In the world of highly innovative attackers and the growing incidence of insider threats, the perimeter-based security approaches that IT has long relied upon are no longer sufficient. As a result, the topic of Zero Trust, which is defined by the National Institute of Standards and Technology as an architecture that “assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location or based on asset ownership”, has been getting headlines and executive-level attention.
Not simply a buzzword, Zero Trust was emphasized as a guiding principle of both federal sector and private sector IT systems in the Biden-Harris National Cybersecurity Strategy, which was released last month. Increasingly, Zero Trust principles will guide how IT infrastructures and networks are architected – including data protection implementations.
The Role of Data Protection in a Zero Trust Framework
Backup systems are increasingly the subject of cyberattacks because attackers know that companies will be less incentivized to pay ransoms if they can recover their data and applications. This is part of the reason why protecting critical data assets is a core component of a Zero Trust Framework. Specifically, the ability to recover the organization’s most critical data assets as quickly as possible is paramount to mitigating the effects of attacks.
From a Zero Trust perspective, backup and recovery tools are having capabilities built in to inhibit malicious access and to detect that an attack has occurred. Role-based access control (RBAC), multi-factor authentication (MFA), two-person concurrence for data deletion, and air gapping/data vaulting are just a few Zero Trust-related technologies that are established or are becoming table stakes for an effective data protection strategy.
The Role of Data Protection in a Zero Trust Approach and the Challenges Ahead
Although organizations are realizing that Zero Trust principles should guide IT architecture, there is not an overnight fix. It will take time for organizations to both understand the importance of Zero Trust and to embrace it, and there are potential issues standing in the way. First, it is not easy to integrate new technologies into the data protection ecosystem and data protection plays an outsized role. To complicate matters further, data protection has a very long tail of adoption.
Another challenge is that, historically, administrators have been extensively trained on specific solutions. Additionally, in many cases, data that has been backed up with a particular solution cannot be recovered by a different solution. Moreover, when looking at Zero Trust specifically, it is important that new technologies or processes do not inhibit the need for the right data getting to the right users in a timely manner; it can’t impede or slow down business processes by getting in the way.
Data protection by itself is not the end-all-be-all, for Zero Trust or for cyber resiliency, and attackers will continue to innovate. But understanding the role data protection plays in the process as a whole will help, and strides are being made, which is encouraging.
Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.
Other insights from The Futurum Group:
World Backup Day: Taking Stock of Data Protection Best Practices
