrency theft, to privacy regulation that is coming to you in five years (or fifty, depending on who you ask).

And There You Have IT!
Zero Trust Architecture: Debunking Myths

Feb 7, 2018 (15:07)

Sponsor: Palo Alto
Traditional data security strategies tend to operate under a "trust but verify" approach: internal users are trusted with unrestricted network access, and the external network is treated as the only network in need of security controls. Rooted in the principle of "never trust, always verify," Zero Trust architecture is an alternative, individualized approach to network security that uses an organization's functions and business objectives to determine exactly what data needs to be safeguarded and how best to do it. Because it diverges from traditional strategies, there are common misconceptions about how this approach is implemented and how it works. We spoke with the creator of Zero Trust, John Kindervag, to debunk the myths and learn how the model can be strategically implemented.
Listen to this episode to learn:
- Why Zero Trust architecture is changing security strategies
- The 4 major myths about Zero Trust architecture
- How real companies are finding success with this model
- How to implement the Zero Trust approach
Resources:
- 4 Major Myths of Zero Trust Architecture: Zero Trust architecture can help organizations maximize data security. Let's debunk the myths so you can build a stronger security solution that aligns with the needs of your enterprise.
- Get Your Guide to Transforming Enterprise Cybersecurity Today: In this eBook, get actionable security advice from industry experts on the cybersecurity landscape and what your organization should be doing to combat threats.
- Sirius: Sirius is a national integrator of technology-based business solutions that span the enterprise, including the data center and lines of business. Built on products and services from the world's top technology companies, Sirius solutions are installed, configured and supported by our dedicated teams of highly certified experts.
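The "trust but verify" versus "never trust, always verify" contrast described above, as an added example (this is not code from the episode, from Palo Alto Networks or from Sirius): a small Python policy evaluator that puts a perimeter decision next to a default-deny, protect-surface decision for the same request. The 10.0.0.0/8 "inside" range, the "payments-db" protect surface, its allow rules and the four sample requests are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Everything below is constructed for this example: the network range, the
# "payments-db" protect surface, its allow rules and the sample requests are
# hypothetical, not taken from the episode or from any vendor product.

INTERNAL_NET = ip_network("10.0.0.0/8")  # the "trusted inside" of a perimeter model


@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str]      # None means the caller presented no authenticated identity
    mfa: bool                # identity was verified with a second factor
    device_compliant: bool   # endpoint posture check passed (EDR running, disk encrypted, ...)
    resource: str            # the asset being accessed
    action: str              # what the caller wants to do with it


def perimeter_decision(req: Request) -> bool:
    """'Trust but verify': location decides. Anything inside the corporate
    network is trusted; identity, posture and the requested action are ignored."""
    return ip_address(req.src_ip) in INTERNAL_NET


# A protect surface: one critical asset and the only (identity, action) pairs
# that may touch it. Anything not listed is denied by default.
PROTECT_SURFACE = {
    "payments-db": {
        ("svc-billing", "read"),
        ("svc-billing", "write"),
        ("dba-alice", "read"),
    },
}


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """'Never trust, always verify': default deny. Every request must carry an
    authenticated identity and acceptable context, and match an explicit rule
    for the protect surface. Network location is not a trust signal."""
    rules = PROTECT_SURFACE.get(req.resource)
    if rules is None:
        return False, "no policy for resource"
    if req.user is None:
        return False, "unauthenticated"
    if not req.mfa:
        return False, "mfa required"
    if not req.device_compliant:
        return False, "device not compliant"
    if (req.user, req.action) not in rules:
        return False, "no explicit allow rule"
    return True, "allow"


def compare(req: Request) -> dict:
    """Side by side: what each model does with the same request."""
    zt_allowed, zt_reason = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": zt_allowed, "reason": zt_reason}


# Constructed sample requests.
# 1. Malware on an internal workstation pivots to the database: no identity, no MFA.
COMPROMISED_HOST = Request("10.20.30.40", None, False, False, "payments-db", "read")
# 2. The billing service, authenticated with MFA from a compliant host.
BILLING_SERVICE = Request("10.1.2.3", "svc-billing", True, True, "payments-db", "write")
# 3. The DBA working remotely: outside the perimeter, but fully verified.
REMOTE_DBA = Request("203.0.113.5", "dba-alice", True, True, "payments-db", "read")
# 4. The same DBA trying an action the protect surface never granted.
DBA_WRITE = Request("10.1.2.9", "dba-alice", True, True, "payments-db", "write")

if __name__ == "__main__":
    for name, req in [("compromised host", COMPROMISED_HOST), ("billing service", BILLING_SERVICE),
                      ("remote DBA", REMOTE_DBA), ("DBA write", DBA_WRITE)]:
        print(f"{name:16} {compare(req)}")
```

Run it to see the difference on the four requests: the compromised internal host passes the perimeter check but is refused by the zero trust path before any allow rule is consulted, while the fully verified DBA outside the perimeter is allowed. The order of checks is deliberate: identity and context are established first, and only then is the explicit allow list for the protect surface consulted, so a missing rule is reported separately from a missing identity, which is what you want in the audit log.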

Down the Security Rabbithole Podcast
DtSR Episode 279 - Deeper Down the SDP Rabbithole

Jan 16, 2018 (44:29)

This week, Jason Garbis re-joins the podcast to go past the Primer (Episode 257) and dive deeper into SDP (Software Defined Perimeter), with a discussion of cloud and its relevance to the re-invention of the data center and related infrastructure.
Related DtSR listening:
- Zero Trust Model w/ John Kindervag: http://podcast.wh1t3rabbit.net/dtsr-episode-222-zero-trust-security-model
- Software Ate the Perimeter w/ Jason Garbis: http://podcast.wh1t3rabbit.net/dtsr-episode-257-software-ate-the-perimeter

Down the Security Rabbithole Podcast
DtSR Episode 222 - Zero Trust Security Model

Nov 29, 2016 (54:26)

This week, after a long wait, we have John Kindervag on the show! John talks us through the concept of "Zero Trust Security" and where and how it's implemented. It's a concept everyone should be familiar with by now - but I bet you aren't! Join us, and as always provide feedback to the team using the hashtag #DtSR on Twitter, and you can always ping John directly at @Kindervag as well.

Paul's Security Weekly TV
Security Weekly #474 - John Kindervag

Jul 24, 2016 (58:38)

John Kindervag is a Principal Analyst on Forrester's Security and Risk Management team and works out of the Dallas Research Center. John covers various topics in information security, including PCI data security, Security Information Management (SIM), network security, VoIP security and wireless security.

Paul's Security Weekly (Video-Only)
Security Weekly #474 - John Kindervag

Jul 24, 2016 (58:38)

John Kindervag is a Principal Analyst on Forrester's Security and Risk Management team and works out of the Dallas Research Center. John covers various topics in information security, including PCI data security, Security Information Management (SIM), network security, VoIP security and wireless security.
Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/Episode474#Interview:_John_Kindervag

Paul's Security Weekly (Podcast-Only)
Paul's Security Weekly #474 - "Segway Segue"

Jul 22, 2016 (117:26)

This week on Security Weekly, John Kindervag from Forrester joins us! Paul and Rick Farina demonstrate Bluetooth scanning using the PwnPad4 and Blue Hydra. In security news, we show you how to cheat in Pokemon Go. Stay tuned!

Paul's Security Weekly
Security Weekly #474 - "Segway Segue"

Jul 22, 2016 (117:26)

This week on Security Weekly, John Kindervag from Forrester joins us! Paul and Rick Farina demonstrate Bluetooth scanning using the PwnPad4 and Blue Hydra. In security news, we show you how to cheat in Pokemon Go. Stay tuned!