Understanding Zero Trust Data Resilience (ZTDR)

Key Takeaways:

• Zero Trust Data Resilience applies Zero Trust principles directly to backup environments, closing a critical gap in many security strategies.
• Separating backup software from backup storage reduces attack surfaces and limits the blast radius of potential breaches.
• Multiple resilience zones following the 3‑2‑1 rule ensure data availability, even if one location is compromised.
• Immutability and encryption protect backup integrity and confidentiality, making data safe from tampering, deletion, and unauthorized access.
• Extending Zero Trust to backups strengthens cyber resilience and ensures faster, more secure recovery after an incident.

Why Zero Trust?

With users, devices, and data spread across countless networks, the old “secure perimeter” model no longer works. No connection can be assumed safe, so every access request must be verified. Zero Trust replaces blind trust with explicit validation, ensuring only the right users, devices, and workloads get the right access at the right time.

Traditional tools like virtual private networks (VPNs) were designed to extend the secure perimeter, but in a Zero Trust world, they’re only part of the picture and far from foolproof.

VPNs offer some protection, allowing users outside of the secure perimeter to access data by building a secure tunnel from their system into the secure perimeter. That said, VPNs are not perfect. Beyond basic usability challenges, they still offer a variety of paths for attackers to breach the perimeter. The more distributed users and sites leveraging VPNs, the higher the risk.

The Zero Trust model grew from recognizing that creating fully secure perimeter networks is simply not possible, and therefore, security must evolve to be more explicit. This new model states that, rather than assuming that specific networks are secure, users should assume that all networks are insecure. This is called “assume breach.”  Effectively, this means that you should have “Zero Trust” that a connection coming from any network endpoint is a valid one without taking additional validation steps.

This validation can come in various methods and implementations, but should generally follow these core Zero Trust principles:

1. Least-privilege access: Access is restricted to what’s essential at the right time and with just enough access. This prevents lateral movement and unauthorized access to other network parts.
2. Verify explicitly: Departing from traditional “trust but verify” methods, this principle focuses on always authenticating and authorizing by using available information like user identity, location, devices, workload, data, etc.
3. Assume breach: Operating under the assumption that breaches will happen, Zero Trust prioritizes detection, response, and rapid recovery to minimize the impact of security breaches and the subsequent blast radius.

What is Zero Trust Data Resilience?

Zero Trust Data Resilience applies Zero Trust security principles directly to an organization’s backup environment, which is a critical area often overlooked in traditional Zero Trust strategies. It assumes that every network and connection could be compromised, and builds safeguards to protect backup data from ransomware, insider threats, and accidental deletion. Veeam’s Zero Trust Data Resilience approach separates backup software from storage, creates multiple resilience zones, and enforces immutability and encryption, ensuring backups remain secure, accessible, and ready for recovery in any scenario.

Core Principles of Zero Trust Data Resilience

1. Separate Backup Software and Backup Storage With Segmentation and Air Gapping

A key principle of ZTDR is ensuring that backup software and backup storage are separate. These separations ensure that, in the case you lose software with your backup vendor, this won’t mean a loss of data for your entire organization. By separating backup management systems and backup repositories onto different networks, threat actors will have minimal access or connection to both networks, making it much harder to compromise all locations at one single time.

Additionally, strong controls should be placed around accessing these segregated networks to ensure that only authorized users can access what they need when they need to. This helps reduce attack surfaces for all networks and their components.

Air-gapping provides an additional layer of protection by separating a backup data copy either logically or physically. Common ways to implement air-gapping includes leveraging true, physical isolation (like with rotated media or tape) or by using logical air-gapping techniques such as storage-level replication of immutable snapshots. This can also include automated methods for isolating network access to backup storage outside the backup window.

Segmentation and air-gapping are both critical components to helping your organization maintain availability for authorized users while reducing the risk to confidentiality and integrity by keeping the blast radius extremely limited should one part of the environment be compromised. However, it is key to note that relying purely on credentials or separate network paths should not be your only layer of protection.

2. Establishing Multiple Resilience Zones

Within the data protection industry, the 3-2-1 rule is one that reigns above all and serves as a critical foundation to any organization’s data protection strategy. This rule focuses on maintaining multiple copies of your organization’s data to ensure you can recover quickly and securely. Here’s a breakdown:

3: Maintain three copies of your data: This includes the original data and at least two copies.

2: Use two different types of media for storage: Store your data on two distinct forms of media to enhance redundancy.

1: Keep at least one copy off-site: To ensure data safety, have one backup copy stored in an off-site location, separate from your primary data and on-site backups.

By spreading your data across multiple resilience zones, you can prevent a full loss of your organization’s data. Even if you were to lose one zone, that wouldn’t mean losing everything.

3. Immutable and Encrypted Backup Storage

The final core principle of ZTDR is immutability and encryption. Backups are only good if you can restore them when needed, so the integrity of your data should be made a priority for your data protection and backup admins.

Immutability means that something that was once written is now unable to be altered or deleted. Specific to data protection, immutability means backups can only be deleted once a set period of time has expired, and is therefore safe from potential changes, including accidental and intentional deletion. Immutability should be implemented across all resilience zones regardless of where data is stored, including primary backup, secondary backup, cloud, tape, etc.

Any repository that’s critical in an incident response and recovery plan should implement immutability. It’s important to note that destruction or malicious encryption of data also makes data unavailable, and immutability can help ensure the availability of your backup data as well.

Immutability and air gapping doesn’t protect confidentiality, however. Fortunately, encryption is a double-edged sword that makes data unreadable by anyone without the key, which locks cybercriminals out of backups. This greatly reduces the risk of data exfiltration, espionage, and reconnaissance.

An important element of encryption for cybersecurity programs is the use of centralized key management systems (KMS). Utilizing a KMS to encrypt Veeam backups is a simple implementation task that allows security team to manage and protect the keys that will allow users to decrypt backup data.

Encryption should be applied everywhere, since accessing any single copy is enough to cause a data leak. However, encryption doesn’t prevent destruction or another layer of encryption, so it can’t help to ensure integrity and availability. By implementing both immutability and encryption on top of an air-gapped implementation, customers can take a layered approach to achieving the CIA Triad.

Achieving Zero Trust Data Resilience With Veeam

Zero Trust is foundational to any organization’s cyber resilience strategy. However, to have a stronger, robust defense, it’s critical that you extend these principles to an organization’s backup system and environment. Without implementing Zero Trust Data Resilience, your security strategy is incomplete and puts the ability to recovery and respond securely and quickly at risk.

To better understand Veeam’s approach to ZTDR, check out the Research Brief and whitepaper for additional information and insights.

Related Content

Zero Trust Data Resilience Whitepaper

Zero Trust Data Resilience Research Brief

New Zero Trust Data Resilience Model Introduced by IT Security and Data Protection Experts

FAQs

How is Zero Trust Data Resilience different from Zero Trust Security?

Zero Trust Security focuses on controlling and verifying access across an organization’s networks, applications, and endpoints by assuming all connections could be compromised. Zero Trust Data Resilience extends these principles specifically to backup environments. It adds controls like separating backup software from storage, creating multiple resilience zones, and implementing immutability and encryption.

What role does immutability play in Zero Trust Data Resilience?

In Zero Trust Data Resilience, immutability ensures that backup data cannot be altered or deleted for a defined retention period. This protects the integrity and availability of backups, even if a breach occurs.

How does Zero Trust Data Resilience align with compliance frameworks?

Zero Trust Data Resilience supports compliance by safeguarding backup data against tampering, unauthorized access, and premature deletion. Features like immutable storage, encryption, and multiple resilience zones help meet regulatory requirements for data retention, integrity, and confidentiality. Such measures align with industry standards and frameworks that mandate secure, verifiable, and recoverable backups.

How do air‑gapping and segmentation strengthen Zero Trust Data Resilience?

Air‑gapping in Zero Trust Data Resilience isolates backup data from production systems, either physically or logically, making it inaccessible to attackers who breach the network. Segmentation separates backup software and backup storage onto different networks, reducing the attack surface and limiting the blast radius if one environment is compromised.

What are the core principles of Zero Trust Data Resilience?

The core principles of Zero Trust Data Resilience include:

• Separation of backup software and storage to reduce attack surfaces.
• Multiple resilience zones following the 3‑2‑1 backup rule for redundancy.
• Immutable and encrypted backup storage to protect data integrity and confidentiality.

These principles extend Zero Trust concepts directly to backup environments, ensuring that data remains protected, accessible, and recoverable regardless of the threat landscape.