President Biden’s cybersecurity executive order is clear as day: Zero Trust Architecture and modernized infrastructure are the key to protecting the nation’s data against the rampant threat landscape. We’ve seen the devastating effects firsthand, with a ransomware attack disrupting gasoline distribution and causing outages and increased prices across the United States. It’s a global problem, and the statistics show it growing month over month compared with last year (see https://www.blackfog.com/the-state-of-ransomware-in-2021/).
In this blog post, I’ll explain why Zero Trust is important, what it is and how to harden your infrastructure by adopting Zero Trust principles using Commvault and Metallic.
What is Zero Trust?
Zero Trust is not a singular technology or feature. Zero Trust is a collection of design principles for IT infrastructure that enforces a “trust no one; always validate trust” approach to data access.
A great way to visualize Zero Trust Architecture is to think of home security. Around the perimeter of your house, you have cameras, locks, window sensors, and a fence. Essentially all your belongings are safe inside the perimeter of the house. However, if you have friends and acquaintances over for coffee, you have authorized entry into your home – at that point, your personal belongings are accessible and at risk of theft.
The above example perfectly illustrates a traditional approach to security – wherein firewalls provide perimeter security (keep the bad guys out) and user permissions control access. Once a bad actor gets in and gains access to privileged credentials (which they do) – they often go unchallenged while laterally moving through the environment doing damage.
With a Zero Trust approach, privileged access is continuously challenged, limiting a malicious actor’s ability to move and operate effectively. Going back to the house example: even though I am authorized inside the house, combination safes, interior door locks, and internal cameras provide multiple layers of scrutiny and validation. So, although I have been let into the house, I must continue to validate myself, by giving the combination to the safe or producing the keys to the bedroom doors, if I attempt to move around the house.
Key principles of Zero Trust
National Institute of Standards and Technology (NIST) SP 800-207 is the definitive reference guide for Zero Trust Architecture (ZTA). Many of the principles outlined within the NIST publication have been implemented as features and best practices, allowing the Commvault platform to be fully deployed in a Zero Trust architecture. Additionally, Metallic™ Data Management as a Service (DMaaS) is completely architected in the cloud using Zero Trust principles from the ground up. A few key principles outlined by NIST are least privilege access, multi-factor authentication, and micro-segmentation. Let’s explore these further.
Least privilege access – NIST SP 800-207 Section 2.1
The concept of least privilege access provides users and/or accounts with the bare minimum capabilities needed to do their job and nothing more. This minimizes exposure if the account is compromised and limits data leakage. Commvault can lock down backup data using role-based access controls and special data privacy locks. It is easy to limit users to specialized capabilities such as restore-only or view-only. You can additionally restrict browse/restore access to data owners only, superseding any global-level admin capabilities. Integration with Privileged Access Management (PAM) platforms like CyberArk® further improves security posture through policy-driven account management, credential rotation, and privileged session management.
Multi-Factor Authentication – NIST SP 800-207 Section 2.1
Multi-Factor Authentication (MFA) is another key Zero Trust concept. Since trust needs to be continuously validated, MFA provides an additional layer of validation for every authentication request, making it difficult for a threat actor to gain access to data. Commvault and Metallic BaaS support modern implementations of MFA through their SAML-based authentication framework. Using Azure AD, ADFS, Okta, or another IdP, Commvault allows customers to deploy PIN-based MFA tools and hardware authenticators to control access to backup data.
On-premises deployments using AD or local accounts have integrated two-factor authentication (2FA), allowing organizations to use any PIN-generating application based on the Time-based One-Time Password (TOTP) algorithm specified in RFC 6238, such as Google Authenticator, Microsoft Authenticator, and many others.
According to the NIST Digital Identity Guidelines (NIST SP 800-63), cross-referenced in the ZTA publication, hardware authenticators offer one of the highest standards for MFA, providing Authenticator Assurance Level 3 (AAL3). This includes MFA technologies built on modern specifications such as FIDO/FIDO2. Commvault is fully integrated with FIDO/FIDO2 MFA devices, such as Yubico’s YubiKey, as well as PKI-based Common Access Cards. This maximizes protection against illegitimate authentication attempts and future-proofs your data protection environment.
Once authenticated into the management interface, the command authorization framework validates actions within the management interface. Regardless of the user’s role, any deletion, restore, or configuration request requires authorization from an approval authority. This protects against insider threats, both malicious and accidental, and keeps data safe from destructive actions.
Micro-segmentation – NIST SP 800-207 Section 3.1.2
Micro-segmentation is another key Zero Trust principle. Micro-segmentation is the technique of separating resources both logically and physically so that access is tightly restricted and controlled.
On-premises setups can use network segmentation techniques to isolate and air gap storage targets within the network. Once the network architecture is segmented, apply Commvault Network Topologies to block inbound connections to the storage target and automate allow-list policies that permit only outbound, authenticated connections to pull data into the secure data vault. Many of our customers also choose to segment data in the cloud, taking advantage of the WORM storage controls offered by the cloud vendor.
Metallic Cloud Storage Service (MCSS) provides an even simpler air gap approach requiring no infrastructure change. MCSS is a cloud storage target managed through Metallic, offering offsite, secure air gapped data protection capabilities for the Commvault platform. Data protected in MCSS is unchangeable and cannot be accessed or exposed on the backend cloud account. The data is protected in Metallic’s zero trust architected environment. This provides an easy method to segment and separate data from an on-premises environment.
In addition to physical segmentation, data management can also be logically segmented. Using multi-tenancy controls, access to data is segmented and compartmentalized, reducing potential data exposure.
Encryption key management can also be segmented across several KMS systems, such as AWS Key Management Service, Azure Key Vault, and any of many certified KMIP providers, providing greater protection against unauthorized data access.
Metallic DMaaS Architecture
For a fully Zero Trust managed platform, look no further than Metallic. Metallic is a multi-tenant SaaS platform with built-in segregation between tenants. Customer data is wholly isolated and stored in separate locations, creating a virtual air gap between source environments and backup data copies. Hardened security and Zero Trust access controls, including multi-factor authentication, role-based access, advanced data encryption, and privacy locks, prohibit unauthorized access to and lateral movement of data. Metallic also meets the industry’s most stringent security standards, maintaining HIPAA, ISO 27001, GDPR, and SOC 2 compliance, and is the only SaaS data protection offering to achieve the FedRAMP High standard.
As you can see, whether you build an on-premises Commvault solution, use Metallic DMaaS, or any combination of the above, the Commvault platform is secured using Zero Trust Architecture principles.
Learn more by attending the upcoming Commvault webinar “Going beyond Zero Trust” on March 23rd.