{"id":14848,"date":"2025-09-24T11:09:50","date_gmt":"2025-09-24T11:09:50","guid":{"rendered":"https:\/\/newestek.com\/?p=14848"},"modified":"2025-09-24T11:09:50","modified_gmt":"2025-09-24T11:09:50","slug":"what-i-learned-extending-zero-trust-to-the-storage-layer","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14848","title":{"rendered":"What I learned extending zero trust to the storage layer"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>When I first started thinking seriously about applying zero trust principles to the storage layer, it wasn\u2019t because of some white paper or vendor presentation. It was because of what I saw happen during a ransomware incident that still keeps me up at night. The attackers didn\u2019t just target production systems; they also went after backups. At that moment, I realized we\u2019d been fooling ourselves about what true resilience looked like.<\/p>\n<p>That gut-punch experience taught me something crucial: if your storage layer isn\u2019t zero trust-ready, everything else you\u2019ve built is standing on quicksand. This isn\u2019t theoretical anymore. Let\u2019s look at what happened to Change Healthcare in February 2024. The attackers didn\u2019t stop with encrypting their data; they also systematically destroyed the organization\u2019s ability to recover by targeting backups that weren\u2019t properly isolated. Months of chaos. Billions in losses. All because storage was treated as a trusted afterthought.<\/p>\n<p>The numbers can be scary. 
Ransomware attacks continue to <a href=\"https:\/\/www.hipaajournal.com\/ransomware-attack-surge-continues-in-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">get more frequent and more devastating<\/a>. We\u2019re not just dealing with more attacks \u2014 we\u2019re dealing with smarter ones. Today\u2019s ransomware isn\u2019t content to just encrypt your files. Strains like Qilin are purpose-built to hunt down and destroy your backups. Dire Wolf goes even further, making restoration technically impossible. Criminals have industrialized their approach with <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/ransomware-as-a-service-raas\" target=\"_blank\" rel=\"noreferrer noopener\">Ransomware-as-a-Service<\/a> platforms, such as <a href=\"https:\/\/www.checkpoint.com\/cyber-hub\/threat-prevention\/ransomware\/medusa-ransomware-group\/\" target=\"_blank\" rel=\"noreferrer noopener\">Medusa<\/a>, and are specifically targeting the one thing we\u2019ve always counted on: our ability to recover.<\/p>\n<h2 class=\"wp-block-heading\" id=\"why-storage-remains-our-achilles-heel\">Why storage remains our Achilles\u2019 heel<\/h2>\n<p>After years of helping organizations implement zero trust for networks, identities and applications, I consistently observe the same pattern: storage is often overlooked. Every. Single. Time.<\/p>\n<p>I\u2019ve identified three reasons this keeps happening:<\/p>\n<ol class=\"wp-block-list\">\n<li><strong>Storage feels invisible.<\/strong> Most teams view it as \u201cback-end infrastructure\u201d; something passive that simply sits there. 
However, the reality is that <a href=\"https:\/\/attack.mitre.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE ATT&amp;CK techniques<\/a> such as <a href=\"https:\/\/attack.mitre.org\/techniques\/T1485\/\" target=\"_blank\" rel=\"noreferrer noopener\">T1485 (Data Destruction)<\/a> and <a href=\"https:\/\/attack.mitre.org\/techniques\/T1490\/\" target=\"_blank\" rel=\"noreferrer noopener\">T1490 (Inhibit System Recovery)<\/a> are specifically targeted at storage. Attackers know exactly where to hit us, and we\u2019re still thinking of storage as scenery instead of a battlefield.<\/li>\n<li><strong>It\u2019s genuinely complex.<\/strong> Try enforcing consistent policies across multiple cloud providers, regions and on-premises systems. I\u2019ve seen teams spend months just mapping their storage footprint, let alone securing it.<\/li>\n<li><strong>We inherited bad assumptions.<\/strong> For years, we\u2019ve treated data as \u201ctrusted\u201d simply because the application accessing it was secure. But what happens when an attacker bypasses the application entirely and goes straight to the storage APIs? Game over.<\/li>\n<\/ol>\n<h2 class=\"wp-block-heading\" id=\"3-principles-that-actually-work\">3 principles that actually work<\/h2>\n<p>After implementing storage-layer zero trust across multiple organizations, I realized the importance of framing this challenge around three leadership principles to ensure strategic outcomes are understood by executives.<\/p>\n<h3 class=\"wp-block-heading\" id=\"1-control-where-data-can-be-touched\">1. Control where data can be touched<\/h3>\n<p>Perimeter controls for storage require setting clear policy boundaries so that only trusted networks and environments can use storage APIs, rather than relying on a single firewall.<\/p>\n<p>In one rollout I led, we used network boundaries to prevent cross-project sprawl in a multi-tenant cloud environment. 
The result was immediate: even with valid credentials, an attacker outside the perimeter had no pathway to sensitive datasets.<\/p>\n<p>The important lesson here? Make \u201cdeny by default\u201d the organizational norm, and treat every exception request as a risk decision.<\/p>\n<h3 class=\"wp-block-heading\" id=\"2-control-who-can-touch-it-and-when\">2. Control who can touch it and when<\/h3>\n<p>Identity and Access Management (IAM) for storage needs to go beyond static role assignments. That means:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Least privilege:<\/strong> Only the permissions needed, for only as long as they\u2019re needed.<\/li>\n<li><strong>Separation of duties:<\/strong> Different people control access rights and retention settings.<\/li>\n<li><strong>Just-in-time access:<\/strong> Privileges granted for a specific task, then revoked automatically.<\/li>\n<\/ul>\n<p>This shift was tough \u2014 developers feared losing speed and operations disliked the added approval steps. But tying JIT to clear privilege and audit reductions drove adoption.<\/p>\n<h3 class=\"wp-block-heading\" id=\"3-make-some-data-untouchable\">3. Make some data untouchable<\/h3>\n<p>Write-once-read-many (WORM) immutability isn\u2019t just a compliance checkbox; it\u2019s a strategic safeguard. Once applied, a retention lock ensures that even privileged insiders can\u2019t alter or delete protected data until the lock expires.<\/p>\n<p>I\u2019ve seen the difference this makes. In a simulation, an \u201cattacker\u201d with administrative credentials was able to wipe entire datasets except for the immutable backups. 
That was the difference between a full-blown crisis and a quick recovery.<\/p>\n<p>For leaders, the takeaway is clear: immutability buys you <em>time and certainty<\/em>, which are the two things you\u2019ll want most in the middle of an incident.<\/p>\n<h2 class=\"wp-block-heading\" id=\"when-storage-wasnt-ready-real-world-lessons\">When storage wasn\u2019t ready: Real-world lessons<\/h2>\n<p>Every major breach teaches us something. These attacks all share one terrifying commonality \u2014 the attackers targeted recovery points as aggressively as primary systems.<\/p>\n<p><a href=\"https:\/\/www.sipa.columbia.edu\/sites\/default\/files\/2022-11\/NotPetya%20Final.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Maersk (2017)<\/a> got lucky in the worst possible way. When NotPetya wiped out their global infrastructure, including domain controller backups, the only surviving data came from a single server in Ghana that had been offline due to a power outage. One power outage. That\u2019s what stood between a shipping giant and complete digital annihilation.<\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/JBS_S.A._ransomware_attack\" target=\"_blank\" rel=\"noreferrer noopener\">JBS Foods (2021)<\/a> had backups that survived the REvil attack. They still paid an $11 million ransom. Why? Because recovery would have taken longer than their business could survive. Having backups isn\u2019t enough \u2014 you need recovery that\u2019s fast enough to keep your business alive.<\/p>\n<p><a href=\"https:\/\/www.bitdefender.com\/en-us\/blog\/hotforsecurity\/sweden-scrambles-after-ransomware-attack-puts-sensitive-worker-data-at-risk\" target=\"_blank\" rel=\"noreferrer noopener\">Milj\u00f6data (2025)<\/a> illustrates the evolution of supply chain attacks. One Swedish IT provider was hit, and suddenly, 200 municipalities were unable to process payroll. 
If your critical vendors aren\u2019t following zero trust principles for storage, their vulnerabilities become your vulnerabilities as well.<\/p>\n<p><a href=\"https:\/\/www.hipaajournal.com\/davita-ransomware-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">DaVita (2025)<\/a> faced the double-extortion nightmare \u2014 1.5 TB of patient data stolen and systems encrypted. The Interlock group demanded ransom for both threats. A comprehensive zero-trust architecture directly counters this: perimeter controls make data exfiltration harder to achieve undetected, while immutable backups remove the leverage from encryption-based demands.<\/p>\n<h2 class=\"wp-block-heading\" id=\"looking-through-the-governance-lens\">Looking through the governance lens<\/h2>\n<p>When I present these principles to executive teams, I focus on three clear outcomes for leaders: risk reduction, resilience and compliance. Executives should ensure the attack surface at the data layer is shrinking, that recovery points will survive if upstream defenses fail, and that retention and access policies are mapped to key regulations, such as SEC 17a-4(f) or HIPAA.<\/p>\n<p>Policy as code has been a game-changer here \u2014 not because it\u2019s \u201cDevOps-cool,\u201d but because it provides leaders with an auditable and reviewable change history for every critical control. For the board, this means we can answer questions like, \u201cHow do you know the backups are locked?\u201d by pointing directly to the policy commit log, demonstrating transparency and accountability.<\/p>\n<h2 class=\"wp-block-heading\" id=\"lessons-from-the-trenches\">Lessons from the trenches<\/h2>\n<p>Extending zero trust to storage isn\u2019t a weekend project. 
Here\u2019s what I wish someone had told me before I started:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Expect pushback about speed and complexity.<\/strong> Automation, straightforward exception workflows and metrics can demonstrate that risk reduction needn\u2019t harm productivity.<\/li>\n<li><strong>Simulations matter more than you think.<\/strong> Running a ransomware tabletop without testing your storage recovery is like conducting a fire drill without verifying that the exits are functional. You don\u2019t know if your strategy holds up until you test it under pressure.<\/li>\n<li><strong>Finance leaders can become your biggest allies.<\/strong> I learned to bring CFOs into the design process early. Once they understood how retention policies translated into recovery assurance and protection against multi-million-dollar ransom payments, they became champions for funding.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"the-hard-question\">The hard question<\/h2>\n<p>If you\u2019re responsible for your organization\u2019s cyber resilience, ask yourself this: If an attacker had valid credentials and network access right now, could they compromise your recovery points?<\/p>\n<p>If you answered \u201cyes\u201d or \u201cI\u2019m not sure,\u201d then your zero-trust strategy is incomplete.<\/p>\n<p>Don\u2019t wait until attackers are inside to find storage gaps. Zero trust for storage is a business imperative for survival, not just a technical upgrade.<\/p>\n<p>We need to stop treating storage as invisible infrastructure and start treating it as the active attack surface it really is. 
Because when everything else fails, the speed and certainty of your recovery will be the only thing standing between your organization and catastrophe.<\/p>\n<p><strong>This article is published as part of the Foundry Expert Contributor Network.<\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>When I first started thinking seriously about applying zero trust principles to the storage layer, it wasn\u2019t because of some white paper or vendor presentation. It was because of what I saw happen during a ransomware incident that still keeps me up at night. The attackers didn\u2019t just target production systems; they also went after backups. At that moment, I realized we\u2019d been fooling ourselves&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14848","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14848","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14848"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14848\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}