Air gapping and virtual air gapping are both important strategies for keeping data safe by isolating it. These are some key ways the two processes differ.
Traditional air gapping refers to a security approach in which data on a storage device is physically isolated from any networks, such as the IT network or the public internet. Because there’s no direct network path to the isolated data, it’s extremely difficult for malicious or otherwise unauthorized actors, such as ransomware attackers, to gain access to it. Backing up data onto tapes and putting them in an off-site (and off-line) storage facility is a time-honored way of air gapping. The advantage of this physical separation is that the data can’t be accessed, corrupted, deleted, or overwritten unless someone has access to the actual physical tapes.
The advantage of traditional air gapping is the very high degree of security it provides. The drawback is that data transfer between an air-gapped system and any other system is cumbersome and usually requires manual intervention, such as carrying USB drives. Although air-gapped systems are protected from many remote cyber threats, they remain vulnerable to physical threats and to attacks that ride along with the data being transferred into the system.
A virtual air gap is when a storage device holding data has an electrical connection to a network but is kept logically separate. Because of this, the data cannot be viewed, much less deleted or changed in any way, by anyone but those with validated credentials and successful multiple factors of authentication. The copy of the data is also encrypted and immutable. (Immutability means data can’t be altered, copied, or deleted in any way.)
Virtual air gapping is a much cheaper and easier way to protect and manage data than air gapping, allowing organizations to recover their data quickly in case of an issue.
Virtual air gapping simulates the isolation of a traditional physical air-gapped data set while making it easier—and much faster—to recover data when required. Although multiple backups might be on the same physical hardware or even connected to external networks, they operate as if they are separate. This is useful when complete physical data isolation is impractical or when there's a need for some connectivity but with tightly controlled and monitored access. With a virtual air gap, the combination of stringent controls, rigorous monitoring, and best practices can provide robust protection.
A virtual air gap is different from a traditional air gap—a backup security method that relies on physical data
Many virtual air gap setups use virtualization hypervisors to create multiple but isolated virtual machines (VMs) or containers. Each VM or container acts like an independent system, even though they share the same physical hardware. Virtual local area networks (VLANs) or software-defined networks (SDNs) can also be used to segment a network in a virtual air gap backup.
A firewall (or multiple firewalls) is usually configured with stringent rules to restrict data flow. This often involves default deny rules, where all communications are blocked by default unless explicitly allowed. One-way communication gateways called data diodes are also used to ensure that data can flow in only one direction, further mimicking a physical air gap’s property. This is especially useful when data needs to be periodically extracted from a protected environment, but there should be no possibility of data going the other way.
When it comes to accessing data backups that are virtual air gapped, multifactor authentication (MFA) ensures that different segments or VMs can’t communicate with each other without going through tightly controlled points of entry using multiple forms of authentication.
Role-based access control (RBAC) or attribute-based access control (ABAC) are also required to ensure that only authorized personnel can access the isolated environment and are only able to perform actions they’re permitted to do.
Finally, continuous monitoring—often using artificial intelligence and machine learning (AI/ML)—and extensive logging are critical to successful virtual air gapping. This ensures that any anomalies or unauthorized attempts to breach the virtual air gap can be detected and addressed promptly.
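The access controls described above (MFA on every session, RBAC per action, an immutability lock on backup copies, and a log of every decision) can be combined into a single gate. The following is an added illustration, not Cohesity code; the role table, session and copy objects, and the retention period are all hypothetical:

```python
# Added example: a minimal access gate for a virtually air-gapped backup
# vault. Every request must pass MFA, then RBAC, then the immutability
# (retention) lock, and every decision is appended to an audit log so that
# repeated denials can be surfaced as an anomaly.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical role table: the actions each role may request on a copy.
ROLE_PERMISSIONS = {
    "backup-operator": {"read", "restore"},
    "vault-admin": {"read", "restore", "delete"},
}

@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool            # second factor completed at login

@dataclass
class BackupCopy:
    name: str
    retention_until: datetime     # immutability lock expiry (UTC)

@dataclass
class VaultGate:
    audit_log: list = field(default_factory=list)

    def authorize(self, session, copy, action, now):
        """Return True if the action is allowed; log every decision."""
        reason = "allowed"
        if not session.mfa_verified:
            reason = "denied: MFA not verified"
        elif action not in ROLE_PERMISSIONS.get(session.role, set()):
            reason = f"denied: role {session.role!r} lacks {action!r}"
        elif action in {"delete", "overwrite"} and now < copy.retention_until:
            reason = "denied: immutability lock active"   # even for admins
        self.audit_log.append(f"{now.isoformat()} {session.user} {action} {copy.name} {reason}")
        return reason == "allowed"

    def denied_count(self, user):
        """Simple monitoring hook: how many requests by this user were denied."""
        return sum(1 for e in self.audit_log if f" {user} " in e and "denied" in e)

def demo():
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)          # constructed clock
    copy = BackupCopy("db-2024-05-31", now + timedelta(days=30))
    gate = VaultGate()
    admin = Session("alice", "vault-admin", mfa_verified=True)
    no_mfa = Session("bob", "vault-admin", mfa_verified=False)
    operator = Session("carol", "backup-operator", mfa_verified=True)
    results = (
        gate.authorize(admin, copy, "restore", now),                        # True
        gate.authorize(no_mfa, copy, "read", now),                          # False: no MFA
        gate.authorize(operator, copy, "delete", now),                      # False: RBAC
        gate.authorize(admin, copy, "delete", now),                         # False: lock
        gate.authorize(admin, copy, "delete", now + timedelta(days=31)),    # True: lock expired
    )
    return results, gate
```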
Although physical air gapping offers the utmost in isolation by entirely cutting off any form of connectivity, virtual air gapping better balances the need to protect sensitive data with fast, easy data restores.
Virtual air gapping gives organizations greater flexibility than physical air gapping while still offering robust security. It's most useful when complete physical isolation is impractical; when rapid recovery of backup data is essential to keeping the business operational; and when some degree of connectivity is required, albeit with strong and highly controlled authentication and access.
With increasing threats on sensitive data—particularly the accelerating rise in ransomware attacks—there is little doubt that organizations need an air gap of some kind. Whether the company needs a physical or virtual one depends on several factors.
A physical air gap will provide a high degree of protection, but it is more expensive to implement and manage. Everything must be done manually. Moreover, manual steps raise the risks of errors or malicious actions by anyone involved in the process.
A virtual air gap gives the organization much of the same protection as a physical air gap while also allowing teams to access air-gapped data assets from anywhere in the world with proper authentication and role-based access control (RBAC). Organizations can create these air gaps in just a fraction of the time, operational costs are lower, and staff can restore data in time to meet the strict SLAs required by the modern business world.
But precisely because virtual air-gapped backups are accessible online, teams do have a risk that cybercriminals will succeed in compromising the network. That’s why it’s important to be sure the virtual air gapping solution includes encryption and immutability. Ultimately, a solid business case exists to perform virtual air gapping of backup data.
Air gaps are an important aspect of the 3-2-1 backup rule, as well as the newer variants that evolved from it: 4-3-2 and 3-2-1-1-0 backup rules.
The 3-2-1 rule specifies that organizations should make three backup copies of their data. Two of them should be on-site, albeit on two different kinds of media. But one should be off-site, and preferably air gapped either physically or virtually. 4-3-2 and 3-2-1-1-0 also specify air gapping—which can be performed physically or virtually—as well as immutability as protective measures.
The growing volume and severity of cyberattacks drive businesses to strengthen their data backup security schemes. Many teams attempt to follow the NIST Cybersecurity Framework with a multi-layered, defense-in-depth strategy that includes immutability to avoid data modification or erasure, encryption, and virtual air gapping for data isolation. Organizations investing in Cohesity data security and management have a running start. Cohesity is a purpose-built platform for securing data backups in ways that include all these things and more.
Cohesity recognizes that data isolation through air gapping and virtual air gapping is not a replacement for other backup and recovery or disaster recovery (DR) solutions but a way of bolstering them with an extra layer of protection. Air gapping, as defined by NIST, requires organizations to keep at least one copy of their data physically air gapped for extra security. However, Cohesity points out that this makes it difficult for businesses competing in the digital age to meet their recovery time and recovery point objectives (RTO and RPO).
As a result, the data security and management leader has proposed virtual air gapping as a better alternative. With a virtual air gap, backup data is stored in the cloud or another location with a temporary and highly secure connection. This provides a tamper-resistant environment that protects against ransomware and insider threats and supports the organization’s stringent SLAs.
Learn more about Cohesity FortKnox.