For years, the well-known security maxim was, “Trust but verify.” However, the statement is no longer sufficient. In today’s borderless, global, mobile, hybrid, cloud-based environment, traditional security approaches cannot defend the digital fortress on its own, and nobody is to be trusted, including employees, customers, and partners. But there is a way out. Zero Trust is an antidote for stale security strategies because it demands that organizations entirely remove trust from the equation by denying access to everyone.
Zero Trust is all about evaluating the security posture of users based on location, device, and behaviour to determine if the users are who they claim to be. Zero Trust is also about granting just enough privilege, just in time, so that users can perform their needed tasks and operations—and nothing more. With Zero Trust, only minimum permissions are granted at just the right time to get a job done. Then those permissions are revoked immediately upon completion of the job or transaction. A Zero Trust security approach authenticates and authorises every connection, for example, when a user connects to an application or software to a data set via an application programming interface (API).
As organisations globally rushed to support the remote workforce with the threat vectors spread across endpoints, combining that with surging cyber attacks prompted them to deploy a zero-trust security model. Early this year, COVID-19 related data of around 20 thousand people were reported to have leaked from Indian government sites and were put on sale on the darknet. The data showed name, age, gender, mobile number, address, date and result of COVID-19 report of these people. This is a breach of people’s personal identity information and happened on a government website.
Even companies like Apple and Meta could not evade data breaches, when recently hackers managed to obtain unauthorised access to their customer databases. Hence, it is given that bad actors will inevitably get inside any organisation’s network. Hence everything possible must be tried out to minimize the attack surfaces and protect the business-critical data from being damaged or destroyed.
As part of this Zero Trust strategy, organizations must also be exceptionally vigilant around their data backup and recovery strategies. The concept of constantly verifying, continuously authenticating, and always logging who is going where and doing what should apply to regular operations and application usage. It should also apply to the data backup and recovery processes. For instance, it’s critical to know who is initiating that backup and where they are backing up the data.
It’s also essential to ensure that whatever applications you’re using for your backup and recovery, those applications have embedded authentication mechanisms such as multifactor authentication, identity services, and role-based access. Take, for instance, a worker who needs to have data recovered from her laptop. What are the credentials that allow this employee to restore the machine? What permissions were granted, and do those permissions need to be changed to reflect a new set of requirements? If the IT team is restoring a laptop set up a year ago, who ensures no one else has access to that machine? A Zero Trust approach to data backup and recovery can go a long way towards resolving these questions while securing enterprise data further.