Back to resources
How John Kindervag's Zero-Trust Model Applies to Cloud Security
July 2022 / 4 min. read /
At its core, the Zero-Trust Model is wonderfully simple: when you remove trust, you reduce security risk. The concept was developed by John Kindervag, who now serves as a Senior Vice President for ON2IT Cybersecurity. Kindervag realized enterprises could gain better security paradigms by removing inherent, default, and installed trust.
John Kindervag’s Zero-Trust Model
Kindervag’s zero- trust model is now used as a defense mechanism for organizations all over the world. In most cases, zero-trust moves the control pane closer to the defended asset and attempts to tightly direct access and privileges, which are the objective arbiters of trust within most systems.
In other words, zero-trust is often an inversion of older security models that rely on high-security walls and elevated standing permissive access. Zero-trust views, validates, and enables every access request and use case within the system on an as-needed basis.
The Protection of Kindervag’s Zero-Trust Philosophy
The central philosophy of John Kindervag’s zero-trust model is that everything is compromised until proven otherwise. At some point, for some reason, an asset or entity will serve as a vulnerable point of entry to be exploited by a hacker.
When a hacker gains access as a user on a compromised system, they are handed the keys to the castle. Worst case scenario - or best case, in the eyes of the hacker - is that they are able to acquire credentials, access, passwords, user accounts, and privileges.
Hacker efforts can be cut short if they end up tied to a user account with the limited privileges maintained by the zero-trust mentality. With a zero-trust model, the standing privileges that lead to hacker infiltration are eliminated completely. Zero-trust takes away the keys, so that the castle stays safe.
Applying Kindervag’s Zero-Trust Access in Cloud Systems
All data points to cloud computing as the future of technology and business. The cloud infrastructure approach has many benefits, but unfortunately it also comes with a lot of potential security pitfalls. As cloud data storage and repositories grow, more data becomes available for an attacker to target and compromise.
Vendors and third parties can pose their own set of security risks when they access corporate cloud systems. It’s as if you invited someone into your home and they left the front door open behind them on their way in. Adopting Kindervag’s zero-trust philosophy will limit third party privileges and significantly reduce security risks to your enterprise.
How to Apply John Kindervag's Zero-Trust Model
Applying Kindervag’s zero-trust model is as easy as 1, 2, 3: think big, start small, and move fast.
Think Big
Think about the problem you face and the totality of what is required to solve it from the grand strategic level. If you’re solving access management and cloud security, keep those issues top of mind as you strategically enable zero trust.
Start Small
Be hyper-focused on what to do first. Don’t start an access management project with 500 users; start with 25. Or just five. Do the small stuff right and as close to perfect as possible, and then progress. Enterprises typically solve isolation and segmentation at a micro-level once they handle access management. Small and midsize businesses usually try to address device posture management and software-defined perimeter problems first because they directly affect users and are simpler to resolve.
Move Fast
Here is where the beauty of technology shines. Numerous vendors can provide the technology you need to operate at speed and scale in the cloud. Use their solutions to scale your efforts, optimize your budget, and operationalize resources as you scale. Remember: Do the small stuff right. Then you can scale fast and leverage vendor solutions to push your zero trust strategy forward at the pace your business demands.
Things to Remember During Your Zero-Trust Adoption
Data is the most transitory and ethereal asset that businesses create. Trying to lock such a dynamic asset before solving access management problems that define how data is accessed and by whom is akin to putting the cart in front of the horse.
Lastly, be sure to remember the adversary: the hackers. Hackers want you to be oblivious to what is occurring in your systems. They are chasing those keys to the castle. By controlling your access and privileges through the zero-trust model, you are making sure the castle stays secure.