What is an air gap?

An air gap is a backup and recovery security method that isolates data, systems, and networks and keeps them disconnected to prevent unauthorized intrusion.

Traditionally, air gapping has involved the moving of data from a computer or network to an offline device via a magnetic tape, jump drive, or other removable device while limiting authorized access to the data or system being isolated. This traditional model of data isolation, while highly secure, has become incompatible with modern digital business requirements to recover data rapidly to meet service-level agreements.

In contrast, an air gap built for the cloud era serves a modern 3-2-1 backup strategy—three copies of data, on two different media, with one of them in an off-site environment—and effectively balances organizations’ security and agility priorities by safeguarding an immutable copy of data in a managed cloud vault in isolation. Data can then be quickly and easily recovered back to the source or an alternate location in cases of a data disaster and the need for rapid disaster recovery.

Why use air-gapping technology?

The primary reason organizations invest in air-gapping technology is to prevent bad actors—often using ransomware—from stealing sensitive data and bringing operations to a standstill. The use of air-gapping technology is especially important in industries with highly sensitive personally identifiable information (PII) such as healthcare and banking. If digitally attacked, an organization that has invested in air-gapping technology could refuse to pay the ransom because it has access to its data offline in a secure vault and can use that information to quickly resume operations.

Air gapping is an effective way to counter threats and meet recent U.S. Cybersecurity & Infrastructure Security Agency (CISA) and U.S. Federal Bureau of Investigation (FBI) guidance about how to protect against ransomware, including these mitigations:

• Back up critical data offline.
• Ensure copies of critical data are in the cloud or on an external hard drive or storage device. This information should not be accessible from the compromised network.
• Secure backups and ensure data is not accessible for modification or deletion from the system where the data resides.

What are the benefits of air gapping?

There are several benefits to organizations that invest in air gapping solutions, particularly if they adopt an as-a-service model. They include:

• Refusing to pay ransom — An air gap can be like an insurance policy for important data because it’s stored where few people can access it so if and when other data is compromised, air-gapped data can be immediately brought in to resume operations.
• Fast recovery that meets business SLAs — During a ransomware attack, seconds count and teams can use an existing air gap to recover business-critical data quickly and easily to a location of their choice.
• Confidence in data recovery effectiveness and lower costs — Despite teams doing their best to build and maintain do-it-yourself (DIY) data vaults, where IT teams deploy parallel infrastructure to maintain an isolated copy of their data, these setups can be complex and costly to keep updated, reducing budgets and confidence in their effectiveness should an attack occur.

What are air gapping disadvantages and challenges?

By definition, air gaps are disconnected systems, which can present real challenges for teams tasked with keeping them operational and effective, especially DIY-built cyber vaults. Some of the top challenges are:

• Inconsistent patching and updates — Internal teams building and maintaining air gaps must continually check them to be certain software and hardware updates and patches are installed and current. They must also stay knowledgeable about evolving threat vectors and ransomware types. This oversight can become taxing on already overworked IT staff.
• Insider threats — Individuals responsible for moving data between production systems and external media such as jump drives for air gapping safety could potentially make a second copy of the data or inject ransomware into the air gap if they are disgruntled or compensated by cybercriminals to do so.
• Accidental compromise — Humans make mistakes and air-gapping technology that relies on people to physically move data is always subject to the possibility of human error, including the leaving open of a port that allows a connection to remain persistent when the DIY system should have been manually disconnected.
• Cybercriminal inventiveness — Bad actors today are working to infiltrate every aspect of the hardware and software lifecycle and supply chain, therefore, they may find ways to deploy ransomware into the air-gapping process in the future.

What are the types of air gaps?

Organizations have a choice when it comes to instituting air gaps in their computing environments, including these types of air gaps:

• Complete physical air gap — This is the traditional method of moving data to be secured in a completely different, physically isolated environment with zero network connections than production systems. Typically miles from the original source and locked behind physical security boundaries, this data can only be swapped out or used for recovery if someone physically goes to the destination and makes the switch or retrieves it.
• Isolated air-gap systems — Digital businesses need to speed up processes should the worst-case scenario of a ransomware attack occur, which isolated air-gap systems do by safeguarding data in separate systems in the same environment. These systems can be in the same data center, even rack, but their data and operations remain isolated because they are connected to different networks.
• Logical air gaps — Another method of air gapping in better alignment with the need for digital businesses to meet stringent recovery SLAs is a logical air gap. In this case, separate systems stay within the same network but are distanced using methods such as encryption, four-eyes or quorum for changes and role-based access control to maintain logical air gaps.
• Virtual air gap ­— In conjunction with the two digital options above, a virtual air gap is created through a secure and temporary network connection that is cut off once the data has been vaulted.

How to set up an air-gap network?

The simplest way to set up an air gap network is to choose an as-a-service option that enables the organization to safeguard data effectively while also being able to rapidly restore it in the case of a ransomware attack, insider threat, or other disaster—natural or manmade. This data isolation option can improve cyber resiliency by putting an immutable copy of data in a managed cloud vault via a virtual air gap. Moreover, data kept safe this way can be quickly and easily recovered back to the source or an alternate location if and when needed.

Cohesity and air-gap security

Cohesity is advancing air gapping—also referred to as data isolation and recovery technology—for the modern cloud era. Instead of making organizations choose between data security and recovery speed, Cohesity supports both with an air-gap model that uses physical, network, and operational isolation to ensure that the vault data and policies are inaccessible to external and internal bad actors, limiting data exfiltration vectors. Its software as a service (SaaS) solution for a wide range of data sources—from virtual machines (VMs) to databases, files and objects—also supports rapid recovery point and recovery time objectives (RPOs/RTOs) with customizable protection policies.

Cohesity FortKnox features air gapping in its software as a service (SaaS) cyber vault, data isolation, and recovery solution to improve cyber resiliency. The solution, which features an immutable copy of data in a Cohesity-managed cloud, significantly simplifies backup operations while lowering costs. As operationally simple as connect, vault, recover, FortKnox enables organizations to both prevent and recover swiftly from cyberattacks.

These are some ways the Cohesity FortKnox solution keeps data safe:

• Creates a virtual air gap through a secure and temporary network connection that is cut off once the data has been vaulted.
• Supports tamper resistance via immutability, WORM, data-at-rest and data-in-flight encryption, AWS Object Lock to prevent changes in retention policy, and separate workflows for vaulting and recovering data.
• Enables access controls through RBAC and MFA to prevent unauthorized access of vault data, and requires at least two authorized personnel to approve critical actions or changes.
• Advances anomaly detection with Cohesity machine learning intelligence, which could indicate a possible ransomware attack.
• Creates operational isolation through Cohesity or customer-managed KMS to prevent authorized users who have access to the backup cluster from accessing or restoring vault data.

With Cohesity, organizations gain a virtual air gap that provides an extra layer of protection for mission-critical data from both external and internal bad actors.

As part of the Data Security Alliance, an organization of more than a dozen security industry heavyweights, Cohesity also is teaming with partners to deliver comprehensive advanced data protection and reliance solutions and strategies.