The traditional method when it comes to perimeter-based security has relied on the assumption that once inside a network, all entities could be trusted. Zero trust operates on the principle of verifying and authenticating every user and device, regardless of their location within or outside the network. While this approach has proven effective in enhancing overall security posture, there remains a critical oversight in many Zero Trust frameworks — the security of data backup and recovery systems.

Despite being the lifeline for organizations in the event of a cyberattack, backup data often becomes the primary target for malicious actors, particularly in ransomware and data exfiltration attacks. The Veeam Data Protection Trends Report for 2023 highlights the alarming statistic that 93% of ransomware attacks are specifically aimed at compromising backup repositories, emphasizing the imperative need for an integrated and fortified security strategy that encompasses data protection.

Taking that data, Veeam knew something had to be done, so they acted. The data protection and ransomware recovery provider, in collaboration with zero trust expert Jason Garbis of Numberline Security, introduced Zero Trust Data Resilience, or ZTDR, a model to help organizations reduce the risk of growing data security threats and improve their overall resilience.

“To reduce that risk, Numberline and Veeam are proposing practical Zero Trust Data Resilience tools, including core principles, an architecture, and a maturity model,” said Garbis. “Our goal is to help organizations fill a gap in their security strategy by extending Zero Trust to backup and recovery to achieve greater cyber resilience.”

ZTDR is an application of the zero-trust principles to the realm of backup and recovery, extending the established Cybersecurity & Infrastructure Security Agency, or CISA, Zero Trust Maturity Model. Embedded within the CISA Zero Trust Maturity Model, the "Data" pillar identifies five critical functions: Data Inventory Management, Data Categorization, Data Availability, Data Access and Data Encryption. ZTDR extends these principles to the vital domain of data backup and recovery through its defined set of principles, which include Least Privilege Access, Immutability, System Resilience, Proactive Validation and Operational Simplicity.

Central to the ZTDR framework is the concept of separating backup management systems and their storage tiers into distinct resilience zones. This strategic segmentation aims to diminish the attack surface, thereby limiting the potential impact of breaches and reducing the overall blast radius. Another key feature integral to ZTDR is the implementation of immutable backup storage, a safeguard mechanism ensuring that data remains unalterable even in the face of a ransomware attack.

For organizations wondering about the process of adopting these principles, Numberline has you covered. Numberline developed a comprehensive ZTDR Maturity Model, complemented by a ZTDR Reference Architecture. These resources provide a structured approach to enhancing data resilience by incorporating key attributes such as segmentation, which ensures a clear division between backup software and backup storage layers, creating distinct resilience zones to minimize the attack surface and mitigate the impact of potential attacks. Furthermore, the emphasis on backup storage immutability guarantees that data remains impervious to unauthorized modifications or deletions.

“With the ZTDR Maturity Model, every organization can chart their path to greater data security and less down time,” said Danny Allan, CTO at Veeam. “While Veeam has always been committed to this architectural approach, we are working with storage partners to implement an industry leading zero trust model.”

Enterprises have a clear path for fortified defenses, efficient operations of faster recovery by adopting this ZTDR framework.