Zero Trust

As the name suggests, it literally means not to trust any device or user, by default. The main principle of zero trust is “never trust, always verify.” This security approach assumes that every user and every device that is trying to access your organization’s data is a threat. 

Your organization might already be using zero trust principles in some sense. Multi-factor authentication (MFA) for VPN access or using the four eyes workflow for critical data deletion are some examples of how an organization currently employs a zero trust workflow. However, it’s the remaining exposures that leave you vulnerable to attacks. As ransomware attacks become more intelligent and more aggressive, any exposure will be exploited.

Traditional IT security systems worked with a perimeter-based security approach. They used things like VPNs and firewalls assuming that only employees with valid credentials and pre-identified devices would be able to access the organization’s network and data. This worked pretty well as long as you were working from your office using the laptop provided by your company.

Although the zero trust model has existed for more than a decade (analyst John Kindervag of Forrester Research described it in 2010), adoption of it has surged only recently, in part as a response to the COVID-19 pandemic. 

The pandemic caused a rapid shift to remote work, leaving IT and security teams scrambling to secure enterprise data. Suddenly, employees were using a variety of personal devices to connect to their organization’s network to get work done. Data was shared across devices and applications. IT teams had to quickly secure multiple endpoints to prevent breaches or leaks. Employees also used multiple cloud services, making it even more difficult for IT to secure the organization’s data. 

Protecting data, regardless of where it lives, became the primary objective of security and IT teams. A survey conducted by Microsoft for their Zero Trust Adoption Report, 2021 revealed that 76% of security decision-makers are in the process of implementing zero trust. This was a 56% increase compared to the previous year’s data. 

Ponemon Institute’s 2022 Cost of Insider Threats Global Report found that credential thefts have almost doubled since 2020. Additionally, the findings showed that 56% of incidents experienced by organizations were due to negligence. 

Such stats cemented the fact that IT and security teams need a new approach to data security.

As zero trust is more of a concept rather than a standard, there is no official set of rules that define it. 

However, in August 2020, cybersecurity researchers from the U.S. National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) published SP 800-207 – Zero Trust Architecture. This document contains an abstract definition of zero trust architecture (ZTA) and describes general deployment models and use cases. This publication can serve as an excellent handbook for any organization looking to implement zero trust security. 

According to the SP 800-207 document, zero trust architecture has the following basic tenets:

Consider all data sources and computing services as resources – You should consider any device that can access your organization’s data as a resource of your organization. No matter how small the footprint of a device, if it’s accessing your organization’s data, it should be deemed as a resource. 

Secure all communications regardless of network location – You must secure the communication with a resource regardless of its location. For example, a server rack present in the local data center of your organization’s office should not be trusted even though it’s within the company’s premises and network perimeter. A zero trust network should not implicitly trust anything. 

Grant access to individual resources as needed – When a user sends a data access request for a resource, the user should be identified and authenticated before granting access. The user should receive least-privilege access (bare minimum access permissions to complete a task) to the authorized resource. The request should time-out after a predefined interval so that the user needs to go through the authentication process once again. Also, getting access to a resource should not grant a user access to other similar or associated resources. 

Resource authentication and authorization are dynamic and strictly enforced – Organizations must use several attributes to verify and confirm the identity of a resource. Attributes may include device characteristics (such as software version, network location), behavioral attributes (such as device analytics, previous usage patterns), and environmental attributes (time of the request, reported active attacks). These attributes may vary based on the acceptable level of risk to the business and the sensitivity of the resource and data. Use policies to define the attributes required for verification and authentication of resources, users, and tasks. 

Monitor and measure the integrity and security posture of all owned and associated assets – Automate all the authorization and mechanisms so that it does not affect the business operations. Each action should be logged so that anyone can go back and check historical data. Organizations should collect as much information as possible about the current state of its assets, network infrastructure, and communications. This data should be utilized to improve the security posture of the organization.

• Minimizes risk with least privilege access – Any kind of access is restricted only to the business needs of an employee. A hacker can do very little damage if compromised credentials cannot access other parts of the network.
  
• A single security framework – Organization-wide implementation of zero trust ensures that all departments use the same framework to secure devices and users. This promotes collaboration, because departments are aware that their data is safe regardless of where it lives. A single security standard also helps IT. They can use the same set of security tools for any department regardless of how critical their data is.
  
• Faster incident response times – Even if there is a cyber attack, its spread is contained within a finite set of devices and users. As all activities are logged, it’s easy to quickly trace the inception of the attack and determine the amount of damage. Fast identification gives the security team more time to determine the reason and nature of the attack and quickly resolve the issue. 

It isn’t hard to weave in a zero trust approach into your existing cyber security tools and services. To get started, follow the minimum requirements for zero-trust:

• Multi-factor authentication (MFA) — MFA forces cyber criminals to compromise multiple components of your infrastructure, not just one.
  
• Four eyes — Any destructive operation should require the confirmation of at least two people. This can help protect against ransomware and internal bad actors.
  
• Monitor unusual administrative activity — If an administrator is behaving outside of the norm, suspend activity until the activity can be explained.
  
• Delay deletes — In a world of deduplication, most deletion occurs only when garbage collection heaps freed blocks. If you are experiencing excessive deletes, hold onto the blocks until the activity can be validated.
  
• No root access to an underlying system — Organizations often focus on securing the backup software management layer but forget that everything runs on a Linux or Windows box that can, itself, be compromised. If the ransomware can compromise the underlying operating system, your environment is not zero-trust.

Security is critical to everything we build at Druva. And, zero trust forms one of the foundational pillars of how we go about making our product secure. 

We are so obsessed with zero trust, that we don’t even trust our customers. Here’s an excerpt from a funny yet true story of how this obsession of ours saved a customer from a ransomware attack. 

Over the 2020 Thanksgiving weekend, our internal security and monitoring system kept alerting us about a customer reducing consumption and deleting some data. We contacted the customer and got an email response confirming they were simply right-sizing. We called them and received the same response. 

We were informed Tuesday that all the while we were actually communicating with a hacker who had taken over the customer’s identity system, and hence also the email and phone systems. The hacker was deleting all the virtual machine (VM) backups and associated infrastructure in the Druva system.

Read the full story here.

Later, this Druva customer was able to fully recover their environment using Druva’s Delayed Deletion feature. 

Visit the security and trust page of the Druva site to learn more about the key security features. Explore Druva’s ransomware recovery page and watch our cyber resilience summit sessions on-demand for data protection best practices in the age of ransomware.