The concept of an air gap backup copy — a backup copy stored on a storage infrastructure that is not accessible from an external connection or the internet — has been around for decades. Air gapping typically plays an important role in the 3-2-1 backup strategy that is an accepted industry best practice. This strategy calls for three copies of data, on two different types of media, with one copy off-site.
Air gapping has a lot of promise, especially in the fight against today’s onslaught of ransomware and other cyber attacks, but it’s not completely foolproof. With a variety of storage media and consumption models expanding the traditional definition of an air gap, it is important for organizations to understand the unique benefits and disadvantages of each approach to data air gapping.
Physical air gaps
Many organizations have moved to isolate some backups from external networks and devices, and tape storage is the traditional form of air gapping. Backup data is copied to a tape cartridge, which is then physically removed and stored in a tape library that is typically hosted off-site. As a result, the air gap backups are physically disconnected from external networks, as well as other storage devices.
In more recent years, off-site object stores, as well as disconnected file systems, have been introduced to facilitate a physical air gap while, at the same time, addressing some of the pain points of tape, such as lengthy recovery times. These systems require a network connection while data is being ingested, so they include additional safeguards to preserve isolation.
Logical air gaps
The use of storage media that is not removable has introduced the concept of a logical air gap. Logical air gaps rely on network and user access controls to create isolation from the production and primary backup environments.
For example, admins may isolate the backup copy by removing access via production-accessible UIs or via host or administration networks. Data transfer is then permitted only through a designated, secured network port and firewall rule that are opened while data is being transferred and closed otherwise. Some methods also require physical access to the designated air gap system, with a network interface that can be disconnected when not in use.
Some cloud vendors create an air gap by storing backup copies in a separate storage account, requiring another set of credentials for access, or in a separate region. Air gap functionality is also being built into some production block storage systems.
Benefits and areas for improvement with air gaps
Air gaps make it more difficult for bad actors to access backup copies, limit the ability of malware to spread and wreak havoc, and increase the likelihood that the organization can recover from cyber attacks like ransomware.
There are several potential drawbacks for organizations to bear in mind — the biggest being that the inherent isolation requires more operational involvement and time, leading to longer recovery point objectives and recovery time objectives. Tapes are physical devices that could be stolen by outside or inside personnel. There is also a variety of logistics that goes into tape rotation and maintenance — some of which have improved with automation technologies.
Meanwhile, when using a logical air gap, it is important to account for the fact that there is technically still a network connection, at least at times. Be sure to put in place immutability and access control measures, such as multifactor authentication, role-based access control, and two-person concurrence, for administrative actions.
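The following added example (not part of the original article, and not any vendor's API) models how a logically air-gapped repository can enforce two of the controls named above: a retention lock that makes ingested objects write-once and undeletable until expiry, and two-person concurrence with a role check for every administrative action. Class, method and role names are assumptions; time is passed in as Unix seconds so the logic is deterministic.

```python
from dataclasses import dataclass, field

@dataclass
class ImmutableBackupStore:
    # Constructed model, not a vendor API: objects map name -> retention-lock expiry
    # (Unix seconds). Time is passed in explicitly so the logic is deterministic.
    admins: frozenset  # identities holding the backup-admin role (RBAC)
    objects: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # every decision, denials included

    def _deny(self, msg: str) -> bool:
        self.audit.append("DENIED " + msg)
        return False

    def _two_admins(self, requester: str, approver: str) -> bool:
        # Two-person concurrence: two distinct identities, both holding the admin role.
        if requester not in self.admins or approver not in self.admins:
            return self._deny(f"{requester}/{approver}: missing backup-admin role")
        if requester == approver:
            return self._deny(f"{requester}: single-party approval")
        return True

    def ingest(self, name: str, retention: float, now: float) -> bool:
        # Writing needs no approval, but an existing object is never overwritten.
        if name in self.objects:
            return self._deny(f"ingest {name}: write-once object already exists")
        self.objects[name] = now + retention
        self.audit.append(f"INGEST {name} locked until {self.objects[name]}")
        return True

    def extend_retention(self, name: str, new_until: float, requester: str, approver: str) -> bool:
        # Retention may be lengthened with concurrence, never shortened.
        if not self._two_admins(requester, approver):
            return False
        if new_until <= self.objects[name]:
            return self._deny(f"extend {name}: retention may only grow")
        self.objects[name] = new_until
        self.audit.append(f"EXTEND {name} by {requester}+{approver}")
        return True

    def delete(self, name: str, requester: str, approver: str, now: float) -> bool:
        # Deletion needs concurrence and an expired retention lock.
        if not self._two_admins(requester, approver):
            return False
        if now < self.objects[name]:
            return self._deny(f"delete {name}: under retention lock")
        del self.objects[name]
        self.audit.append(f"DELETE {name} by {requester}+{approver}")
        return True
```

The audit list records denied attempts as well as successes, which is the signal a detection team would want forwarded off the repository: a single-party deletion attempt or a request to shorten retention is itself worth alerting on.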
Encryption of data at rest and data in flight, with sound encryption key management, is another important safeguard. Organizations may also consider whether an offering has been audited as an air gap. Close integration with existing backup software and support for common management are also important. If the air gap capability is not consistent with other backup practices, it could add complication or create ambiguity about who holds responsibility.
Organizations have a variety of options for air gap backups, which stand to play a critical role in cyber resiliency. However, no option is fully impenetrable. As a result, be aware of the strengths and drawbacks of each backup approach to ensure effectiveness.