The (endless) journey to zero-trust

Conceptual art of a computer system being hacked.
(Image credit: Getty Images)

As cyberattacks become more sophisticated and IT systems ever more complex, zero-trust architecture is becoming a hot topic in cybersecurity. But zero-trust is not a new idea, it's a continuation of a principle that’s been around for years. Let's explore the history and challenges of zero-trust, the critical role of secure backups, and why such projects are never really over.

About the author

Dave Russell is VP of Enterprise Strategy at Veeam.

Zero-Trust: new concept, old principles

If you pay attention to industry news you will see a lot of discussion around zero-trust in recent months. Cyberattacks, particularly ransomware, are becoming increasingly nuanced and their frequency has risen sharply over the last year. Digital infrastructure is also growing more complex - meaning more access points and integrations across IT and OT networks, public clouds, and between a myriad of different parties.

Both of these factors mean more and more organizations are looking to implement a zero-trust architecture. In simple terms - a system that is secured from top-to-bottom rather than just the outside and one that never trusts and always verifies internal access requests.

In truth, zero-trust is not a new idea. I’ve worked in the data protection space for over twenty years, and even in those early days, the practice of building systems or components to be ‘mutually suspicious’ of each other was commonplace. Zero-trust is a continuation of this same idea but like many things in the digital space, scale and complexity have reached new levels.

The other thing about zero-trust which people often misunderstand is that it's not a product that you can purchase and just plug into your existing architecture. Zero-trust is a culture, it's a complete change of mindset, for both the organization and the system itself, and it's supported by a litany of intertwined products. This focus on mindset is crucial. You can’t just implement it and forget about it. You need to be constantly re-evaluating and applying it to everything you do.

Backup and recovery are an overlooked necessity for zero-trust. The two core principles of a zero-trust architecture are to always verify, and always assume a breach, meaning security on the inside of the system has to be as robust as that on the outside. An element of this that is not talked about enough is backup and disaster recovery. Zero-trust is a layered strategy - you design the architecture assuming traffic may be malicious, devices and infrastructure could be compromised, and critical data is always at risk. But this bottom layer is the most crucial, if all else fails you need a core fail-safe to restore your data and get your systems back up and running as quickly as possible.

There’s a golden rule in data protection known as the ‘3-2-1’ backup rule. This states that when you back up data, there should be three copies of that data, on two different media, with one of those being kept offsite. This rule was popularized nearly 20 years ago and still holds today. A core tenant at Veeam, this rule is one we’ve built upon to make it viable for modern zero-trust architecture. The ‘3-2-1-1-0’ rule might not be as catchy, but it's critical for advanced backups to be truly resistant to anything. These additions cover one copy of backup data being kept offline, air-gapped or immutable, and zero errors due to recovery verification, but it's the former I want to focus on now.

Modern threats like ransomware are incredibly sophisticated, actively targeting system backups as part of their attacks. In the recent Veeam Ransomware Trends Report, Veeam found that 94% of ransomware attacks targeted backup repositories, with 68% of those being successful. A truly zero-trust strategy needs to account for this and have backups in place that are either offline, air-gapped (unreachable), immutable (unchangeable), or, even better, all three to have a bulletproof set-up.

Never-ending challenges

Implementing zero-trust across an organization is not a simple task. Many challenges are involved in building a truly zero-trust architecture. The first is getting buy-in. Because adopting zero-trust requires a united effort and a top-to-bottom mindset change, it needs to be embraced and understood across leadership, administrators and users. Senior decision-makers need to understand its value and assign adequate funding, administrators need to have buy-in as well as relevant training, and users must truly understand and follow new policies. Even after initial zero-trust capabilities have been implemented, you must ensure follow-through across the organization, rather than a ‘one and done’ mentality.

Another challenge is the constantly shifting threatscape of an organization. While this is not a unique concern to zero-trust (as any security team has to monitor new risks) because this kind of architecture is so un-comprising, any new element being added to the ecosystem needs to be assessed and often modified to follow zero-trust principles. Examples of expanding threats can include anything from a bring your own device policy to open source software.

Open source software is an invaluable tool but it does present some issues when following zero-trust. An infamous example of this is the ‘endemic vulnerability’ found within Log4j which left many organizations exposed. That's not to say it's impossible to use open source alongside zero-trust, but such programs need to be correctly bundled and wrapped to isolate vulnerabilities. At Veeam for example, we even have some products that use Log4J, but as part of our architecture, we built in modifications meaning vulnerabilities were isolated or removed.

This exemplifies a larger challenge with zero-trust, one that is pivotal to the success or failure of the strategy - constantly re-evaluating the architecture. This is because the journey to zero-trust is never really over, to truly succeed you have to make it part of your culture and that means not just applying it to everything you do, but ensuring it underpins everything you do going forward. I often compare it to an exercise routine, if you just do it once - nothing will change, if you do it for a while and then stop entirely, your results will start to backslide until you’re back where you started. It's vital to keep re-evaluating your security and pushing that mindset as far as possible. In reality, most ‘zero-trust’ architectures are probably 0.3% or 0.5% trust; the journey to zero has to always be ongoing.

Bringing it back to the basics

In the modern environment, zero-trust is becoming a requirement to keep businesses and systems safe from evolving threats. The commitment required to implement such a strategy should not be taken lightly, however, as it takes organization-wide commitment to truly adopt and build a zero-trust architecture and culture. Doing so is a constant journey, but if you start with a modern data protection strategy entailing secure backups and robust disaster recovery and build out from there, you will always have something to fall back on.

We've featured the best endpoint protection software.

Dave Russell

Dave Russell is VP of Enterprise Strategy at Veeam.