Four decades after a Scottish computer science professor coined the term, “zero trust” still stands as IT’s primary model for securing high-value assets. The model requires users to verify their credentials to convince the system they’re not rogue actors trying to hack their way in.
However, while the term is not new, the practice of zero trust is still evolving. For decades, most zero-trust frameworks ignored the protection of data backup and recovery systems. The thinking was that resources should be concentrated on protecting the perimeter to stop attacks before intruders can enter and move through the environment. Today, as ransomware attacks become more frequent and the value of data skyrockets, organizations are seeing the value of extending zero-trust principles to the data and backups themselves.
The tactical shift couldn’t come at a better time. A study of 1,200 IT professionals found that 85% of organizations were hit by a ransomware attack over the past year, representing a 12% increase in total attacks compared to the previous year. And those attacks targeted valued assets. Nearly half (45%) of these organizations’ production data was impacted during the attacks, putting their financial and operational health at risk.
The same study showed that 93% of ransomware attacks directly targeted backup systems and data, where attackers feel they can cause the most damage. Three-quarters of the victims of these successful attacks lost backup data, and 39% completely lost their entire backup repositories.
The data is hard to ignore: attackers are targeting data backups. The most effective way to protect backups is to apply zero-trust principles. While it’s important to apply zero-trust policies to the cybersecurity systems that keep intruders out, the numbers show that a successful intrusion is more likely than not, which makes protecting data backups the highest priority.
A change in mindset
This requires a change in mindset toward zero trust as a concept—that it’s not a “silver bullet to success.” Zero trust is a mindset, not a product, and not a rigid set of principles that can’t be adapted to address escalating threats.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) launched the Zero Trust Maturity Model several years ago to define security strategies in an age when data fuels modern organizational business strategies. The model includes five pillars based upon the foundations of zero trust: identity, devices, networks, applications and workloads, and data. However, it leaves out data backups.
A new model updates these concepts further. The Zero Trust Data Resilience (ZDTR) Maturity Model extends the five pillars from the CISA structure to backup and recovery systems.
The ZDTR model applies five core principles, a reference architecture, and a new set of capabilities to the Zero Trust Maturity Model.
Here is how each of the five principles applies to data backup and recovery systems:
- Least privilege access: Like backup management systems, backup storage systems should be isolated on the network so that no unauthorized users can break in. This prevents bad actors from getting access to critical backup copies—the “crown jewels” inside the castle—through network reconnaissance or exploiting a vulnerability.
- Immutability: Immutable backups ensure that attackers can’t modify or delete specific data sets if they gain control of the backup system. Immutability can be provided by the physical properties of storage media or through technologies embedded at hardware, firmware, or software layers.
- System resilience: Since backup functions extend beyond the data, systems must be hardened to protect the entire ecosystem of tools, technologies, and processes related to data backup and recovery. An important move is to segment the backup software and backup storage layers. This shrinks the size of the attack surface of backup repositories and limits the potential impact of a ransomware event.
- Proactive validation: To truly trust a backup system’s efficacy, it must be possible to validate it at any time. That means monitoring the backup system’s network activity, performance, and security posture. The backed-up data itself, along with the reliability and effectiveness of recovery policies, needs to be validated regularly.
- Operational simplicity: Organizations can develop the most extensive, strategic security plans but fail if those plans are too complicated to implement.
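An added example of the proactive-validation principle above (not code from the article or from any vendor’s product): a Python check that recomputes each backup copy’s SHA-256 against the hash recorded in a manifest at backup time, confirms the copy’s retention lock has not lapsed (so it is still immutable), and confirms a copy exists within the freshness window. The manifest layout, field names, and sample files are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large backup artifacts fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def validate_backups(manifest, now, max_age):
    """Return a list of findings; an empty list means the backup set passes.

    manifest entries (assumed layout): path, sha256 recorded at backup time,
    created (UTC datetime), lock_until (UTC datetime the retention lock expires).
    """
    findings = []
    newest = None
    for entry in manifest:
        path = entry["path"]
        if not os.path.exists(path):
            findings.append(f"missing: {path}")  # deleted copy
            continue
        if sha256_file(path) != entry["sha256"]:
            findings.append(f"hash mismatch: {path}")  # altered or corrupted copy
        if entry["lock_until"] <= now:
            findings.append(f"retention lock expired: {path}")  # no longer immutable
        if newest is None or entry["created"] > newest:
            newest = entry["created"]
    if newest is None or now - newest > max_age:
        findings.append("no backup within freshness window")  # recovery point too old
    return findings


def demo():
    """Constructed sample: two copies, the older one altered after the manifest was written."""
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    workdir = tempfile.mkdtemp()
    manifest = []
    for days_ago, name in ((1, "db-2024-01-09.bak"), (2, "db-2024-01-08.bak")):
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(b"full backup " + name.encode())
        manifest.append({"path": path, "sha256": sha256_file(path),
                         "created": now - timedelta(days=days_ago),
                         "lock_until": now + timedelta(days=30 - days_ago)})
    with open(manifest[1]["path"], "wb") as f:
        f.write(b"simulated tampering of the older copy")
    return validate_backups(manifest, now, max_age=timedelta(days=1))
```

Running `demo()` flags only the altered copy; the same check pointed at a real repository manifest would be scheduled rather than run once.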
Conclusion
The importance of data backup and recovery can’t be overstated. For years, organizations treated backups as deferrable budget items because the odds of getting breached seemed low. The script has flipped: the odds of being attacked more than once are rising yearly. Organizations should do their best to keep a portable, recoverable copy of their most critical data.
Zero trust requires organizations to trust no one and verify everything. The ZDTR approach takes this to heart, elevating data backup and recovery to the highest importance in protection strategies. The approach maintains that the data copy – that crown jewel, that holiest of holy assets – needs to be protected at all times, assuming that all other safeguards are at risk of failing.