Aug 01 2023

How Backup as a Service Fits with Agencies’ Adoption of Zero-Trust Security

Both aim to protect access to data, so why is BaaS often an afterthought?

Federal agencies’ interest in Backup as a Service has grown with the recognition that they need to recover quickly from ransomware attacks, which have increased over the past two years.

Once considered a state and local government and critical infrastructure problem, ransomware is giving federal cybersecurity professionals greater cause for fear following a Russian-backed Cl0p ransomware gang’s breach of the Department of Energy and several other agencies. More troubling: The gang was content to delete the data it stole rather than use it for extortion, indicating the attack’s motives were political espionage and disruption of the public and private sectors.

Both the zero-trust security architectures agencies are required to implement and BaaS platforms aim to protect access to data and services, which is why the latter shouldn’t be the afterthought it often is for the federal government.

“A year ago, [BaaS] wasn’t very widely demanded,” says Kevin Youngquist, vice president of public sector at Veritas. “Now, what we're seeing is a pivot to saying, ‘Okay, we've adopted principles of zero trust, but we need help not only protecting the data but also optimizing it, no matter where it lies.”

BaaS Sidebar


BaaS Underpins the Federal Zero-Trust Security Requirement

Agencies continue to migrate to the cloud seeking greater operational efficiency, but underlying that efficiency is data readiness, which is contingent upon agencies having a comprehensive data protection solution in place, says Richard Breakiron, senior director of strategic initiatives for Americas public sector at Commvault Systems.

Major cloud service providers such as Microsoft and Amazon Web Services offer agencies backup tools, but less well known is the fact vendors such as Commvault back up key and even classified workloads for those companies.

The government mandates the Department of Defense and other agencies have backup systems in place in the event of a cyberattack, system failure or natural disaster, but the cost is often seen as a “boat anchor,” Breakiron says. Historically, DOD has prioritized new weapon systems and operational capabilities over backing up existing ones.

“In the past 10 years, it became very apparent — across both industry and federal government — that that is a failed strategy,” Breakiron says. “If you cannot recover from a ransomware attack or classified spillage, if you do not have a system in place beforehand, you will have mission failure.”

LEARN MORE: Why zero-trust architectures should include data protection and cyber recovery.

BaaS underpins the federal zero-trust security architecture requirement because data is a pillar of the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model, he adds.

Commvault backup and disaster recovery systems alerted Colorado’s CIO to a new server coming online and accumulating data in February 2018. The server was quarantined, and when the state’s data team revealed they hadn’t stood it up, it became clear they were in the first stage of a ransomware attack.

In that instance, BaaS functioned as an automated alert system, thanks to basic artificial intelligence and machine learning.

“Is that a cyber tool? Maybe not in some people’s minds,” Breakiron says. “But in my mind, it is because it recognized a cyber event that was occurring up front, gave necessary alerts and prevented the attack from happening.”

Click the banner below to learn how Backup as a Service boosts data protection.

Agencies Need Air-Gapped, Immutable, Easily Restored Backups

BaaS makes it easier for agencies to move on-premises data to the cloud and manage the resulting hybrid, multicloud environments while also ensuring availability and rapid recovery from downtime. That’s why about half of Veritas’s installed base has transitioned to backing up workloads in public and private clouds in partnership with AWS, Microsoft, Google and other cloud service providers, Youngquist says.

Veritas introduced its BaaS model to bring more autonomous data protection to the market with patching, provisioning and storage tiering occurring automatically. All the company’s products are based on zero-trust security principles because the end goal is cyber resilience, Youngquist says.

“It's not good enough just to have a perimeter defense or even zero trust,” he adds. “Quite frankly, you have to be able to restore very quickly at scale.”

BaaS further takes advantage of AI, ML and anomaly detection capabilities to proactively limit critical data and resource access to authorized parties, in line with zero trust.

Not only should BaaS be hosted in the cloud, but agencies need the right credentialing systems and rule-based access control to govern who can access what data. That keeps backups air-gapped and immutable — impossible to delete, encrypt or change.

And while an employee manually monitoring backups might miss something, automation can help agencies identify data that’s not backed up.

Veritas is part of CISA’s expanded Joint Cyber Defense Collaborative, which found that some of the federal data deleted in the recent Cl0p ransomware gang attack wasn’t backed up anywhere due to information silos.

“Some of that data is lost, but luckily most of it you can get back,” Youngquist said. “It’s just a matter of how quickly can you bring it back online.”

Click the banner below to learn how Backup as a Service boosts data protection.

Richard Breakiron
That integrated, enterprise approach to data protection is also where the focus of zero trust is.”

Richard Breakiron Senior Director of Strategic Initiatives for Americas Public Sector, Commvault Systems

Prioritize an Integrated, Enterprise Approach to Data Protection

While agencies often lack personnel with the necessary cloud skills, the federal Cloud Smart strategy emphasizes partnerships with managed service providers whose systems integrate with cloud data protection services. These services help identify hard-to-detect anomalies faster.

For this reason, the first step an agency should take when adopting BaaS is to conduct market research into capabilities and how they interact with the agency’s IT environment, focusing on platforms with zero-trust security built in for microsegmentation, device control and automation, Youngquist says.

Some services aim to generate storage consumption, but agencies need services that deduplicate data to reduce their footprint while also indexing and tagging it, Breakiron says. That way, agencies pulling data back can target only what they need and reduce egress charges.

Very few platforms can handle granular removal of a classified document, such as when a classified email accidentally lands in an unclassified space.

“That integrated, enterprise approach to data protection is also where the focus of zero trust is,” Breakiron says. “You have to have that end-to-end view where, as data is created, it’s immediately secured, protected, managed, tagged and inventoried in a way that you don't lose track of it — and oh, by the way, it's automated, and you have easy-to-use interfaces.”

Image by Staff Artist

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.