The air gap, a cybersecurity countermeasure that isolates digital assets to put them out of reach of malicious actors, is the subject of many industry myths. Are you confused by all the myths around air gaps? Does it seem odd that logical air gaps are not considered air gaps in spite of their ability to defend against attacks? If you answered “yes” to these questions, you're likely not alone. To help clear up confusion, in this blog we’ll explore the different kinds of air gaps in use today and offer insights into what they offer in terms of security - debunking some of the most prevalent myths along the way.
First though, to get at the power of air gap mythology, it’s worth asking, where did the myth of physical separation being a necessity come from? Well, it goes like this: Before 1969 and the advent of the ARPANET, there were few effective or economical ways of linking computers into networks. The ARPANET, which became the Internet, while ushering in fantastic benefits of connectivity, also created the security nightmare that most of us are dealing with today. It can be seductive to harken back to those idyllic times, when computers sat in glass rooms, completely disconnected from the outside world. However, there is no going back. The air-gapped systems of yore will never return.
What is an air gap, anyway?
An air gap protects a digital asset by placing it behind an impenetrable barrier to prevent unauthorized access and modification. For some in the security field, an air gap is a minimum requirement in cyber defense. In fact, In certain segments, such as the military or critical infrastructure, air gaps may be mandated by a security policy. Cyber-insurance underwriters may also require an air gap as a condition of issuing a policy.
As the name implies, the most commonly used barrier is physical separation—placing a designated system in a separate room or building, without any network connections. In the world of backup and restore, this might mean shipping backup tapes to a secure offsite facility. No one is going to hack into an unknown secure place where they are unable to access the physical tapes. This tapes-in-a-cave approach may be referred to as an “offsite copy” or an “offline backup.”
Air gaps defend against both unauthorized access as well as unwanted modification. As such, Intrusion protection and data protection are overlapping, but pursue separate security objectives. This distinction is relevant because some air gaps exist to prevent a system breach, while others are designed to defend against damage to data or software.
Physical air gaps have their drawbacks. They can be costly to implement and cumbersome to manage. They also generally provide relatively slow Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) because data has to be manually, and securely, transported across the air gap.
Myth # 1: Only a physical air gap can ensure the highest level of security
It may have once been true that a physical air gap ensured the highest level of security. However, this, too, is largely a myth today. One issue relates to unknown connectivity. With literally billions of devices now connected to the Internet, it is possible, or even probable, that a device thought to be air-gapped is actually on the network. The problem is that no one knows. Indeed, many IT organizations are shocked, upon running network security scans, to discover previously unknown devices on their networks, along with accidentally connected air-gapped systems.
Physical air gaps also tend to lack protections against insider attacks, social engineering, and basic human nature. Today, the world revolves around data and thus, even an air-gapped system needs a point of physical access so users can add, delete or modify its data. Commonly known as a “sneakernet,” this access point exposes the air-gapped system to threats. A malicious insider, for example, or a hacker who impersonates a credentialled user can compromise it. Or, basic forgetfulness on the part of a team member may lead to ports left open, doors being unlocked, and so forth. As a result, the air-gapped system is vulnerable to unauthorized access.
Myth #2: An air gap must be a physical separation
Some would argue that one either has a physical air gap or “no air gap.” There is no law of the land or commandment from on high that establishes this truth one way or another, but in day-to-day terms, the notion that only physical air creates an air gap is a myth. As a countermeasure, an effective air gap can be instantiated simply by disconnecting a machine from a network. One could have two servers on the same rack, for example, with one on the network and one-off. The latter machine would be air-gapped—meaning it would be effectively impossible for a hacker to reach it over the network.
The “logical air gap” is an alternative, Zero Trust approach, which segregates and protects a network-connected digital asset on a logical, versus physical basis. A logical air gap achieves separation through a Zero Trust Architecture including encryption, which makes data useless to an attacker, and immutability, which prevents data from being changed. When coupled with role-based access controls and multi-factor authentication, the logical air gap can deliver the same or better risk mitigation as a physical air gap.
Myth # 3: Logical air gaps are not as secure as physical air gaps
Another myth holds that a logical air gap is not as secure as a physical air gap. With the right logical air gap implementation, this is simply not true. For one thing, a physical air gap can have many vulnerabilities. But, even assuming the best case, a well-designed and highly secure physical air gap is not necessarily more secure than a logical air gap.
The Rubrik logical air gap for data backup, for example, utilizes a multi-layered approach to security that renders it less likely to be breached than even a well-built physically air-gapped system. Rubrik does not use scannable protocols like Common Internet File System (CIFS) or Network File System (NFS) that make backed-up data easily detectable on a network. The stored data is effectively invisible to an attacker.
Then, the Rubrik Zero Trust Architecture prohibits any user (human or machine) from accessing the stored data except through certified Rubrik processes. A regular user, or hacker, cannot access or retrieve the data using standard data management processes. Rubrik’s distributed file system, known as Atlas, requires that processes be validated and secured through the exchange of certificates and tokens. This approach makes it extremely difficult for anyone to gain unauthorized access to data on Atlas.
If a malicious actor were to get access, somehow, they would find worthless encrypted data. The data itself would be subject to Rubrik’s methods of immutability.
Conclusion
The modern air gap is quite different from its predecessors. Not only has the technology and the overall threat environment evolved, but the design of air gaps has also changed over time. The myth that physical is better than logical and that is flat out wrong. In a more distributed and virtualized world, the logical air gap is more secure than the physical one.
For more information on data security and ransomware preparedness, check out the Rubrik Data Security Summit on-demand.