Implementing air gap security measures for data protection

What is an air gap?

An air gap is a backup and recovery security method that isolates data, systems, and networks and keeps them disconnected to prevent unauthorized intrusion.

Traditionally, air gapping has involved the moving of data from a computer or network to an offline device via a magnetic tape, jump drive, or other removable device while limiting authorized access to the data or system being isolated. While highly secure, this traditional model of data isolation has become incompatible with modern digital business requirements to recover data rapidly to meet service-level agreements.

In contrast, an air gap built for the cloud era serves a modern 3-2-1 backup strategy — three copies of data, on two different media, with one of them in an off-site environment—and effectively balances organizations’ security and agility priorities by safeguarding an immutable copy of data in a managed cloud vault in isolation. Data can then be quickly and easily recovered back to the source or an alternate location in cases of a data disaster and the need for rapid disaster recovery.

Why use air-gapping technology?

Organizations primarily invest in air-gapping technology to prevent bad actors—often using ransomware — from stealing sensitive data and bringing operations to a standstill. Air-gapping technology is especially important in industries with highly sensitive personally identifiable information (PII), such as healthcare and banking. If digitally attacked, an organization that has invested in air-gapping technology could refuse to pay the ransom because it has access to its data offline in a secure vault and can use that information to quickly resume operations.

Air gapping is an effective way to counter threats and meet recent U.S. Cybersecurity & Infrastructure Security Agency (CISA) and U.S. Federal Bureau of Investigation (FBI) guidance about how to protect against ransomware, including these mitigations:

• Back up critical data offline.
• Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
• Secure backups and ensure data is not accessible for modification or deletion from the system where the data resides.

What are the benefits of air gapping?

An air gap creates a physical separation between two systems, such as a secured system, and an unsecured system, such as the internet. This isolation prevents unauthorized access, data breaches, and cyberattacks that may occur through network connections. Here’s why an air gap is valuable:

1. Protection from external threats — By disconnecting systems from external networks, an air gap prevents malicious actors from infiltrating or attacking the secured environment.
2. Defense against cyberattacks — Air-gapped systems are inherently more secure against various cyber threats, including malware, viruses, and ransomware, as these threats typically require an online connection to propagate.
3. Data integrity — The air gap ensures the integrity of sensitive data by minimizing the risk of unauthorized access, tampering, or exfiltration, particularly in highly regulated industries such as finance, healthcare, and government.
4. Preservation of critical infrastructure — Air-gapped systems are commonly used to protect critical infrastructure, such as power grids, nuclear facilities, and military networks, from cyber threats that could lead to catastrophic consequences if compromised.
5. Enhanced confidentiality — Organizations handling sensitive or classified information rely on air-gapped networks to maintain confidentiality, as physical isolation significantly reduces the likelihood of data leaks or espionage.
6. Compliance requirements — In many industries, regulatory standards and compliance mandates necessitate the use of air-gapped systems to safeguard sensitive data and meet legal obligations regarding data protection and privacy.

What are air gapping disadvantages and challenges?

By definition, air gaps are disconnected systems, which can present real challenges for teams tasked with keeping them operational and effective, especially DIY-built cyber vaults. Some of the top challenges are:

• Inconsistent patching and updates — Internal teams building and maintaining air gaps must continually check them to ensure software and hardware updates and patches are installed and current. They must also stay knowledgeable about evolving threat vectors and ransomware types. This oversight can become taxing on already overworked IT staff.
• Insider threats — Individuals responsible for moving data between production systems and external media, such as jump drives for air gapping safety, could potentially make a second copy of the data or inject ransomware into the air gap if they are disgruntled or compensated by cybercriminals to do so.
• Accidental compromise — Humans make mistakes, and air-gapping technology that relies on people to physically move data is always subject to the possibility of human error. This includes leaving a port open that allows a connection to remain persistent when the DIY system should have been manually disconnected.
• Cybercriminal inventiveness — Bad actors today are working to infiltrate every aspect of the hardware and software lifecycle and supply chain. Therefore, they may find ways to deploy ransomware into the air-gapping process in the future.

What are the types of air gaps?

Organizations have a choice when it comes to instituting air gaps in their computing environments, including these types of air gaps:

• Complete physical air gap — This is the traditional method of moving data to be secured in a completely different, physically isolated environment with zero network connections than production systems. Typically, miles from the original source and locked behind physical security boundaries, this data can only be swapped out or used for recovery if someone physically goes to the destination and makes the switch or retrieves it.
• Virtual air gap via network isolation — Digital businesses need to speed up processes should the worst-case scenario of a ransomware attack occur, which isolated air-gap systems do by safeguarding data in separate systems in the same environment. These systems can be in the same data center, even rack, but their data and operations remain isolated because they are connected to different networks.
• Logical air gaps — Another method of air gapping that is better aligned with the need for digital businesses to meet stringent recovery SLAs is a logical air gap. In this case, separate systems stay within the same network but are distanced using methods such as encryption and role-based access control (RBAC). In cases where additional validation is required for access, four-eyes or quorum can be implemented.

How to set up an air-gap network?

The simplest way to set up a virtually or logically air-gapped network is to choose an as-a-service option that enables the organization to safeguard data effectively while also being able to rapidly restore it in the case of a ransomware attack, insider threat, or other disaster—natural or manmade. This data isolation option can improve cyber resiliency by putting an immutable copy of data in a managed cloud vault via a virtual air gap. Moreover, data kept safe this way can be quickly and easily recovered back to the source or an alternate location if and when needed.

Cohesity and air-gap security

Cohesity is advancing virtual air gapping—also referred to as data isolation and recovery technology—for the modern cloud era. Instead of making organizations choose between data security and recovery speed, Cohesity supports both with a virtual air-gap model that uses physical separation, network, and operational isolation to ensure that the vault data and policies are inaccessible to external and internal bad actors, limiting data exfiltration vectors. Its software as a service (SaaS) solution for a wide range of data sources—from virtual machines (VMs) to databases, files and objects—also supports rapid recovery point and recovery time objectives (RPOs/RTOs) with customizable protection policies.

Cohesity FortKnox features virtual air gapping in its software as a service (SaaS) cyber vault, data isolation, and recovery solution to improve cyber resiliency. The solution, which features an immutable copy of data in a Cohesity-managed cloud, significantly simplifies backup operations while lowering costs. As operationally simple as connect, vault, recover, FortKnox enables organizations to both prevent and recover swiftly from cyberattacks.

These are some ways the Cohesity FortKnox solution keeps data safe:

• Creates a virtual air gap through a secure and temporary network connection that is cut off once the data has been vaulted.
• Supports tamper resistance via immutability, WORM, data-at-rest and data-in-flight encryption, AWS Object Lock to prevent changes in retention policy, and separate workflows for vaulting and recovering data.
• Enables access controls through RBAC and MFA to prevent unauthorized access of vault data, and requires at least two authorized personnel to approve critical actions or changes.
• Advances anomaly detection with Cohesity machine learning intelligence, which could indicate a possible ransomware attack.
• Creates operational isolation through Cohesity or customer-managed KMS to prevent authorized users who have access to the backup cluster from accessing or restoring vault data.

With Cohesity, organizations gain a virtual air gap that provides an extra layer of protection for mission-critical data from external and internal bad actors.

As part of the Data Security Alliance, an organization of more than a dozen security industry heavyweights, Cohesity also is teaming with partners to deliver comprehensive advanced data protection and reliance solutions and strategies.