One should never underestimate the importance of backing up your data.
Although there appears to be no impact on day-to-day transactional systems when backups are missing or incomplete, this critical operational function often lives on the periphery of your IT production environment. However, the consequences of a misaligned backup strategy could suddenly be catastrophic for your business.
Backing up your data isn't a task, but a continuous process.
First and foremost, you need to ensure you're backing up all your data which means constantly monitoring your environment to establish all data, no matter where it's stored, forms a part of your backup scope. Furthermore, you need to confirm your backup recovery and restore points align with your business objectives. More importantly, you need to make sure you can restore your data when you need to.
Backups are not infallible
Even though backups exist to form the failsafe policy of your overall IT strategy, they're not infallible. Like other IT systems, they need management, maintenance, and protection. The ability to successfully restore your backups is crucial as they're the last line of defense against a data loss incident. You need to put measures in place to ensure you can confidently and successfully restore your data when the need arises.
Because backups form a part of your larger IT environment, they're connected in some way to your IT production infrastructure. Backups need connectivity to your network to execute successfully. However, if we take a hard look at the security of this architecture, the connectivity backups need is a vulnerability that could be exploited, resulting in your backed-up data being compromised.
If your backups are accessible remotely, they're vulnerable to several threats from both external and internal sources. Hackers or even disgruntled former employees could gain access to your data and compromise its integrity or destroy it. Ransomware which can spread via the network is also a real risk, especially when backup infrastructure is directly connected and accessible via your production infrastructure.
Air-Gapping protects your backups by storing them offline
To truly protect your data, you need to have a solution in place where backups are secured by being offline but still accessible when you need them, and air-gapped backups provide this solution.
But what are air-gap backups exactly and how can they help protect your data? To answer this question, we first need to define an air gap.
Air-gapped systems isolate one device from another to protect it, essentially severing any connectivity which may exist between the two devices. An air-gapped backup is therefore a backup that's stored on an isolated and protected device.
Air-gapped backups aren't a new technology. In fact, backup tapes, which for many years were the industry standard backup storage medium, can be defined as an air-gapped backup solution as your data is stored on a storage device that's isolated and not directly accessible.
Cloud-based backups have transformed the data protection solution industry by providing organizations with the ability to back up their data offsite with relative ease and at an affordable price point. However, even though cloud backup solutions tick many security boxes, they're still remotely accessible and as such vulnerable.
A solution is therefore needed which allows you to take advantage of the security and business benefits cloud backups have to offer while giving you the ability to protect your data with some form of air-gap solution.
What are the different types of air gaps?
There are three types of air gaps, which include:
Physical air gaps
A physical air gap physically separates your backup site from your production site. In other words, it keeps your critical backup copies in a remote, isolated physical environment that’s not connected to the internet. Implementing a physical air gap means that the data can only be accessed if someone physically goes to the data’s location and extracts it themselves.
Other than the physical network connection barrier, a physical air gap may also include other physical security barriers that prevent unauthorized users from accessing the data.
Logical air gaps
With a logical air gap, your digital assets and backups are isolated from the network, but not necessarily isolated physically. Both your primary and target storage systems exist within the same physical environment while being logically disconnected.
Logical air gap backups can be achieved with software-defined networking, role-based permission controls, and other measures.
Air gaps segregated in the same environment
Other than implementing a physical or logical air gap, one may simply disconnect a device from the network to isolate it. For example, if you’re operating two servers on the same rack, you can isolate one of them by making it inaccessible from the network, forming an air-gapped system.
What are the benefits of air gaps?
Air gaps provide both data protection and prevention. By keeping your mission-critical data backups isolated, you’re preventing malicious threats from destroying them. At the same time, you’re protecting your sensitive information from malware.
An air-gap strategy can provide additional protection for your sensitive data backups. By isolating your target storage, you’re basically making it harder for cybercriminals, malicious insiders, and intruders to access, delete, or encrypt your data.
Ransomware, in particular, can pose a major threat to your production network as it can rapidly propagate and encrypt everything, including production hosts, primary and backup servers, connected storage devices, and cloud-based repositories. According to IBM, the average cost of a ransomware attack was $4.54 million in 2022; a big enough cost for medium and large-sized enterprises to go out of business.
Moreover, implementing an air gap ensures that your data will never be completely compromised. By keeping your backups secure, you can successfully failover to your primary site and resume your processes normally.
Plus, air gap backups help you meet compliance requirements for industry standards, like HIPAA/HITRUST, FISMA, FINRA, and GDPR.
What are the potential downsides of air gaps?
While the air gap technique presents numerous opportunities for your business, it’s not flawless.
Think of air gapping as your last line of defense. It’ll surely provide an additional benefit, but similar to other preventive and protective data security techniques, hackers can find their way around it.
For example, since air-gapped backups are stored on offline storage devices, an unethical employee may be able to leak or steal data if the implemented physical security measures are limited. However, such a threat mostly exists with physical air gaps only. Since logical air gaps utilize role-based access controls, unauthorized access is much more difficult.
Another problem with air gaps is the associated labor and resources required to implement them. Air-gapped backups can’t be automated, which means that someone has to perform them manually. For physical air gaps, you usually need to hire people to physically travel to the backup target location to fetch the data when required. Of course, this also comes at the expense of extended downtime and slower data recovery in case of disasters.
Adopting a 3-2-1-1-0 air gap backup strategy
The 3-2-1-1-0 backup and recovery strategy is based on the principle that you need to keep two copies of your data stored on two different storage media. One offsite copy should be stored in a remote location, in addition to one air gap backup copy.
The 3-2-1-1-0 strategy has proven to be successful for businesses that need to maintain high availability, recoverability, and maximum protection for their mission-critical backup data.
Honeycomb Cold Storage – Air-gapped backups in the cloud
Honeycomb Cold Storage from Probax is a simple and cost-efficient data solution that offers advanced automation capabilities when used with Veeam Backup & Replication. Built using an air-gapped architecture, our AaaS (Archive as a Service) solution powered by Wasabi for long-term data retention provides additional protection against accidental deletion, human error, natural disasters, and malicious actions.
Recognized as one of the industry’s most innovative AaaS solutions by Veeam Software, Honeycomb Cold Storage automatically archives your GFS restore points from your primary backups in Hot Storage, while also maintaining air gaps along with minimum expiry times.
Each time your cloud backups are copied to Honeycomb Cold Storage, the data is stored in an isolated container that isn't directly accessible or connected to your primary cloud storage, effectively providing you with an air-gapped backup solution in the cloud. Furthermore, this data cannot be modified or deleted by an unethical employee.
With Probax Honeycomb Cold Storage, you can enjoy the benefits cloud-based backups have to offer while ensuring your data is totally protected with a true air-gapped data storage and protection solution.
Contact us to learn more about our award-winning Honeycomb Cold Storage and how it can protect your organization!
You need DRaaS in your MSP toolkit
Traditional backup only protects a segment of data, and a data protection strategy based on backup alone presents a significant risk to most organizations.
That's why our practical and free white paper Most MSPs Have Inadequate Disaster Recovery Solutions outlines everything your MSP needs to know about the importance of DRaaS.
*This blog post was updated on 10 February 2023.