Air-gapped networks offer dependable ransomware protection to business workloads by isolating key volumes from the main environment. This makes them a must-have feature for all hyperconverged infrastructure (HCI) and backup and disaster recovery (DR) systems.
In this part, we will discuss air-gapping, how air-gapped backups function, the role of air-gap in the 3-2-1-1-0 data protection rule, and the built-in air-gap features found in various systems.
What Is Meant by Air Gap Backup?
Air-gapping is a sophisticated data security feature that isolates and detaches target storage volumes from insecure networks, production environments, and host systems. Backups are kept on air-gapped volumes.
Air-gapped volumes are “turned off” by default, making them unavailable to programs, databases, users, and workloads operating in production. Air-gapped data storage is only available after it is “turned on.”
Depending on the program and provider, air-gap volumes may be switched on and off manually or automatically using user-defined rules. Additionally, air-gap volumes may be delivered on-premises or in the cloud, depending on the manufacturer.
What Are the Types of Air Gap Backup?
Air gap backups may be divided into two types according to how they are configured:
- Logical Air Gaps: In logical air gapping, the target storage is physically linked to the network but logically isolated/disconnected from it. Although the logical air gap volume is physically linked, it is separated by various logical processes such as role-based access rules, software-defined networking, etc.
- Physical Air Gaps: Physical air gapping refers to physically isolating or disconnecting target storage from the production network. For example, DR365VIVA may turn off when no data is being read/written. When switched off, the air-gapped node has no physical network connection to the production environment.
How Does Air Gapping Work?
Air-gapped backups use target storage volumes to store backups, snapshots, replicas, and redundant copies of mission-critical volumes. Air-gapped volumes, switched off and unavailable by default, protect the stored backup data from any calamity that may damage the primary production environment.
In the case of a catastrophe, air-gapped volumes may be powered on, and the data held inside them can be utilized to restore operations swiftly and smoothly – without fail.
Air-Gapped Systems: On-premises and in the Cloud
How Are Air-gapped Backups Configured On-Premises?
Storage administrators employ two popular techniques when setting up on-premises air-gapped systems:
- Offline tape arrays or secondary storage devices that need manual attachment and detachment. Most data security experts advise against this procedure since it is error-prone and insecure.
- Purpose-built air-gapped backup appliances with built-in networks and power controllers that automatically isolate and power down the appliance from the production network based on user-defined factors.
- Software-defined networking used to create virtual air gap target storage repositories, also known as logical air gaps, on VMware, Hyper-V, KVM, or Citrix (previously XenServer), which may be connected or detached automatically based on user-defined rules.
How Are Air-gapped Backups Set Up in the Cloud?
Air-gapped backups are not equivalent to redundant data storage. Air-gapped storage adds an extra degree of protection against cyber attacks. Creating and keeping a backup copy is not enough for this purpose.
Air-gapped repositories in the cloud, like software-defined on-premises air-gapped backups, are configured on an isolated network and are initially offline. The storage volumes are connected to the main repository only to store vital data and are then disconnected based on user-defined settings.
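The connect-then-disconnect behaviour described above only protects backups if the gap really closes on schedule. The following audit is an added example, not code from this article or from any vendor's product; the event log format, the volume name `vault-a` and the daily 01:00 to 02:00 window are assumptions constructed for illustration.

```python
from datetime import datetime, time, timedelta

# Constructed sample events: "<ISO timestamp> <volume> <CONNECT|DISCONNECT>"
SAMPLE_LOG = """\
2024-05-01T01:00:05 vault-a CONNECT
2024-05-01T01:42:10 vault-a DISCONNECT
2024-05-02T01:00:04 vault-a CONNECT
2024-05-02T03:30:00 vault-a DISCONNECT
2024-05-02T14:12:00 vault-a CONNECT
2024-05-02T14:20:00 vault-a DISCONNECT
2024-05-03T01:00:06 vault-a CONNECT
"""

# Assumed user-defined rule: the volume may be online only 01:00-02:00 each day.
# (A window that crosses midnight is not handled here.)
WINDOW_START = time(1, 0)
WINDOW_LEN = timedelta(hours=1)

def parse_sessions(log):
    """Pair CONNECT/DISCONNECT events per volume into (volume, start, end)."""
    open_at, sessions = {}, []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, vol, action = line.split()
        when = datetime.fromisoformat(ts)
        if action == "CONNECT":
            open_at.setdefault(vol, when)  # duplicate CONNECT: keep the earliest
        elif action == "DISCONNECT" and vol in open_at:
            sessions.append((vol, open_at.pop(vol), when))
    # Volumes with no matching DISCONNECT are still online (end is None).
    sessions += [(vol, start, None) for vol, start in open_at.items()]
    return sessions

def audit(log, now):
    """Return (volume, connect_time, reason) for every session that broke the rule."""
    findings = []
    for vol, start, end in parse_sessions(log):
        win_open = datetime.combine(start.date(), WINDOW_START)
        win_close = win_open + WINDOW_LEN
        if not (win_open <= start < win_close):
            findings.append((vol, start, "connected-outside-window"))
        elif end is None and now > win_close:
            findings.append((vol, start, "never-disconnected"))
        elif end is not None and end > win_close:
            findings.append((vol, start, "overran-window"))
    return findings

if __name__ == "__main__":
    for vol, start, reason in audit(SAMPLE_LOG, datetime(2024, 5, 3, 9, 0)):
        print(f"{vol} {start.isoformat()} {reason}")
```

Each finding is a period during which the backup volume was reachable from production when the rule said it should not be, which is the exposure an air gap is meant to remove.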
The Importance of Air Gap Backups
With the growing requirement for security and compliance, the benefits of air-gapped backups cannot be overemphasized. Air-gapped storage volumes are inaccessible to programs, databases, users, and workloads operating in production environments.
Air gap backups perform two key functions. First, they ensure that at least one backup copy is neither modified nor deleted. Second, they contribute to faster restorations since the integrity of an isolated, air-gapped backup can be trusted.
The rationale behind air-gapping backups is that if all of the data on a main system is compromised, a fail-safe resource can be utilized to recover data. Backups are essential to any organization’s data recovery strategy and should be safeguarded at all times.
Air-gapped backup is one of the finest methods to keep sensitive information private while ensuring that a solid copy of the previous backup is available when you need it the most. Because air-gapped backups do not have network access, even if someone hacks into a network, they cannot access or update the backup unless they are physically present at the backup’s location and have the necessary credentials.
Furthermore, air-gapped backups limit the spread of infection to some extent. In a data center with numerous servers backed up, if one server gets infected with ransomware, the virus may spread to the other backups on the network. An air gap solution ensures that at least one backup copy is always separated from the network, allowing administrators to perform a secure and speedy recovery.
3-2-1-1-0 Air Gap Backup Strategy
The 3-2-1-1-0 rule is a sophisticated data security approach that uses backup and disaster recovery (DR) capabilities to achieve high availability, recoverability, and near-zero downtime.
According to the guideline, you must have three separate copies of data saved on two storage media, one offsite, and one air gap backup copy.
While traditional approaches use tape arrays or physical storage media to make the offline copy, air-gapped volumes provide an automated, software-defined, manageable, and cost-effective alternative. Furthermore, logical air gap backups are less expensive than tape arrays, require less time to build and operate, and are unaffected by human mistakes.
Conclusion
The ideal approach nowadays is to be honest about air gaps. They can function and are successful when used as part of a backup and recovery plan. It is critical, however, not to adopt a naive attitude and conclude that because it is air-gapped, it is therefore secure. Instead, it makes sense to thoroughly consider the intended goals, risks, and vulnerabilities of a given air gap application. For example, if the purpose is to safeguard backups, encryption is essential for a functioning air gap. Also, a logical air gap may be the best option. A physical separation may not be necessary. When used effectively, an air gap offers a powerful layer of cyber security.