By Rick Vanover, Senior Director of Enterprise Strategy at Veeam
Four decades after a Scottish computer science professor coined the term, “zero trust” still stands as IT’s primary model for securing high-value assets. The model requires each and every user to verify their credentials – essentially to convince the system they’re not rogue actors trying to hack their way in.
But while the term is not new, the implementation of zero trust practices is evolving. For decades, most zero trust frameworks ignored the protection of data backup and recovery systems. The thinking was that resources should be concentrated on protecting the perimeter to stop attacks before intruders can get in and move throughout the system. Today, as ransomware attacks become more frequent and the value of data skyrockets, organizations are seeing the value of extending zero trust principles to data and backup itself.
The tactical shift couldn’t come at a better time. A study of 1,200 IT professionals found that 85% of organizations were hit by a ransomware attack over the past year, representing a 12% increase in total attacks compared to the previous year. And those attacks targeted valued assets. Nearly half (45%) of these organizations’ production data was impacted during the attacks, putting their financial and operational health at risk.
The same study showed that 93% of ransomware attacks directly targeted backup systems and data, where attackers feel they can cause the most damage. Three quarters of the victims of these successful attacks lost backup data and 39% completely lost their entire backup repositories.
The data is hard to ignore: Attackers are targeting data backups. The most effective way to protect backups is to apply zero trust principles. While it’s important to apply zero trust policies to cybersecurity systems that keep intruders out, the numbers show that successful intrusions are more than likely to occur, elevating protection of data backups to the highest priority.
A change in mindset
This requires a change in mindset toward zero trust as a concept – that it’s not a “silver bullet to success.” Zero trust is a mindset, not a product, and not a rigid set of principles that can’t be adapted to address escalating levels of threats.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) launched the Zero Trust Maturity Model several years ago to define security strategies in an age when data fuels modern organizational business strategies. The model includes five pillars based upon the foundations of zero trust – identity, devices, networks, applications and workloads, and data. But it leaves out data backups.
A new model updates these concepts further. The Zero Trust Data Resilience (ZTDR) Maturity Model extends the five pillars from the CISA structure to backup and recovery systems.
The ZTDR model applies five core principles along with a reference architecture and a new set of capabilities for the Zero Trust Maturity Model.
Here is how each of the five principles applies to data backup and recovery systems:
Conclusion
The importance of data backup and recovery can’t be overstated. For years, organizations considered backups to be potentially deferrable budget items because the odds of getting breached were low. Now the script has flipped: The odds of getting attacked more than once are rising every year. Organizations should do whatever they can do now to ensure they have an absolutely portable, absolutely recoverable copy of their most critical data.
Zero trust requires organizations to trust no one and verify everything. The ZTDR approach takes this to heart, elevating data backup and recovery to the highest level of importance in protection strategies. The approach maintains that the data copy – that crown jewel, that holiest of holy assets – needs to be protected at all times, assuming that all other safeguards are at risk of failing.