Air-Gapped Backup: Everything You Need To Know

An air-gapped computer or network is one that is not connected to any other network, by wired or wireless means. Air-gapping is a security measure that prevents malicious actors from accessing networks and data, or at least limits the amount of damage that can be done if a network becomes the target of a cyberattack.

What is air-gapped backup?

When you airgap your backup infrastructure, you separate your backed-up data from the rest of your network, protecting it from online threats. There are two main types of air-gapped backup: 

• Physical air–gapping. Traditional backup methods such as tape or disk involve physical airgaps – the tape or disk is removed and stored offsite; the backed-up data is separated from both a device and the production network. Physical airgaps are getting rarer; as we become increasingly reliant on internet connectivity and cloud services, we are reducing our usage of traditional backup devices like tape, external hard drives and USB sticks.
  These traditional methods have a major drawback in that they rely on human behaviour: you have to remember to move the tape/disk from one location to another. On the other hand, given the sheer ubiquity of ways we can connect to the internet, it’s arguable that physical airgaps are the only ‘true’ airgaps.
• Logical air-gapping. A logical airgap does not require a different physical location. A logical airgap uses network settings and user access controls to separate the backed-up data, essentially creating two networks: one for production (day-to-day operations and data processing) and one for backup. Logical air-gapping provides a kind of ‘one-way street’ – data can be transferred to the isolated backup network but otherwise cannot be accessed or deleted without the right user permissions. The increase in data storage tools that cannot be physically separated from devices has driven the need for logical air gaps.
  With the right backup infrastructure, logical airgaps are relatively easy to set up, and backing up does not rely on human behaviour. Logical airgaps are also beneficial for Disaster Recovery strategies – it’s quick and easy to restore data after an incident. However, because logical airgaps are not fully offline, the risk of malicious actors gaining access is small but still present.

What is a virtual airgap?

Virtual air-gapping is simply a sub-category of logical air-gapping. Backup providers offer backup infrastructure with immutable capabilities – i.e. the backed-up data cannot be changed or accessed by anyone who does not have the correct permissions and credentials.

Why is air-gapped backup important?

Airgaps make it harder for malicious actors to access your data, and they also prevent malware from spreading if it does find its way onto your networks. Ransomware is a major cyber threat, and attacks are becoming increasingly common. In the 2022 report ‘The State of Ransomware’ by Sophos, 66% of organisations reported they had been hit by a ransomware attack in the preceding 12 months – a 78% increase on the previous year. Verizon’s 2022 Data Breach Investigations Report found that in 2021, ransomware breaches went up by 13%, which they noted was an increase as big as the preceding five years combined.

A common tactic for ransomware attackers is to target backup infrastructure and backed-up data. The attackers will corrupt or delete the backup first, and will only then go after the primary data – which obviously leaves the victim of the attack in a very difficult situation. If a business is unable to restore backed-up data, it jeopardises their chances of recovering fully from the attack.

But even if a cyber-attacker doesn’t wipe out the backup first, a ransomware attack can infect backed-up data anyway, if that data has not been isolated from the rest of the network. Essentially, air-gapping boosts your existing backup and recovery infrastructure, as it adds an extra layer of protection.

Air-gapping also forms part of your 3-2-1 backup strategy, which in its simplest form is where you have three copies of your data, stored across two different devices, with one backup kept offsite away from the rest of your network that is immutable – i.e. air-gapped.

Air-gapped backup from BackupVault

As with all security measures, you should not rely on air-gapping alone to protect your backups. If you’re looking for a backup provider, choose a service that offers both encryption and virtual air-gapping to ensure maximum protection for your data.

Here at BackupVault, we secure your data during transfer and at rest with enterprise-grade encryption. Our backup solutions are powered by the most reliable software on the market, Redstor and Veeam – both of whom provide virtual air-gapping.

Redstor’s backup is virtually air-gapped by default with backups saved to their platform, so malicious actors cannot corrupt or delete the backed-up data. Veeam offers ‘insider protection’ functionality which, in simple terms, enables backups to be written to disk but not deleted or altered, ensuring protection from attacks.

Find out how we can protect your business data from accidental deletion, human error and cyber threats – contact us today to safeguard your critical data.

BackupVault: what have you got to lose?