Contents
- Introduction
- The definition of air gapping and air gapped backup
- Different types of air gapped systems
- Variations of an air gap backup strategy
- Cloud
- Tape
- Immutability vs air gapping
- Air gap security vulnerabilities
- Benefits of an air gapped backup system
- Additional benefits of air gapping
- Backup strategies: 3-2-1 and 3-2-1-1-0
- Air gapping implementation recommendations
- Shortcomings of an air gapped backup system
- Examples of air gap cyber security systems
- Air gap backups and compliance
- Air-gapped backup maintenance tips
- Conclusion
Introduction
The threat of cyber attack is as real today as ever, with the number of data breaches and cybercrimes growing at an alarming pace every year. Cybersecurity Ventures predicts a ransomware attack somewhere on the planet every 2 seconds by 2031, with annual ransomware costs reaching $265 billion. With that trend showing no sign of stopping, it is easy to see why data security has become one of the most prioritized topics for companies worldwide.
The traditional security approach often struggled to protect data that was not stored inside the “security perimeter” around the company’s internal network. Data-centric security was proposed in response: instead of defending a fixed perimeter, it uses context (who is accessing what, from where, and how) to protect the data itself wherever it is stored.
The definition of air gapping and air gapped backup
Air gapping is a relatively old concept in the context of data security. It is also often the last line of defense against either system failures or malicious acts against a company’s sensitive information. Air gapping is a security measure that uses physical isolation from other devices and networks to prevent unauthorized access to sensitive information.
The shortest way to describe how air gapping works is the word “isolation”. Air gapping means the physical separation of a device or a network of devices from outside influence, with no wired or wireless connection – so no file transfer client, browser, or email client inside the isolated zone can reach the rest of the world, and nothing outside it can reach in.
Air-gapped backups follow the same logic – they are copies of system data stored in a way that severs any path between the copy and the rest of the infrastructure. This is one of the most basic protections against modern ransomware, which now actively looks for and encrypts or deletes backups alongside the original files.
Different types of air gapped systems
There is no single air gap security standard to follow. In fact, there are several types of air gap, such as:
- Logical air gapping is a somewhat unusual or “impure” type, since the very definition of air gapping implies physical isolation. Logical air gapping keeps the devices or systems on the same physical network but separates them logically: separate network segments, separate credentials and role-based access control (RBAC), encryption of the stored data, and storage that production hosts cannot mount, write to, or delete from. The caveat a practitioner should keep in mind is that a logical air gap is only as strong as the access controls that implement it; a stolen administrator credential can cross it in a way it could never cross a tape that has been removed from the drive.
- Isolated air gapping is having a system located in the same facility as the rest of the devices but not connected to any shared network. This removes the network path an attacker would use, but the system still shares its physical surroundings (rooms, power, people with physical access) with the production environment, so it delivers less than a fully separated system.
- Physical air gapping is the leading case discussed above – a complete physical separation of a system or network, including hardware and software. The hardware is dedicated to the isolated environment, and in many cases additional security measures are installed at the separate location, mostly revolving around physical access restrictions.
Variations of an air gap backup strategy
Air gap backup strategies can be tricky since only so many storage methods can support this technique. We can use two main categories to explain different variations of air gap backups: cloud and tape.
Cloud
Cloud storage, both public and private, fits within the definition of air gapping on a technicality, since the data is stored in an environment separate from the original physical infrastructure and ransomware cannot spread to it over a shared LAN. The caveat is that a cloud copy is only separated if the production environment cannot authenticate to it: if the backup server holds credentials that allow objects to be deleted or overwritten, ransomware that takes over that server can destroy the cloud copy just as it would a local one. Separate accounts, write-only or append-only credentials, and the provider's object-lock features are what make a cloud copy resemble an air gap in practice.
Some cloud storage providers also offer specific services for long-term data archival as a direct countermeasure against ransomware. Such archival tiers are usually cheaper, and retrieving data from them takes hours rather than seconds. The fact that the data is not immediately accessible is another layer of protection that technically fits within the term “air gapping”, although it is a delay rather than a true disconnection.
Tape
Tape backup is often considered the “original” air gap backup strategy, since it lends itself to physical separation from any network: once a job has been written, the cartridge is ejected from the drive (or exported from the library) and stored away from the infrastructure, creating a complete physical separation between the data copy and its original. Note that a cartridge still sitting in a library slot is not air gapped – the backup server, and anyone who controls it, can still load and overwrite it; only removed media are truly offline.
The need for manual interaction with tape storage is not always in harmony with the ongoing digitalization and automation of the backup industry, where there has been a trend towards “always on” IT architectures. However, that trend developed before the massive increase in ransomware attacks, and it is a small price to pay for a highly effective data protection measure against ransomware and other attack types.
On that note, another backup tactic is worth mentioning in the context of air gapping, even though it is not the same process. The tactic in question is called data immutability.
Immutability vs air gapping
Air gapping as a topic shares plenty of similarities with another element of the backup industry – data immutability. Both immutable and air-gapped backups are supposed to provide some form of protection against ransomware while also adhering to necessary compliance frameworks. However, there are several differences between them, as well.
The most significant cost driver for immutable storage is growth: because immutable data cannot be deleted before its retention period expires, storage volume grows with the company’s data and with every retained version. Air gap backups instead incur long-run costs from maintaining the physical state of the air-gapped media (such as tape) and from the manual handling involved.
The recovery time objective (RTO) also differs significantly between the two. Immutable storage is faster on average, because it stays online and can be restored from immediately. For the same reason it remains exposed to problems an air gap does not have: it depends on the storage system’s access controls holding (an attacker who impersonates an administrator, or a flaw in the immutability enforcement itself, can defeat it) and on the network and storage service being available during a recovery.
At the end of the day, both strategies contribute significantly to a successful backup strategy. They do not have to be mutually exclusive, either – there are plenty of examples of immutable backups and air gapping technologies operating in unison for better data protection, improved data resilience, and so on.
Air gap security vulnerabilities
Air gapping provides a considerable level of protection for your backups against cyber threats. However, it is important to understand that air gapping is not a solution to every backup security problem. Air gapped backup systems have their own issues and vulnerabilities, even though most of them are highly case-specific and require a determined, well-resourced attacker.
As mentioned before, while reaching an air gapped backup system over a wired or wireless network is extremely difficult, there are still (albeit rather exotic!) ways of getting data across an air gap. For example, a technique called AirHopper was presented in 2014, showing how data can be transferred from an air gapped computer to a nearby mobile phone using a bifurcated malware pattern: a component on the isolated machine modulates FM radio signals via the video card, and a component on the phone receives them.
Another method (published in 2015) called GSMem uses a similar idea to extract data from an air gapped system, but over cellular frequencies: malware drives the computer’s memory bus to emit a signal that a nearby phone can pick up, using standard hardware present in almost any regular computer.
There is also research and real-world malware showing how infected USB devices can carry data across air gaps. ProjectSauron is one such example, discovered in 2016 (even though it had operated undetected for about five years before that); it used specially prepared USB drives with a hidden partition as a transport channel between an air gapped system and a connected computer.
Near-field communication (NFC) was also turned into a gateway for air gapped systems, with a technique called NFCdrip presented in 2018. It showed that NFC has far greater reach than most people assume – up to 100 meters of effective range in specific cases.
These are just a few examples of how an attacker with enough expertise can theoretically extract data from an air gapped system. Two points are worth noting. First, much of this research was performed as a proof-of-concept rather than a ready-made tool. Second, every one of these techniques is an exfiltration channel: each presupposes that malware has already been placed on the isolated machine, typically via removable media, a maintenance laptop, or a compromised software supply. In practice, that initial delivery path, not the exotic radio channel, is where an air gap is most likely to fail, and it is what the operational controls discussed later in this article are meant to protect.
Benefits of an air gapped backup system
- Resistance to most security threats. The biggest reason air gap backups are considered advantageous is rather simple: the overwhelming majority of security threats spread over the Internet or over the network connections between workstations, servers, and other devices. Remove the connection and that entire delivery path disappears.
- Helpful addition to existing backup security measures. An air gapped system holding a backup copy is also a good way to counter some of the less conventional methods that ransomware or insider threats bring. One such problem is malware or a malicious person attempting to sabotage every copy of the company’s data before tampering with the original, to ensure that no recovery is possible after a ransomware attack or a deletion event. The isolated nature of an air gapped system makes it much harder for this kind of sabotage to be 100% successful, improving the company’s chances of recovering. However, it should be made clear that some vendors describe their product as “Air Gapped” when there is no actual physical separation of the storage device. Bacula urges readers to beware of this claim.
- Easier legacy hardware or software deployment. Another advantage of air gapping concerns legacy software. The lack of an Internet connection makes it possible to deploy sensitive legacy software more reliably in an air gapped environment, ensuring it cannot accidentally update itself to a newer version and become unusable for its intended purpose. Running legacy software carries its own risks, and an isolated system still needs a deliberate process for applying security patches offline, but for some software and hardware it is simply not practical to keep pace with the speed of technological development.
Another advantage of air gapping is its complementary qualities in ensuring that at least one copy of a company’s data survives no matter what. In this context, air gapping is integral to the well-known “3-2-1” backup strategy already used by many organizations.
Additional benefits of air gapping
Air gapping is not only about protection from malicious attacks. Being able to restore information conveniently after an accidental deletion or a software error is a significant additional benefit, albeit one not directly related to information security. Data corruption is also less likely in air-gapped storage: with no external connection, the most common delivery path for malicious software is removed, and the copy cannot be silently overwritten by a faulty or compromised production system.
Air gapping can be a critical capability with some types of compliance audits or certifications. If the audit results are published, such a demonstration of data security levels can also build trust with stakeholders and end users. Any comprehensive data backup strategy should have air-gapped backups in some shape or form. Air gapped storage is one of the few security measures that can remain clean even if an entire production system has already been compromised or damaged.
Backup strategies: 3-2-1 and 3-2-1-1-0
The gist of the “3-2-1” backup rule is that there should always be at least three copies of your data at all times, with at least two different storage mediums involved in storing your backups, and at least one copy of your data is always stored offsite – away from your company’s internal network and physically far from the main office’s location. The last part of this rule – a backup copy stored offsite – is a perfect use case for air gapping to be implemented, ensuring that your data cannot be lost completely, no matter what kind of issue you encounter.
Of course, the “3-2-1” backup strategy was introduced long ago, and the industry has changed multiple times since then. Air gapping is just one of many examples of how new technologies are being introduced in this field to improve data security. In this context, new versions of existing strategies also start appearing. One such example is the “3-2-1-1-0” backup strategy, acting as an extension of the previously mentioned “3-2-1” strategy.
The strategy expands on the logic of “3-2-1”. It adds the need for at least one copy of the data to be completely offline and air-gapped (the extra “1”), and for backed-up data to be verified so that it contains zero corrupt or missing elements (the “0”). That way, both ransomware attempts to affect backup data and potential human errors are either prevented or severely mitigated.
However, it is also important to remember that air gapping is not necessarily a perfect solution to all security problems. There are multiple issues that the air gap security approach has, ranging from general inconvenience to a significant downside in the form of the human factor.
Air gapping implementation recommendations
Implementing air-gapped backups correctly can be slightly challenging, but a few recommendations make the process easier. First, air gapping should only be applied to the most sensitive and vital information, so identifying this information is an excellent place to start.
The data in question must be transferred to external storage before being disconnected from the rest of the network. While this technically concludes the entire process of air-gapping, plenty of other steps need to be taken for the data to remain safe and secure for a long time – starting with backup scheduling.
Depending on the type of information stored within air-gapped storage and several other factors, companies might need to either use manual backup methods or automate the entire backup process (or even a combination of the two). The former leaves better control over the whole process with a transparent chain of responsibility. The latter allows the end user to configure how often a backup is performed while also setting up additional safeguards for future backup processes, such as detailed logging (for better troubleshooting) and encryption (for enhanced security).
Automation tools can offer significant advantages to the backup process. However, it is still important to document the entire process and configuration of the backup system as thoroughly as possible to restore the process and set it up again when necessary.
Other potential recommendations for implementing air-gapped backups include using MFA and holding regular training sessions. The former offers additional protection against unauthorized access, while the latter is necessary to ensure that all team members are aware of the importance of air-gapped backups and enhance their effectiveness even further.
Shortcomings of an air gapped backup system
- Difficulties interacting with an air-gapped backup storage. The problem in question includes potential extra work involved in adding, modifying, and removing data from an air gapped storage device. Since all of the wired and wireless connection interfaces are removed, the only way to access these storage devices is to use some sort of external attachable method of data transferring – and of course, that’s the whole point of air-gapping.
- “Human factor”. Since the entirety of interactions with an air gapped system typically relies on human input in the first place, there is always a chance that one of the security measures in place may not be reset correctly or secured properly enough, creating a gateway for attackers to use. Examples could be an unlocked door, an unguarded USB port, or even a malicious employee. There are also problems with regular security updates and IoT appliances near the server. However, both can be worked around if enough attention is put to the task.
- Problematic management. The issue here is the sheer practicality of managing a system, set of systems, or standalone network that needs to be air gapped. A large military airport is an example: its processes require dozens, if not hundreds, of people within the physical perimeter, and any worker or third party with malicious intent (or simply a careless one) could compromise the isolated systems. The larger the number of people and IT systems, the greater the danger, and the harder it becomes to implement and continuously enforce measures such as an air gap backup strategy, including monitoring and controlling everyone near USB ports or tape drives.
As such, there are both advantages and disadvantages to an air gapped system. It has the potential to be an excellent security option. However, the amount of work needed to strengthen it is why some organizations only use air gapping for some of their most critical data.
Examples of air gap cyber security systems
Here are some examples of air gapping use cases:
- Both state-level and national lottery game servers have to be completely isolated by default to exclude any possibility of lottery fraud.
- Stock exchanges and other financial computer systems have to be air gapped for a similar reason: the possibility of fraudulent information being distributed.
- Life-critical systems in many forms have to be air gapped – and there are many examples of such systems, from computerized medical hardware and aviation control systems to nuclear power plant controls. The disastrous consequences of even one of these systems being compromised illustrate why all of them may have to be air gapped.
- Industrial control systems in various fields must have only the best possible security measures for several reasons. A good example is the field of Oil and Gas production, with SCADA (Supervisory control and data acquisition) systems needing protection.
- Many government-related networks and systems must be air gapped, as well as military networks, nuclear power stations, etc.
Note, some versions of these systems may not be considered as truly air gapped anymore because some of them have added features that allow them to establish a temporary connection to either the Intranet, or the public Internet – be it for the sake of security updates, monitoring, or data transfer.
Air gap backups and compliance
Several well-known compliance frameworks – HIPAA, GDPR, PCI DSS, and the NIST publications are popular examples – require organizations to keep reliable, recoverable copies of their data, and the 3-2-1 rule (with air gapping as its extension) is the common way to meet that requirement. They describe the required outcome rather than the rule itself, so it is worth explaining the reasoning behind it using one of these frameworks – NIST.
The National Institute of Standards and Technology Cybersecurity Framework exists to give businesses of all kinds a clear and concise understanding of how their sensitive information can be protected and managed. It is voluntary by nature; it acts as a set of guidelines on what practices and methods businesses can use to safeguard their information, focus on potential weak spots, and recover after an incident.
It is worth noting that backup solutions may have different interpretations of NIST standards, offering better (or worse) tools and methods for being NIST-compliant. For example, air gapping and immutability can have different interpretations in the context of various backup software. Another good example is the variety of data types the solution can seamlessly work with.
Meeting various compliance requirements in the context of air backups specifically and backup security as a whole requires a qualified and comprehensive backup solution with several approaches for specific IT requirements, various backup-centric tools, support for many storage types, etc.
Air-gapped backup maintenance tips
Maintenance is a crucial part of any system or framework. This can be applied to air gapped storage and air gapped backups.
The most common example of maintenance tasks for air-gapped backups is regularly checking the integrity of backup files. Storing backed-up information in a secure location that is physically separated from the rest of the company’s infrastructure is always welcome as an additional layer of protection against theft or natural disasters. Versioning can also be helpful in this context, although its complexity would most likely be much higher due to the highly secure nature of the air-gapped storage.
Auditing also benefits existing backup systems, ensuring that the backup and recovery processes operate properly from start to finish. A chain-of-custody process for backup media, with thorough documentation, records who handled the media and when. Tamper-evident packaging is a complementary option: applied to storage devices, it shows that a unit has been opened if someone tries to access air-gapped media without sufficient reason or security clearance.
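The integrity check described above, the “0 errors” step of the 3-2-1-1-0 strategy, and the logging recommended in the implementation section can all be carried out with a keyed manifest written when the media is prepared and re-checked before the media goes back into the safe. The Python script below is an added example written for this article; it is not Bacula code or any vendor's API, and the file names, media label, operator name and key are constructed for illustration. It demonstrates the one design choice that matters: the manifest is authenticated with an HMAC whose key stays on the isolated side, so an attacker who can rewrite both the files and the manifest still cannot make a corrupted copy pass verification.

```python
"""Keyed integrity manifest for an offline (air-gapped) backup copy.
Added example: hash every file on the media, sign the manifest, verify later."""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# Hypothetical key for this example. In a real deployment it lives only on the
# isolated side (e.g. on a token kept with the media), never on a host that the
# production network or the backup server can reach.
MANIFEST_KEY = b"example-only-manifest-key-keep-offline"
MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-GB dumps never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def files_on_media(media_root: Path) -> dict:
    """Map media-relative POSIX paths to files, skipping the manifest itself."""
    return {
        p.relative_to(media_root).as_posix(): p
        for p in sorted(media_root.rglob("*"))
        if p.is_file() and p.relative_to(media_root).as_posix() != MANIFEST_NAME
    }


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so the same body always yields the same tag.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(media_root: Path, media_label: str, operator: str) -> dict:
    """Record hash and size of every file plus custody details, then sign it."""
    files = {rel: {"sha256": sha256_file(p), "size": p.stat().st_size}
             for rel, p in files_on_media(media_root).items()}
    body = {"media_label": media_label, "operator": operator, "files": files}
    tag = hmac.new(MANIFEST_KEY, _canonical(body), hashlib.sha256).hexdigest()
    manifest = {"body": body, "hmac": tag}
    # A copy on the media is convenient; the custody log should hold another.
    (media_root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(media_root: Path, manifest: dict) -> dict:
    """Return a report; 'ok' is True only for an authentic, complete, intact copy."""
    report = {"manifest_authentic": False, "corrupted": [], "missing": [],
              "unexpected": [], "ok": False}
    expected = hmac.new(MANIFEST_KEY, _canonical(manifest["body"]),
                        hashlib.sha256).hexdigest()
    # Constant-time compare; an unauthentic manifest makes every entry untrustworthy.
    if not hmac.compare_digest(expected, manifest.get("hmac", "")):
        return report
    report["manifest_authentic"] = True
    recorded = manifest["body"]["files"]
    present = files_on_media(media_root)
    for rel, meta in recorded.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != meta["sha256"]:
            report["corrupted"].append(rel)
    report["unexpected"] = sorted(set(present) - set(recorded))
    report["ok"] = not (report["corrupted"] or report["missing"] or report["unexpected"])
    return report


def demo() -> dict:
    """Constructed walk-through: a clean copy passes, then each tampering case is caught."""
    results = {}
    root = Path(tempfile.mkdtemp(prefix="airgap-media-"))  # stands in for the mounted media
    try:
        (root / "db").mkdir()
        dump, cfg = root / "db" / "customers.dump", root / "config.tar"
        dump.write_bytes(b"constructed sample dump\n" * 100)
        cfg.write_bytes(b"constructed sample config archive\n")
        manifest = build_manifest(root, "TAPE-0042", "operator-a")
        results["clean"] = verify_manifest(root, manifest)["ok"]

        # 1. One file rewritten on the media (bit rot, or ransomware reaching the copy).
        cfg.write_bytes(b"CONSTRUCTED SAMPLE CONFIG ARCHIVE\n")
        results["corrupted"] = verify_manifest(root, manifest)["corrupted"]
        cfg.write_bytes(b"constructed sample config archive\n")

        # 2. A file deleted from the media.
        dump.unlink()
        results["missing"] = verify_manifest(root, manifest)["missing"]
        dump.write_bytes(b"constructed sample dump\n" * 100)

        # 3. Attacker rewrites the file AND patches the manifest entry, but lacks the key.
        forged = json.loads(json.dumps(manifest))
        cfg.write_bytes(b"attacker content\n")
        forged["body"]["files"]["config.tar"]["sha256"] = sha256_file(cfg)
        results["forged_manifest_rejected"] = not verify_manifest(root, forged)["manifest_authentic"]
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the four outcomes as JSON. When adapting it, the question that decides how much the check is worth is where MANIFEST_KEY lives: if the key sits on the backup server, an attacker who owns that server can re-sign a manifest, and the check degrades to a plain hash list, which still catches bit rot and accidental deletion but not a deliberate rewrite. The verification step also belongs on the isolated side, because a compromised production host can simply report success.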
Conclusion
Air gapping is a concept that offers a practically unprecedented level of security for a company’s most essential and sensitive data. Air gapping remains a popular data security approach to this day, safeguarding the information of hundreds and thousands of companies. As a result of frequent ransomware attacks – that even target backup and recovery systems themselves, air gapping is, to some extent, back in the spotlight.
For the many organizations that require air gapping as part of their security strategy and business continuity needs, Bacula Enterprise offers especially secure, advanced and flexible software to quickly and easily provide highly secure backup and recovery, integrating air gapping methodologies into even the most complex IT environments. Specifically, Bacula is storage agnostic, so a user can use it in conjunction with practically any tape (or other) technology they choose, and implement exactly the type of air-gapping methodology that is appropriate for their needs. This level of flexibility is key in high security environments, and is rare among backup vendors. The same is for Bacula’s immutability options, which go significantly beyond its peers. Bacula can be customized, scripted and architected to perform practically any diverse backup and recovery need. Contact Bacula for more information.
For these reasons, Bacula is depended on by the largest defense organization in the world, as well as a large number of medium and large companies that treat security and Business Continuity as paramount. The companies are from the defense, research, finance and government infrastructure verticals, besides many others that need the highest backup security levels. Bacula’s software architecture and specific security features make it exceptionally robust against ransomware and other malware, when compared to other backup and recovery vendors. Bacula recommends that any organization’s data protection is taken exceptionally seriously; please contact Bacula to speak with a senior expert in highly secure backup and recovery software.