For years, the well-known security maxim was, ‘Trust but verify’. But this is no longer sufficient. In today’s borderless, global, mobile, hybrid, cloud-based environment, traditional security approaches do not work, and nobody is to be trusted, including employees, customers, and partners.
The notion a protective moat surrounds your enterprise — where interactions inside the castle are trusted, and all interactions outside the castle are not — is hopelessly outdated. But there is a better way. Zero Trust is an antidote for stale security strategies because it demands that organisations entirely remove trust from the equation by denying access to everyone.
Zero Trust is all about evaluating the security posture of users based on location, device, and behaviour to determine if the users are who they claim to be. Zero Trust is also about granting just enough privilege, just in time, so that users can perform their needed tasks and operations — and nothing more. With Zero Trust, only minimum permissions are granted at just the right time to get a job done. Then those permissions are revoked immediately upon completion of the job or transaction. A Zero Trust security approach authenticates and authorises every connection, for example, when a user connects to an application or software to a data set via an application programming interface (API).
The US Government recently announced that it is moving toward a Zero Trust approach to cybersecurity to dramatically reduce the risk of cyberattacks against the nation’s digital infrastructure. The bottom line is that today’s security is not secure. Organisations must assume bad actors will inevitably get in, and they must do everything to minimise their attack surface and protect their business-critical data from being damaged or destroyed.
As part of this Zero Trust strategy, organisations must also be exceptionally vigilant around their data backup and recovery strategies. The concept of constantly verifying, continuously authenticating, and always logging who is going where and doing what should apply to regular operations and application usage. It should also apply to the data backup and recovery processes. For instance, it’s critical to know who is initiating that backup and where they are backing up the data.
It’s also essential to ensure that whatever applications you’re using for your backup and recovery, those applications have embedded authentication mechanisms such as multifactor authentication, identity services, and role-based access. Take, for instance, a worker who needs to have data recovered from her laptop. What are the credentials that allow this employee to restore the machine? What permissions were granted, and do those permissions need to be changed to reflect a new set of requirements? If the IT team is restoring a laptop set up a year ago, who ensures no one else has access to that machine? A Zero Trust approach to data backup and recovery can go a long way toward resolving these questions while securing enterprise data further.
The good news is that adopting Zero Trust for backup and recovery can mean extending the security controls that already exist within your environment. For example, applying multifactor authentication to your backup and recovery processes can go a long way toward establishing identity insurance and adding a greater level of protection to your organization.
Immutable storage should also be part of any Zero Trust initiative. Immutability is when data is converted to a write-once, read many times format. Immutable storage safeguards data from malicious intent by continuously taking snapshots of that data every 90 seconds. Because the object store is immutable, you can quickly restore data even if someone tampers with it.
As data breaches grow in volume and complexity, organisations must consider novel approaches to strengthen their protection against cyber threats. Zero Trust is not a specific technology or architecture. Instead, it’s a new way of thinking that can help you achieve robust threat protection and gain next-level security.