In previous blog posts, we’ve talked about Zero Trust, the need to back up data in multiple ways at multiple locations, the need to regularly assess your security posture and – because Murphy’s Law applies all too frequently – the importance of breach preparedness.
Unfortunately, some of the recent and more public breaches, including those experienced by multiple municipalities and public service entities, have taken longer to remediate than anyone would have liked. In part, this is because important data sets had not been backed up to an off-site location.
We all know that being able to fully restore your network and data is very different from simply being able to remediate the problem. To do so, it’s imperative that you have reliable, intact data sets.
The challenge: making sure you don’t reimport malware if a virus has been sitting dormant in your backups for a long time. There are steps you can take to reduce the likelihood of this happening, and it starts with Zero Trust Data Resilience.
What is Zero Trust Data Resilience?
Most of us are familiar with Zero Trust as an approach based on the concept that no device or user should be trusted automatically, even if it is already inside the organisation or part of its approved network of stakeholders.
To date, Zero Trust has typically been introduced and enforced across an organisation’s entire ecosystem. Unfortunately, the vast majority of Canadian organisations – from large multinational enterprises to SMBs – do not apply the same principle to their backup environments. Hence the breaches mentioned above.
With Zero Trust Data Resilience (ZTDR), the Zero Trust principles are extended to cover the backup environment. The approach starts from the core backup principles with which we are all already familiar:
- Separating backup software and backup storage to minimize the attack surface, and to reduce the impact in the event of a breach.
- Having multiple backup methods, all differently geo-located. This is the standard 3-2-1 backup approach that has been used for years.
- Having immutable and encrypted backup data sets, to prevent those files from being modified or deleted. Note: there must also be some backup data sets that system administrators can modify, so that malware can be detected and eradicated, where possible, before data is reimported to a “clean” network environment.
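As an added illustration (not code from this post, Veeam or any product), the following Python check evaluates a backup inventory against the three principles above: 3-2-1 coverage, separation of backup software from backup storage, and the presence of both an immutable encrypted copy and an administrator-modifiable staging copy, plus a digest comparison so that a copy which no longer matches the catalogue is flagged before it is restored. The `BackupCopy` fields, host names and digest values are constructed assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class BackupCopy:
    name: str
    site: str          # physical location of this copy (assumed label)
    media: str         # storage medium, e.g. "disk", "tape", "object"
    storage_host: str  # system that holds the data
    offsite: bool
    immutable: bool
    encrypted: bool
    sha256: str        # digest recorded in the backup catalogue at write time

def check_ztdr_policy(copies: list[BackupCopy], backup_server: str, catalogue_sha256: str) -> list[str]:
    findings = []  # empty list means the inventory meets the stated principles
    # 3-2-1: at least three copies, on two media types, at least one of them off-site
    if len(copies) < 3:
        findings.append(f"3-2-1: only {len(copies)} copies, need at least 3")
    if len({c.media for c in copies}) < 2:
        findings.append("3-2-1: all copies share one media type, need at least 2")
    if not any(c.offsite for c in copies):
        findings.append("3-2-1: no off-site copy")
    if len({c.site for c in copies}) < 2:
        findings.append("copies are not geographically separated")
    # Separation of backup software from backup storage
    colocated = [c.name for c in copies if c.storage_host == backup_server]
    if colocated:
        findings.append("storage co-located with backup server: " + ", ".join(colocated))
    # One immutable, encrypted copy, plus a mutable staging copy administrators can scan
    if not any(c.immutable and c.encrypted for c in copies):
        findings.append("no immutable and encrypted copy")
    if all(c.immutable for c in copies):
        findings.append("no administrator-modifiable copy for malware scanning before restore")
    # Integrity: each copy must still match the digest the catalogue recorded
    for c in copies:
        if c.sha256 != catalogue_sha256:
            findings.append(f"integrity: {c.name} no longer matches the catalogue digest")
    return findings

# Constructed sample inventories (not real systems); digests are placeholder values.
CATALOGUE_SHA256 = "a" * 64
GOOD_INVENTORY = [
    BackupCopy("disk-primary", "hq", "disk", "nas-01", False, False, True, CATALOGUE_SHA256),
    BackupCopy("object-lock", "cloud-region-1", "object", "s3-bucket", True, True, True, CATALOGUE_SHA256),
    BackupCopy("tape-vault", "vault-site", "tape", "lib-01", True, True, True, CATALOGUE_SHA256),
]
WEAK_INVENTORY = [  # everything on the backup server itself, one copy silently changed
    BackupCopy("disk-only", "hq", "disk", "backup-srv", False, False, True, CATALOGUE_SHA256),
    BackupCopy("disk-copy", "hq", "disk", "backup-srv", False, False, True, "b" * 64),
]
```

Running `check_ztdr_policy(WEAK_INVENTORY, "backup-srv", CATALOGUE_SHA256)` returns seven findings, while the good inventory returns none.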
One of our partners, Veeam, has a good blog post entitled Understanding Zero Trust Data Resilience (ZTDR). You might also want to read the research paper that served as fodder for the post.
If you would like to discuss your own security posture, or would like more information about Veeam or other backup solutions, please feel free to contact us: [email protected] or call 416.429.0796.