By: Sandeep Bhambure, Vice President & Managing Director, India & SAARC, Veeam and Dave Russell, Vice President, Enterprise Strategy at Veeam
Zero Trust is a model that operates under the assumption that the security of the network is invariably susceptible to external and internal threats. The Zero Trust model helps organisations to conceptualise an unassailable and airtight approach to neutralising those threats.
If the Zero Trust model had to be explained to someone with no technical background, perhaps the easiest way would be to compare it to a nightclub. Imagine your computer network as a club: instead of letting anyone in, Zero Trust, as the name suggests, assumes that everyone, including those already inside, is untrustworthy.
The Zero Trust model verifies every access request as though it came from a dubious and suspicious source. This way, even someone who is already inside the network must furnish proof that they are supposed to be there before getting access to any information. To put it simply, a Zero Trust model is the archetype of a tough bouncer who vets and scrutinises each patron before letting them into the club.
Changing with the times
A cat and mouse game, an arms race – call it what you want – security has always been about adapting and evolving to stay ahead of threats. Bad actors constantly experiment and move the needle to get ahead of their targets. This is exactly what has driven so much innovation across the industry since the first-ever cyber-attack took place. It almost goes without saying that the security tools considered the benchmark three-to-four decades ago would be a paper shield against a modern cyber gang. It’s not just the tools that have had to evolve, but also the mindset – how we think about security and use the tools at our disposal has had to change.
Zero Trust is a prime example of this. Once, security was just around the perimeter, it was a moat around the castle, but once you were in, you were in. As more and more enterprises worldwide have adopted Zero Trust as a best practice, this has shifted. Security measures now need to be inside and outside – doors are locked, proof of identity is required, and people are not allowed access to parts of the castle if they don’t need to be there.
For instance, the Indian IT industry has largely depended on perimeter security strategies to protect proprietary resources such as user data and intellectual property. These strategies relied on firewalls and other network-based tools to examine and verify users going in and out of the network. However, the way the Indian IT industry does business is changing with the move to hybrid cloud infrastructure, and relying solely on the network boundary is no longer adequate.
The incorporation of zero trust is of paramount importance for organisations as it promotes a security-centric workplace culture and improves productivity, transparency, and data reliability. Adoption of this approach compels every employee to have their identity authenticated before they have any access to confidential information, which results in promoting their responsibility and accountability.
But the thing about evolution is that it never really stops.
Introducing Zero Trust Data Resilience
Even the most broadly used Zero Trust models have a few fatal flaws in the modern environment. Namely, they lack any kind of guidance in pivotal areas like data backup and recovery. This gap is significant as recent attacks often attempt to target backup repositories. For example, according to the Veeam Ransomware Trends 2023 Report, ransomware attacks targeted backup repositories in at least 93 percent of attacks in 2022.
Data backup and recovery systems are critical parts of enterprise IT and must be considered as part of the security posture. They have read access to everything; they can write data into the production environment and contain full copies of the business’s mission-critical data. Simply put, following modern Zero Trust principles to the letter makes you fairly water-tight when it comes to ‘traditional’ security, but leaves a huge gap in the armour regarding backup and recovery.
The sophistication of the tools the bad actors use has inexorably risen. Miscreant hackers have become increasingly ingenious and adept at circumventing the defense systems deployed by organisations to protect their company-critical data.
Zero Trust has become too limited in scope as threats have evolved, which is why the concept of ‘Zero Trust Data Resilience’ has been born. It is an evolution of Zero Trust that broadens the scope to ensure backup and recovery follow the same principles.
Bringing backup and recovery into the fold
The core concepts are the same. The principle of least privilege and the assume-breach mentality are still key. For example, backup management systems must be isolated on the network so that no unauthenticated user can reach them. Likewise, the backup storage system itself must be isolated. Immutability is also key: backup data that cannot be changed or tampered with means that even if repositories are reached by an attack such as ransomware, the malware cannot alter or encrypt them.
Assuming a breach also means businesses should not implicitly ‘trust’ their backups after an attack. Having processes to properly validate the backup or ‘clean’ it before attempting system recovery is vital to ensure you are not simply restoring a still-compromised environment. The final layer of distrust is to have multiple copies of your backups – fail-safes in case one (or more) are compromised. The best practice is to have three copies of your backup, two stored on different media types, one stored onsite, and one kept offline. With these layers of resilience, you can start to consider your backup as Zero Trust.
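The validate-before-restore and multiple-copies principles above, as an added example that is not code from the original article or from Veeam: it checks each backup copy against an integrity manifest recorded at backup time and verifies that the set of copies satisfies the three-copies, two-media, one-offsite, one-offline rule. The manifest format, the BackupCopy fields and the sample payloads are constructed assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    media: str       # e.g. "disk", "tape", "object-storage" (assumed labels)
    offsite: bool    # stored at a different site than production
    offline: bool    # air-gapped or otherwise unreachable from the network
    data: bytes      # constructed stand-in for the copy's contents


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(data: bytes) -> dict:
    """Record size and hash at backup time; kept apart from the copies."""
    return {"size": len(data), "sha256": sha256_hex(data)}


def validate_copy(copy: BackupCopy, manifest: dict) -> list:
    """Return a list of problems; an empty list means the copy matches."""
    problems = []
    if len(copy.data) != manifest["size"]:
        problems.append(f"{copy.name}: size mismatch")
    if sha256_hex(copy.data) != manifest["sha256"]:
        problems.append(f"{copy.name}: hash mismatch, do not restore from it")
    return problems


def restorable_copies(copies: list, manifest: dict) -> list:
    """Names of copies that pass validation and are safe to restore from."""
    return [c.name for c in copies if not validate_copy(c, manifest)]


def check_3_2_1_1(copies: list) -> list:
    """Policy gaps against the 3 copies / 2 media / 1 offsite / 1 offline rule."""
    gaps = []
    if len(copies) < 3:
        gaps.append("fewer than three copies")
    if len({c.media for c in copies}) < 2:
        gaps.append("all copies on the same media type")
    if not any(c.offsite for c in copies):
        gaps.append("no offsite copy")
    if not any(c.offline for c in copies):
        gaps.append("no offline copy")
    return gaps


# Constructed sample: one copy has been silently altered (last byte changed).
PAYLOAD = b"customer-db snapshot (constructed sample data)"
MANIFEST = make_manifest(PAYLOAD)
COPIES = [
    BackupCopy("primary-disk", "disk", False, False, PAYLOAD),
    BackupCopy("tape-offsite", "tape", True, True, PAYLOAD),
    BackupCopy("cloud-object", "object-storage", True, False, PAYLOAD[:-1] + b"!"),
]
```

Running the checks on the sample flags the altered cloud copy while the other two remain restorable, and the three copies together satisfy the policy; dropping the tape copy would surface a missing offline copy.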
Taking the first step
With Zero Trust Data Resilience, just like zero trust, it is a journey. You cannot implement it all at once. Instead, follow a maturity model where you gradually implement new practices and refine and evolve them over time. For example, if you do not currently validate your backup data, start doing so manually and over time implement technology to automate and schedule routine validation processes.
The other key thing you need is buy-in – everyone in the organisation must be on the journey together. Senior leadership is key to implementing any broad changes across an organisation but so is educating across the business on new processes and their need. Finally, for Zero Trust Data Resilience especially, the security and wider IT operations teams must be aligned. Backup often falls under the responsibility of the latter, but as this becomes more and more crucial for security posture, the two need to work together to prevent security siloes or gaps.
The journey to Zero Trust is endless, so much so that the exact destination evolves over time. Our advice to businesses is that while Rome wasn’t built in a day, it is better to start taking steps today, no matter how small, than to postpone and be left behind.