Data isolation is physical, network, and operational separation of data to keep it safe from external cyberattacks and internal threats, and it can have many forms. While traditional air gaps isolate data physically and electronically yielding strong security, they do not support the recovery time objectives (RTOs) nor recovery point objectives (RPOs) of today’s 24/7 organizations.
The solution is a modern data isolation strategy with ‘virtual air gap’ technology that protects backups with temporary network connections and very strong access controls, while further isolating data with the cloud, as needed. This method provides a tamper-resistant environment with the extra protection needed to ward off ransomware and insider threats.
Along with ransomware, data theft and sabotage represent urgent risks for organizations. Cybercriminals leverage stolen data for fraud, identity theft, and extortion. These challenges create a mandate for vendors to introduce and organizations to adopt strong security for data management. In practice, that means a data management platform that can resist and actively defend against data-centric threats. To support these requirements, new data isolation technology and techniques have emerged as key capabilities to support cyber resiliency, including isolated or air gapped backup data stored in the cloud or at another location with temporary, but highly secure, connections.
Data isolation is a security strategy based on the idea that disconnecting data from the network and creating physical distance between it and the rest of the organization’s IT environment can add an impenetrable barrier against harmful events or people. With data isolation—via an cloud air gap, air gapped backup, or an air gapped copy of data—it becomes extraordinarily difficult to access, steal, or corrupt data.
In situations where valuable data has been destroyed or encrypted for ransom, organizations that practice data isolation can remain resilient because they always have a pristine copy of data that has been safely kept separate from the compromised environment.
Organizations can implement varying degrees of data isolation. These range from completely disconnecting systems (physically and virtually) to having transient network connections coupled with layered access controls. The key is to balance the isolation method with business continuity needs. Each isolation technique boosted by air gap technology must support the organization’s RTO/RPO objectives.
Innovative isolation solutions that leverage strong access controls and temporary network connections have emerged because complete physical and electronic isolation (i.e., the textbook air gap definition) does not support most needs for today’s enterprises.
You can physically isolate data by putting units-of-measure distance (e.g., kilometers, miles, etc.) between the original environment and the location where copies of that data are stored, making it impossible to access this off-site data through the network because no connections exist. Backup tapes are an example of physical data isolation. Once the tape is taken out of the drive and transported to an off-site warehouse, it is isolated until it is needed. The advantage of a physical data isolation scheme is that the data can’t be accessed, corrupted, or overwritten unless someone has access to the actual tape.
However, physically isolating data has its challenges. Enterprise data has grown so large that it requires a lot of tape or other physical media to completely back up. Then, there is the cost of transporting and storing the media in off-site repositories. This must be done at minimum on a daily basis for the isolation to deliver value. Moreover, recovering data from a physically isolated spot is slow—too slow when a system crash or cyberattack has encrypted, corrupted, or destroyed production data.
Other data isolation methods are available, however. Specifically, there are virtual ways of isolating data, including cloud air gap. Most of these involve making immutable copies of data, which prevents them from being maliciously overwritten or deleted.
Isolation or air gapped backup is achieved with temporary (versus persistent) connections and strict access controls for both data access and backup settings. Optionally, data can be further isolated to cloud storage, creating an cloud air gap. This is a much cheaper and easier way to protect and manage data, while allowing organizations to recover their data quickly in case of a problem.
Cloud computing is becoming a popular method for enterprises to ensure data isolation. By trusting a public cloud provider to protect replicated data that can only be accessed by a secure connection brought up and down in the same instance, enterprises gain confidence. Should ransomware or disaster strike, their off-site data (or air gapped data copy) would be available in near real time in an cloud air gap.
Cohesity has pioneered an approach to data isolation that starts with a patented, distributed file system. keeps backup data in immutable snapshots—where data can not be deleted or changed until the user-defined expiration of the data is reached. The data can be accessed in read/write mode by cloning those immutable backup snapshots.
By using write-once, read-many (WORM) technology, Cohesity offers another layer of protection against ransomware attacks. This capability enables the IT operator to create a time-bound lock to a snapshot and achieve a higher order of immutability for protected data—something that even security officers and admins cannot modify or delete.
In addition, Cohesity has pioneered the Quorum capability that requires two or more people to allow changes to configurations and settings. This prevents unilateral changes from any single administrator or user.
Finally, Cohesity enables policy-based data isolation of organizations’ mission-critical data to another Cohesity cluster/site/cloud location where an immutable replica of the snapshots can be stored.
Unlike legacy isolation approaches, where isolation and air gap technologies can be compromised due to replication of encrypted or ransomware-affected data in an air gap, replicating data to another remote Cohesity cluster or site does not affect the air-gapped copy because of the immutable snapshots on that site or cluster.
Isolate your data to strengthen your security posture.