How to achieve a zero-trust security model in Zmanda Pro.
How to Enable
To enable Zero-Trust Encryption, the Allow administrator to reset password parameter must be toggled Off on the UI. Then click Save changes. Once this setting is turned off, it cannot be turned back on*. You can enable this manually for each user, or via a Policy.
*except by using the backup user's password on the device associated with that user. Contact support@zmanda.com for more information.
More Information
With this setting disabled, administrators cannot access any backups (hence, the "Zero Trust"), nor can they reset the backup user's password if it's lost. The only way to reset the password is by providing the original password first. This ensures that only the backup user who knows the original password can access the data.
If the password is lost, the data becomes unrecoverable. Thus, it's important to exercise caution when using this option and ensure that passwords for each backup user are securely stored in an external password management system.
Compatibility with Auto-Onboarding
Auto-onboarding is a convenient tool used to automatically onboard hundreds of devices at a time.
You cannot use auto-onboarding if you have Zero-Trust configured since it relies on generating a random password for each device. Because the password is randomly generated, neither the admin nor the end-user will know what it is, although the administrator may reset it if needed.
However, with Allow administrator to reset password set to Off, the admin cannot reset the password, and since the password is random and unknown, data recovery becomes impossible. Therefore, we recommend automatically onboarding devices with Password Recovery enabled.
Once devices are onboarded, the admin can manually reset each device's password from the UI to a strong, known password, which should be securely stored in a password management system. Subsequently, the admin can then enable Zero Trust Encryption by toggling Allow administrator to reset password to Off from the UI, which disables Password Recovery.