what is an air gap?
secure backups
Do you remember the scene from Mission Impossible when Tom Cruise repels into a top-secret CIA vault? It's an incredible moment in cinematic history that conveys the intensity of the moment on the big screen. It's also a useful tool that can help us understand air gaps. In this scene, our hero repels into a controlled vault in an attempt to access top-secret information. Why didn't Tommy simply hack into the computer and steal this sensitive data? Why did he repel into the room like a ninja? First, simply hacking into a computer isn't appropriate in a summer blockbuster; it demands panache. Second, this vault was not accessible to the internet. The data in question was restricted, or air gapped, from the outside world. Tom's only opportunity to steal the data is to physically access it.
You might ask yourself, "What does an A-List celebrity on a preposterous journey to save the world from tyranny have to do with protecting data?" I'm glad you asked! Buzz words creep into the industry and catch fire. Trend setters introduce new terminology, which is quickly copied by marketing departments. "Air gap" became one of those phrases that manufacturers and vendors include to catch your eye, while often neglecting to define terms. There are three basic flavors of air gap for your backups. NIST defines air gap as,
An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control).
Sources CNSSI 4009-2015 from IETF RFC 4949 Ver 2
Flavors of Air Gap
When you think of "air gap" backups, you likely envision copies of your data that are offline, or disconnected, from your network. You're probably thinking of a backup strategy that is extremely difficult to access. Security is crucial! Here are a few ways that this is achieved today.
Total Physical Air Gap
Imagine the CIA's vault from Mission Impossible. Under this model, the data is stored in an environment that is physically isolated from your network. This includes all hardware and software. There are no network connections, which means you must physically access the data. It is common for there to be restricted physical access to these environments, as well.
Fun fact, faraday cages are used in some instances to block electromagnetic fields and signals. Faraday cages can be utilized in your physical air gap strategy. You can read more about faraday cages here.
Segregated Systems
This flavor of air gaps isolates the systems that store your backups from your network. This environment could potentially be in the same rack, but it is not plugged into the same network.
Logical Air Gaps
Finally, logical air gaps utilize means such as encryption and hashing in conjunction with role-based access controls to create a logical segregation of your data from other network-connection assets. This is likely the solution your organization will utilize if you're looking for a modern air gap strategy for backups, especially under a BaaS model.
Three Questions about Tape
Is tape an example of total physical air gap? Yes, it is!
Do people still use tape? Yes, they do!
Would you describe tape as fun? No, I would not! While tape can be cost effective, it also increases manual processes and it can be slow to restore. Your admins will not look forward to maintaining that cool tape library in the basement, but it's a viable option.
Conclusion
Purist will tell you that the gold standard for backup strategies is the 3-2-1 plan. Under this model, you retain a copy of your data locally, offsite and an air gapped, or offline, copy. While this model increases the complexity and expenses related to your backup strategy, it also provides the greatest level of protection.
Did you know that "air gap" is borrowed from the world of plumbing? Air gap refers to an effective solution that prevents the contamination of a potable water supply. What an incredible concept that beautifully translates to information technology.
Your business' strategy for air gap backups should incorporate the technology and processes that reasonably protect your data from contamination.
Let's protect the data,
DB