A recent Cyber Security Breaches Survey revealed that approximately 22% of UK businesses and 14% of charities had experienced cybercrimes in the last 12 months, and that is with cyber protection measures in place.
This underlines the need for organisations to consider multiple layers of cyber protection and different forms of security measures for specific types of data – according to their level of sensitivity. Without this approach, ensuring robust cyber protection is far from certain.
There is, however, a more ‘radical’ solution in the form of air-gapping – a security measure that isolates a computer and prevents it from establishing any external connection. The objective here is to prevent unauthorised access or cyberattacks because no access means no hacking.
But, in practical terms, what does air gapping actually cover? True physical air gapping occurs when applications and data are isolated from network connectivity and exist completely offline. The objective is simple: to protect systems against unauthorised access, cyberattacks such as ransomware, and data breaches.
In these circumstances, the only way to transfer data in and out of a physically air-gapped system is through manual methods, such as via a USB flash drive or other removable media. This approach is considered highly secure because it significantly reduces the attack surface for cyber threats.
However, air gapping has also come to mean different things to different people, with some qualifying the term by adding a ‘logical’ or ‘virtual’ prefix. In this context, air gapping depends on the use of supplementary technologies, such as backing up data to the cloud. The issue here is that no air gap actually exists because, by definition, there has to be a connection between the user and cloud service at some level.
A logical air gap, for example, uses software and configuration strategies to create a separation or isolation between systems or networks. This does not remove the physical connectivity but uses technologies such as firewalls, virtual LANs (VLANs) and other network segmentation techniques to control and limit access between isolated systems and the wider network or internet.
While logical air gaps can reduce the risk of unauthorised access or data leakage between the segregated parts of a network, the fact that systems remain physically connected means security is not as robust as a physical air gap. The relative convenience of a logical air gap (compared to a physical version) also comes at the cost of increased vulnerability to sophisticated cyberattacks that can potentially bypass logical controls.
In any circumstances, even a brief connection to the Internet can introduce significant risks. If an air-gapped system is connected temporarily, for example, during patching, it opens up the possibility of an attacker injecting malicious software that could lie dormant until the system is connected again.
Air gapping is particularly relevant for organisations following the 3-2-1 rule, whereby 3 copies of data are created, with backup copies kept on 2 different types of storage, including any combination of on-premises, cloud or offline options. To complete the process, 1 backup copy is stored at an off-site location, such as a public cloud server. Air gapping can strengthen the 3-2-1 rule by providing a location to store immutable copies to limit access to data even further.
Clearly, it’s completely impractical for air gapping to be used everywhere – most contemporary technologies need to be online otherwise they wouldn’t meet functional requirements or user expectations. In addition, air-gapped systems are inherently inflexible, as they are designed to limit data transfer and communication functionality. In certain situations, this can create some awkward and inefficient operational inefficiencies.
And, as with any IT architecture, there is always the risk of human error or malicious insider risks that could introduce vulnerabilities or bypass the isolation provided by air gapping altogether. Air-gapped systems require manual updates and maintenance, which can be cumbersome and time-consuming, while the relative complexity these processes require increases the risk of improper configurations or delays in applying critical updates, leaving systems vulnerable to risk.
Alternatives to physical air gapping do exist and include the use of a data diode where one-way data transfer is enforced, such as the case with some military or critical infrastructure networks. This ensures that even if the receiving network is compromised, it cannot send malicious data or commands back to the air-gapped systems.
But ideally, air gapping should be used in conjunction with other security technologies and processes to deliver a multi-layered approach. In doing so, organisations can apply the appropriate level of protection as part of a wider zero-trust approach to deliver the maximum levels of resilience to the wide range of cybersecurity and data protection challenges they will inevitably encounter.