Air gap backups: What are they, and how do they work?

Air gapping does for software what social distancing does for people—wards off infections. It’s a backup and recovery strategy that stops malicious agents from infiltrating, buttresses the security posture in hyper-converged infrastructure (HCI), and plays a crucial role in recovery procedures such as disaster recovery plans (DR).

What is air gapping?

Air gapping is a method of protecting data by physically separating a storage volume from all possible access points, wired and wireless. After the isolation, the volume becomes a country within a country, even within its own infrastructure, removed from internal workloads and processes. If hackers breach the network, air-gapped data remains inaccessible – hidden behind a barrier known as an air wall. This air wall adds another layer of protection and prevents unlawful manipulation except through direct manual tampering or destruction. Because of these attributes, air gaps are considered one of the best backup practices.

What is an air gapped backup?

An air gapped backup is an offline copy of data fortified by an air wall. Air gapping suits virtually nothing better than backups because it makes them impenetrable and inaccessible. Conversely, operations would likely halt if one were to air gap a production environment because of the inherent transfer delays. For this reason, the air gap technique lends itself great to backups.

How do air gapped backups work?

Air gapped backups reside outside main networks, often in separate buildings, sometimes in what’s called a Faraday Cage (an enclosure that neutralizes electromagnetic waves). A standard protection strategy dictates that employers should transfer data between source and target by themselves on removable devices such as USB sticks. This air-gapping technique is the most stringent security measure and a robust defense against data loss.

Some organizations, however, can’t or won’t use air gaps this way. Maintaining an extra facility for physical devices, walking from one place to another, and investing in a Faraday Cage might be too cumbersome and inefficient. But that’s not the only air gap strategy out there.

What are the types of air gaps?

There are two basic types of air-gapped systems: physical and logical.

What is a physical air gap?

A physical air gap involves a literal space—a buffer—between the backup and production. Consider these factors before implementing such a buffer:

• Location: You can place the storage device in a separate building or the main one. In the latter case, ensure ample room between the device and its surroundings.
• Separation: Decide whether your security posture needs an additional screen, such as a Faraday Cage. A sufficiently strong Faraday Cage might deflect electromagnetic pulse events (EMP) or solar flares.
• Connection: Keep the volume permanently disconnected from the network or leave it physically connected but equipped with switches that manage access control manually or automatically.

What is a logical air gap?

Some companies prefer logical air gaps instead. These follow the same security principles as physical air gaps but apply them through software. The software isolates the volume from the network, even as the volume may remain physically attached to it. The mechanisms responsible for the separation include encryption, firewalls, or access control management—for example, S3 Object Lock.

What is a cloud air gap?

Some cloud vendors offer air gapped backups. While ostensibly a contradiction in terms, cloud air gap backups provide similar security as local implementations do. They leverage logical processes to keep data safe and are only used to restore and ingest information. Disconnected in the interim, they’re effectively off-site repositories with occasional network connectivity.

How to set up and implement air gapped backups on premises

Companies who want to set up an on-prem air gapped backup can choose from the following three options. Each adheres to rigorous security standards while balancing security and convenience differently.

• Completely manual setup. This encompasses manually operated offline tape arrays or other storage systems. Although this separation from the outside is uncompromising, security experts advise against it because manual management introduces too big a margin for error.
• Partly/completely automated setup. These include purpose-built backup appliances (PBBA). PBBAs consist of an independent storage medium with an autonomous operating system that activates and deactivates the appliance according to security policies in place.
• Software-based setup. This is when air gapped backups are enforced through software rather than hardware. Security engineers configure logical processes that grant and revoke access automatically per predefined rules.

There are a few things to remember when implementing air gapped backups:

• Sequester. Make sure they are physically out of reach of unauthorized parties.
• Perform backups frequently—ideally every day. The shorter the interval, the more minor the mismatch between production and backup data—expressed as Recovery Point Objective (RPO), the maximum acceptable amount of data at risk of being lost.
• Keep constant tabs on the health of air gapped backup devices. Modern hardware is often short-lived, with hard drives in particular susceptible to defects that can render them useless in less than five years. If the medium is old or riddled with errors, consider replacing it.

What are the pros and cons of air-gapping?

Few other solutions provide better safeguards against malevolent intrusion and protection against data loss than air gapping.

But there are some caveats. For example, many organizations struggle to map their network connections faithfully. This confuses connected devices. Specifically, assets believed offline may turn out to be online when audited. Make sure you know the structure of your network through and through.

Air gapping does not eliminate data transfer. Intermittent connectivity opens offsite copies to physical access and exposes them to vulnerabilities. Leverage immutability, encryption, and sophisticated role-based access to fortify them against that.

Updating air gapped backups takes time and effort. Unfortunately, there’s no easy workaround. Expect a backup procedure to last a few hours instead of minutes or seconds, as it would with the cloud. When considering air gapping, decide which matters more – security or speed. Air gapped backups tip the scales toward the former.

Physical air gaps often leave little to no paper trail. This increases the risk of someone from within the company stealing data because they can do it with relative impunity. Make sure your team is trustworthy and reliable.

Finally, logical air gaps trade off security for speed and convenience. Strictly speaking, they are always connected to the network and rely on software for sequestration. A physical air gap might be the better choice for bulletproof security.

How do air gaps provide data protection against ransomware?

Ransomware is a malicious program that sneaks inside a network, encrypts its data, and leaves a conspicuous ransom note demanding payment in exchange for decryption.

Perpetrators of ransomware are trying to keep up with the defenses deployed against them. Most recently, they set their crosshairs on backups, rightly convinced that if they scramble them, the victim will have no recourse but to surrender.

An air gap insulates sensitive data and keeps bad actors at bay, strengthening a ransomware defense strategy – provided that other security measures complement it.

• Immutability. An air-gapped must occasionally connect to another medium to do its job. That brief moment may be all an attacker needs to get inside. Immutability will stop them in their tracks.
• Encryption. You might employ data encryption at rest, in flight, or both to boost security.
• Governance. Assigning, announcing, and policing clearance levels to manage air-gapped backups will infinitely improve the system’s security posture.
• Monitoring. The activity around air gapped backups must be under constant scrutiny. Pay close attention to even the slightest anomalies. They might indicate nefarious behavior.

How do air gapped backups fit into the 3-2-1 rule?

One backup does not cut it when data is a matter of life and death. But how many backups are enough to prevent data loss?

American photographer Peter Krogh proposed a 3-2-1 rule. Krogh believed every backup must consist of three identical copies. Additionally, these copies should use at least two different mediums—for example, tape and HDD—with one located offsite in case of an on-site disaster.

The scheme was later amended to address cybersecurity challenges like ransomware better. The corrected version adds two digits to the codename and reads 3-2-1-1-0. “0” refers to the fact that all copies must be free of errors. “1” means that one of the three copies must be immutable or air-gapped.

Should you protect your data with air gaps?

Air gapped backups provide excellent security against cyber attacks, but they come at a price. To find out if they have their place in your organization’s security strategy, consider the following questions.

• Have you audited your infrastructure and determined which assets are network-connected? This is important information to have before instituting an air-gapped defense system.
• Are you committed to implementing additional security measures—such as immutability or access control – to go alongside air-gapping itself?
• Do you realize and accept that air gapped backups are slower and do not match the high availability of cloud backups?
• Do you store sensitive data? Air gapping is effective against data erosion, loss, and manipulation, which helps safeguard confidential information.
• Are your employees trustworthy, dependable, and security-savvy? Air gapped backups are prone to human error and malice. It’s essential to cultivate a work culture that engenders loyalty and supports education on security.
• Is your budget large enough to accommodate the expense? Air gap systems may be costly to implement.
• Are you subject to data protection laws such as GDPR, CCPA, CPRA, PCI, and others? If so, the cost of installing an air gapped system, however steep, will still be lower than the fines for transgressing the regulation.

Ootbi — the best of both worlds in air gap backup strategy

Ootbi from Object First is a purpose-based backup appliance designed specifically for Veeam. It works as an offline backup that combines the best features of physical and logical air gaps. Not only is it a stand-alone, on-prem device, physically decoupled from the environment; it also comes with a robust, custom-made operating system streamlined for Veeam; adopts S3 Object Storage technology for on-prem use; and enforces the principles of WORM—write once, read many.

A way to protect your backup data

Air gaps shield sensitive information and critical data better than other protective measures. Still, it’s essential to take to heart the words of Gene Spafford, who said: “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.“

On the other hand, businesses of all sizes cannot hope for a better defense against ransomware and many other types of malware than a carefully deployed air gapped system augmented with immutability and role-based access control. At a time when ransomware runs amok, air gapping is the last line of defense in the event of a disaster.