Exclusive Q&A: Four Zero Trust practices for better data security
- Written by Paul Lancaster, Director Pre-Sales Engineering at Commvault
The past year has seen industries dramatically shift from on-premises operations to cloud and hybrid solutions, fundamentally changing how businesses of all sizes approach data management. As businesses embraced this digital change, data has exponentially grown, providing invaluable insights while highlighting the importance of security approaches that help safeguard their most critical data.
With data growth showing no signs of slowing and security and ransomware threats rising, a Zero Trust architect is becoming central to an enterprise data security strategy. Zero Trust, simply put, is to trust no one and authenticate everyone, ensuring all administrators and users are authenticated and authorised, protecting against threats both external and internal across every environment.
However, with numerous solutions available, how do businesses start their Zero Trust journey, and what do they need to know? To make it easy, we've outlined the top four Zero Trust practices businesses can enable to implement and shield their data from cybercriminals and shore up their cyber resilience.
What is the importance/benefit of implementing security through role-based access? How does this contribute to a business's cyber defence?
Role-based access is a vital part of security strategies in most modern enterprises, allowing a company to limit potential risks by restricting individuals' access to systems and data within the organisation. This is primarily done by assigning permissions for which users, business units, or even project teams can assess/change specific IT resources like applications and files, depending on the organisation's structure and the users' responsibilities
'Role Assignments' are created and used to build permissions within this framework, defined by criteria such as authority, responsibilities, cost centre, and business unit. The role refers to the collection of user permissions and allows the system manager to update access for groups of people instead of assigning access to each individual.
The challenge with a role-based approach is once a role is assigned, that user has access to all the information connected to the role, as it's not possible to grant partial user access to a subset of the data or systems available to a specific role. This can result in a proliferation of roles and IT access as individuals work across different systems.
Push and Pull architecture, what is it, and what works best?
The increase in remote working has fundamentally changed the way employees connect to their work networks, demanding a renewed focus on securing internal and external data access and assets.
Commonly referred to as 'push' and 'pull' architecture, each takes a different approach to how businesses connect with their servers. 'Push' architecture relies on a persistent connection and may be beneficial for simpler systems that focus on real-time alerts. However, attackers can exploit these 'always on' connections to launch Malware and phishing attacks, exposing businesses to significant cyber risks.
"Pull architecture", however, relies on a periodic connection, isolating data and requiring a request for access and authentication of entry, "pulling" data and events from that network. While it does depend on a business's needs, pull architecture helps isolate data securely, preventing attackers from freely and easily moving between secure systems.
Why should a business self-encrypt their data, and what security measures protect decryption keys from being compromised or stolen?
Encryption is seen as the answer to preventing criminals from using stolen data; however, it's essential to understand what's being encrypted, how it's being encrypted, at what level, and why.
When encrypting data, businesses should consider solutions that secure data 'in-flight' and 'at rest'; this ensures complete protection from attackers who may attempt to access data within a network or intercept it during transit. By encrypting data in this way, even if criminals obtain sensitive data, it is rendered useless without the decryption keys.
When it comes to different types of encryption algorithms, RSA is one such method, wherein messages are encrypted asymmetrically with a public key code; once a message has been encrypted with the public key, it can only be decrypted by another key called 'the private key'.
RSA encryptions allow for easy sharing of secured data without risking or revealing sensitive information; Commvault takes this a step further, storing and encrypting the private key with a built-in passphrase or with the passphrase provided by the business user, securing both data and the decryption key to access it.
What is a 3-2-1 approach to data backup, and how does it help a business strengthen their security and keep data safe during an attack?
The 3-2-1 rule is a simple guide to setting up backup and recovery systems. The rule is: keep at least three copies of your data and store two backup copies on different storage media, with one of them located off-site and preferably air-gapped for disaster recovery.
A 3-2-1 approach is essential for several reasons. Even a trivial event such as a fire can result in a massive loss in data if the infrastructure is exposed to water damage or in some other way. For this reason, the core system that is being used and accessed daily can be lost in a moment. A backup on-site can be damaged in the same event; however, if it has not been affected, this is the fastest means to get systems back online and running. If the backup is lost, a second backup, this time off-site, can ensure that systems can be restored regardless of what happened.
With the recent increase in ethical hackers targeting primary data sources and backup infrastructure, creating environments with multiple redundancies is critical for business continuity and resilience. Any security measure should minimise downtime and allow for safe data recovery at speed, and with professional hackers launching increasingly sophisticated ransomware attacks, Zero Trust is the best solution for securing and locking down business data vulnerabilities, internally and externally.