What is the Air Gap Backup Strategy? Air Gap Cyber Security, Network and Systems

Introduction

The threat of cyber attack is real today as ever, with the number of data breaches and cybercrimes growing at an alarming pace with every passing year. In fact, these growth rates are so troubling that Cybersecurity Ventures predicts a ransomware attack happening somewhere on the planet every 2 seconds by the year of 2031, with the annual ransomware costs being a massive $265 billion. With data security being this big of a priority for the past few years (and because the trend in question shows no signs of stopping) – it is easy to see why data security has become one of the most prioritized topics for most companies worldwide.

The traditional security approach often had issues protecting data not stored inside the “security perimeter” around the company’s internal network. In its place, a data-centric security approach was presented to these issues. The data-centric security method uses a lot of context to protect the data itself rather than the fixed perimeter.

The definition of air gapping and air gapped backup

Air gapping is a relatively old concept in the context of data security. It is also often the last line of defense against either system failures or malicious acts against a company’s sensitive information. Air gapping is a security measure that uses physical isolation from other devices and networks to prevent unauthorized access to sensitive information.

The shortest way to describe how air gapping works is the word “isolation”. Air gapping implies the physical separation of a device or a network of devices from outside influence, including physical and wireless connections – meaning that FTP clients, browsers, and email clients within this network are entirely disconnected from the rest of the world.

Airgapped backups follow the same logic – these are system backups stored in a very particular manner, completely severing the ability of airgapped data to be connected with the rest of the infrastructure. It is one of the most basic protections against modern forms of ransomware that can now find and affect backups alongside original files.

Different types of air gapped systems

There is not only one single air gap security standard that should be followed. In fact, there are different types of air gap backup strategy, such as:

1. Logical air gapping is a somewhat unusual or “impure” type, since the very definition of air gapping implies that there needs to be a physical isolation for the concept to work. However, logical air gapping aims to keep the devices or systems within the same network physically – but separates them logically. There are multiple ways to perform this kind of separation. Most require  advanced systems and technologies, such as a combination of RBAC (role-based access control) and data encryption.
2. Isolated air gapping is having a system located in the same environment as the rest of the devices but not connected to the same network. This arrangement can be useful in some cases but also defeats the purpose of air gapping to a certain degree.
3. Physical air gapping is the leading case we discussed above – a complete physical separation of a system or network, including hardware and software. A complete separation of hardware is for this air gapping type, and there are also many cases when additional security measures are installed for this new remote location – mostly revolving around physical access restrictions.

Variations of an air gap backup strategy

Air gap backup strategies can be tricky since only so many storage methods can support this technique. We can use two main categories to explain different variations of air gap backups: cloud and tape.

Cloud

Cloud storage, both public and private, fits within the definition of air gapping on a technicality since the data in question is stored within a cloud storage separate from the original physical infrastructure. That way, ransomware cannot travel from the physical infrastructure to the cloud storage.

Some cloud storage providers also have specific services for long-term data archival as a direct countermeasure against ransomware. It is usually cheaper and takes longer to retrieve when necessary. However, the fact that this data cannot be accessible immediately is another layer of protection that technically fits within the term “air gapping”.

Tape

Tape backup is often considered the “original” air gap backup strategy since it readily lends itself to physical separation from any network when the actual tape is removed from the drive. Therefore, tape storage is a perfect environment for offline, air gapped data storage. To be clear, the tape itself can even be ejected from the tape storage after the writing process is done – creating a complete physical separation between the data copy and its original version.

The need for manual interaction with tape storage is not always in harmony with the ongoing digitalization and automation of the backup industry, where there has been a trend towards “always on” IT architectures. However, that trend developed before the massive increase in ransomware attacks, and it is a small price to pay for a highly effective data protection measure against ransomware and other attack types.

On that note, another backup tactic is worth mentioning in the context of air gapping, even though it is not the same process. The tactic in question is called data immutability.

Immutability vs air gapping

Air gapping as a topic shares plenty of similarities with another element of the backup industry – data immutability. Both immutable and air-gapped backups are supposed to provide some form of protection against ransomware while also adhering to necessary compliance frameworks. However, there are several differences between them, as well.

Immutable storage’s most significant potential factor in cost increases is the company’s exponential growth and the subsequent data storage volume growth. Alternatively, air gap backups would have a cost increase in the long run because of the need to maintain the proper physical state of the air-gapped storage (such as tape).

The recovery time objective values also differ significantly between these backup strategies. Immutable storage is faster on average but also susceptible to many issues that air gapping does not have to deal with, be it impersonation, network failure, etc.

At the end of the day, both strategies contribute significantly to a successful backup strategy. They do not have to be mutually exclusive, either – there are plenty of examples of immutable backups and air gapping technologies operating in unison for better data protection, improved data resilience, and so on.

Air gap security vulnerabilities

Air gapping provides a considerable and highly significant level of protection for your backups against cyber threats. However, it is important to understand that air gapping is not a solution to every backup security problem. Air gapped backup systems have their issues and vulnerabilities, even though most of them are extremely case-specific and are unlikely to be used by anyone without actual malicious intent.

As we have mentioned before, while infecting or influencing an air gapped backup system using wired or wireless networks is extremely difficult, there can actually still be (albeit rather exotic!) ways of breaching air gapped backups. For example, a solution called AirHopper was presented in 2014, showcasing a way to transfer data from an air gapped backup system to a mobile phone with a bifurcated attack pattern transferred via FM frequency signals.

Another method (published in 2015) called GSMem uses a similar idea of extracting data from an air gapped system – but this one uses cellular frequencies to do so, using a standard internal bus that can be connected to almost any regular computer.

There are also multiple pieces of research on how infected USB devices can leak data from air gapped systems – ProjectSauron is one such example, being discovered in 2016 (even though it operated undetected for about five years before that) and showcasing how hidden Windows partitions can be used as transport channels from an air gapped system to a regular computer.

Near-field communication (NFC) was also a technology transformed into a gateway for air gapped systems, with a solution called NFCdrip that was presented in 2018. It also showcased how NFC has far greater capabilities than most people think of – offering up to 100 meters of effective range in specific cases.

Of course, these are just a few examples of how a person can theoretically access air gapped systems experienced enough in these technologies. However, it is worth noting that much of this research was performed as a proof-of-concept rather than a ready-made solution for breaking into air gapped systems.

Benefits of an air gapped backup system

• Immunity to most security threats. The biggest reason why air gap backups are considered advantageous in terms of security is rather simple – the overwhelming majority of security threats are spread via either the Internet or the ability of workstations and regular PCs to connect, as well as to all kinds of other, different devices.
• Helpful addition to existing backup security measures. The overall state of an air gapped system that acts as a backup copy is also a great way to counter some of the more unconventional methods that ransomware or insider threats may bring. One such problem is when a virus or a malicious person attempts to sabotage every copy of the company’s data before tampering with the original – to ensure no recovery is possible from a ransomware attack or a data deletion event. As such, the isolated nature of an air gapped system makes it much harder for this kind of sabotage to be 100% successful, improving the company’s chances of recovering. However, it should be made clear that some vendors describe their product as “Air Gapped” when there is no actual physical separation of the storage device. Bacula urges readers to beware of this claim.
• Easier legacy hardware or software deployment. On the topic of air gapping advantages, one of them can be regarding legacy software. The lack of Internet connection can make it possible to deploy sensitive legacy software in a more reliable way when it is in an air gapped environment, ensuring that it would not be able to accidentally update itself to a newer version and potentially become unusable for its intended use. The use of legacy software does have its risks; however, it is difficult for some software types to be updated often enough to keep up with the overall speed of technological development, especially when it comes to particular software or hardware.

Another advantage of air gapping is its complementary qualities in ensuring that at least one copy of a company’s data survives no matter what. In this context, air gapping is integral to the well-known “3-2-1” backup strategy already used by many organizations.

Backup strategies: 3-2-1 and 3-2-1-1-0

The gist of the “3-2-1” backup rule is that there should always be at least three copies of your data at all times, with at least two different storage mediums involved in storing your backups, and at least one copy of your data is always stored offsite – away from your company’s internal network and physically far from the main office’s location. The last part of this rule – a backup copy stored offsite – is a perfect use case for air gapping to be implemented, ensuring that your data cannot be lost completely, no matter what kind of issue you encounter.

Of course, the “3-2-1” backup strategy was introduced long ago, and the industry has changed multiple times since then. Air gapping is just one of many examples of how new technologies are being introduced in this field to improve data security. In this context, new versions of existing strategies also start appearing. One such example is the “3-2-1-1-0” backup strategy, acting as an extension of the previously mentioned “3-2-1” strategy.

The strategy in question expands upon the logic of the “3-2-1” strategy. It adds the need for at least one copy of data to be completely offline and air-gapped while also performing data integrity checks on backed-up data to ensure no corrupt or missing elements. That way, the ransomware attempts to affect backup data, and potential human errors are either solved or severely mitigated.

However, it is also important to remember that air gapping is not necessarily a perfect solution to all security problems. There are multiple issues that the air gap security approach has, ranging from general inconvenience to a significant downside in the form of the human factor.

Shortcomings of an air gapped backup system

• Difficulties interacting with an air-gapped backup storage. The problem in question includes potential extra work involved in adding, modifying, and removing data from an air gapped storage device. Since all of the wired and wireless connection interfaces are removed, the only way to access these storage devices is to use some sort of external attachable method of data transferring – and of course, that’s the whole point of air-gapping.
• “Human factor”. Since the entirety of interactions with an air gapped system typically relies on human input in the first place, there is always a chance that one of the security measures in place may not be reset correctly or secured properly enough, creating a gateway for attackers to use. Examples could be an unlocked door, an unguarded USB port, or even a malicious employee. There are also problems with regular security updates and IoT appliances near the server. However, both can be worked around if enough attention is put to the task.
• Problematic management. The issue here is the sheer practicality of managing such a system, systems, or standalone networks that need to be air gapped. An example of that could be a large military airport. A worker or a third party with malicious intent could affect or compromise it. The sheer volume of people and IT Systems increases the danger of compromise; large military airports typically have processes that often require dozens, if not hundreds, of people within their physical perimeters; it is easy to see how this becomes a problem for the concept of an air gap. It may be difficult to implement and continuously enforce security measures (such as air gap backup strategy), including monitoring and controlling everyone near USB ports or tape drives.

As such, there are both advantages and disadvantages to an air gapped system. It has the potential to be an excellent security option. However, the amount of work needed to strengthen it is why some organizations only use air gapping for some of their most critical data.

Examples of air gap cyber security systems

Here are some examples of air gapping use cases:

• Both state-level and national lottery game servers have to be completely isolated by default to exclude any possibility of lottery fraud.
• Stock exchanges and other financial computer systems have to be air gapped for a similar reason: the possibility of fraudulent information being distributed.
• Life-critical systems in many forms have to be air gapped – and there are many examples of such systems, from computerized medical hardware and aviation control systems to nuclear power plant controls. The disastrous consequences of even one of these systems being compromised illustrate why all of them may have to be air gapped.
• Industrial control systems in various fields must have only the best possible security measures for several reasons. A good example is the field of Oil and Gas production, with SCADA (Supervisory control and data acquisition) systems needing protection.
• Many government-related networks and systems must be air gapped, as well as military networks, nuclear power stations, etc.

Note, some versions of these systems may not be considered as truly air gapped anymore because some of them have added features that allow them to establish a temporary connection to either the Intranet, or the public Internet – be it for the sake of security updates, monitoring, or data transfer.

Air gap backups and compliance

The recommendation – or even requirement – for using the 3-2-1 rule (and air gapping as its extension) is included in multiple well-known compliance frameworks. Some of the most popular examples are HIPAA, GDPR, PCI, and NIST. In our example, it would be wise to explain the reasoning behind such a necessity using one of these frameworks – NIST.

The National Institute of Standards and Technology Cybersecurity Frameworks exists to provide all kinds of businesses with a clear and concise understanding of how sensitive information of theirs can be protected and managed. It is a voluntary framework by nature; it acts more as a set of guidelines on what practices and methods businesses can use to safeguard their information, focus on potential weak spots, etc.

It is worth noting that backup solutions may have different interpretations of NIST standards, offering better (or worse) tools and methods for being NIST-compliant. For example, air gapping and immutability can have different interpretations in the context of various backup software. Another good example is the variety of data types the solution can seamlessly work with.

Meeting various compliance requirements in the context of air backups specifically and backup security as a whole requires a qualified and comprehensive backup solution with several approaches for specific IT requirements, various backup-centric tools, support for many storage types, etc.

Conclusion

Air gapping is a concept that offers a practically unprecedented level of security for a company’s most essential and sensitive data. Air gapping remains a popular data security approach to this day, safeguarding the information of hundreds and thousands of companies. As a result of frequent ransomware attacks – that even target backup and recovery systems themselves, air gapping is, to some extent, back in the spotlight.

For the many organizations that require air gapping as part of their security strategy and business continuity needs, Bacula Enterprise offers especially secure, advanced and flexible software to quickly and easily provide highly secure backup and recovery, integrating air gapping methodologies into even the most complex IT environments.

Bacula is used by some of the largest defense organizations in the world, as well as a large number of medium and large companies that treat security and Business Continuity as paramount. Bacula’s software architecture and specific security features make it exceptionally robust against ransomware and other malware, when compared to other backup and recovery vendors. Bacula recommends that any organization’s data protection is taken exceptionally seriously; please contact Bacula to speak with a senior expert in highly secure backup and recovery software.