Air Gapping & Cybersecurity
September 21, 2021
IT Security
Air Gapping and Other Tactics for Enhanced Cybersecurity
Remember when backups were one of the best ways to protect your data against ransomware and other types of cyberattacks? They still are. The problem is that cybercriminals know their value, and are increasingly making them primary targets.
In fact, they’re frequently deploying ransomware variants that specifically enable them to identify and delete backup copies on servers, endpoint systems and storage targets. Besides, if ransomware can penetrate your network and your network is connected to your backups, how much harder can it be for cybercriminals to access those backups?
So, how do you defend this additional attack surface? As with cybersecurity overall, protecting your backups requires a layered strategy. Key components include air-gapped data protection, isolated data, and immutable backups.
We can’t go into a lot of detail about each within the confines of a blog. However, this brief overview will provide some insight into how combining these tactics can strengthen your overall data protection strategy.
Air-gapped Backups and Isolated Networks
Air gapping backups entails taking a copy of your data and storing it offsite with no internet or LAN connectivity. Without a network path to it, the backup data can't be remotely accessed, encrypted or deleted.
This can be as simple as backing up on tape and storing the tape in a location separate from where the production environment is. Of course, that option is expensive, tough to scale, and can have unacceptably slow recovery times if a disaster occurs.
The more convenient option is a logical air gap in the cloud: segment and isolate your backup copies so they are unreachable from the public portions of the environment, using virtual LAN (VLAN) switching, next-generation firewalls, or zero-trust access controls. Backups are segmented and detached from the primary production environment by default. The data volumes are attached to the primary repository only long enough to store critical data and are then detached according to user-defined policies. Because this separation is enforced in software rather than by a physically disconnected medium, the credentials and management console that control attaching the volumes need the same care as the data itself (separate accounts, multi-factor authentication); whoever controls them can reattach the copy.
This limits the attack surface. If a cyberattack occurs, the public portions of the environment may be infected, but the isolated data won't be, because nothing in the compromised environment can reach it. If the backup data needs to be restored, the air-gapped volumes can be turned on to bring operations back quickly and seamlessly.
Sounds easy enough. However, there are a few issues to consider. Depending on the software and cloud service provider (CSP), turning air-gapped volumes on and off may be manual or automated through user-defined policies. Whether air-gapped volumes can be provisioned on-premises, in the cloud, or both also depends on the CSP. The time and resources you must devote to managing air-gapped backups will make a difference.
Visibility, Immutable Backups and More
There’s also the chance that an air-gapped backup can be corrupted during the copy/replication process. Consider this scenario. You back up your data every evening. A ransomware attack occurs in the morning, encrypts your data and the attack isn’t caught before the next backup. The result: your latest backup will be of the encrypted data.
That’s why visibility into what’s happening on your systems is crucial. You need the ability to detect that ransomware or another type of attack has occurred so you can take appropriate measures. That includes preventing the replication of corrupted or encrypted data. Or, if your backups are corrupted, you need the ability to roll back to a known good state of your data.
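The check described above, as an added example that is not part of the original post: a Python script that compares the snapshot about to be replicated against the last known-good snapshot and flags files whose content entropy jumped (plaintext becoming ciphertext), files that gained a known encryptor extension, and new files that read like ransom notes. If enough files are flagged, the snapshot is marked as one that must not be replicated, and the most recent clean snapshot is chosen as the restore point. The file paths, contents, extension list, ransom-note markers and thresholds are all constructed for illustration.

```python
"""Pre-replication check for ransomware-encrypted backup data.

Added example (not from the original post). Compares the current snapshot of
a file set against the last known-good snapshot and flags files whose content
entropy jumped, whose names gained a known encryptor extension, or that look
like ransom notes. If enough files are flagged, the snapshot is marked "block"
so it is not replicated into the protected backup tier, and the last clean
snapshot is chosen as the restore point. All paths, file contents and
thresholds below are constructed sample data.
"""
import math
import random
from collections import Counter

SUSPICIOUS_EXTENSIONS = (".locked", ".crypt", ".encrypted", ".enc")
RANSOM_NOTE_MARKERS = ("decrypt", "bitcoin", "your files")
HIGH_ENTROPY = 7.5   # bits per byte; encrypted or random data approaches 8.0
ENTROPY_JUMP = 1.5   # minimum rise versus the known-good copy to count as encryption
BLOCK_RATIO = 0.10   # quarantine the snapshot if >= 10% of its files are flagged


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def strip_suspicious_ext(path: str) -> str:
    """Return the original name if a known encryptor extension was appended."""
    for ext in SUSPICIOUS_EXTENSIONS:
        if path.endswith(ext):
            return path[: -len(ext)]
    return path


def scan_snapshot(baseline: dict, current: dict) -> dict:
    """Compare two snapshots ({path: bytes}); baseline is the last known-good one.

    Returns {"flagged": [(path, reason), ...], "ratio": float, "block": bool}.
    """
    flagged = []
    for path, data in current.items():
        original = strip_suspicious_ext(path)
        if path != original:
            flagged.append((path, "encryptor extension appended"))
        elif original in baseline:
            # Same file as in the good copy: compressed media is high-entropy by
            # nature, so only a *rise* in entropy is treated as encryption.
            before = shannon_entropy(baseline[original])
            after = shannon_entropy(data)
            if after >= HIGH_ENTROPY and after - before >= ENTROPY_JUMP:
                flagged.append((path, f"entropy {before:.2f} -> {after:.2f}"))
        else:
            # New file: legitimate additions pass, ransom notes do not.
            text = data[:4096].decode("utf-8", errors="ignore").lower()
            if any(marker in text for marker in RANSOM_NOTE_MARKERS):
                flagged.append((path, "ransom note"))
    ratio = len(flagged) / len(current) if current else 0.0
    return {"flagged": flagged, "ratio": ratio, "block": ratio >= BLOCK_RATIO}


def latest_clean_snapshot(history: list) -> "str | None":
    """history: ordered [(label, snapshot), ...]. Returns the label of the most
    recent snapshot that passes the scan, i.e. the known-good restore point.
    A blocked snapshot never becomes the baseline, so a later snapshot is still
    compared against clean data rather than against already-encrypted files."""
    clean_label, baseline = None, {}
    for label, snapshot in history:
        if scan_snapshot(baseline, snapshot)["block"]:
            continue
        clean_label, baseline = label, snapshot
    return clean_label


# ---- constructed sample data ------------------------------------------------
_rng = random.Random(2021)


def _random_bytes(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (seeded, so runs are repeatable)."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


DOC = (b"Quarterly revenue summary. Figures are preliminary and subject to "
       b"audit. Do not distribute outside the finance team.\n") * 40
PHOTO = b"\xff\xd8" + _random_bytes(4094)   # JPEG-like: legitimately high entropy

SNAPSHOT_MON = {
    "finance/q3_summary.docx": DOC,
    "finance/budget.xlsx": DOC.replace(b"revenue", b"expense"),
    "finance/forecast.pdf": DOC,
    "hr/handbook.txt": b"Employee handbook v12\n" * 200,
    "media/team_photo.jpg": PHOTO,
}
SNAPSHOT_TUE = {
    "finance/q3_summary.docx.locked": _random_bytes(len(DOC)),   # renamed + encrypted
    "finance/budget.xlsx.locked": _random_bytes(len(DOC)),       # renamed + encrypted
    "finance/forecast.pdf": _random_bytes(len(DOC)),             # encrypted in place
    "hr/handbook.txt": b"Employee handbook v12\n" * 200,         # untouched
    "media/team_photo.jpg": PHOTO,                               # untouched, still high entropy
    "hr/new_policy.txt": b"Remote work policy, effective next quarter.\n" * 50,  # legitimate new file
    "README_TO_DECRYPT.txt": b"Your files are encrypted. Send 2 bitcoin to get them back.\n",
}
HISTORY = [("mon", SNAPSHOT_MON), ("tue", SNAPSHOT_TUE)]

if __name__ == "__main__":
    result = scan_snapshot(SNAPSHOT_MON, SNAPSHOT_TUE)
    for path, reason in result["flagged"]:
        print(f"FLAG {path}: {reason}")
    print(f"{result['ratio']:.0%} of files flagged, block replication: {result['block']}")
    print("restore point:", latest_clean_snapshot(HISTORY))
```

Two design points matter in practice. Entropy alone produces false positives on already-compressed or encrypted-at-rest content (media, archives, encrypted databases), which is why the script only flags a rise in entropy relative to the known-good copy; the unchanged team_photo.jpg passes while the in-place-encrypted forecast.pdf does not. And a snapshot that fails the check must never become the new baseline, otherwise the next day's comparison would see "unchanged" ciphertext and wave it through. In a real deployment this runs on the staging copy before the volume is attached to the protected repository, and a "block" result both stops replication and raises an alert.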
If your backups are immutable, all the better. Immutable backup or storage means that once data is written, it cannot be changed or deleted until its retention period expires. It ensures you always have a clean copy from that point in time, safe and recoverable at any time. Especially important, ransomware that later reaches the storage can't encrypt or delete the locked copy. (It can't, however, undo damage to data that was already encrypted when it was written, which is why the visibility described above matters.)
Immutable backups are built by copying data to the cloud as soon as you create it. After the data is stored in the cloud, you set an immutability flag that locks it and prevents deletion or modification, whether accidental, by malware, or through later corruption. One of the good things about immutable backups is that you can set the flag for a specific timeframe. For example, if you set the flag for one week, you can't delete or modify the data backup during that period.
It’s important to note that object storage can be made immutable with WORM (Write Once, Read Many) technology. Data can be protected in object storage for the retention period you specify. During that time, the data can’t be modified nor deleted, creating an additional security layer.
In addition, object storage targets are accessed through authenticated API calls over HTTPS for reading and writing data. The file-sharing protocols ransomware commonly uses to reach network shares, such as SMB and NFS, can be turned off entirely, reducing the attack surface. Data backed up to the object storage target isn't exposed as a mounted share when not in use, and only authenticated API calls can read or write it.
The 3-2-1 Plus 1 Rule
The 3-2-1 rule is considered the golden rule of data backups: three copies of your data, on two different storage media, with one copy offsite. To better protect backups from ransomware and other cyberattacks, the better formula may be the 3-2-1-1 rule, with the extra “1” denoting an air-gapped backup that combines isolation and immutability.
To learn how you can put this rule to work protecting your data backups from ransomware and other cyberattacks, contact US Signal. We offer a variety of solutions that can help you strengthen your data protection strategy, including:
Get started now. Call (866) 274-4625.