Short answer? Very important. When customers are talking to us about the security of their backups, there are some phrases that come up again and again. The unforgiving reality of ransomware attacks is beginning to sink in, and ‘if’ has become ‘when’. So, whilst your backup environment might be the recovery repository of your last resort, it’s important to ensure that environment is also uncompromised.
So, what about those terms and phrases that we keep hearing? You won’t be surprised to know that a lot of our customers are asking about immutable backups and airgaps. Sometimes, they’re considering going old school and making a copy of their data to tape, just to be on the safe side. And with an increasing threat vector, we think it’s great that people are becoming more aware of these issues. Even if you haven’t fallen victim to ransomware, it’s important to consider how your business would respond in the event of a disaster.
What is an airgap?
But what is an airgap? In short, an airgap is a security measure that ensures a secure network is isolated from an unsecured network. In which case, there’s no doubt that you should be thinking about them. And, more importantly, considering whether a physical or virtual airgap is the right choice for you and your business. A physical airgap will undoubtedly give you a greater measure of security and resilience against ransomware, but you may have to make compromises around data availability. So, you need to be asking yourself: which risk is the most important to mitigate?
Physical airgaps
Your tapes can only get written to when they are mounted on a drive, but there are good reasons why organisations have moved away from tape; the lack of speed when it comes to recoverability and a reduction in costs for disk-based backup to name just two. But if you are only storing your backup data on disk, you’re going to run into some issues eventually, even more now than ever before. If you’re storing your critical backup data on a filesystem that’s within your current infrastructure, you’ve got to do your best to make sure that it’s not open to the same risks.
- Is your data stored on a standard Windows filesystem?
- Is that system regularly patched?
- Is that system on the domain and thus accessible by the same domain IDs that can access other machines on the network?
It probably sounds like we’re telling you to assume the worst. And you’d be right, that’s exactly what we’re telling you to do. Always suppose that somebody unauthorised will try to get into your systems, and then make it as challenging as possible for that to happen. If that makes it harder for Backup Administrators to get into the infrastructure as well, good. It’s a job well done.
Virtual airgaps
But what about a virtual air gap? And can it give you the same level of security that you’d get from a physical airgap?
Let’s consider the scenario where you’re starting to use a connection to cloud infrastructure. You continue to store the copy of your data on a Windows based infra on the cloud. In this case, although you may be taking advantage of the distance and the http cloud connection, your windows server is still going to be at risk. Ask yourself the following questions about your data security:
- Is it accessible via public IP?
- Are you ensuring the patching of that server is up to date?
- Is it as secure (or more secure) than your on-premise environments?
Rather than storing the data on a traditional filesystem within the cloud, you’ll get more security if you’re storing the additional copy of the data on Object Storage using the S3 Protocol. You can take advantage of redundancy or snapshots on offer from the Cloud Provider, and the data is generally only going to be accessible if you have access to it via API. That’s less exposed than relying on AD authentication. Whilst it doesn’t give you the full immutability that you’d have if you were storing that copy on offsite tape, you might find that it’s the compromise that you’re willing to take between Data Availability and Data Security.
Fancy learning more about airgaps or what you can do to ensure your networks are kept secure? Give our experts a call here or drop us an email at info@predatar.com