10 best practices for zero-trust data security

Throughout the course of 2021, the true scale of ransomware threats has become abundantly clear.

Not only did this year’s Australian Cyber Security Centre (ACSC) Annual Threat Report label ransomware “the most serious cyber crime threat due to its high financial impact and disruptive impacts to victims and the wider community”, but at the political level, a national Ransomware Action Plan was created in a bid to shore up our defences.

In the face of the ransomware threat, zero trust data security has emerged as a key strategy to keep data out of the hands of attackers and keep businesses in business.

With a zero-trust approach to data security, every user, every application and every device is treated as untrustworthy. The core idea is to only provide the minimum level of access needed to perform an approved task and assumes an attacker has already infiltrated the network.

In developing such an approach, there are 10 key steps to take to achieve best practice zero trust data security.

Backup SLA policies – Your backups are the last line of defence against a cyber attack. With this in mind, it is vital to meet not only your recovery point objective (RPO), but also your recovery time objectives (RTO). As an example, recovering to a point in time, which ensures you lose only seconds of data, is meaningless if it takes months to verify exactly when your systems were compromised before they can be restored to that point in time.

Properly defining SLA policies and applying these against business-critical workloads and datasets should be a priority. Setting policies is one thing, but once these are in place, backups should be regularly monitored to verify these have been completed because failures can result from any number of factors including application, infrastructure or services outages.

SLA retention lock – Retention Lock ensures that data retention settings within an SLA policy cannot be reduced or removed. Without this, a ransomware attacker might attempt to change the retention period from three years to just one day, causing the system to remove any data older than 24 hours. This would prevent any data older than a day from being restored.

VIEW ALL

Multi-factor authentication – Multi-factor authentication (MFA) is key to preventing an attacker with compromised credentials from accessing enterprise systems. Whether for backup data, business critical workloads or even email inboxes, it has to be applied to all user accounts to be effective.

Least privilege access – With fine-grained role-based access control (RBAC), administrators should assign the least privilege level that a user needs to perform their role. This greatly limits exposure when an attacker compromises credentials as they will only grant access to a limited number of systems.

Data encryption – This turns the main weapon of ransomware attackers (encryption) against them. A recent advance in the attacker toolkit is the threat of releasing exfiltrated data. By encrypting data-at-rest and in-transit, attackers won’t be able to leak or access the data they’ve stolen.

Secure protocols for third-party systems – No platform operates in a vacuum and integrations with third-party systems are an essential component of most new implementations. These integrations should communicate with each other only via secure channels such as HTTPS, SSH or API.

Create IP whitelists – Particularly for backup systems, the IP networks which can access the platform should be as limited as possible. This ensures access to only specific trusted networks and that users and devices outside the environment cannot log in and corrupt backups.

SSL-certificate security for user interface (UI) and APIs – Wherever applicable, signed TLS certificates must be used. These certificates authenticate the identity of web-based interfaces, enabling an encrypted connection over HTTPS to protect against man-in-the-middle attacks.

Secure service accounts – In order to reduce the lateral movement potential from an attacker, service accounts (rather than user accounts) should be created for applications that need to invoke APIs – particularly for the critical backup data platform. This is particularly important for automation tools and integrations that only require API access to the platform and each different application should have its own unique service account.

Scoped API roles with least privilege – Much like limiting privileges for user accounts, APIs must be scoped to grant access only as necessary and implemented in the least privileged manner. In this way, risks are minimised if a role were to be compromised – either directly, or via a software supply chain attack like the recent Solar Winds and Kaseya attacks.

With all these measures in place, you can be assured of your availability to rapidly recover even after the most severe ransomware attacks. In fact, we’re so confident in these measures we’ve recently announced a ransomware recovery warranty of up to USD$5 million for our Enterprise Edition customers who have the above measures in place.

Dale Heath is the sales engineering manager at Rubrik A/NZ.