Cybersecurity can feel like a continuous game of leapfrog — contending with insider threats, outsider threats and blunders that are inevitable in any organization.
“But the primary question that almost all organizations ask themselves when thinking about a cyber event is this: Can we recover?” said Aaron Lewis, Sales Engineering Director at Rubrik, The Zero Trust Data Security Company.
Key to answering that question is understanding that backup data is the last line of defense, Lewis said. Zero-trust principles are core to how Rubrik secures data, including encryption, ensuring secure communications and providing a holistic view of the data and operations.
“People need to start thinking about zero trust across their entire environment,” Lewis said. It’s common for agencies to start their zero-trust roadmap by focusing on identity. But they quickly realize that they need to evolve that discussion to include centralizing identity management, or replacing perimeter-based security with security at all points in the environment.
Asking the right questions helps to open that aperture and broaden agencies’ perspectives around zero trust. Here are some thoughts to keep in mind.
How solid is your recovery strategy?
Understanding whether and how quickly you can recover after an attack requires asking deeper questions.
- Is my data encrypted?
- Is access to data limited, based on roles and responsibilities?
- Is data air-gapped, or isolated from unsecured or other parts of the network?
- Is there a secure path to retrieve data after an event?
- Is data integrity ensured?
The ultimate goal is to support a smooth and timely recovery, to get employees back online and able to provide services to constituents, Lewis said.
What are your critical applications?
The president’s cybersecurity executive order underscores the need for agencies to safeguard the integrity of critical software and applications. “I think that scope has increased for many agencies,” Lewis said.
As agencies broaden that lens for identifying mission-critical apps, they must also consider how they manage and secure those apps using a zero-trust framework. For example, just because someone is inside the network and authenticated, that doesn’t mean they have unfettered access to every application on the network.
Rubrik’s investments in zero trust, made long before it became a security buzzword, have been vital for its partners, including governments like Durham, North Carolina.
City officials discovered a ransomware attack on a Saturday morning, and by Sunday evening Rubrik had core systems and services back online, Lewis said.
“The way that we’ve built zero trust in our platform has enabled us to be a standard within many agencies,” he said. “They rewrote some of the language around what air gapping and zero trust meant based on the way that we’ve implemented some things.”
Ultimately, zero trust is a journey. “It will always be something that needs to be evaluated and updated as it constantly evolves,” Lewis said.
This article is an excerpt from GovLoop’s guide “Why (Zero) Trust Matters at Work: And How to Foster It.”