About 18 months ago, I was discussing the “endless journey” toward Zero Trust. I described it as “endless” because Zero Trust is more of a mindset than a product or a destination—it’s a goal to strive for. Like many aspects of cybersecurity, it requires continuous evolution. You must adapt to survive and thrive in your environment. Even the concept of Zero Trust itself has had to evolve over time.
Adapting with the Times
Cybersecurity is a cat-and-mouse game, an arms race if you will—always about adapting and evolving to stay one step ahead of threats. Malicious actors constantly innovate and push the boundaries to outpace their targets. This relentless challenge has fueled a great deal of innovation in the industry since the very first cyberattack. It’s almost taken for granted that the security tools considered state-of-the-art when I began my career 35 years ago would now be virtually ineffective against a modern cyber gang. It’s not just the tools that have needed to evolve, but also the mindset—our approach to security and how we utilize these tools has had to change.
Zero Trust is a prime example of this evolution. In the past, security was focused on the perimeter, like a moat around a castle; once inside, you were considered safe. However, as enterprises worldwide have embraced Zero Trust as a best practice, this perspective has shifted. Security measures are now implemented both inside and outside—doors are locked, identity verification is required, and individuals are not granted access to areas they don’t need to access. But evolution never truly stops.
Introducing Zero Trust Data Resilience
Even the most widely adopted Zero Trust models have significant vulnerabilities in today’s landscape, particularly a lack of guidance on critical areas such as data backup and recovery. This oversight is crucial, as recent attacks frequently target backup repositories. For instance, the Veeam Ransomware Trends 2023 Report noted that ransomware attacks targeted backup repositories in at least 93% of incidents in 2022.
Data backup and recovery systems are crucial components of enterprise IT and must be integrated into the overall security strategy. They have read access to everything, can write data into the production environment, and contain complete copies of the business’s mission-critical data. Adhering strictly to modern Zero Trust principles makes you relatively secure against ‘traditional’ threats but leaves a significant vulnerability in terms of backup and recovery.
This is the current reality. Zero Trust has become too narrow in focus as threats have evolved, leading to the emergence of ‘Zero Trust Data Resilience.’ This concept expands on Zero Trust by including backup and recovery within its scope, ensuring these processes adhere to the same principles.
Incorporating Backup and Recovery
The foundational principles remain unchanged. The concepts of least privilege and an assume-breach mentality are still crucial. For instance, backup management systems must be network-isolated to prevent access by unauthenticated users. Similarly, the backup storage system itself must be isolated. Immutability is also essential. Ensuring backup data cannot be altered or tampered with means that if repositories are compromised by attacks like ransomware, the malware cannot affect them.
Assuming a breach also means businesses should not blindly ‘trust’ their backups following an attack. Establishing procedures to properly validate or ‘clean’ the backup before attempting system recovery is critical to avoid restoring a compromised environment. The ultimate layer of distrust involves maintaining multiple backup copies as fail-safes in case one or more are compromised. The best practice is to have three backup copies, with two stored on different media types, one stored onsite, and one kept offline. With these layers of resilience, your backup strategy can align with Zero Trust principles.
Taking the First Steps
Like Zero Trust, achieving Zero Trust Data Resilience is a journey. It cannot be implemented all at once. Instead, adopt a maturity model where you gradually introduce new practices and refine and evolve these over time. For example, if you’re not currently validating your backup data, begin by doing so manually. Over time, implement technology to automate and schedule routine validation processes.
Another critical element is buy-in—everyone in the organization must embark on this journey together. Senior leadership plays a crucial role in implementing any widespread changes across an organization, but educating the entire business about new processes and their importance is equally vital. Specifically, for Zero Trust Data Resilience, it’s essential that the security and broader IT operations teams are in sync. Backup often falls under the purview of IT operations, but as it becomes increasingly vital for a robust security posture, these teams must collaborate closely to avoid creating security silos or gaps.
The journey toward Zero Trust is indeed endless, to the point where the destination itself evolves over time. My advice to businesses is that while Rome wasn’t built in a day, it’s better to start taking steps today, no matter how small, rather than delaying and risking being left behind.
Dave Russell is Vice President of Enterprise Strategy at Veeam.
The opinions expressed are those of the author and may not reflect the editorial policy or an official position held by TRENDS.