Doctor Zero Trust
Meet Chase Cunningham, the ex-NSA cryptologist who convinced the world that trust itself is a liability.
Written by Jess Swanson | 7 min • September 22, 2025
Chase Cunningham likens companies to castles. Far too often, they fill their moats with alligators and build stone walls, believing everything is safe. “They think if they’ve kept the bad guys out then everything inside the castle can be trusted,” Cunningham explains. But history and literature prove otherwise: From King Duncan’s murder in Macbeth to the infamous Red Wedding in Game of Thrones — or its real-life inspiration at the Edinburgh Castle in 1440 — perimeter-based defenses alone do not guarantee security.
“I need the moat and the wall, but I also need to make sure everyone inside the castle is wearing a suit of armor at all times,” says Cunningham, a former National Security Agency (NSA) cryptologist. “I want to protect people just like I want to protect devices and networks and data.”
This concept, when applied to cybersecurity, is simple: Trust no one inside or outside the organization — otherwise known as zero trust (ZT). In 2025, zero-trust architecture is the gold standard of cybersecurity models. But when Cunningham first advocated for it as a principal Forrester analyst nearly a decade ago, it wasn’t a priority for most organizations. Firewalls and their inherent trust models reigned supreme. “ZT was just one more thing to deal with, and no one was really moving fast on it,” he recalls. “But then Covid hit like a neutron bomb.”
Seemingly overnight, company leaders were compelled to grant remote access to employees, along with their personal devices and home networks. Decades of ingrained “trusted inside, untrusted outside” thinking collapsed under the weight of each network’s scores of unsecured connections. Many people turned to Cunningham — who by then had earned the nickname Dr. Zero Trust — because it didn’t take a doctoral degree in computer science to see that their cybersecurity setups were hacker bait.
Cunningham sprang into action, helping formalize zero-trust architecture into everything from banking infrastructure to federal mandates. Since 2020, ransomware attacks have surged, with hackers encrypting company digital files and demanding exorbitant cryptocurrency payouts — sometimes as much as $75 million. It’s been a mad dash to implement zero trust ever since.
“You don’t see organizations that have engaged in ZT show up on the list of companies that have been hacked,” Cunningham says. “It’s just that clear.”
Chase Cunningham was one of 51 graduates from his high school in a little town south of Dallas. He grew up on a ranch and wasn’t “into computers” until he enlisted in the Navy at 17. “That’s when I had my first real access to computers,” he says. “And that’s when I found out I could do things on them without any formal training.”
Cunningham attended code analysis school, advanced signals analysis and a slew of other highly technical curricula before working as a cryptologist in the U.S. Navy and later at the NSA. He focused on understanding cyber threats and the methods hackers used, and he coordinated important intelligence projects with federal agencies, including the Federal Bureau of Investigation, Central Intelligence Agency, and Department of Homeland Security.
It was during this time, when Cunningham was working as a “red-teamer” at NSA in the mid-2010s and tasked with simulating cyber attacks to find weaknesses in the U.S. government’s defenses, that he saw the potential of zero-trust architecture.
“As a government-sanctioned hacker, I knew zero trust was going to make my day really miserable,” Cunningham recalls. And that’s exactly what made it so necessary.
Cunningham will be the first to tell you he didn’t invent zero-trust architecture. That honor goes to John Kindervag, who coined the term in 2010 when he was a Forrester analyst. “Back then, we didn’t even have cybersecurity,” Cunningham says, “we called it information engineering.”
IT experts understood that external networks couldn’t be trusted, but Kindervag was among the first to challenge the long-held assumption that internal networks were inherently safe. He was particularly wary of the complete lack of rules governing what users could do once they were granted internal access, including exfiltrating data.
“John looked at things from the perspective of ‘Why do things keep going wrong?’ and ‘Why do bad guys keep being able to maneuver through these systems?’” Cunningham explains. The answer: “It was these trust relationships.”
Once a user is granted unfettered access inside an enterprise, their scope is unlimited, making them big targets for hackers. “That’s why a bad guy goes after an admin — because they’re trusted,” Cunningham explains. “With ZT, we’re saying, ‘Let’s whittle away all these kind of default and useless trust relationships because all they are is risk.’”
In March 2017, Kindervag recruited Cunningham to work with him at Forrester, conducting security and risk research. Cunningham worked with clients to prevent hacks at their organizations and build out their zero-trust infrastructure. It was here that a friend gave him the nickname “Dr. Zero Trust” on a PowerPoint slide as a joke. It stuck.
“My contribution to John's original model was to formalize it,” Cunningham explains. “As soon as I launched the framework for zero trust into the market — it just took off.”
At Forrester, Cunningham would instill the basic tenets of zero trust in all of his clients, which included major oil and gas providers, railroad logistics companies, and members of the Fortune 500. Most importantly: limit access to only what’s necessary. Breaking up networks into smaller zones and applying internal firewalls means breaches can’t spread.
“It’s like a tree being on a fire versus a forest fire,” Cunningham explains. “We never tell somebody that you’ll never have a breach. But if you do this correctly, when a breach does occur, it won't be an end-of-days type of event.”
Cunningham points to Google as evidence.
In 2010, the company was one of more than 20 U.S. firms targeted in Operation Aurora, a sophisticated cyber attack traced back to China, in which hackers gained access to the Gmail accounts of certain Chinese dissidents. The breach exposed just how vulnerable even the most advanced tech companies were to cybersecurity attacks, and it marked a turning point for the tech giant.
“After that, Google switched over to a zero-trust model that they call BeyondCorp, and they have had no breaches since then,” Cunningham says. “With 188,000 employees globally — for me, that’s all the proof you need.”
Of course, it’s impossible to have a system that runs on absolute zero trust. For operations to function, users must be entrusted with some level of access. “A system is never going to be zero trust, just like if a bodybuilder were to have zero body fat they would die. What we’re trying to do is get it as low as possible,” Cunningham says.
Zero trust is a deceptively simple cybersecurity philosophy, and Cunningham bristles at the idea that it’s too bulky or too hard to implement. Doing it right is about “blocking and tackling — doing the basics really well,” he explains. “The mistake is trying to make this some huge AI-powered moonshot.”
But, he warns, the zero-trust model’s simplicity often leads to it being overlooked in favor of flashier, more expensive gadgets. He’s seen organizations spend untold sums on AI-driven threat detection platforms, blockchain-based identity systems or “next generation” firewalls. “People still think they can just buy a lot of technology and get where they want to be strategically, and that’s not the case,” Cunningham explains. “If you keep buying shiny new tools without changing the model, you’re not actually safer.”
Cunningham’s best advice may be the hardest to accept: Assume you’ll be breached. With this mindset, Cunningham has found that clients can treat their internal traffic as they would external traffic. That is, with a high degree of suspicion.
“Just accept that the bad guys are already in there,” he sighs, “and then we can start working on figuring out how to get them out.”
When advising clients, Cunningham draws on his experience as a government-sanctioned hacker. This is where he excels, putting himself and his clients in the mindset of a potential infiltrator.
“Figure out what the bad guy would do to cause you to be compromised — stop that from being available to them, and you win,” Cunningham says. “At the end of the day, that’s really all it is.”
To start, Cunningham recommends working backwards: think of the most valuable assets that could be compromised in a breach and ensure those files have the strictest access protections. From there, inventory users, devices, data and workloads, and classify each according to levels of sensitivity or risk. Finally, enforce strong authentication for each user, who should only have access to what they need, using role-based access control (RBAC) or attribute-based access control (ABAC) to manage permissions.
For example, Cunningham might advise a hospital to secure its patient records under the highest level of security with need-to-know access, or tell a manufacturing firm to focus on sequestering its industrial control systems. As companies bring more valuable information under a zero-trust model, their network becomes more resistant to attack.
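The procedure above ends in a default-deny access decision that combines role (RBAC) with attributes (ABAC). The sketch below is an added example, not code from the article or from Cunningham; the hospital resources, roles, user names and sensitivity levels are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sensitivity levels from the classification step; higher is stricter.
PUBLIC, INTERNAL, RESTRICTED = 0, 1, 2

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: int
    allowed_roles: frozenset
    need_to_know: frozenset = frozenset()  # explicit user list for RESTRICTED assets

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_managed: bool
    source_zone: str  # kept for audit only; being "internal" never grants access

def decide(req: Request, res: Resource):
    """Return (allowed, reason). Default deny: every check must pass."""
    if not req.mfa_passed:
        return False, "strong authentication required"
    if req.role not in res.allowed_roles:  # RBAC: no role, admin included, is implied
        return False, "role not permitted"
    if res.sensitivity >= INTERNAL and not req.device_managed:  # ABAC: device posture
        return False, "unmanaged device"
    if res.sensitivity == RESTRICTED and req.user not in res.need_to_know:
        return False, "no need-to-know"
    return True, "allowed"

# Constructed inventory: the most valuable asset gets the strictest rules.
PATIENT_RECORDS = Resource("patient_records", RESTRICTED,
                           frozenset({"clinician"}), frozenset({"dr_lee"}))
CAFETERIA_MENU = Resource("cafeteria_menu", PUBLIC,
                          frozenset({"clinician", "billing", "admin"}))

if __name__ == "__main__":
    for req in (Request("dr_lee", "clinician", True, True, "internal"),
                Request("dr_kim", "clinician", True, True, "internal"),
                Request("root_admin", "admin", True, True, "internal")):
        print(req.user, decide(req, PATIENT_RECORDS))
```

Note that `source_zone` is never consulted: a request from inside the network is evaluated exactly like one from outside, and the admin account gets no implicit access to the restricted records.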
The work, he stresses, is never over. Cunningham recommends continuously monitoring for anomalies and encrypting data, but not overthinking it.
“At the end of the day, this is really about making sure my house is nice and safe and secure with dobermans in the front yard,” Cunningham says. “And if some dummy down the street doesn't do that and they get robbed, that's not my problem.”
Before 2020, back when Cunningham’s moniker first wound up on a PowerPoint slide about zero-trust, companies “weren’t really moving very fast” on this cybersecurity model, he says. That’s changed. Cunningham, who’s now a private cybersecurity consultant, has noticed a widening range of industries embracing the zero-trust model. “More recently, it’s been lots of hospitals waking up to this,” he says. “Oil and gas, e-sports, even some banks in Africa. It’s not just the traditional tech players anymore — it’s everybody who realizes they have something worth protecting.”
Zero trust isn’t a buzzword or a shiny new tool — it’s a fundamental shift in how you safeguard your enterprise. The threats outside your walls aren’t your only risk, according to Cunningham. The bigger danger is what you assume to be safe.
The potential rewards of this mindset shift are massive. Leaders who build zero trust into their culture and operations will be able to innovate without fear, secure their most valuable assets, and position their organizations to thrive in an increasingly hostile digital landscape.
Cunningham’s ethos: Don’t wait for a breach to make the change. Your moat and walls aren’t enough anymore to keep out intruders. Make sure everyone inside your castle is wearing armor — your business depends on it.