Air gaps for backup and how they help against ransomware

The air gap is a fundamental concept of storage and backup. Essentially, it means having a physical or logical disconnect between production systems and the location of secondary data, including backups.

Its role as a fundamental of backup has come into closer focus with the rise of ransomware as a key threat to organisations’ security.

Here, the idea of an air gap aims to isolate data from which the organisation may need to restore following a ransomware attack.

The 3-2-1 rule and the air gap

The 3-2-1 rule is a fundamental of backup. It dictates that there should be three copies of an organisation’s data. Then, if one of those three copies is the production copy, there should be two copies of the data held as backups and they should be on different media. Finally, one copy of the two backups should be taken off-site. Therein lies the air gap.

But things have progressed a little since the 3-2-1 rule was conceived in the early 00s, most notably through the now ubiquitous presence of the cloud, which offers alternatives to the physical air gap. We will look at these in this article.
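The 3-2-1 rule and the off-site air gap are easy to state and easy to drift away from. The following script is an added example, not code from the original article: it evaluates a small backup inventory against each requirement separately (three copies, two backup media, one off-site, one unreachable from the production network) so a report can name exactly which part is missing. The inventory format, the field names and the sample entries are constructed for illustration.

```python
"""Check a backup inventory against the 3-2-1 rule and the air-gap requirement.

Added example (not from the original article). The inventory format, the
field names and the sample entries below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DataCopy:
    name: str
    medium: str              # e.g. "disk", "tape", "object-storage"
    location: str            # site identifier
    production: bool         # True for the live copy ransomware would reach first
    network_reachable: bool  # True if writable from the production network


def evaluate_321(copies: list[DataCopy], production_site: str) -> dict[str, bool]:
    """Return one boolean per requirement so a report can name what is missing."""
    backups = [c for c in copies if not c.production]
    media = {c.medium for c in backups}
    off_site = [c for c in backups if c.location != production_site]
    # The air gap: an off-site copy that nothing on the production network can write to.
    air_gapped = [c for c in off_site if not c.network_reachable]
    return {
        "three_copies": len(copies) >= 3,
        "two_backup_media": len(media) >= 2,
        "one_off_site": len(off_site) >= 1,
        "one_air_gapped": len(air_gapped) >= 1,
    }


def is_compliant(copies: list[DataCopy], production_site: str) -> bool:
    return all(evaluate_321(copies, production_site).values())


# Constructed sample inventories.
GOOD = [
    DataCopy("prod-san", "disk", "hq", True, True),
    DataCopy("nightly-disk", "disk", "hq", False, True),
    DataCopy("weekly-tape", "tape", "vault-offsite", False, False),
]
# Three copies, but all on disk at HQ and all reachable from production:
# this passes the copy count and fails media diversity, off-site and air gap.
BAD = [
    DataCopy("prod-san", "disk", "hq", True, True),
    DataCopy("nightly-disk", "disk", "hq", False, True),
    DataCopy("replica-disk", "disk", "hq", False, True),
]

if __name__ == "__main__":
    for label, inventory in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, evaluate_321(inventory, "hq"))
```

The `BAD` inventory is the common failure mode: a replica on the same network is a third copy on paper, but ransomware that reaches the production file servers can reach it too, so it satisfies neither the media rule nor the air gap.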

Physical air gap

The air gap as originally conceived was just that – physical distance between the primary site and backups with no network connection between them. So, here we’re talking about tapes or optical drives that are taken off-site. In an organisation of any size above smaller SMEs, this would mean backups on tape, which would reside off-site, possibly in a tape library.

The benefit, seen in the light of how ransomware operates, is that valuable data you may need to restore is beyond the reach of malware introduced into primary systems.

There are several potential flies in the ointment here. Restoring from off-site media that is physically separate from your main systems is time-consuming, and there is always scope for your off-site backups, on tape or disk, to be stolen or destroyed.

It is also possible that any corruption introduced into data in production systems may also be transferred to backups and be moved off-site with them. Ransomware attackers are well-practised at injecting software that remains dormant for some time before activation.

This all goes to show that backups are only one defence against ransomware and upstream protection – such as anomaly detection or encryption – is almost certainly required.
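The dormant-then-activate pattern means a backup generation can already contain encrypted files by the time it is written to tape. One upstream check of the anomaly-detection kind mentioned above is to measure how much of a snapshot looks like ciphertext before it is shipped off-site. The script below is an added example, not code from the original article: it computes the Shannon entropy of each file in a backup generation, treats near-maximal entropy as "likely encrypted", and holds the off-site copy when that share jumps sharply against the previous generation. The threshold, the snapshot layout and the sample files are constructed; the pseudo-encrypted content is generated deterministically with SHA-256 so the example runs offline.

```python
"""Hold a backup generation whose files look newly encrypted, so a corrupted
snapshot is not shipped off-site.

Added example, not from the original article. The entropy threshold, the
snapshot layout and the sample files below are constructed.
"""
from __future__ import annotations

import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.5  # bits per byte; encrypted or random data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_fraction(snapshot: dict[str, bytes]) -> float:
    """Share of files in a snapshot whose content has near-maximal entropy."""
    if not snapshot:
        return 0.0
    hits = sum(1 for data in snapshot.values() if shannon_entropy(data) >= HIGH_ENTROPY)
    return hits / len(snapshot)


def should_hold_snapshot(previous: dict[str, bytes], current: dict[str, bytes],
                         max_jump: float = 0.25) -> bool:
    """True if the high-entropy share rose by more than max_jump since the last generation."""
    return suspicious_fraction(current) - suspicious_fraction(previous) > max_jump


def pseudo_encrypted(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext: a chained SHA-256 byte stream."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed snapshots: four plain-text documents, then the same set after
# an encryptor has overwritten half of them.
PREVIOUS = {f"doc{i}.txt": b"quarterly report draft " * 100 for i in range(4)}
CURRENT = dict(PREVIOUS)
CURRENT["doc0.txt"] = pseudo_encrypted(4096, b"doc0")
CURRENT["doc1.txt"] = pseudo_encrypted(4096, b"doc1")

if __name__ == "__main__":
    print("previous:", suspicious_fraction(PREVIOUS))
    print("current: ", suspicious_fraction(CURRENT))
    print("hold off-site copy:", should_hold_snapshot(PREVIOUS, CURRENT))
```

Entropy alone will also flag legitimately compressed or encrypted archives, which is why the check compares against the previous generation rather than applying an absolute cut-off: a backup set that has always contained 30% compressed media is not an alarm, a jump from 0% to 50% between two nights is.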

Logical air gap

A logical air gap is one where there is a protection in software – i.e. access control – that isolates secondary site locations from production and primary backup environments.

So, admins may be able to isolate backup copies by removing access from production UIs, as well as by making data transfer possible only through a designated, secure networking port and a firewall that is only opened when data is transferred. Other immutability and access control measures include multifactor authentication, role-based access control, and two-person concurrence.

It is also possible to create a cloud air gap by storing backup copies in a separate account with a separate set of logins needed for access.
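The controls in this section (a separate credential set, role-based access, multifactor authentication, immutability and two-person concurrence) are easier to reason about in working code than in a list. The following toy vault is an added example, not code from the original article or from any backup product: it accepts only credentials from its own realm, requires MFA on every call, refuses to overwrite an existing object, and removes an object only after two distinct administrators have approved the deletion. All principal names, realms and roles are constructed.

```python
"""Toy model of a logically air-gapped backup vault.

Added example, not from the original article. Demonstrates a separate
credential realm, role-based access, mandatory MFA, append-only storage
and two-person concurrence for deletion. All names and roles are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    realm: str          # "backup-vault" or "production"; the vault trusts only its own
    role: str           # "writer" or "admin"
    mfa_verified: bool


class VaultDenied(Exception):
    pass


class BackupVault:
    REALM = "backup-vault"

    def __init__(self) -> None:
        self._objects: dict[str, bytes] = {}
        self._pending_deletes: dict[str, set[str]] = {}

    def _check(self, p: Principal, role: str) -> None:
        # Production credentials are worthless here: that is the logical air gap.
        if p.realm != self.REALM:
            raise VaultDenied(f"{p.name}: credentials from realm {p.realm!r} are not valid here")
        if not p.mfa_verified:
            raise VaultDenied(f"{p.name}: MFA required")
        if p.role != role:
            raise VaultDenied(f"{p.name}: role {p.role!r} may not act as {role!r}")

    def put(self, p: Principal, key: str, data: bytes) -> None:
        self._check(p, "writer")
        if key in self._objects:
            raise VaultDenied(f"{key}: objects are immutable; write a new version instead")
        self._objects[key] = data

    def approve_delete(self, p: Principal, key: str) -> bool:
        """Record one approval; the object goes only once two distinct admins agree."""
        self._check(p, "admin")
        if key not in self._objects:
            raise KeyError(key)
        approvers = self._pending_deletes.setdefault(key, set())
        approvers.add(p.name)          # a set, so one admin approving twice still counts once
        if len(approvers) >= 2:
            del self._objects[key]
            del self._pending_deletes[key]
            return True
        return False

    def has(self, key: str) -> bool:
        return key in self._objects


def scenario() -> dict[str, bool]:
    """Exercise each control once and report which ones held."""
    vault = BackupVault()
    key = "2024-05-01/full.bak"
    writer = Principal("backup-svc", "backup-vault", "writer", True)
    admin1 = Principal("alice", "backup-vault", "admin", True)
    admin2 = Principal("bob", "backup-vault", "admin", True)
    prod_admin = Principal("prod-root", "production", "admin", True)
    no_mfa_admin = Principal("carol", "backup-vault", "admin", False)
    vault.put(writer, key, b"constructed backup payload")
    results: dict[str, bool] = {}

    def denied(action) -> bool:
        try:
            action()
        except VaultDenied:
            return True
        return False

    results["overwrite_blocked"] = denied(lambda: vault.put(writer, key, b"tampered"))
    results["prod_creds_rejected"] = denied(lambda: vault.approve_delete(prod_admin, key))
    results["mfa_enforced"] = denied(lambda: vault.approve_delete(no_mfa_admin, key))
    results["writer_cannot_delete"] = denied(lambda: vault.approve_delete(writer, key))
    first = vault.approve_delete(admin1, key)
    repeat = vault.approve_delete(admin1, key)
    results["single_admin_cannot_delete"] = (not first) and (not repeat) and vault.has(key)
    results["two_admins_can_delete"] = vault.approve_delete(admin2, key) and not vault.has(key)
    return results


if __name__ == "__main__":
    for control, held in scenario().items():
        print(f"{control}: {'ok' if held else 'FAILED'}")
```

The point of the separate realm is the one the article makes about cloud accounts: even a fully compromised production administrator holds no credential the vault recognises, and the two-person rule means a single stolen vault credential cannot destroy the restore point on its own.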

Air gaps: part of a range of protections

The bottom line is that air-gapped systems can be a valuable protection against security threats, including from ransomware, but for the reasons mentioned above, they are not invulnerable to infection, corruption and the vagaries of human error.

So, as with all data protection measures, they are best used as part of a suite of measures that run the gamut from prevention to the potential for clean restores in case of attack or data loss.
