Zero-trust security must include data backup and recovery

Issue 2 2022 IT infrastructure

Who can you trust? The straight answer to that question is – nobody. Unfortunately, in today's digital world, the reality of the situation is that the old security maxim of 'trust but verify' is no longer adequate. We deal with borderless, global, mobile, hybrid and cloud-based environments where traditional security approaches do not work, and nobody is to be trusted, including employees, customers and partners.


Byron Horn-Botha.

The notion of a protective shield surrounding your organisation where interactions perceived as trusted and therefore safe, and exchanges outside of it are not safe, is outdated and naive. Zero Trust is a better approach and constitutes an antidote to stale security strategies because it demands organisations entirely remove trust from the equation by denying access to everyone.

Zero trust thinking

Zero Trust is not a specific technology or architecture. Instead, it's a new way of thinking that can help you achieve robust threat protection and gain next-level security. It is about evaluating the security posture of users based on location, device and behaviour to determine if they are who they claim to be. It is also about granting just enough privilege, just in time, so that users can perform work required tasks and operations.

With this model, only minimum permissions are granted at just the right time to get a job done. Such permissions are then revoked immediately upon completion of the project or transaction. A Zero Trust security approach authenticates and authorises every connection, for example, when a user connects to an application or to a data set via an application programming interface (API).

Gartner predicts that by the end of 2023, modern privacy laws will cover the personal information of 75% of the world's population.

GDPR was the first significant legislation for consumer privacy. Still, others quickly followed it, including Brazil's General Personal Data Protection Law (LGPD) and the California Consumer Privacy Act (CCPA). The sheer scope of these laws suggests you'll be managing data protection legislation in various jurisdictions, and customers will want to know what kind of data you're collecting and how it's being used. It also means you'll need to focus on automating your privacy management system. Standardise security operations using GDPR as a base and adjust for individual jurisdictions.

According to Gartner, the percentage of nation-states passing legislation to regulate ransomware payments, fines and negotiations will rise to 30% by 2025, compared to less than 1% in 2021.

That is a significant jump, as shown by the recent US government announcement that it is moving towards a Zero Trust approach to cybersecurity to dramatically reduce the risk of cyberattacks against the nation's digital infrastructure.

Gartner further predicts that by 2025, 60% of organisations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements, and 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member. These predictions show that compliance is increasingly front and centre for C-suite executives in the management of businesses.

The fact is that organisations must assume bad actors will inevitably get in, and they must do everything to minimise their attack surface and protect business-critical data from being damaged or destroyed.

A successful zero trust strategy

Companies need to be vigilant concerning data backup and recovery strategies. The concept of constantly verifying, continuously authenticating, and always logging who is going where and doing what should apply to regular operations and application usage. It should also apply to data backup and recovery processes. It is crucial to know who is initiating backups and to where they are backing up the data.

It's also essential to ensure that whatever applications you're using for backup and recovery, those applications have embedded authentication mechanisms such as multi-factor authentication, identity services and role-based access.

One example is a worker who needs to have data recovered from their laptop. What are the credentials that allow this employee to restore the machine? What permissions were granted, and do those permissions need to be changed to reflect a new set of requirements? If the IT team is restoring a laptop set up a year ago, who ensures no one else has access to that machine? Zero Trust in data backup and recovery goes a long way to resolving these questions while securing enterprise data further.

Immutable storage should also be part of any Zero Trust initiative. Immutability is when data is converted to a write-once, read many times format. Immutable storage safeguards data from malicious intent by continuously taking snapshots of that data every 90 seconds. Because the object store is immutable, you can quickly restore data even if someone tampers with it.

As data breaches grow in volume and complexity, businesses must consider creative approaches to strengthen their protection against cyber threats. Still, it must be built around a Zero Trust security model – without it, breaches are guaranteed.

For more information contact Byron Horn-Botha, Arcserve Southern Africa, +27 11 417 8641, [email protected], www.arcserve.com


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Storage-as-a-service, optimised with AIOps
IT infrastructure
Organisations today have realised the relevance of adopting a hybrid cloud strategy when faced with issues such as data sovereignty, privacy, compliance and more.

Read more...
The importance of device and connectivity management
Trinity IoT IT infrastructure
If access to device data through cellular connectivity is the lifeline of a company’s business model, then device management is the key to sustaining this with connectivity management being the golden thread tying everything together.

Read more...
Becoming more cyber resilient
IT infrastructure
Organisations must consider the need for a highly secure and effective authorisation and authentication process, says Hayden Sadler, country manager for South Africa at Infinidat.

Read more...
Don’t let endpoint security be an afterthought
IT infrastructure
Data management is critical not only for mitigating the risk of ransomware, but also for compliance with various data privacy and data protection regulations.

Read more...
Cyber resilience is more than security
Industrial (Industry) Cyber Security IT infrastructure
Kate Mollett, regional director at Commvault Africa advises companies to guard against cyberattacks in the shipping and logistics sector using an effective recovery strategy.

Read more...
Citrix App Protection helps secure remote workers
Cyber Security IT infrastructure
Many organisations are implementing a zero-trust security model with data protection as a top priority. This is largely due to the increase in remote work and unmanaged personal devices playing a growing role in the enterprise.

Read more...
Kaspersky invests in development of neuromorphic processors
News IT infrastructure
Neuromorphic processors’ field of application is acceleration of the hardware used in the latest generation of artificial intelligence systems, which are based on spiking neural networks (SNN) training, which is more akin to biological interactions.

Read more...
Infinidat enhances channel support
News IT infrastructure
Infinidat drives go-to-market strategy with new global partner portal and expands channel sales with Storage-as-a-Service in ArrowSphere.

Read more...
2022 Cloud Security Report
Cyber Security IT infrastructure
The 2022 Cloud Security Report reveals how security executives and practitioners are using the cloud, how their organisations are responding to security threats in the cloud, and the challenges they are facing.

Read more...
Arcserve launches N Series appliances
IT infrastructure Cyber Security
Arcserve introduces N Series appliances offering enterprise-level integrated data protection, recovery and cybersecurity to allow customers to simplify their IT environments and secure data.

Read more...