The endless journey to zero-trust
As cyberattacks become more sophisticated and IT systems ever more complex, zero-trust architecture is becoming a hot topic in security. But zero-trust is not a new idea; it is the continuation of a principle that has been around for years. Let's explore the history and challenges of zero-trust, the critical role of secure backups, and why such projects are never really over.
Zero-Trust: New concept, old principles
If you pay attention to industry news you will see a lot of discussion around zero-trust in recent months. Cyberattacks, particularly ransomware, are becoming increasingly sophisticated, and their frequency has risen sharply over the last year. Digital infrastructure is also growing more complex, meaning more access points and integrations across IT and OT networks, public clouds, and between a myriad of different parties.
Both of these factors mean more and more organisations are looking to implement a zero-trust architecture. In simple terms, this is a system that is secured from top to bottom rather than only at the perimeter, and one that never trusts and always verifies every access request, including those that originate inside the network.
In truth, zero-trust is not a new idea. I’ve worked in data storage for 20+ years and even in those early days, the practice of building systems or components to be ‘mutually suspicious’ of each other was commonplace. Zero-trust is a continuation of this same idea but like many things in the digital space, scale and complexity have reached new levels.
The other thing about zero-trust which people often misunderstand is that it is not a product that you can purchase and just plug into your existing architecture. Zero-trust is a culture, a complete change of mindset for both the organisation and the system itself, and it is supported by a set of intertwined products rather than delivered by any one of them. This focus on mindset is crucial. You can't just implement it and forget about it. You need to be constantly re-evaluating it and applying it to everything you do.
Backup and recovery are an overlooked necessity for zero-trust
The two core principles of a zero-trust architecture are to always verify and to always assume a breach, meaning security on the inside of the system has to be as robust as that on the outside. An element of this that is not talked about enough is backup and disaster recovery. Zero-trust is a layered strategy: you design the architecture assuming traffic may be malicious, devices and infrastructure could be compromised, and critical data is always at risk. But this bottom layer is the most crucial. If all else fails, you need a core fail-safe to restore your data and get your systems back up and running as quickly as possible.
There's a golden rule in data protection known as the '3-2-1' backup rule. It states that when you back up data there should be three copies of that data, on two different media, with one of those copies kept offsite. The rule was popularised nearly 20 years ago, still holds today, and is what we have built upon to make it viable for a modern zero-trust architecture.
The '3-2-1-1-0' rule might not be as catchy, but it is critical if backups are to be truly resistant to anything. The two additions are a further copy kept offline, air-gapped or immutable, and zero errors, confirmed by actually verifying recovery rather than assumed from a backup job reporting success. It is the former I want to focus on now.
Modern threats like ransomware are incredibly sophisticated, actively targeting system backups as part of their attacks. In the recent Veeam Ransomware Trends Report, Veeam found that 94% of ransomware attacks targeted backup repositories, with 68% of those being successful. A truly zero-trust strategy needs to account for this and have backups in place that are either offline, air-gapped (unreachable), immutable (unchangeable), or, even better, all three to have a bulletproof set-up.
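As an added illustration of the two paragraphs above (this is example code written for this page, not Veeam's or the author's), the script below audits a constructed inventory of backup copies against each digit of 3-2-1-1-0. The inventory, the media names and the payload are all made up; the interesting part is the last digit, where the check hashes what a test restore actually produced instead of trusting the backup job's status, and a set of three online disk copies in one building, one of them silently corrupted, is shown failing.

```python
"""Audit a set of backup copies against the 3-2-1-1-0 rule.

Constructed example: the inventory below is invented for illustration, not a
real environment. Each copy records where it lives, what media it is on,
whether it is offsite, whether it is protected (offline, air-gapped, or
immutable), and the bytes a test restore of it produced.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str              # e.g. "disk", "object-storage", "tape"
    offsite: bool
    protected: bool         # offline, air-gapped, or immutable (WORM / object lock)
    restored_bytes: bytes   # what a test restore of this copy actually produced


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_3_2_1_1_0(copies, source_hash):
    """Return a list of rule violations; an empty list means the set is compliant.

    The checks mirror the rule's five digits: 3 copies, 2 media types,
    1 offsite, 1 offline/air-gapped/immutable, 0 errors on test restore.
    """
    violations = []
    if len(copies) < 3:
        violations.append(f"3: only {len(copies)} copies, need at least 3")
    media = sorted({c.media for c in copies})
    if len(media) < 2:
        violations.append(f"2: all copies on one media type ({', '.join(media)})")
    if not any(c.offsite for c in copies):
        violations.append("1: no offsite copy")
    if not any(c.protected for c in copies):
        violations.append("1: no offline, air-gapped or immutable copy")
    # "0 errors" only means something if you restore and compare: a backup
    # that reported success but restores garbage is exactly the failure case.
    for c in copies:
        if sha256(c.restored_bytes) != source_hash:
            violations.append(f"0: test restore of {c.name} does not match source")
    return violations


# Constructed sample data: the 'production' payload and copies of it.
SOURCE = b"customer-db dump 2024-06-01\n" * 1000
SOURCE_HASH = sha256(SOURCE)

GOOD_SET = [
    BackupCopy("nas-primary", "disk", offsite=False, protected=False, restored_bytes=SOURCE),
    BackupCopy("s3-objectlock", "object-storage", offsite=True, protected=True, restored_bytes=SOURCE),
    BackupCopy("tape-vault", "tape", offsite=True, protected=True, restored_bytes=SOURCE),
]

# A common real-world shape: three copies, but all online, all on disk in the
# same building, and one of them silently corrupted (a flipped byte on restore).
CORRUPTED = bytearray(SOURCE)
CORRUPTED[100] ^= 0x01
BAD_SET = [
    BackupCopy("nas-primary", "disk", offsite=False, protected=False, restored_bytes=SOURCE),
    BackupCopy("nas-replica", "disk", offsite=False, protected=False, restored_bytes=SOURCE),
    BackupCopy("nas-snapshot", "disk", offsite=False, protected=False, restored_bytes=bytes(CORRUPTED)),
]


def audit_good():
    return audit_3_2_1_1_0(GOOD_SET, SOURCE_HASH)


def audit_bad():
    return audit_3_2_1_1_0(BAD_SET, SOURCE_HASH)


if __name__ == "__main__":
    for label, result in (("good set", audit_good()), ("bad set", audit_bad())):
        print(f"{label}: {'compliant' if not result else 'NON-COMPLIANT'}")
        for v in result:
            print("  -", v)
```

Two caveats a practitioner would add. First, the `offsite` and `protected` flags here are self-reported by whoever fills in the inventory; in a real audit they must be read back from the storage itself (for instance the retention setting on an object-lock bucket, or the fact that the tape is physically out of the library), because a backup server the attacker already controls will report whatever it is told to. Second, the '0' check requires a real restore of every copy, not a hash taken at backup time, since a repository that ransomware has encrypted in place will still carry the original catalogue entry.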
Never-ending challenges
Implementing zero-trust across an organisation is not a simple task. Many challenges are involved in building a truly zero-trust architecture. The first is getting buy-in. Because adopting zero-trust requires a united effort and a top-to-bottom mindset change, it needs to be embraced and understood across leadership, administrators and users. Senior decision-makers need to understand its value and assign adequate funding, administrators need to have buy-in as well as relevant training, and users must truly understand and follow new policies. Even after initial zero-trust capabilities have been implemented, you must ensure follow-through across the organisation, rather than a ‘one and done’ mentality.
Another challenge is an organisation's constantly shifting threat landscape. This is not unique to zero-trust, as any security team has to monitor new risks, but because this kind of architecture is so uncompromising, any new element added to the ecosystem needs to be assessed and often modified to follow zero-trust principles. Examples of expanding exposure include anything from a bring-your-own-device policy to open source software.
Open source software is an invaluable tool, but it does present some issues when following zero-trust. An infamous example is the 'endemic vulnerability' found in Log4j, which left many organisations exposed. That is not to say it is impossible to use open source alongside zero-trust, but such components need to be correctly packaged and isolated so that a vulnerability in one of them cannot be used to reach the rest of the system.
This exemplifies a larger challenge with zero-trust, one that is pivotal to the success or failure of the strategy: constantly re-evaluating the architecture. The journey to zero-trust is never really over. To truly succeed you have to make it part of your culture, and that means not just applying it to everything you do today but ensuring it underpins everything you do going forward. I often compare it to an exercise routine: if you do it once, nothing will change; if you do it for a while and then stop entirely, your results will backslide until you are back where you started. It is vital to keep re-evaluating your security and pushing that mindset as far as possible. In reality, most 'zero-trust' architectures are probably 0.3% or 0.5% trust; the journey to zero has to always be ongoing.
Bringing it back to the basics
In the modern environment, zero-trust is becoming a requirement to keep businesses and systems safe from evolving threats. The commitment required to implement such a strategy should not be taken lightly, however: it takes organisation-wide effort to truly adopt and build a zero-trust architecture and culture. Doing so is a constant journey, but if you start with a modern data protection strategy of secure backups and robust disaster recovery and build out from there, you will always have something to fall back on.
Copyright: Project Syndicate