Air-Gapped Backups – what you should know
If you’ve been reading marketing literature backup companies have been putting out, you’ve probably run into the term “Air Gap”. I’ve had a number of prospects ask us if we also do “Air Gapped” backups. From what I can tell – there’s only a very superficial understanding most people have about this – so I thought it would make sense to write a short blog post and explain Air Gaps, how they work, and also introduce alternative approaches that are equally effective.
What is Air Gapping?
Wikipedia defines an “Air Gap (Networking)” as follows:
An air gap, air wall, air gapping or disconnected network is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. It means a computer or network has no network interfaces connected to other networks, with a physical or conceptual air gap, analogous to the air gap used in plumbing to maintain water quality.
Essentially air-gapping is the act of physically isolating a system (Computer, Network, Storage) from any type of network access. The simplest way to do this is to actually pull the LAN cable out of such a device and disable any form of short or long range wireless connectivity. The thesis is that if a potential attacker has no way to access the system, then they can cause it no harm.
Highly secure systems – related to defense, stock exchanges, nuclear reactors and the like – are indeed air-gapped as a matter of design.
But protecting systems this way also makes them less accessible for legitimate use. Legitimate data exchanges then have to take the form of physical/human access via removable media, governed by physical security measures.
The only way to breach such a system is to take advantage of that physical/human process and smuggle information in or out via the removable media used during it (as in the case of the Stuxnet attack).
But defense locations, nuclear reactors and stock exchanges have the discipline, processes and rigor to Air Gap perfectly. In most other settings, it is difficult to achieve the level of perfection in execution with human interactions. And since any legitimate data exchanges in such a system require human activity – that often becomes the point of greatest vulnerability – which gets exploited by an attacker. A famous example of this is the Stuxnet APT attack that occurred back in 2010 when an air-gapped Iranian nuclear reactor was breached using a USB drive.
Air Gapping and Backups
Air Gapping in the context of backups isn’t new – although the term is now being increasingly applied to a backup context – and almost all the time in relation to a ransomware defense. In theory, the idea is logical and valid. Keep your backups safe – so ransomware can’t get to them and ruin your ability to recover your data. And what better way to do that than to use the most stringent security measure possible – Air Gap your backups.
The most practical way to Air Gap backups is to use offsite media. Like Tape. And people have been air gapping their backups that way for several decades now – so the concept isn’t new at all. But with tapes and other removable offsite media falling out of favor – the challenge now is to effectively air-gap online backup targets. And that is not so simple.
There are several approaches I see being thrown around such as storage targets in the cloud or on-premise that can be automatically “flipped ON” only when needed, and once backups are completed, they get “flipped OFF” – making them inaccessible. But in reality, when you’re backing up Terabytes or Petabytes of data in a large organization – there isn’t much “down time” to “flip OFF” storage targets. Storage targets will tend to be online for several hours in a day to service the multitude of data sources that are streaming backup data – more than enough time for ransomware to find its way in there.
Backing up to the Cloud
What is often overlooked is that by backing up to object storage in the cloud, most modern backup solutions offer the same benefits as Air Gapping, albeit in a different form, and without the risks or downsides.
The most important thing to know is that when writing to object storage in the cloud, backup software overcomes several barriers and works its way through a set of checks and balances – which ransomware can’t negotiate.
- Authentication – Most object storage targets don’t just let programs write data to them as if they were a mounted SAN/NAS drive. The backup software needs to have authenticated using a secure, modern protocol such as OAuth 2.0 and received a token. These tokens also have limited validity periods – and the backup software has to refresh them by repeatedly re-authenticating as a valid user of such a token. No ransomware variants have been found that authenticate themselves to object storage targets – for the simple reason that it is hard to do so. There are much easier targets for ransomware authors to go after. In fact, object storage targets are one of the few types of data repositories that have remained immune from ransomware attacks.
- Protocol change – Local backups from the data source to the backup servers may make their way over a LAN as Ethernet packets, but when writing to object storage, the data is most likely written over HTTPS using REST APIs. This is a change in protocol that ransomware can’t easily negotiate.
- Small Access Window – Good backup software will preserve the connection to object storage for only the time required to complete the backup or restore operation. It will remove the access token used for the backup or restore session once completed, thwarting any possibility of an extraneous agent using the token for illegitimate use. This is almost the same as the “flip ON” and “flip OFF” storage approach.
- Warning mechanisms – Cloud object storage systems also have ways to detect en masse operations like a large number of file deletions – which is typical of ransomware – and issue warnings.
- Permissions – Cloud object storage also permits restrictive permissions to be set so only a very specific user ID (e.g. the backup software) has permissions to read and write.
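As an added illustration of the warning mechanism described above (this is example code, not from the original post or any vendor product): a small sliding-window detector that flags any principal issuing a burst of delete calls against a backup bucket. The log format, principal names and thresholds are constructed for this example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit-log lines (one JSON object per line), loosely
# modelled on the fields cloud object stores log: who called which API, when.
# These are made-up records for the example, not real log data.
SAMPLE_LOG = "\n".join(
    [json.dumps({"time": f"2023-05-01T02:00:{s:02d}Z", "principal": "backup-svc",
                 "action": "PutObject", "key": f"vol1/chunk{s}"}) for s in (5, 9, 14)]
    + [json.dumps({"time": f"2023-05-01T03:10:{s:02d}Z", "principal": "workstation-17",
                   "action": "DeleteObject", "key": f"vol1/chunk{s}"}) for s in range(6)]
    + [json.dumps({"time": f"2023-05-01T0{h}:00:00Z", "principal": "backup-svc",
                   "action": "DeleteObject", "key": "expired"}) for h in (4, 5)]
)

DELETE_ACTIONS = {"DeleteObject", "DeleteObjects", "DeleteBlob"}

def parse_log(text):
    """Parse JSON-lines audit records into (datetime, principal, action) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, rec["principal"], rec["action"]))
    return sorted(events)

def detect_mass_deletes(events, threshold=5, window=timedelta(seconds=60)):
    """Flag any principal that issues `threshold` or more delete calls inside a sliding `window`.
    Returns a dict principal -> (count, first_time, last_time) for the first offending burst."""
    recent = defaultdict(deque)   # principal -> timestamps of its recent deletes
    alerts = {}
    for ts, principal, action in events:
        if action not in DELETE_ACTIONS:
            continue
        q = recent[principal]
        q.append(ts)
        while q and ts - q[0] > window:   # drop deletes that fell out of the window
            q.popleft()
        if len(q) >= threshold and principal not in alerts:
            alerts[principal] = (len(q), q[0], ts)
    return alerts
```

The backup service's own slow, scheduled pruning of expired objects stays below the threshold, while the burst from the unexpected principal is reported.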
Cloud storage vs Object Storage
But it is important not to confuse all cloud storage with object storage. For example, there are many users of software such as Dropbox, Google Drive and OneDrive for Business who think they have safe backups in the cloud. But, due to their very nature – which is to sync file data – such software could accelerate the spread of ransomware rather than deter it. An infection on a single endpoint can quickly spread its encryption into such cloud targets, and in turn destroy data on several other endpoints – all in a matter of minutes.
Examples of true object storage targets are Amazon S3 buckets, Azure Blob Storage, Google Cloud Platform object storage, IBM Softlayer object storage etc.
Air Gapping vs Cloud Backup
So, the next time you hear a backup vendor advertise air-gapping, dig deeper. Are they talking about tape or similar removable-media-based backups? Or are they air-gapping online storage targets? And if so, how? Learn about the technology. How reliable is it? What level of complexity will you need to deal with? And is it worth the trade-off you make in terms of cost and ease of use?
Remember that backups to cloud object storage give you the benefits of Air Gapping with far less complexity.