On July 28, I had the privilege of moderating a fascinating webinar discussion focused on Zero Trust with two of the leading experts in this space. John Kindervag, a.k.a. ‘The Godfather of Zero Trust,’ created the concept of Zero Trust as a Forrester Research analyst in 2010. John, who is now Senior Vice President of Cybersecurity Strategy at ON2IT, joined me for a wide-ranging and compelling discussion on the origin and evolution of Zero Trust, along with Jason Georgi, a Zero Trust expert in his own right who is Field CTO, Prisma Access/SASE at Palo Alto Networks.

During our discussion, John shared that his love-hate relationship with trust as a security concept began when he was installing firewalls at the turn of the century in a prior role. As John explained, firewalls at the time had both “trusted” and “untrusted” interfaces, and untrusted traffic that resided on the Internet could be transferred to trusted internal networks without policy controls, which John “hated. And I hated studying arbitrary trust levels on interfaces and having that determine the policy. I thought that policies should be much more granular.”

 

Fast-forwarding to his role as a Forrester analyst in 2008, John described how he began to evaluate the issue of trust in security more deeply. This ultimately led him to the concept of Zero Trust, which encompasses much stricter access controls: in essence, eliminating the notion of implicit trust and continuously validating every stage of a digital interaction.

Like others who have developed pioneering ideas, John’s development of the Zero Trust model initially met with quite a bit of resistance. “People thought I was literally insane - this is not how things had been done in the past and the way we’d done it had been working so well,” John shared with us. “But there were some important people who understood. In fact, Palo Alto Networks was the first vendor that got behind it and called me in to meet with its founders.”

During our highly engaging discussion, we also explored how the shift to hybrid work and expanded digital footprints that arose during the pandemic have dramatically broadened enterprise attack surfaces. As Jason shared, this has exposed many of the vulnerabilities of Zero Trust Network Access (ZTNA) 1.0 architectures, including the inability to detect or prevent malware, to identify lateral movements across the network, to monitor changes in user, application or device behavior as well as the lack of visibility or control over data. These susceptibilities and other factors are prompting a growing number of CISOs and security teams to adopt ZTNA 2.0 architectures to better safeguard the enterprise.

Jason explained how we got into the current situation, starting with implicit trust as part of traditional networking. “The whole idea is to get traffic flowing – anything that could stop that traffic could stop business.” This has directly challenged remote access security. “Now that the majority of employees are working remotely, organizations were looking at how to scale their remote access solutions.

“Inherent trust is the problem we now have to solve. Cybersecurity leaders across the board completely understand that implicit trust is no longer viable for connectivity because it violates the business outcome of reducing risk. How do we reduce risk? Trust is the opposite of what you’re trying to accomplish in that world.”

I learned a lot from my conversation with Jason and John about the origins of Zero Trust and how Zero Trust is evolving.

But I’m only scratching the surface here. To hear additional insights shared by Jason and John -- including effective ways for CISOs and tech leaders to clearly communicate the Zero Trust concept to the CEO and the Board -- click here.

Cybersecurity continues to be a top priority among the 400,000+ CISOs and technology leaders in the HMG community according to our ongoing research on these and other technology/leadership topics. I’m grateful to be connected to brilliant thought leaders like Jason and John. Be sure to listen to more of what they have to share and join us for one of our upcoming summits, webinars or roundtable discussions.