The endless journey to zero-trust: How to thrive amidst rising threats

With cyberattacks on the rise around the globe and IT systems becoming more complex, zero-trust has become a hot topic within the technology space. However, zero-trust is not new and has been a continuation of a principle that’s been around for years. To better understand why more business leaders are looking into zero-trust as a secure backup solution, let’s explore the history, challenges and why such projects are never really over.

Why zero-trust becoming a household need for firms?

We’ve seen discussion around zero-trust over the last couple months, with cyberattacks such as ransomware becoming increasingly nuanced. In a 2022 ransomware report by Veeam, 75% of organisations experienced at least one cyberattack in 2021, while 24% were either not attacked or more worryingly, unaware if their systems were compromised.

This means more firms are looking at alternatives like zero-trust architecture to safeguard their systems. In simpler terms, business leaders want a system that is secured from top-to-bottom and never trusts anyone, requiring internal access requests to be verified at all times.

Being in the backup and data storage business for over 30 years, zero trust has always been around, and the practice of building systems or components to be ‘mutually suspicious’ of each other was commonplace. Zero-trust is a continuation of this same idea but like many things in the digital space, scale and complexity have reached new levels

Another thing about zero-trust is that it is not a plug-and-play product that can be plugged into existing architecture. Zero-trust is a culture and a change of mindset for the system and the organisation, Zero-trust should be evaluated and applied across all levels of employees.

Why are backup and recovery a necessity for zero-trust?

The two core principles of zero-trust is to never trust, and to always verify – meaning that security within has to be as robust as the outside. Every stage of interaction will require verification and while it seems enough, backup and disaster recovery must be implemented.

Zero-trust policy is designed in a way that the architecture assumes that traffic may be malicious, devices and infrastructure could be compromised, and critical data is always at risk. But this bottom layer is the most crucial, if all else fails you need a core fail-safe to restore your data and get your systems back up and running as quickly as possible.

There is a golden rule in data protection known as the ‘3-2-1’ backup rule. When you back up data, there should be three copies of that data, on two different media, with one of those being kept offsite. This rule was popularised nearly 20 years ago and still holds today.

A core tenant at Veeam, this rule is one we’ve built upon to make it viable for modern zero-trust architecture. The ‘3-2-1-1-0’ rule might not be as catchy, but it’s critical for advanced backups to be truly resistant to anything. These additions cover one copy of backup data being kept offline, air-gapped or immutable, and zero errors due to recovery verification. 

Ransomware is sophisticated and is actively targeting system backups as part of their attacks. The 2022 Veeam Ransomware report found that 97% of ransomware attempted to infect backup repositories, with 73% of these being successful. A zero-trust strategy needs to account for this and have backups that are either offline, air-gapped (unreachable), immutable (unchangeable), or, even better, all three to have a bulletproof set-up.

What are the challenges of adopting zero-trust?

Implementing zero-trust across an organisation is not a simple task. Since zero-trust requires a united front and the cooperation of all employees, it needs to be embraced across all users, with senior decision makers clear on d its value and assign adequate funding.

Training sessions will have to be rolled out and policies adhered to. Even after initial zero-trust capabilities have been implemented, you must ensure follow-through across the company. 

With the way zero-trust is structured, any new element added to the ecosystem has to be assessed and modified to follow zero-trust principles, One example of expanding threats can include anything from a bring your own device policy to open source software. Open source software is an invaluable tool but it does present some issues when following zero-trust.

This exemplifies a larger challenge with zero-trust, one that is pivotal to the success or failure of the strategy – constantly re-evaluating the architecture. The journey to zero-trust is an on-going journey and will eventually underpin everything you do. I often compare it to an exercise routine, if you just do it once – nothing will change, if you do it for a while and then stop entirely, your results will start to backslide until you’re back where you started.

It’s vital to keep re-evaluating your security and pushing that mindset as far as possible. Most ‘zero-trust’ architectures are probably 0.3% or 0.5% trust; the journey to zero is ongoing.  

The commitment required to implement such a strategy should not be taken lightly, however, as it takes company-wide commitment to truly adopt and build a zero-trust culture. Doing so is a constant journey, but if you start with a modern data protection strategy entailing secure backups and robust disaster recovery, you will always have something to fall back on.

Dave Russell is the Vice President of Enterprise Strategy at Veeam.