Interview: John Kindervag, Creator of the Zero Trust Revolution

Fifteen years ago, businesses automatically trusted everything and everyone on the corporate network and trusted nothing on the outside.

John Kindervag dared to question this traditional trust model and developed the Zero Trust framework, built on the principle of “never trust, always verify.”

The concept quickly entered the mainstream and transformed how many think about cybersecurity.

Although the concept is often misunderstood, Chief Information Security Officers (CISOs) recognized the importance of a different approach to meet the security challenges caused by remote working, hybrid cloud services, and BYOD (Bring Your Own Device).

Techopedia caught up with Kindervag to talk about the birth of Zero Trust security and why he believes it’s more important than ever for organizations as they continue migrating to cloud-based environments.

Key Takeaways

  • Zero Trust eliminates inherent trust — “never trust, always verify” for every connection.
  • John Kindervag began applying the principle when working at Forrester, and his framework is now adopted by 82% of organizations, including all U.S. federal agencies.
  • Zero Trust policies deny everything by default, allowing only legitimate actions for authorized users.
  • AI/ML enhances Zero Trust, creating adaptive, anti-fragile systems that strengthen under attack.
  • Automation enables Zero Trust to outpace attackers with faster responses and real-time threat neutralization.

The Origin Story of Zero Trust

According to Gartner, 63% of organizations have implemented a zero-trust strategy, and yet it still remains a relatively new concept, with 82% of companies adopting it in the last three years.

So, how did we get here?

Zero Trust originated when John Kindervag was installing firewalls and was confronted by an artificial trust model where everything inside the firewall was trusted, and everything outside was untrusted.

“This felt silly,” he recalls.

“I started saying that firewalls should have a trust level of zero. You should treat every packet the same.”

This simple yet revolutionary idea — that no system, user, or packet should be inherently trusted — became the foundation of Zero Trust.

John Kindervag: “Let’s not focus on all the ways you can be attacked — let’s focus on what you need to protect”.

When Kindervag joined research group Forrester in 2008, he did two years of primary research and began building prototypes of Zero Trust environments.

Kindervag continued using his time at Forrester to refine his ideas, conducting research and creating proof-of-concept environments to demonstrate the viability of the Zero Trust model.

But he would quickly encounter resistance to change from reluctant professionals who didn’t want to move away from traditional security models.

“I can’t tell you how often I heard, ‘That’s not how we’ve always done it.’ And I would say, ‘Well, the way we’ve always done it isn’t working.’”

Ironically, his persistence in challenging the status quo would pave the way for the success of Zero Trust. For the first five years, Kindervag was one of the few designing and overseeing Zero Trust environments.

He got to make many mistakes, learn from them, and then document them to ensure others wouldn’t repeat them.

“I inverted the concept of the attack surface into the protected surface. Let’s not focus on all the ways you can be attacked — let’s focus on what you need to protect.”

Eleven years later, the President of the United States issued an executive order mandating Zero Trust for federal agencies.

Eliminating the Myths Surrounding Zero Trust

Some professionals took Kindervag’s creation and intentionally made Zero Trust seem complicated to appear smarter, which Kindervag believes only deters organizations from adopting the framework.

Kindervag believes that Zero Trust simply means removing the outdated notion of trust from digital systems entirely: as a human emotion, trust has no place in cybersecurity, and systems should operate under the assumption that no entity or connection is inherently safe.

He humorously suggests using a “trust jar” where people deposit money every time they refer to trust positively in the context of digital systems, further emphasizing the need to eradicate the concept of trust in cybersecurity.

He adds that Zero Trust isn’t about making systems trusted and it can’t be “bought” as a product. Vendors might claim to sell Zero Trust solutions, but the reality is that Zero Trust is implemented through strategy, tailored policies, and the right technologies — not through a single purchase.

Or, more succinctly:

“You can’t buy Zero Trust — you do it.”

Kindervag also points out that Zero Trust isn’t about preventing attackers from trying. It’s about ensuring their attempts are ineffective by tightly controlling access and reducing vulnerabilities.

“Zero Trust doesn’t stop attacks—it makes them unsuccessful.”

Contrary to popular opinion, Kindervag insists that implementing Zero Trust is not complicated and can be broken down into a simple 5-step plan.

Zero Trust 5 Step Plan, by John Kindervag

Step 1: Define the Protect Surface

The first step for any business starting with Zero Trust is to shrink the attack surface into something small and manageable. For example, identify the critical elements you must protect, such as Data, Applications, Assets, or Services (DAAS).

Unlike traditional approaches focused on the vast attack surface, Zero Trust homes in on specific, high-value items.

By narrowing the focus, organizations can prioritize their resources and efforts on what truly matters, making the process manageable and effective.

Step 2: Map the Transaction Flows

You can’t protect what you don’t understand. Mapping the transaction flows shows how the system works. This step shows how data moves across your network and how users and systems interact with the protected surface. It identifies dependencies and operational workflows.

Understanding these flows ensures that security policies are designed to support legitimate transactions while blocking malicious ones. It also lays the groundwork for micro-segmentation.

Step 3: Architect a Zero Trust Environment

This step builds the architecture around the protected surface and transaction flows. It includes tools like micro-segmentation and technologies tailored to the organization’s needs.

Instead of retrofitting systems into a generic architecture, this step ensures the environment is customized, minimizing risk and maximizing effectiveness.

Step 4: Create Zero Trust Policies

Zero Trust is built on granular allow rules — deny everything by default and only allow specific access. Policies should be written to control access tightly, ensuring only the right users can access the right resources at the right time.

Ultimately, you replace traditional “allow all” policies prone to abuse with precise, prescriptive rules that reduce vulnerabilities.

Step 5: Monitor and Maintain

Zero Trust isn’t a one-and-done project — “it’s a continuous monitoring and improvement process.” This step transforms Zero Trust into an anti-fragile system that gets stronger with use, adapting to evolving threats and organizational changes.
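The five steps can be shown end to end in a small deny-by-default policy check: a protect surface, allow rules written from mapped flows, and a review list of denied flows. This is an added example, not code from Kindervag or Techopedia; every user, segment, port, time window and address in it is constructed for illustration.

```python
from collections import namedtuple
from datetime import time

# All names, segments and addresses below are constructed for illustration.
Flow = namedtuple("Flow", "user src dst port at")
Rule = namedtuple("Rule", "rule_id users src dst port start end")

# Step 1: the protect surface, a small set of DAAS elements.
PROTECT_SURFACE = {"payroll-app", "payroll-db"}

# Step 4: granular allow rules written from the flows mapped in Step 2.
POLICY = [
    Rule("hr-to-app", {"alice", "bob"}, "hr-workstations", "payroll-app",
         443, time(7, 0), time(19, 0)),
    Rule("app-to-db", {"svc-payroll"}, "payroll-app", "payroll-db",
         5432, time(0, 0), time(23, 59, 59)),
]

def matches(rule, flow):
    """Every attribute must match: who, from where, to what, how, and when."""
    return (flow.user in rule.users and flow.src == rule.src
            and flow.dst == rule.dst and flow.port == rule.port
            and rule.start <= flow.at <= rule.end)

def evaluate(flow, policy=POLICY):
    """Return ("allow", rule_id) for the first matching rule, else deny by default."""
    for rule in policy:
        if matches(rule, flow):
            return ("allow", rule.rule_id)
    return ("deny", None)

def denied_on_protect_surface(flows, policy=POLICY):
    """Step 5: denied flows touching the protect surface, kept for review."""
    return [f for f in flows if evaluate(f, policy)[0] == "deny"
            and (f.src in PROTECT_SURFACE or f.dst in PROTECT_SURFACE)]

FLOWS = [  # constructed sample traffic
    Flow("alice", "hr-workstations", "payroll-app", 443, time(10, 30)),
    Flow("svc-payroll", "payroll-app", "payroll-db", 5432, time(2, 0)),
    Flow("alice", "hr-workstations", "payroll-db", 5432, time(10, 31)),   # skips the app tier
    Flow("alice", "hr-workstations", "payroll-app", 443, time(23, 0)),   # outside allowed hours
    Flow("svc-payroll", "payroll-db", "203.0.113.10", 443, time(2, 5)),  # unexpected egress
]

if __name__ == "__main__":
    for f in FLOWS:
        print(evaluate(f), tuple(f))
```

Because no rule covers traffic leaving the database segment, the last flow is denied without any rule that names it; the same holds for the valid user who goes straight to the database or connects outside the allowed hours.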

Security Gains with Micro-Segmentation

Zero Trust environments can reduce attack surfaces. Even when an attack occurs, Zero Trust minimizes the damage and reduces the likelihood of significant breaches.

Organizations focusing on defining protect surfaces and creating micro-segmentation have seen tangible results — reduced attack surfaces, minimized damage from breaches, and better security outcomes.

For example, during a ransomware attack, Zero Trust can block its communication with command-and-control servers, effectively neutralizing the threat.

“Even if malware gets into a Zero Trust environment, it’s contained. Micro-segmentation limits the blast radius, preventing attackers from moving laterally within the network.”

Looking to the future, Kindervag believes that artificial intelligence (AI) and machine learning (ML) will transform how organizations monitor and maintain Zero Trust environments, enabling real-time insights and faster, more accurate responses to threats.

AI and ML can ingest all the telemetry data from a Zero Trust environment and reinject it into the system to improve every step organically over time. This creates a feedback loop where Zero Trust environments continuously evolve and adapt based on real-world activity and threats.

“Zero Trust, combined with AI and ML, becomes an anti-fragile system — it gets stronger under attack.”

Borrowing from Nassim Nicholas Taleb’s concept of anti-fragility, Kindervag explained that Zero Trust environments will improve as they are exposed to stress (such as cyberattacks), learning from each attempt and becoming more resilient.

“Think of the human body: when you work out, you stress your muscles, but instead of breaking down, they adapt and get stronger. AI and ML will help Zero Trust systems achieve the same anti-fragile effect in cybersecurity.”

This analogy highlights how AI/ML can make Zero Trust environments more dynamic and self-improving rather than static and reactive.

Automation Will Outpace Attackers

What if only a machine can defeat another machine? That idea from Alan Turing inspires Kindervag because we can use automation and AI to outpace attackers.

While attackers are becoming more sophisticated, defenders have an opportunity to use AI/ML to their advantage, automating responses to threats in ways that attackers cannot counter as effectively.

People are worried that attackers will use AI to create more sophisticated attacks. But Kindervag sees AI/ML as a “force multiplier” for Zero Trust, enabling defenders to process massive amounts of data, detect patterns, and identify threats faster than human analysts ever could.

“Hackers don’t have change control. They don’t have to get permission to try again. AI and ML allow us to operate with the same speed and agility as our adversaries.

“We’ll be able to dissect data and threats at a scale and speed that attackers can’t imagine. That’s how we change the game.”

The Bottom Line

Zero Trust is not a product. It’s a strategy. It’s not as complicated as you might think, and by starting small, being iterative, and leveraging technologies like AI/ML, security teams can create an environment that ensures data breaches and other attacks continue to be unsuccessful.

Techopedia tends to agree with Kindervag: Zero Trust will continue delivering on its promise of transforming cybersecurity into a proactive, resilient, and anti-fragile defense system that gets stronger under attack.

Neil C. Hughes
Senior Technology Writer

Neil is a freelance tech journalist with 20 years of experience in IT. He’s the host of the popular Tech Talks Daily Podcast, picking up a LinkedIn Top Voice for his influential insights in tech. Apart from Techopedia, his work can be found on INC, TNW, TechHQ, and Cybernews. Neil's favorite things in life range from wandering the tech conference show floors from Arizona to Armenia to enjoying a 5-day digital detox at Glastonbury Festival and supporting Derby County.  He believes technology works best when it brings people together.