Zero-trust security must include data backup and recovery

Issue 2 2022 IT infrastructure

Who can you trust? The straight answer to that question is – nobody. Unfortunately, in today's digital world, the reality of the situation is that the old security maxim of 'trust but verify' is no longer adequate. We deal with borderless, global, mobile, hybrid and cloud-based environments where traditional security approaches do not work, and nobody is to be trusted, including employees, customers and partners.

Byron Horn-Botha.

The notion of a protective shield surrounding your organisation where interactions perceived as trusted and therefore safe, and exchanges outside of it are not safe, is outdated and naive. Zero Trust is a better approach and constitutes an antidote to stale security strategies because it demands organisations entirely remove trust from the equation by denying access to everyone.

Zero trust thinking

Zero Trust is not a specific technology or architecture. Instead, it's a new way of thinking that can help you achieve robust threat protection and gain next-level security. It is about evaluating the security posture of users based on location, device and behaviour to determine if they are who they claim to be. It is also about granting just enough privilege, just in time, so that users can perform work required tasks and operations.

With this model, only minimum permissions are granted at just the right time to get a job done. Such permissions are then revoked immediately upon completion of the project or transaction. A Zero Trust security approach authenticates and authorises every connection, for example, when a user connects to an application or to a data set via an application programming interface (API).

Gartner predicts that by the end of 2023, modern privacy laws will cover the personal information of 75% of the world's population.

GDPR was the first significant legislation for consumer privacy. Still, others quickly followed it, including Brazil's General Personal Data Protection Law (LGPD) and the California Consumer Privacy Act (CCPA). The sheer scope of these laws suggests you'll be managing data protection legislation in various jurisdictions, and customers will want to know what kind of data you're collecting and how it's being used. It also means you'll need to focus on automating your privacy management system. Standardise security operations using GDPR as a base and adjust for individual jurisdictions.

According to Gartner, the percentage of nation-states passing legislation to regulate ransomware payments, fines and negotiations will rise to 30% by 2025, compared to less than 1% in 2021.

That is a significant jump, as shown by the recent US government announcement that it is moving towards a Zero Trust approach to cybersecurity to dramatically reduce the risk of cyberattacks against the nation's digital infrastructure.

Gartner further predicts that by 2025, 60% of organisations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements, and 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member. These predictions show that compliance is increasingly front and centre for C-suite executives in the management of businesses.

The fact is that organisations must assume bad actors will inevitably get in, and they must do everything to minimise their attack surface and protect business-critical data from being damaged or destroyed.

A successful zero trust strategy

Companies need to be vigilant concerning data backup and recovery strategies. The concept of constantly verifying, continuously authenticating, and always logging who is going where and doing what should apply to regular operations and application usage. It should also apply to data backup and recovery processes. It is crucial to know who is initiating backups and to where they are backing up the data.

It's also essential to ensure that whatever applications you're using for backup and recovery, those applications have embedded authentication mechanisms such as multi-factor authentication, identity services and role-based access.

One example is a worker who needs to have data recovered from their laptop. What are the credentials that allow this employee to restore the machine? What permissions were granted, and do those permissions need to be changed to reflect a new set of requirements? If the IT team is restoring a laptop set up a year ago, who ensures no one else has access to that machine? Zero Trust in data backup and recovery goes a long way to resolving these questions while securing enterprise data further.

Immutable storage should also be part of any Zero Trust initiative. Immutability is when data is converted to a write-once, read many times format. Immutable storage safeguards data from malicious intent by continuously taking snapshots of that data every 90 seconds. Because the object store is immutable, you can quickly restore data even if someone tampers with it.

As data breaches grow in volume and complexity, businesses must consider creative approaches to strengthen their protection against cyber threats. Still, it must be built around a Zero Trust security model – without it, breaches are guaranteed.

For more information contact Byron Horn-Botha, Arcserve Southern Africa, +27 11 417 8641, [email protected],


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Citrix App Protection helps secure remote workers
Cyber Security IT infrastructure
Many organisations are implementing a zero-trust security model with data protection as a top priority. This is largely due to the increase in remote work and unmanaged personal devices playing a growing role in the enterprise.

Kaspersky invests in development of neuromorphic processors
News IT infrastructure
Neuromorphic processors’ field of application is acceleration of the hardware used in the latest generation of artificial intelligence systems, which are based on spiking neural networks (SNN) training, which is more akin to biological interactions.

Infinidat enhances channel support
News IT infrastructure
Infinidat drives go-to-market strategy with new global partner portal and expands channel sales with Storage-as-a-Service in ArrowSphere.

2022 Cloud Security Report
Cyber Security IT infrastructure
The 2022 Cloud Security Report reveals how security executives and practitioners are using the cloud, how their organisations are responding to security threats in the cloud, and the challenges they are facing.

Arcserve launches N Series appliances
IT infrastructure Cyber Security
Arcserve introduces N Series appliances offering enterprise-level integrated data protection, recovery and cybersecurity to allow customers to simplify their IT environments and secure data.

LucidLink Filespaces 2.0 cloud NAS offering
Products IT infrastructure
Drive Control Corporation (DCC) has announced the availability of LucidLink’s new cloud NAS product, Filespaces 2.0, which forms part of the distributor’s StorVault value proposition to its channel partners.

Leaning into the edge
Technews Publishing Axis Communications SA Forbatt SA Hikvision South Africa Editor's Choice CCTV, Surveillance & Remote Monitoring Integrated Solutions IT infrastructure
Video storage and analytical processing, with the help of artificial intelligence on the edge, is simple today with the powerful and advanced camera technology we have available.

Optimising edge analytics
CCTV, Surveillance & Remote Monitoring IT infrastructure
Service provider inq leverages Advantech’s edge appliances combined with Enea’s uCPE virtualisation and management solution for delivery of high-performance video analytics services at the customer premises edge.

Turnkey data loss prevention solution
IT infrastructure Cyber Security Products
Acronis’s expertise in data protection and the managed service provider market yields an innovative, fast-track approach for the prevention of catastrophic data leaks.

Video surveillance and the cloud
Secutel Technologies CCTV, Surveillance & Remote Monitoring IT infrastructure
Use existing investments in CCTV to provide analytical and proactive detection capabilities on standard IP or analog surveillance systems.