---
title: "Assume Breach: The Design Principle That Changes Your Architecture"
date: 2026-05-21T13:20:00+02:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/assume-breach-das-designprinzip-das-ihre-architektur-verändert"
section: "Entries: Articles"
---
### What “Assume Breach” Means

“Assume Breach” means: **build your architecture as if your network is already compromised.**

This has concrete consequences:

1. **You cannot rely on perimeter security.** A firewall is not enough.
2. **You cannot rely on authentication at login.** A hijacked account can be anywhere.
3. **You cannot rely on backups in your production network.** If the network is compromised, network-attached backups are too.
4. **You cannot assume recovery works automatically.** A restored server placed into a compromised network just brings the attacker back.

### The Architecture Consequences

#### 1. Zero Trust Architecture

Traditional network security works like this: everything outside is malicious, everything inside is trusted.

Zero Trust reverses the model: everything is potentially compromised. Every access is verified:

- An employee logs in with a laptop: password plus MFA
- The laptop attempts to access a file server: device certificate is checked
- Every network connection is inspected
- Admin access to a server: time-limited credentials, not permanently valid

This adds complexity and some performance overhead. But it means: even if an endpoint is compromised, the attacker cannot move laterally with ease.

#### 2. Micro-Segmentation

The network is divided into zones that are isolated from each other:

- **Zone 1 (User Zone):** Standard workstations, laptops. Highest attack risk.
- **Zone 2 (Application Zone):** Servers that communicate with Zone 1, but Zone 1 cannot reach Zone 2 freely, only via defined services.
- **Zone 3 (Data Zone):** File servers, databases, critical assets. Reachable only from authorized systems in Zone 2. Zone 1 has no direct access.
- **Zone 4 (Admin Zone):** Separate infrastructure for admin activities. No user workstations. Separate admin identities.

The idea: if an attacker compromises Zone 1, they cannot simply jump to Zone 3. They would have to breach every zone.
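The zone model above as an added example (not from the original article and not a FAST LTA configuration): a default-deny allow-list of flows between the four zones, plus a breadth-first search that counts how many zone boundaries an attacker holding one zone must compromise to reach another. Zone names, services and the sample rules are assumptions for this illustration; the `FLAT` policy shows the contrast with an unsegmented network.

```python
"""Four-zone segmentation from the article as a default-deny allow-list, with a
reachability check. Zone names, services and rules are constructed for this example."""
from collections import deque

USER, APP, DATA, ADMIN = "user", "app", "data", "admin"
ZONES = (USER, APP, DATA, ADMIN)

# Allowed flows as (source zone, destination zone, service); everything else is denied.
POLICY = {
    (USER, APP, "https"),   # workstations reach applications only via the published service
    (APP, DATA, "db"),      # application servers query the data zone
    (APP, DATA, "smb"),     # and read/write the file server
    (ADMIN, APP, "ssh"),    # admin activity originates only in the admin zone
    (ADMIN, DATA, "ssh"),
}
# An unsegmented network for comparison: every zone talks to every other.
FLAT = {(s, d, "any") for s in ZONES for d in ZONES if s != d}

def allowed(src, dst, service, policy=POLICY):
    """Policy decision for one flow; traffic inside a zone is not filtered here."""
    return src == dst or (src, dst, service) in policy

def lateral_path(start, target, policy=POLICY):
    """Shortest chain of zones an attacker holding `start` must compromise to reach
    `target` over allowed flows (breadth-first search); None if no chain exists."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = prev[zone]
            return path[::-1]
        for src, dst, _service in policy:
            if src == zone and dst not in prev:
                prev[dst] = zone
                queue.append(dst)
    return None

def zones_to_breach(start, target, policy=POLICY):
    """Zone boundaries between start and target: 1 means a direct hop, None means unreachable."""
    path = lateral_path(start, target, policy)
    return None if path is None else len(path) - 1

if __name__ == "__main__":
    print("user -> data:", lateral_path(USER, DATA), "flat:", lateral_path(USER, DATA, FLAT))
    print("user -> admin:", lateral_path(USER, ADMIN))
```

Extending the policy with real rule sets turns this into a quick audit of whether a proposed segmentation actually removes the direct user-to-data path.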

#### 3. Air Gap

This is the last line of defense: **backup infrastructure that is separated from the production network.**

An air gap backup works like this:

1. Daily backups are stored in Tier 1 (online).
2. On a defined schedule, a copy is written to air-gapped secondary storage and then disconnected. With the Silent Brick System, SB Pro achieves this with bricks that are physically removable from the Controller X (a physical air gap); SB Max Air achieves it through galvanic separation, with no physical removal needed.
3. The isolated copy is unreachable for an attacker operating in the production network.
4. When ransomware compromises the production network, Tier 1 backups are likely compromised too. The air gap copy is not.

This is not a theoretical defense. It is practical insurance, and it addresses exactly what attackers do: Veeam’s 2025 data shows backup repositories were targeted in 89% of ransomware attacks.

#### 4. Segregated Admin Contexts

A classic mistake: an admin has a universal admin account that works everywhere. Production, backups, recovery systems: one account, full access.

Assume Breach means: admin accounts are specialized.

- **File server admin:** can only administer file servers.
- **Database admin:** can only administer databases.
- **Backup admin:** can only administer backup systems, with credentials that exist nowhere in production.

If one admin account is compromised, the entire IT infrastructure is not exposed. Only one part.

### How “Assume Breach” Changes Backup Architecture

This is crucial: **a traditional backup architecture fails against a compromised network.**

Traditional: backup server in the same network, synchronized daily with production.

Attacker’s view: “I compromise the file server today. The backup synchronizes tomorrow. I have 24 hours to delete the backup too.”

Assume Breach architecture: backup is organized in tiers.

- **Tier 1 (Online):** Deduplicating backup system, synchronized daily and automatically. Resilience against ransomware: weak, because an attacker with credentials can delete it.
- **Tier 2 (Air Gap):** Silent Brick System with physical (SB Pro) or galvanic (SB Max Air) separation, written on a schedule and then disconnected. Resilience: strong, because it is unreachable from the network.
- **Tier 3 (WORM):** Silent Cubes hardware WORM archive for long-term retention, written monthly or per archiving policy. Resilience: extremely strong, because immutability is enforced in hardware and cannot be bypassed with credentials.
- **Tier 4 (Geo):** An external copy at a second site for geographic redundancy. Resilience: strong against site-level disasters.

A competent attacker will destroy Tier 1. But they cannot reach Tier 2 (disconnected). And even if they obtained access to the archive, they cannot delete or alter Tier 3 (hardware-level WORM protection).

That is the architecture Assume Breach implements.
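The air gap workflow, the segregated backup admin credentials and the tiered model above, combined in one added example (not from the original article and not a model of any FAST LTA product): a day-by-day backup schedule is run up to an attack day, then an attacker holding production credentials tries to wipe each tier. Tier behaviour follows the article's description; the schedule, day numbers and role names are assumptions made for this illustration. Call `run_schedule(attack_day=40, attacker_roles={"prod_admin"})` to see Tier 1 lost while Tier 2 and Tier 3 survive.

```python
"""Tiered backup schedule from the article run against an attacker holding
production credentials. Tier behaviour follows the article's description; the
schedule, day numbers and role names are constructed for this example."""

class Tier:
    """A backup tier holding restore points keyed by backup day."""
    def __init__(self, name, admin_roles, air_gapped=False, worm=False):
        self.name, self.admin_roles = name, set(admin_roles)
        self.air_gapped, self.worm = air_gapped, worm
        self.connected = not air_gapped   # an air-gapped tier is offline between copies
        self.points = set()               # backup days with a usable restore point

    def write(self, day):
        """Take a copy. An air-gapped tier connects for the copy and disconnects after;
        that copy window is its only exposure and is modelled here as atomic."""
        self.connected = True
        self.points.add(day)
        self.connected = not self.air_gapped

    def delete(self, roles):
        """Wipe attempt with the given credentials; returns True if the tier was lost."""
        if self.worm:                           # hardware immutability: no credential helps
            return False
        if not self.connected:                  # air gap: there is no network path
            return False
        if not self.admin_roles & set(roles):   # segregated admin: wrong credentials
            return False
        self.points.clear()
        return True

def run_schedule(attack_day, attacker_roles):
    """Run the schedule up to attack_day, then let the attacker try to wipe each tier."""
    tiers = [
        Tier("Tier 1 online", {"prod_admin", "backup_admin"}),   # reachable with production creds
        Tier("Tier 2 air gap", {"backup_admin"}, air_gapped=True),
        Tier("Tier 3 WORM", set(), air_gapped=True, worm=True),
    ]
    for day in range(1, attack_day + 1):
        tiers[0].write(day)                     # daily online backup
        if day % 7 == 0: tiers[1].write(day)    # weekly air gap copy, then disconnected
        if day % 30 == 0: tiers[2].write(day)   # monthly WORM archive
    wiped = {t.name: t.delete(attacker_roles) for t in tiers}
    latest = {t.name: max(t.points, default=None) for t in tiers}
    return wiped, latest

def best_restore_point(latest):
    """Newest restore point that survived the attack, or None if every tier was wiped."""
    return max((d for d in latest.values() if d is not None), default=None)
```

The gap between the attack day and the best surviving restore point is the data loss the air gap schedule accepts; shortening the Tier 2 interval shrinks it at the cost of more copy windows.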

### Practical Implementation Steps

**Step 1: Audit.** Where are your critical assets? File servers, databases, email, Active Directory?

**Step 2: Plan segmentation.** Which zones do you need? Which systems belong where?

**Step 3: Redefine access.** Which systems are allowed to access which others? Where do you need strict controls?

**Step 4: Rebuild backup architecture.** Tier 1 online remains, but Tier 2 must be isolated from production credentials and the production network.

**Step 5: Build a recovery environment.** A zone where you can restore systems without touching production.

**Step 6: Test.** Not just theory. Practical recovery tests and penetration tests to verify whether segmentation and restore paths work.

This is not a weekend project. It is a 6 to 12 month initiative for a mid-sized organization. But it is the way to build ransomware resilience, and it maps directly onto what NIS2 (Directive (EU) 2022/2555) requires: risk management measures including backup management and disaster recovery, with management accountable for them.

### Frequently Asked Questions

**Is Assume Breach practical for small organizations?** Yes, it scales. An SMB with 50 users does not need the same complexity as a large enterprise. But the principles remain the same: segmented access, an isolated backup copy, a tested restore path.

**Does Assume Breach mean prevention is unimportant?** No. Assume Breach means: prevention is important, but not sufficient. You need both.

**Can Assume Breach be implemented with cloud?** Only partially, and cloud should not be the primary strategy. Cloud services offer less control over segmentation, and a continuously synchronized cloud copy is not an air gap. The isolated backup tier belongs on on-premises secondary storage under your own control; cloud can serve as a supplementary geo copy at most.

---

### Further Resources

- [IT Resilience Guide](/en/blog/it-resilienz-leitfaden/)
- [Isolated Recovery Environment](/en/blog/isolated-recovery-environment/)
- [Multi-Tier Backup Architecture](/en/blog/mehrstufige-backup-architektur/)
- [What Is an Air Gap?](/en/blog/was-ist-air-gap/)

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

### NIS2

The NIS2 Directive (EU 2022/2555) is an EU regulation that obliges essential and important entities to implement specific cybersecurity measures — including demonstrable backup management, crisis management and reporting obligations — with personal liability for management bodies in case of non-compliance.

[Learn more →](https://www.fast-lta.de//en/glossary/nis2)

### IT Resilience

IT resilience is the ability of an IT infrastructure to remain functional under adverse conditions — from cyber attacks through hardware failures to natural disasters — or to restore functionality within a defined timeframe so that critical business processes are maintained.

[Learn more →](https://www.fast-lta.de//en/glossary/it-resilience)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)

