Air gapping is a security measure that physically or logically isolates at least one copy of a data backup. The purpose of air gapping is to keep malicious entities away from the last copy of an organization’s digital assets. A malicious entity, in this context, could be a virus, malware, an attacker, an unauthorized insider, ransomware, a human mistake, or an unexpected power outage that could corrupt backed up data accidentally.
Air gaps play an important role in 3-2-1 backups. A 3-2-1 strategy requires three copies of each backup, at least one of which has to be air gapped and stored off-site.
Importance of Air Gap Backups
With the increase in demand for security and compliance, the advantages of air-gapped backups cannot be overstated. Air gapped storage volumes cannot be accessed by applications, databases, users and workloads running on the production environment.
Air gap backups serve two primary purposes. First, they prevent at least one copy of a backup from being manipulated or destroyed. Second, they help ensure quick restores because the integrity of an isolated, air-gapped backup can be trusted.
The idea behind air gapping backups is this: Even if all the data on a primary system gets compromised, there will be a foolproof resource that can be used to restore data. Backups are an important part of every organization’s data recovery plan and should be protected at all times.
Air gapped backups are one of the best ways to keep sensitive information secure while still providing assurance that a good copy of the last backup will be accessible when you need it most. Since air gapped backups do not have network access, even if someone hacks into a network, they would not be able to access and change the backup unless they are physically present at the backup’s location and have the right access credentials.
Furthermore, air-gapped backups prevent infection to a certain degree. In a data center where multiple servers are being backed up and one server becomes infected with ransomware, for example, the infection could spread to the other backups on the network. With an air gap solution, at least one copy of the backup will always be isolated from the network and allow administrators to safely and quickly conduct a restore.
How To Air Gap Backups
Although there are many ways to air gap backups, there are three main types as follows:
Physical Air Gaps
Total physical air gapping completely isolates the backup from any kind of network connection. Administrators must be physically present to read or write data to this type of data backup, which usually requires high-level security clearance.
Segregated Air Gap Backups
Segregated backup systems are in the same physical location as the production environment, but are not connected to the network. This type of air gapping provides digital protection against viruses, malware and hackers, but not against physical theft.
Logical Air Gap Backups
Logical air gap backups are logically isolated network resources. This can be implemented in many different ways. For instance:
- Use hashing and encryption techniques like AES 256-bit encryption or SSL tunneling.
- Implement role-based access control policies that allow only specific people to access high-level data.
- Virtualize and isolate backup appliances from the network while the physical machines remain connected to the internet.
Challenges of Air Gapping Backups
Air gap backups present a very strong case against data loss. With that being said, air gapping isn’t the holy grail. There are, of course, drawbacks to every approach. For example, there is always a possibility of human error exposing the gapped backup to the network. This, of course, isn’t the case with modern backup appliances that automate air gapping.
An offline backup strategy, if done correctly, ensures that data backups are highly secure and impossible to compromise. This is why air gapped backups should be a part of every backup strategy.