Most IT professionals think about backups when they’re considering data security, but is that really enough? Data can still be breached with a backup.
There is a way: the best way to protect data from being stolen is to implement air-gapping and immutability along with backups.
Air gapping does for software what social distancing does for people: it wards off infections. It’s a backup and recovery strategy that stops malicious agents from infiltrating, strengthens the security posture in hyper-converged infrastructure (HCI), and plays a crucial role in recovery procedures such as disaster recovery (DR) plans. By isolating critical backups from network access, the air gap method provides a crucial safeguard, ensuring vital data remains out of reach.
In this article, we will explore what air-gapped backups are, the different types of air-gaps and backup models and limitations, and more.
Table of Contents
- What is Air Gap?
- Understanding Air Gap Backup
- Air Gap and Immutable Backups
- Air Gap Backups and Disaster Recovery: How Do They Relate?
- Implementing an Air Gap Backup
- Challenges of Air Gap Backup
- Air Gapped Backup: Is it Right for your Business?
- Cloud4C: Your Mission-critical Continuity Partner
- Frequently Asked Questions (FAQs)
First and foremost -
What is Air Gap?
Air gap is a fundamental concept of storage and backup. According to the National Institute of Standards and Technology (NIST), Air Gap is an interface between two systems which:
(a) are not connected physically, and
(b) no logical connection is automated (i.e., data is transferred through the interface only manually, under human control).
In the past, air gaps were the gold standard for protecting operational technology such as thermostats or home appliances. Now that almost everything is connected, either via wireless or wired networks, a stringent air gap process is critical to keeping a good copy of data available for recovery. In networked environments, hackers can exploit almost any entry point, even via a system with all wireless and wired signals disabled. In the most closed systems, holding highly secure data, many IT professionals disable all USB ports and use a Faraday cage to block all wireless transmission and prevent electromagnetic leakage. With their ability to isolate critical volumes from the primary environment, air-gapped networks provide reliable ransomware protection to enterprise workloads.
That brings us to, what is Air Gapped Backup?
Understanding Air Gap Backup: Data's Underground Bunker
The concept of an air gap backup, a backup copy stored on a storage infrastructure that is not accessible from an external connection or the internet, has been around for decades. It is implemented by storing the backup data on a separate physical device, like an external hard drive or a tape drive, and disconnecting that device from the network or computer after the backup is completed. This physical separation ensures that the backup data is not vulnerable to threats that can infect and encrypt data on connected systems.
Organizations with high-security requirements, such as government agencies, financial institutions, and healthcare providers, often use air gap backup as an additional layer of protection against data loss or theft.
Air gapped backup typically plays an important role in the 3-2-1 backup strategy, which calls for three copies of data, on two different types of media, with one copy off-site. Depending on how the air gapped backups are set up, they can be differentiated into 3 main types:
1) Physical Air Gaps:
When the target storage is physically isolated/disconnected from the production network, it’s called physical air gapping. One example is a power-off configuration, in which the node is powered off whenever data is not being read or written. When powered off, there is no physical network connection between the air-gapped node and the production environment.
Another example is a server with no WAN or LAN connection interfaces. In such a case, establishing a remote connection with that server, whether by accident or deliberately with malicious intent, is impossible. Additionally, this standalone air-gapped environment can stay secure and stable if an emergency occurs at the main site or data center.
2) Logical Air Gaps:
When the target storage is physically connected but logically isolated/disconnected from the network, it’s called logical air gapping. It’s important to note that even though the logically air-gapped storage is physically connected, it remains isolated via various logical processes such as role-based access controls, multi-factor authentication (MFA), software-defined networking, etc. Logical air gapping acts as a trade-off between security and convenience.
3) Cloud Air Gaps:
What good is cloud infrastructure that’s not connected to the internet, right? It might just save the organization.
Cloud air gaps are operated by backup service providers. Organizations can send backup data to the cloud, and the providers will move the data to immutable storage on logically air-gapped volumes. Cloud air gaps add the extra benefit of offsite storage. However, users are bound by the specific practices of the provider. Many reputable service providers also offer a range of options and packages to suit organizational requirements. Most hyperscalers are stepping up to fill the need for heightened security with air-gapped cloud solutions.
For instance:
Amazon (AWS) has had its air-gapped Outposts and Snowball Edge products on the market for years now. Microsoft, meanwhile, offers an air-gapped version of Azure in the form of its Azure Government Top Secret cloud, which launched in 2021.
Google Cloud rolled out air-gapped infrastructure with the debut of Google Distributed Cloud (GDC) Hosted last year and followed up last month with the debut of an air-gapped version of Google Distributed Cloud Edge.
Air Gap and Immutable Backups: How Do They Differ?
We read the term “Immutable storage” above, but what is it?
Immutable storage is a way to store data that, once saved, cannot be changed or deleted, either indefinitely or for a set period of time. Based on the concept of write-once-read-many (WORM) data security, immutable storage files can be viewed but never edited, altered or otherwise changed.
The difference between immutable storage and air gap backup is not a matter of the file storage itself, but the process of where and how that storage is kept. Indeed, the data stored in an air gap backup is likely to be immutable data. However, immutable storage by itself is not necessarily air-gapped and can be stored on a device that has network access.
Air Gap Backups and Disaster Recovery: How Do They Relate?
In the context of disaster recovery, air gap backups serve a similar purpose as cloud storage or immutable backups. An air gap backup simply provides another redundancy by maintaining another immutable backup that cannot be altered or deleted.
What sets the air gap apart from other types of data backups is the physical or logical separation from network access. By keeping an air gap backup offline in a secure location, the threat of an attack or accidental corruption over the network is removed completely.
The 3-2-1-1-0 Air Gap Backup Strategy in Disaster Recovery
Fairly new, compared to the 3-2-1 backup strategy, the 3-2-1-1-0 backup strategy is a widely recommended approach in DR for ensuring robust data protection. It dictates that an organization should have:
- 3x copies of data
- Stored on 2x different media types
- 1x copy kept off-site
- 1x copy air-gapped or offline
- 0x errors after backup verification.
Implementing an Air Gap Backup
Implementing an air gap backup involves several steps.
- First, identify and sort the data that needs to be backed up. This typically includes mission-critical data and sensitive information.
- Next, determine the backup medium – it could be an external hard drive, tape drive, or even a removable flash drive, depending on the volume of data to be backed up.
- Once the backup medium is chosen, copy the data to the device using backup software.
- After the backup process is completed, disconnect the backup device from the network or computer, creating the “air gap.” It is crucial to store this device in a secure, offsite location to protect it from physical threats such as theft or natural disasters.
- Regularly update backups according to a predetermined schedule, connecting the backup device only during the backup process. Many experts also advise testing the recovery process periodically to ensure that data can be restored when needed.
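The verification part of these steps can be scripted. The following is an added example, not code from the original article or from any backup product: it builds a SHA-256 manifest of the source before the copy, then checks the backup medium against that manifest so the device is only disconnected after a run with zero errors. The function names, directory names and sample files are assumptions made for illustration, and `shutil.copytree` stands in for the backup software.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_copy(manifest, backup_root):
    """Return (path, problem) tuples; an empty list means 0 errors."""
    backup_root = Path(backup_root)
    errors = []
    for rel, digest in manifest.items():
        target = backup_root / rel
        if not target.is_file():
            errors.append((rel, "missing"))
        elif sha256_file(target) != digest:
            errors.append((rel, "digest mismatch"))
    # Files on the medium that were never in the source are also suspicious.
    extra = set(build_manifest(backup_root)) - set(manifest)
    errors.extend((rel, "unexpected file") for rel in sorted(extra))
    return errors

def demo():
    """Constructed sample data: back up two files, verify, then corrupt one."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "removable_media")
        (src / "db").mkdir(parents=True)
        (src / "db" / "ledger.dat").write_bytes(b"constructed sample ledger\n")
        (src / "notes.txt").write_bytes(b"constructed sample notes\n")
        manifest = build_manifest(src)       # taken before the copy
        shutil.copytree(src, dst)            # stands in for the backup software
        clean = verify_copy(manifest, dst)   # must be [] before disconnecting
        (dst / "notes.txt").write_bytes(b"tampered\n")  # simulated corruption
        damaged = verify_copy(manifest, dst)
        return clean, damaged

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the backup device itself, so that damage to the device cannot also alter the record it is checked against. The same `verify_copy` call can be reused during periodic recovery tests by pointing it at the restored directory.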
Remember, air gap backup is just one part of a holistic data protection strategy and should be complemented with other security measures, such as firewalls, antivirus software, identity and access authentications, and employee cybersecurity training.
Challenges of Air Gap Backup
It’s always good practice to examine both sides of a strategy to decide whether it’s right for you. There are some valid challenges to air gapped backups.
- Energy and Time Consumed: One of the largest complaints involves the extra energy and amount of time it takes to tend to an air gapped system. When a company is scrambling to recover important data, time is everything. Every second spent trying to restore information can be critical to disaster recovery efforts. While air gap systems are one of the most secure ways to recover data - mainly in physical air gap systems.
- Uncertainty Around Type of Air Gap System: Another possible issue to consider when using an air gapped system is choosing which kind to leverage. A logical air gap system comes with online access. While security controls can be excellent measures for protecting data, the potential for network connectivity exists. This may require additional security measures and access controls.
- Safety of the Physical Object Storing Data: A possible downside is the actual physical structure of the system that stores the data. As information is stored in a specific location, and on removable devices, it creates an opportunity for others to corrupt or steal data. Some companies assign designated people, special clearance or responsibility for access to this system to lower the chances of it being compromised.
Air Gapped Backup: Is it Right for your Business? Are you Ready For it?
When trying to decide whether or not leveraging an air gap backup is right for your business, one must consider various factors. Several questions come to mind.
- How sensitive is the company’s data? If company data includes sensitive information that poses issues with privacy, government information, or anything else that needs optimal security and protection, one would want as much security as one can possibly get for the network.
- How confident is one about their employees? If the workforce is reliable and trustworthy, there may not be a need to be as concerned about systems being compromised.
- Is it a large or small business? Larger companies have more resources for securing their networks. If additional security measures are needed to protect data, larger companies may have the capital and IT staff to create a strong air gap strategy. They may also feel the costs outweigh the negative effects if they were to be in violation of Regulatory Compliance laws (GDPR, CCPA, CPRA, PCI, and many others). Smaller companies may not have the financial backing or expansive staff, but having fewer employees can be easier to manage. It could be easier to oversee an air gap system and, therefore, keep it secure.
Some more questions to consider would be:
- Has the infrastructure been audited to determine which assets are network-connected? This is important information to have before instituting an air-gapped defense system.
- Is there a commitment to implementing additional security measures, such as immutability or access control, to go alongside air-gapping itself?
- Is there realization and acceptance that air gapped backups are slower and may not match the high availability of cloud backups?
- Is the budget enough to accommodate the expense? Air gap systems may be costly to implement.
These are only a few questions an organization might want to consider. Of course, every company is different, as are its needs. Security service providers can offer air gapped backups for any system that needs ultimate protection, whether it belongs to a company or an individual. An MSSP like Cloud4C comes with the expertise.
Cloud4C: Your Mission-critical Continuity Partner
Cyberattacks cost organizations millions and take nearly a year to detect and contain. Implementing air-gapped protection is not a security measure to be taken lightly: it's an imperative.
As an expert MSSP, Cloud4C's air-gapped backup capabilities provide complete defense against data breaches and ransomware attacks by ensuring that backup data remains isolated from production environments. Utilizing a combination of physical and logical air gapping, multi-cloud strategies, and immutable storage options, Cloud4C guarantees that backup data is protected and recoverable even in the most severe scenarios. This approach not only improves data security but also ensures compliance with stringent industry regulations.
Beyond air-gapped backups, Cloud4C offers a suite of security solutions designed to strengthen an organization's overall data protection strategy. Our managed disaster recovery (DR) services, including Disaster Recovery as a Service (DRaaS), automate recovery processes across hybrid and multi-cloud environments. With features such as policy-driven data management, regular drills, and compliance consulting, Cloud4C ensures that businesses can respond to disruptions in no time, while maintaining operational continuity. Cloud4C also comes with certified expertise across leading cloud platforms like AWS, Azure, GCP, and Oracle, making us well-equipped to tackle the upcoming data security and recovery challenges head on.
Your air gapped backup, our experts. Contact us to know more!
Frequently Asked Questions:
- What does it mean if a system is air-gapped?
To “air gap” a system means to take a copy of important data and store it in an offline, secure location. The “air” literally describes the concept of keeping a barrier between data and online access to it. Air gap backup is an effective way to protect data from cyber-attacks, natural disasters, and human error.
- What are the benefits of air gap?
Air gap backup offers many benefits, including network isolation, ransomware protection, data loss prevention, enhanced security controls, and encryption and hashing.
- What is the difference between firewall and air gap?
A firewall is a network security device, either hardware or software-based, that monitors all incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects, or drops that specific traffic. Air gap is a data protection technique where a storage medium or network is physically or logically separated from a public or private network.
- What is air-gapped cloud storage?
Air gapped backup is built into cloud storage, using access controls (e.g., additional log-in credentials, MFA, PINs, etc.) or even basing the storage in a location that is difficult for hackers to access. Some cloud service providers offer air gapped cloud storage, ensuring that copies are stored while being physically or logically isolated from the internet. This combines the convenience of cloud storage with the security benefits of air gapping.
- How to create an air-gapped backup?
First identify critical data and choose between physical or logical isolation. For physical air gaps, store backups on disconnected media like tapes or external drives. For logical air gaps, configure network isolation through VPCs, firewalls, and strict access controls. Establish regular backup schedules and test recovery procedures to ensure effectiveness.