The Never Ending Journey to Zero-Trust Architecture

 As cyberattacks increase, there is much discussion about zero-trust architecture. However, it is not a new idea. Dave Russell, vice president of enterprise strategy, Veeam, discusses the brief history and challenges of zero trust, the need for secure backups, and why zero-trust implementation is an ongoing project.

As cyberattacks become more sophisticated and IT systems ever more complex, zero-trust architecture is becoming a hot topic in security. But zero-trust is not a new idea; it is a continuation of a principle that has been around for years. Let us explore the history and challenges of zero-trust, the critical role of secure backups, and why such projects are never really over.

Zero-trust: New Concept, Old Principles

If you pay attention to industry news, you will see much discussion around zero-trust in recent months. Cyberattacks, particularly ransomware, are becoming increasingly nuanced, and their frequency has risen sharply over the last year. According to the 2022 Ransomware Trends Report,Opens a new window 76% of companies had at least one ransomware attack in 2021. Digital infrastructure is also growing more complex — meaning more access points and integrations across IT and OT networks, public clouds, and between a myriad of different parties.

Both of these factors mean more and more organizations are looking to implement a zero-trust architecture. In simple terms, it is a system secured from top-to-bottom rather than just the outside and one that never trusts and always verifies internal access requests. 

In truth, zero-trust is not a new idea. I have worked in data storage for 20+ years, and even in those early days, the practice of building systems or components to be ‘mutually suspicious’ of each other was commonplace. Zero-trust is a continuation of this idea, but like many things in the digital space, scale and complexity have reached new levels.

The other thing about zero-trust, which people often misunderstand, is that it is not a product you can purchase and just plug into your existing architecture. Zero-trust is a culture; it is a complete change of mindset for both the organization and the system itself, and it is supported by a litany of intertwined products. This focus on mindset is crucial. You cannot just implement it and forget about it. You need to constantly re-evaluate and apply it to everything you do. 

Google TrendsOpens a new window : Use of ‘Zero Trust’ over time

Backup and Recovery Are an Overlooked Necessity for Zero-trust

The two core principles of a zero-trust architecture are always to verify and always assume a breach, meaning security on the inside of the system has to be as robust as that on the outside. An element of this that is not talked about enough is backup and disaster recovery. Zero-trust is a layered strategy — you design the architecture assuming traffic may be malicious, devices and infrastructure could be compromised, and critical data is always at risk. But this bottom layer is the most crucial; if all else fails, you need a core fail-safe to restore your data and get your systems back up and running as quickly as possible.

There is a golden rule in data protection known as the ‘3-2-1’ backup rule. This states that when you back up data, there should be three copies of that data, on two different media, with one of those being kept offsite. This rule was popularized nearly 20 years ago and still holds today. A core tenant at Veeam, this rule is one we have built upon to make it viable for modern zero-trust architecture. The ‘3-2-1-1-0’ rule might not be as catchy, but it is critical for advanced backups to be truly resistant to anything. These additions cover one copy of backup data being kept offline, air-gapped or immutable, and zero errors due to recovery verification. But it is the former I want to focus on now.  

Modern threats like ransomware are incredibly sophisticated, actively targeting system backups as part of their attacks. In the recent Veeam Ransomware Trends ReportOpens a new window , Veeam found that 94% of ransomware attacks targeted backup repositories, with 68% of those being successful. A truly zero-trust strategy needs to account for this and has backups in place that are either offline, air-gapped (unreachable), immutable (unchangeable), or, even better, all three to have a bulletproof set-up.

See More: How To Upgrade Your VPN with Zero TrustOpens a new window

Never-ending Challenges

Implementing zero-trust across an organization is not a simple task. Many challenges are involved in building a truly zero-trust architecture. The first is getting buy-in. Because adopting zero-trust requires a united effort and a top-to-bottom mindset change, it needs to be embraced and understood by leadership, administrators, and users. Senior decision-makers need to understand its value and assign adequate funding, administrators need to have buy-in as well as relevant training, and users must truly understand and follow new policies. Even after initial zero-trust capabilities have been implemented, you must ensure follow-through across the organization rather than a ‘one and done’ mentality. 

Another challenge is the constantly shifting threatscape of an organization. This is not a unique concern to zero-trust (as any security team has to monitor new risks) because this kind of architecture is so un-comprising. However, any new element being added to the ecosystem needs to be assessed and often modified to follow zero-trust principles. Examples of expanding threats can include anything from a bring your own device policy to open source software. 

Open source software is an invaluable tool, but it does present some issues when following zero-trust. An infamous example of this is the ‘endemic vulnerabilityOpens a new window ’ found within Log4j which left many organizations exposed. That is not to say it is impossible to use open source alongside zero-trust, but such programs need to be correctly bundled and wrapped to isolate vulnerabilities. At Veeam, for example, we even have some products that use Log4J, but as part of our architecture, we built in modifications meaning vulnerabilities were isolated or removed.

This exemplifies a larger challenge with zero-trust, one that is pivotal to the success or failure of the strategy — constantly re-evaluating the architecture. This is because the journey to zero-trust is never really over; to truly succeed, you must make it part of your culture. That means not just applying it to everything you do but ensuring it underpins everything you do going forward. I often compare it to an exercise routine; if you just do it once, nothing will change; if you do it for a while and then stop entirely, your results will start to backslide until you are back where you started. It is vital to keep re-evaluating your security and pushing that mindset as far as possible. In reality, most ‘zero-trust’ architectures are probably 0.3% or 0.5% trust; the journey to zero has to always be ongoing.  

Bringing It Back to the Basics

In the modern environment, zero-trust is becoming a requirement to keep businesses and systems safe from evolving threats. The commitment required to implement such a strategy should not be taken lightly, however, as it takes organization-wide commitment to truly adopt and build a zero-trust architecture and culture. Doing so is a constant journey, but if you start with a modern data protection strategy entailing secure backups and robust disaster recovery and build out from there, you will always have something to fall back on.

How has your journey to zero-trust architecture evolved over time? Let us know on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window .

MORE ON ZERO-TRUST

• Rethinking Network Security: Three Steps to Zero Trust
• The Blind Spot in Zero Trust: Securing Voice CommunicationOpens a new window
• The Case for Zero Trust amidst Soaring ConnectivityOpens a new window