John Kindervag's 3 Zero Trust Truths for Government Agencies

In the last few years, the U.S. public sector has received a multitude of guidance on Zero Trust – from CISA’s Zero Trust Maturity Model to EO 14028 and NIST SP 800-207. It can feel like an overwhelming amount of information to sort through or know where to begin at your agency.  

That’s why the Federal Tech Podcast sat down in a recent episode with John Kindervag, the godfather and creator of Zero Trust and Chief Evangelist at Illumio, to understand the three key truths about Zero Trust. This information is vital to helping agencies find and stay on the right track as they comply with Zero Trust mandates.

1. You can’t do Zero Trust all at once

According to Kindervag, one of the top misconceptions about Zero Trust, especially in the federal government, is that you can achieve Zero Trust all at one time and within a specific time frame.  

However, that’s far from how he designed the strategy.

“It’s a journey that you go on, and you’re on it forever,” Kindervag explained.  

Starting Zero Trust now is essential for agencies to build mission resilience. But knowing when your agency will reach full Zero Trust is impossible because it’s an ongoing effort. Kindervag said that the more important questions agencies should be asking is what they’re securing, not when.

“I don’t worry so much about time but about getting the right incentives and programs in place,” Kindervag said.  

He recommends agencies begin with getting complete, end-to-end visibility into their environment. With this insight, they can see where risk lies, prioritize securing the areas that are most at risk and most critical to the mission, and then work through one protect surface at a time: “You build Zero Trust out in chunks,” he said.

2. Zero Trust isn’t hard

Kindervag created the Zero Trust security strategy to resonate throughout an organization, from top-level leadership to security practitioners. To this end, the strategy was designed to be simple to understand and implement.

“Why are all these people making Zero Trust look so hard?” he joked. “It’s incremental. You do it one protect surface at a time.”

By making enforcement an iterative process, security teams can focus on one system, application, or resource at a time – from the most critical to the least. A major benefit of this is that it causes little, if any, disruption to the mission.

“You implement Zero Trust controls one protect surface after another, and that makes it nondisruptive,” Kindervag explained. “The most you can screw up is one protect surface. You can't screw up the whole network or the whole environment.”

3. Implement Zero Trust proactively

Zero Trust is predicated on the fact that breaches are unavoidable; it reflects the best-practice security strategy for the modern attack surface.  

“The attack surface is like the universe — it’s constantly expanding,” Kindervag said.

Traditional prevention and detection security tools were built for a time when compute environments were much smaller, simpler, and all within a single perimeter. Today, networks are complex, distributed, and perimeter-less.  

A Zero Trust architecture helps agencies manage the increased risk resulting from this evolution. “Zero Trust inverts the problem, reducing it down to something small and easily known called a protect surface,” Kindervag explained.

While prevention and detection tools are still important, they’re not enough to secure against ever-evolving cyber threats. It’s vital that agencies build proactive security for both the network exterior and interior. Zero Trust technologies, including foundational tools like Zero Trust Segmentation (ZTS), help agencies proactively prepare for breaches.

“There’s a lot of people who won’t do anything until something bad has happened,” Kindervag said, noting that this is an outdated way of thinking about security. “It’s like when the hailstorm hits and then you want to get insurance for your car. What does the insurance company tell you? No, it’s too late."

"You need to get in front of security, not behind it,” Kindervag recommended.

The 5 steps for Zero Trust

Kindervag encourages agencies to follow his five-step process for Zero Trust implementation as they build Zero Trust compliance:

1. Define your protect surface: You can't control the attack surface because it's always evolving, but you can shrink your organization's protect surface into small, easily known parts. The protect surface usually includes a single data element, service, or asset.

2. Map communication and traffic flows: You can't protect the system without understanding how it works. Getting visibility into your environments shows where controls are needed.

3. Architect the Zero Trust environment: Once you get complete visibility into the network, you can start implementing controls that are tailor-made for each protect surface.

4. Create Zero Trust security policies: Build policies that provide a granular rule allowing traffic to access the resource in the protect surface.

5. Monitor and maintain the network: Inject telemetry back into the network, building a feedback loop that continuously improves security and builds a resilient, anti-fragile system.

Illumio can help your agency work through these five steps on your Zero Trust journey. Learn more about how we support government agencies, and contact us today to get started.