As cyberattacks become more sophisticated and IT systems ever more complex, zero-trust architecture is becoming a hot topic in security. But zero trust is not a new idea, it's a continuation of a principle that’s been around for years. Let's explore the history and challenges of zero-trust, the critical role of secure backups, and why such projects are never really over.
If you pay attention to industry news you will see a lot of discussion around zero trust in recent months. Cyberattacks, particularly ransomware, are becoming increasingly nuanced and more frequent. Research from the IBM 2021 Cost of a Data Breach Report, shows record levels of data breaches around the world with Asia topping the world as the most attacked region in 2021. Asia accounted for one in four cybersecurity attacks launched worldwide. Japan, Australia, and India experienced the most incidents in the region,
Zero-Trust: New concept, old principles
A key driver is accelerating the adoption and growing complexity of digital infrastructure - meaning more access points and integrations across IT and OT networks, public clouds, and between a myriad of different parties. In Asia, zero-trust adoption among APAC organisations has been slower than in the rest of the world.
However there are signs of accelerating growth as the Okta State of Zero Trust Security in Asia Pacific 2022 report, showed that 50% of APAC companies had implemented a Zero Trust Security initiative, an 18% jump from 2021, albeit still slower than the rest of the world
In truth, zero trust is not a new idea.
I’ve worked in data storage for 20+ years and even in those early days, the practice of building systems or components to be ‘mutually suspicious’ of each other was commonplace. Zero-trust is a continuation of this same idea but like many things in the digital space, scale and complexity have reached new levels.
The other thing about zero-trust which people often misunderstand is that it's not a product that you can purchase and just plug into your existing architecture. Zero-trust is a culture, it's a complete change of mindset, for both the organisation and the system itself, and it's supported by a litany of intertwined products. This focus on mindset is crucial. You can’t just implement it and forget about it. You need to constantly re-evaluate and apply it to everything you do.
Backup and recovery are an overlooked necessity for zero-trust
The two core principles of a zero-trust architecture are to always verify, and always assume a breach, meaning security on the inside of the system has to be as robust as that on the outside. An element of this that is not talked about enough is backup and disaster recovery.
Zero-trust is a layered strategy - you design the architecture assuming traffic may be malicious, devices and infrastructure could be compromised, and critical data is always at risk. But this bottom layer is the most crucial, if all else fails you need a core fail-safe to restore your data and get your systems back up and running as quickly as possible.
Modern threats like ransomware are incredibly sophisticated, actively targeting system backups as part of their attacks. In the recent Veeam Ransomware Trends Report, Veeam found that 94% of ransomware attacks targeted backup repositories, with 68% of those being successful.
A truly zero-trust strategy needs to account for this and has backups in place that are either offline, air-gapped (unreachable), immutable (unchangeable), or, even better, all three to have a bulletproof setup.
Never-ending challenges
Implementing zero trust across an organisation is not a simple task. Many challenges are involved in building a truly zero-trust architecture. The first is getting buy-in. Because adopting zero-trust requires a united effort and a top-to-bottom mindset change, it needs to be embraced and understood by leadership, administrators and users.
Senior decision-makers need to understand its value and assign adequate funding, administrators need to have buy-in as well as relevant training, and users must truly understand and follow new policies. Even after initial zero-trust capabilities have been implemented, you must ensure follow-through across the organisation, rather than a ‘one and done’ mentality.
It's vital to keep re-evaluating your security and pushing that mindset as far as possible. In reality, most ‘zero-trust’ architectures are probably 0.3% or 0.5% trust; the journey to zero has to always be ongoing.
Bringing it back to the basics
In the modern environment, zero-trust is becoming a requirement to keep businesses and systems safe from evolving threats. The commitment required to implement such a strategy should not be taken lightly, however, as it takes organisation-wide commitment to truly adopt and build a zero-trust architecture and culture.
Doing so is a constant journey, but if you start with a modern data protection strategy entailing secure backups and robust disaster recovery and build out from there, you will always have something to fall back on.
