Developed in collaboration between zero trust expert Jason Garbis of Numberline Security and Veeam Software, a new framework, the Zero Trust Data Resilience (ZTDR) model, applies zero trust principles to backup and recovery as an extension to the Cybersecurity & Infrastructure Security Agency (CISA) Zero Trust Maturity Model.
Two measures are essential to ZTDR: the separation of backup management systems and their storage tiers into distinct resilience zones, to reduce the attack surface and limit the potential ‘blast radius’ from breaches, and immutable backup storage, to ensure that data cannot be modified even in the event of a ransomware attack.
Modern, effective security is based on zero trust, replacing the increasingly ineffective perimeter-based security approach. Yet most zero trust frameworks do not include the security of data backup and recovery systems, despite the fact that backup data is often the primary target of malicious actors in both ransomware and data exfiltration attacks.
Within the CISA Zero Trust Maturity Model, ‘Data’ is one of five pillars, under which CISA identifies five key functions: Data Inventory Management, Data Categorization, Data Availability, Data Access and Data Encryption. To extend this model to the critical function of data backup and recovery, the ZTDR principles are:
- Least Privilege Access
- System Resilience
- Proactive Validation
- Operational Simplicity.
To help organizations begin their journey to implement these principles, Numberline has developed a detailed ZTDR Maturity Model, as well as a ZTDR Reference Architecture which includes these key attributes for improved data resilience:
- Segmentation, for clear separation of Backup Software and Backup Storage layers to create distinct resilience zones that minimize the attack surface and reduce the blast radius when an attack occurs.
- Backup storage immutability, ensuring data cannot be modified or deleted.
The full Zero Trust Data Resilience model, core principles, recommended architecture and maturity model are available in a free white paper.