How the Creator of Zero Trust Developed Today’s Most Robust Cybersecurity Strategy

The Game-Changing Approach That’s Reshaping Digital Defense

For years, the strategy for preventing cyberattacks could be summed up in one word: prevention. Beef up security at the perimeter and keep attackers out. If you did that, you’d be all set.

The problem? Attackers kept getting in. And not through the well-protected front doors; no, cybercriminals learned that they could gain access via things like undersecured email servers and spool printers. And once inside, they had access to the keys to the kingdom.

Cybersecurity expert and Illumio Chief Evangelist John Kindervag changed all of that by developing a philosophy he christened “Zero Trust.”

“In firewall technology, there was a concept of a Trust model where the Internet was on the untrusted interface and the interface going to the internal network was trusted,” Kindervag explains. “And because of that trust relationship, you didn't need a policy statement to move traffic from the internal or trusted network into the external or untrusted network.”

He remembers thinking: “This is insane! People are going to exfiltrate data out of there. I said that all interfaces should have the same trust and it should be zero. And that's really where Zero Trust comes from.”

Fourteen years ago, Kindervag wrote “No More Chewy Centers”, which challenged the idea of network security with a hard exterior and a soft, trusted interior. This concept laid the foundation for Zero Trust, where every part of the network is equally protected.

“Zero Trust inverts the traditional problems of cybersecurity,” he says. “Instead of focusing on what's attacking you, it focuses on what I call the Protect Surface. What do I need to protect? That's the first question of Zero Trust.”

“And once I understand what I need to protect, it changes the game exponentially.”

A Cybersecurity Paradigm Shift

This philosophy of Zero Trust has reached the highest levels of state and corporate governance, with the US President recently issuing an executive order mandating a Zero Trust cybersecurity strategy for all federal government agencies.

So how does it work?

There’s a five-step approach to creating a Zero Trust system. The first is defining that protect surface—what data you have that’s most vulnerable, be that credit card info or intellectual property. Step two involves mapping the transaction flows so you can see exactly how your users, applications, data, and infrastructure interact.

Once you have a clear sense of what needs protecting and how it operates internally, the third step is creating an architectural framework specific to those needs. Step four is implementation on your network, and step five is its continued maintenance over time.

Kindervag identified the problem and came up with a solution. Now at Illumio, he helps organizations of all sizes everywhere implement that solution in a manageable way. Problem solved, right? Unfortunately not.

Ransomware Is Everywhere

While you might think that cybercriminals are only targeting large companies and those in the tech sphere, the opposite is actually true.

In August 2024, a dairy farmer in the Swiss Alps found the computer that ran his milking machines frozen by a ransomware attack. He could still milk his cows, but because he was unable to view the telemetry data on their health, one of them died. Not exactly what comes to mind when one thinks of cybersecurity losses.

“Ransomware is ubiquitous. It hits everybody. You're not safe, even if you're a single dairy farmer in the Alps in Switzerland,” warns Kindervag.

Surprisingly, Kindervag finds that sophisticated organizations often have security setups just as inadequate as that of our unfortunate farmer.

“I think even the big companies still feel like they need something bad to happen before they're going to pull the trigger,” Kindervag says. And increasingly, these neglected systems are at the very heart of organizations.

“Computational systems drive everything that we do,” Kindervag says. “Quit thinking of them as a cost center and realize that they are structural to your business success as much as anything else that you do.”

When you start thinking like that, you realize that the smartest thing you can do for your organization is to protect it from breaches and plan for them before they happen, not deal with them after the fact.

“All cybersecurity events of any significance could be mitigated for less than the cost of the legal fees involved after the fact,” says Kindervag.

“The costs are orders of magnitude more than just doing the right thing upfront.”