Data Backup and Recovery: An Unexamined Part of Zero Trust

Posted: Thursday November 30, 2023
Author: Jason Garbis

Zero Trust is a security strategy, and by necessity is broad in scope. In fact, we believe that this strategy is the lens through which you should view your entire IT infrastructure and business. The widely accepted Zero Trust Maturity Model, from the US Cybersecurity and Infrastructure Security Agency (CISA), defines its scope broadly – across the now-familiar pillars of Identity, Devices, Networks, Applications & Workloads, and Data, supported by the cross-cutting capabilities of Visibility and Analytics, Automation and Orchestration, and Governance. 

However, even given this breadth, there are areas which need more attention, and I’m pleased to be able to share the new concept of Zero Trust Data Resilience [updated to v1.1, May 2024], which resulted from our work applying Zero Trust principles to Data Backup and Recovery.

For this research, we dove into the security and architectural requirements for data backup and recovery systems, and debated the ways in which Zero Trust principles should apply here. We’re happy with the results, and will be using this series of three blog posts to talk about the approach we took. So let’s dive in.

Data backup and recovery systems, along with their backed-up data, are frequently the primary target of malicious actors. This is the case regardless of whether they’re attempting to deploy ransomware, exfiltrate data, or both. Given this, we need to apply security best practices – Zero Trust. As we thought about this, we created the concept of Zero Trust Data Resilience, which is based on three principles that we explore in the whitepaper:

  • Segmentation and Least Privilege Access
  • Immutability
  • System Resilience

We also introduce two Platform Requirements:

  • Proactive Validation
  • Operational Simplicity

We also created a set of additional Maturity Model functions specific to the data backup and recovery arena, against which enterprises can measure their maturity:

  • Access to Enterprise Data and Systems
  • Access to Backup Storage and Data
  • System Resilience
  • System Monitoring and Validation

We explore both the principles and the new functions in depth in the research whitepaper. As part of this work, I had a conversation with data backup and recovery expert Tom Sightler, who is Vice President, Product Management, Enterprise Solutions at Veeam Software. Veeam is a data backup and recovery company, whose solutions help customers achieve Zero Trust Data Resilience. I’ll be including excerpts from our conversation throughout this series of blog posts:

Jason: Tom, let’s start out by talking about why we thought this work was needed.

Tom: It’s interesting, even among enterprise customers, traditionally we’ve seen that backup and storage teams were not security-focused, and security teams, while heavily focused on network, systems, and applications, were often not tuned into backup and storage systems. This has been changing in recent years, likely due to the increase in ransomware impact and the frequency of recovery operations being needed. As the responsibility for security has expanded across IT departments, we’re starting to see security teams getting more visibility into these storage and backup teams, with better alignment all around.

Jason: I’m glad to see this, because enterprise data is now being targeted for both encryption and exfiltration – sometimes within the same incident.

Tom: Yes, the need for better security has become so pervasive that awareness and education is happening across the organization, top to bottom. Previously, we’d seen organizations with great security programs and great backup programs, but they were siloed. So…when an incident occurred, they were unable to quickly or easily recover because they didn’t have a recovery practice in place that had been properly evaluated and tested.

Jason: And this led us to the principles of Proactive Validation and Operational Simplicity, which will go a long way toward ensuring that both mid-sized and large enterprises have effective and secure data backup and recovery programs. When combined with the other principles – Least Privilege Access, Immutability, and System Resilience – organizations will be able to ensure their data backup and recovery systems are well-aligned with Zero Trust.

Note: Conversation to be continued in upcoming blog posts 2 and 3.

The new research, titled Zero Trust Data Resilience: A Secure Data Backup and Recovery Model, is available here [updated to v1.1, May 2024].

I’ll also be discussing this in a panel webcast, November 30 at 1pm ET. Register here.

Look for two more blog posts in this series, which will focus on the Zero Trust Data Resilience reference architecture and the new maturity model functions.

And, if you’re interested in applying this Data Backup and Recovery resilience model to your enterprise, sign up for a free 30-minute workshop here.

Added:
The 2nd post in this blog series is here.
The 3rd post in this blog series is here.
