Air-gapping is becoming more and more common in the data protection and backup and disaster recovery (DR) industry. You will find a lot of content about it, and you will hear cyber-security experts recommend it – almost aggressively. It does sound like hype, but is it? That’s the question we’ll be looking to answer in this article.
Before we take a closer look at air-gapping, let’s talk about the data security of your digital assets in the cloud.
Is your data stored in the cloud secure?
The common misconception is: “If it’s in the cloud, it’s safe.” That’s not entirely true. Cloud Service Providers (CSPs) ensure that your data is always available with SLAs guaranteeing eleven nines of durability. However, that’s not the same as ensuring it’s safe from ransomware, malware, and human error.
According to Microsoft Azure, it’s a shared responsibility model. They make sure that the infrastructure hosting your data is secure and always available. At the same time, you ensure that you’re using the appropriate data protection measures for your critical workloads.
For example, if you’re using replication services to write data into a cloud repository, anything that happens to your data will be replicated over. If a file is corrupted on-prem, the corrupted version will be uploaded to the cloud. The CSP will make sure that whatever you write to their hardware is accessible. You need to make sure that it’s not corrupted, or worst — maliciously encrypted by ransomware.
For more on the shared responsibility model, check out this blog by Diana Kelley: Driving data security is a shared responsibility model; here’s how you can protect yourself. The author has written a car analogy to explain it – it’s an exciting read.
Now that we’ve established that storing data in the cloud doesn’t secure it let’s talk about air-gapping.
What are air-gapped backups, and do you need them?
Air-gapping is the practice of isolating and detaching a target storage repository from the primary network. The repository can be a physical, virtual, or cloud-based server(s). There are many ways to add it to your existing IT system depending on the storage media. We’ll talk about integration later in this article.
An air-gapped repository is inaccessible to applications, server(s), and other clients when isolated. This is the critical capability of an air-gapped system. It is disconnected by default and only turns on when you intend to use it.
By storing critical backup data, snapshots, and replicas in air-gapped volumes, you’re protecting them from threats that can use the connected network to access and attack them, namely ransomware and virus. Unfortunately, another similar threat also includes human error, which accounts for the majority of data loss incidents experienced by companies worldwide.
Do you need air-gapping?
As a reliable data protection measure against ransomware, air-gapping is necessary for any organization that relies on digital assets for its day-to-day operations.
Cyber threats do not differentiate. They target all industries regardless of scale. However, Verizon noticed that the gap between ransomware attacks on significant companies and SMBs is smaller this year. This implies that if you’re a small-to-medium-sized business (<1000 employees), you’re a potential target for ransomware – and you need to prepare for it.
If you do not prepare for ransomware, you can end up in the 40% that experienced an average of 8 hours of downtime.
According to Nordlocker, the following industries faced the most ransomware attacks in descending order:
- Construction
- Manufacturing
- Finance
- Healthcare
- Education
- Technology and IT
- Logistics and transportation
- Automotive
- Municipal services
- Legal
If you’re a company offering products and services in any of the above industries, you need to prepare for ransomware attacks and have a way to recover from it quickly without losing data.
How to add air-gapping to your IT infrastructure
You can add air-gapping to your current IT system(s) in a number of ways.
- Air-gapped nodes – These are purpose-built physical appliances with automated network and power isolation and management. You can connect them with your backup server(s) and production environment(s).
- Air-gapped volumes – Virtual isolated volumes that can be provisioned on mainstream hypervisors such as VMware ESX/ESXi and Microsoft Hyper-V.
- Cloud Air-Gapped – Leverage Infrastructure as a Service (IaaS) and Storage as a Service (STaaS) to provision air-gapped volumes in the cloud.
- Tape storage – Depending on how often tape storage arrays are connected to your primary production environment, you can also use them as air-gapped repositories. However, using tape for data protection is not recommended as it involves manual processing, which is error-prone and less reliable than automated air-gapping.
The ability to provision and effectively manage air-gapped volumes depends on the software you choose. As the concept of air-gapping is currently abuzz in the backup and DR industry, most software vendors already have or are working towards adding air-gapping to their list of features.
If you’re looking for purpose-built air-gapped nodes, currently StoneFly is the only vendor in the market offering that solution.
Conclusion
With data breaches becoming increasingly common, it is more important than ever to make sure your organization’s critical information is safe from malicious actors such as ransomware and hackers.
Air-gapping can be used as a way of securing this data by separating the system from the primary environment. There are many different ways to do so, with each solution having its own pros and cons.
Before choosing which deployment works for your business, do consider that when it comes to data protection one size does not fit all. Analyze your data lifecycle and talk to a cyber-security expert before making the final decision.
