What is Air-gap?
As ransomware attacks have become a common threat to every business, the term air-gap is often mentioned as a security strategy. But what is air-gap? Air-gap is a widely used term with far too many definitions to explain in a short blog, but data protection vendors often define the term simply as the isolation of protected data from production data.
Air-gap can be any of the following when discussing data protection:
- A complete network air-gap in the form of backup tapes being sent off-site to a service like Iron Mountain
- Secondary copies of backups sent to cloud storage accounts disconnected after uploads are completed (aka virtual air-gap)
- Sending backups directly to an external, vendor managed, cloud data protection service completely isolated from your on-premises or cloud environments.
Is Air-Gap Enough?
While air-gap strategies isolate backup data from production data, they often overlook the need to isolate management access of data protection platforms too. 90% of cyber-attacks occur via social engineering access into production environments (deloitte.com). Once inside the production environment, it is not difficult for bad actors to infiltrate data protection systems. Should protected data be deleted or rendered useless by hackers via management interfaces (GUI, SSH, CLI, or API) they have a much better chance at exfiltrating and/or damaging production data, along with extorting a ransom from you. Thus, it is critical to consider both the isolation of protected data and isolation of management access when designing your air-gap strategy.
To secure management access many of our customers utilize several security best practices, including:
- Session timeouts
- Short term passwords
- Least privileged access
- Role-based access controls
- Vaulting of encryption keys
Utilizing and auditing all of these measures on an ongoing basis are great first steps towards hardening access. However, they can be difficult to maintain over time. The most secure path forward when architecting management of your data protection platform is to isolate management completely outside your access controls. If hackers gain access to your Active Directory or manage to get past your SSO/MFA, they can spread east-west into your prod environments and data protection platform. They can also head north-south to secondary copies of backups sitting outside your production sites or cloud accounts. Don’t forget – your data protection platforms have access to any systems they protect too. If bad actors can gain access there first, they can quickly extend attacks to your production systems.
Plug Security Holes
The P1 Technologies engineering team has helped many customers patch holes in their access control strategy. This is particularly true when outsourced resources manage data protection. By taking a ground up approach we discover all data protection platforms in use (often there’s more than one); whom has access; how they authenticate; and what authentication methods are in use. The next step is to limit the amount of privilege end users have to data protection platforms and removal of stale accounts for administrators no longer employed (you’d be surprised). We also work with our customers to ensure data protection admins authenticate to protection platforms via a second, non-production AD tenant. Enabling password expiration, session timeouts, MFA/SSO and performing monthly audits of access are all part of our best practices. By taking such an approach we separate attack vectors for accessing data protection platforms and production data systems.
We suggest you take isolation a step further to the physical layer. Many platforms give you the opportunity to isolate specific traffic types to physical or virtual network interfaces. For example, there are few reasons to allow ssh connectivity over the same interfaces (physical or virtual) as GUI access being used for day-to-day management. It is also important to understand where your outbound/inbound connections are going to and coming from and why. Countless times we enable outbound notification systems to hit endpoints like Slack or Microsoft Teams not fully understanding what the connection does, how long it is maintained nor if there are security risks involved with the connection. Consider many of the recent cyber security attacks that used 3rd party vendor holes to get into a secure production environment. SolarWinds comes to mind as a commonly used tool that had gaping access/security holes. Many monitoring tools have active direct access to systems. This is yet another attack vector into your production systems. Air-gap, isolation of management access and security auditing are all part of the architecture we utilize for our own Data Protection as a Service offering, P1 Protect.
Getting Data Protection Right Has Never Been More Important
Modern data protection platforms are complex to architect, deploy, manage, and maintain. Especially now that data protection is is a key security and compliance requirement, and not just about operational backup and recoveries. This fact prompted several of our customers to ask that we completely take over their data protection for them. So, we have. P1 Technologies utilized our collective expertise and focus to build a Data Protection as a Service platform, P1 Protect, for customers struggling to keep up with modern day requirements. We handle architecture, deployment, day to day management and maintenance in an as a service model. We not only air-gap your protected data from your production data, we also remove access to management completely from your organization’s access controls. So, if you are compromised, hackers must also compromise P1 Protect to gain access to your protected data. Free up your valuable resources to focus on moving your business forward and let P1 Protect focus on secure data protection for you. If you’d like to dive deeper into the service, we would be happy to show you what we’ve built