Around 18 months ago, I was writing about the “endless journey” to Zero Trust. I used the word “endless” because Zero Trust is a mindset rather than a product or a destination – it’s a target to aim towards. Like many things in cyber, it’s a matter of constant evolution. You have to adapt to survive and thrive in your environment. Even the idea of Zero Trust has had to evolve with the times.
Changing with the times
A cat and mouse game, an arms race – call it what you want – security has always been about adapting and evolving to stay ahead of threats. Bad actors constantly experiment and move the needle to get ahead of their targets. This is exactly what has driven so much innovation across the industry since the first-ever cyber-attack took place. It almost goes without saying that the security tools considered the benchmark when I started my career 35 years ago would be a paper shield against a modern cyber gang. It’s not just the tools that have had to evolve, but also the mindset – how we think about security and use the tools at our disposal has had to change.
“Even the most broadly used Zero Trust models have a few fatal flaws in the modern environment. Namely, they lack any kind of guidance in pivotal areas like data backup and recovery.”
Dave Russell, Vice President, Enterprise Strategy, Veeam
Zero Trust is a prime example of this. Once, security was just around the perimeter: it was a moat around the castle, and once you were in, you were in. As more and more enterprises worldwide have adopted Zero Trust as best practice, this has shifted. Security measures now need to be inside and outside – doors are locked, proof of identity is required, and people aren’t allowed access to parts of the castle if they don’t need to be there.
But the thing about evolution is that it never really stops.
Introducing Zero Trust Data Resilience
Even the most broadly used Zero Trust models have a few fatal flaws in the modern environment. Namely, they lack any kind of guidance in pivotal areas like data backup and recovery. This gap is significant as recent attacks often attempt to target backup repositories. For example, according to the Veeam Ransomware Trends 2023 Report, ransomware attacks targeted backup repositories in at least 93% of attacks in 2022.
Data backup and recovery systems are critical parts of enterprise IT and must be considered as part of the security picture. They have read access to everything, they can write data into the production environment and contain full copies of the business’s mission-critical data. Simply put, following modern Zero Trust principles to the letter makes you fairly water-tight when it comes to ‘traditional’ security, but leaves a huge gap in the armour regarding backup and recovery.
But this is where we are. Zero Trust has become too limited in scope as threats have evolved, which is why the concept of ‘Zero Trust Data Resilience’ has been born. It is an evolution of Zero Trust that essentially broadens the scope to ensure backup and recovery follow the same principles.
Bringing backup and recovery into the fold
The core concepts are the same. The principle of least privilege and the assume-breach mentality are still key. For example, backup management systems must be isolated on the network so that no unauthenticated users can access them. Likewise, the backup storage system itself must be isolated. Immutability is also key. Having backup data that cannot be changed or tampered with means that if repositories are reached by attacks like ransomware, the backups cannot be affected by the malware.
Assuming a breach also means businesses shouldn’t implicitly ‘trust’ their backups after an attack. Having processes to properly validate the backup or ‘clean’ it before attempting system recovery is vital to ensure you aren’t simply restoring a still-compromised environment. The final layer of distrust is to have multiple copies of your backups – fail-safes in case one (or more) are compromised. The best practice is to have three copies of your backup, two stored on different media types, one stored onsite, and one kept offline. With these layers of resilience, you can start to consider your backup as Zero Trust.
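The checks described above, as an added example that is not part of the original article: a Python sketch that verifies each backup copy against a digest recorded at backup time and then applies the copy rule exactly as stated to the copies that pass. The field names, the sample data and the assumption that the trusted digest is stored out of reach of the backup system are all constructed for illustration; a matching digest shows only that a copy was not altered after it was taken, not that its contents are clean.

```python
import hashlib
import hmac


def audit_backup_set(copies, trusted_sha256):
    """Check one backup set; return (restore_candidates, findings)."""
    intact, findings = [], []
    for c in copies:
        # A real job would stream the file; sample data here is in memory.
        digest = hashlib.sha256(c["data"]).hexdigest()
        if hmac.compare_digest(digest, trusted_sha256):
            intact.append(c)
        else:
            findings.append(f"{c['name']}: digest mismatch, do not restore")
    # Assume breach: only verified copies count toward the copy rule.
    if len(intact) < 3:
        findings.append(f"only {len(intact)} verified copies, need 3")
    if len({c["media"] for c in intact}) < 2:
        findings.append("verified copies span fewer than 2 media types")
    if not any(c["onsite"] for c in intact):
        findings.append("no verified onsite copy")
    if not any(c["offline"] for c in intact):
        findings.append("no verified offline copy")
    # Offer offline copies first: they are the hardest for an attacker to reach.
    intact.sort(key=lambda c: not c["offline"])
    return [c["name"] for c in intact], findings


# Constructed sample inventory (hypothetical names and contents).
ORIGINAL = b"constructed backup image bytes"
TRUSTED = hashlib.sha256(ORIGINAL).hexdigest()
SAMPLE = [
    {"name": "disk-repo", "media": "disk", "onsite": True,
     "offline": False, "data": ORIGINAL},
    {"name": "object-store", "media": "object", "onsite": False,
     "offline": False, "data": ORIGINAL + b" (modified)"},
    {"name": "tape-vault", "media": "tape", "onsite": False,
     "offline": True, "data": ORIGINAL},
]

if __name__ == "__main__":
    candidates, findings = audit_backup_set(SAMPLE, TRUSTED)
    print("restore candidates:", candidates)
    for finding in findings:
        print("finding:", finding)
```
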
Taking the first steps
Zero Trust Data Resilience, just like Zero Trust, is a journey. You can’t implement it all at once. Instead, follow a maturity model where you gradually implement new practices and refine and evolve these over time. For example, if you don’t currently validate your backup data, start doing so manually and over time implement technology to automate and schedule routine validation processes.
The other key thing you need is buy-in – everyone in the organisation must be on the journey together. Senior leadership is key to implementing any broad changes across an organisation, but so is educating people across the business on new processes and why they are needed. Finally, for Zero Trust Data Resilience especially, the security and wider IT operations teams must be aligned. Backup often falls under the responsibility of the latter, but as this becomes more and more crucial for security posture, the two need to work together to prevent security silos or gaps.
The journey to Zero Trust is endless. So much so that the exact destination evolves over time. My advice to businesses is that while Rome wasn’t built in a day, it is better to start taking steps today, no matter how small, instead of postponing and being left behind.