Air-Gap vs Immutable Backup

According to the 2023 Data Protection Trends Report, 85% of the 4,200 organizations surveyed suffered at least one ransomware attack in 2022. Even more startling, 39% of an organization’s production data was encrypted or destroyed during the attack, and victims on average were able to recover only about half (55%) of what had been affected. With cyber threats showing no sign of slowing down, it is not surprising that most companies have adopted immutable and air-gap (i.e. survivable storage) technologies to ensure their data recovery efforts are not hindered by ransomware. This blog discusses the differences between air-gap and immutable backup technologies and how organizations can leverage both in their cyber resiliency strategy.

Overview of Cyber-Resilient Strategies

Step 1 – Ensure Survivable Backup Targets

For decades, air-gap storage for backups was the most trusted option that companies could leverage to protect their critical assets from most threats. Write Once, Read Many (WORM) media such as tapes or rotating hard drives ensured that data, once ejected and moved offsite, would let organizations recover in the event of a disaster. Resilient data storage like tape has since evolved as companies adopt more secure architectures and hybrid cloud approaches. Immutability has become more common because it offers functionality similar to WORM with less overhead for managing the media, but, unlike ejected media, an immutable target is traditionally still reachable on the network. When building cyber-resilient and disaster recovery strategies, air-gap and immutable storage each have their own pros and cons. However, you can use both technologies in conjunction with one another to have an ultra-secure resilient copy.

First, it has always been recommended that you keep a secondary copy that cannot be affected by a production site outage. The traditional “3-2-1 Rule” recommends 3 copies of your data, using at least 2 media types, with 1 copy being off-site. For most Veeam deployments, your production data is [Copy 1, media type=disk], the backup data on the local repository is [Copy 2, media type=disk] and a third copy is kept off-site for disaster recovery [Copy 3, media type=disk, cloud, or tape]. Most organizations have adopted this practice and, driven by mandates and the ever-growing risk of cyber threats, expanded the 3-2-1 Rule into the 3-2-1-1-0 Rule to incorporate immutability and testing as well. The added 1-0 in the rule means that 1 copy is “offline” (inaccessible via air-gap or immutable) and there are 0 errors (the copy is tested and validated). This helps to ensure the highest level of data recoverability from any type of disaster.
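To make the 3-2-1-1-0 Rule concrete, here is an added example (not code from the original post or from Veeam) that evaluates a backup inventory against each part of the rule. The inventory, field names and the `immutable_until` expiry are constructed for illustration; a copy counts as “offline” when it is air-gapped or its immutability retention has not yet expired, and “0 errors” means every copy passed its latest restore test.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, List, Dict

@dataclass
class BackupCopy:
    name: str
    media: str                          # e.g. "disk", "tape", "cloud"
    offsite: bool                       # stored at a different site than production
    air_gapped: bool                    # physically ejected or network-isolated
    immutable_until: Optional[datetime] # object-lock / hardened-repo retention expiry
    last_verified_ok: bool              # most recent restore test passed (the "0")

def is_offline(copy: BackupCopy, now: datetime) -> bool:
    """Offline = air-gapped, or an immutability lock that is still in force."""
    if copy.air_gapped:
        return True
    return copy.immutable_until is not None and copy.immutable_until > now

def check_3_2_1_1_0(copies: List[BackupCopy], now: datetime) -> Dict[str, bool]:
    """Evaluate each part of the rule; True means that part is satisfied."""
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_offline": any(is_offline(c, now) for c in copies),
        "0_errors": all(c.last_verified_ok for c in copies),
    }

def failures(copies: List[BackupCopy], now: datetime) -> List[str]:
    """Names of the rule parts that are NOT met, in rule order."""
    return [part for part, ok in check_3_2_1_1_0(copies, now).items() if not ok]

# Constructed sample inventory: production, local repo and an off-site cloud copy.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
EXPIRED = datetime(2024, 1, 10, tzinfo=timezone.utc)   # lock already lapsed
ACTIVE = datetime(2024, 2, 1, tzinfo=timezone.utc)     # lock still in force
INVENTORY = [
    BackupCopy("production", "disk", False, False, None, True),
    BackupCopy("local-repo", "disk", False, False, EXPIRED, True),
    BackupCopy("offsite-s3", "cloud", True, False, ACTIVE, True),
]
# Same inventory, but the cloud copy's retention has also lapsed: nothing is offline.
INVENTORY_LOCKS_LAPSED = INVENTORY[:2] + [
    BackupCopy("offsite-s3", "cloud", True, False, EXPIRED, True),
]

if __name__ == "__main__":
    print("compliant:", failures(INVENTORY, NOW))              # []
    print("lapsed:", failures(INVENTORY_LOCKS_LAPSED, NOW))    # ['1_offline']
```

Note that an expired object lock silently turns an “offline” copy back into an ordinary network-reachable one, which is why retention expiry belongs in the check rather than only the presence of immutability.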

Step 2 – Reduce Access Opportunities

Now, it is all about access: making it difficult for bad actors not only to gain access to systems but also to destroy the backups you need for recovery. Therefore, we recommend that you adopt a cyber-resilient architecture.

Here, everything on your production site has proper access controls in place. You can monitor the production environment for suspicious activity and run reports to ensure all your workloads are protected and have an immutable backup. Next, define user account roles for access to the backup environment. Enabling multi-factor authentication (MFA) on your Veeam Backup Server helps provide a more secure environment that protects user accounts from being compromised. Then use an immutable target as your first backup media to allow for recovery in the event of bugs, cyber threats or accidental data deletions. Most importantly, test these backups often to verify their data content so that you won’t have any unforeseen issues at time of restore. These storage devices can range from purpose-built hardware and deduplication devices to S3-integrated hardware. Finally, we have our third copy, which should be off-site, encrypted, AND offline or air-gapped. Natural disasters and unauthorized physical access are not the only reasons why it is beneficial to keep a siloed copy offline and offsite. Data integrity, legal disputes, as well as data compliance/retention rules may not be typical data loss events, but they make it essential to have a copy of clean data that can be used for any data-driven need.

What Is an Air-Gapped Backup?

An air-gap is a way of isolating your critical data by separating a copy either physically (removing the tape from the drive) or logically so that it is not accessible from the network (e.g. network ports or routes disabled). There are many benefits of air-gap backups, including:

Protection against ransomware and other malware, since these backups are not accessible from the backup server or elsewhere on the network. For bad actors to corrupt this data, a person would need to be physically present and have the proper access credentials to delete it. If these backups are properly ejected/isolated and cared for (e.g. stored in a temperature-controlled environment and protected from dirt, dust and humidity), the chances of a failed recovery are low.

Prevention of unauthorized access and data breaches through encryption. For any backup, but especially those that have been air-gapped or are otherwise offsite, it becomes even more important that the devices or media be encrypted. Imagine having backed up your domain controller without encryption and then a bad actor restoring your backup on their own server. They can now leisurely farm your credentials to prepare for an attack on your production systems. Encryption of the backups (especially those off-site) is a critical step in protecting the company’s sensitive data from being accessed by unauthorized users.

Preservation of data integrity, which ensures that contents have not been altered maliciously. Both accuracy and consistency are crucial not just for regulatory compliance but for reliable recovery as well. For organizations in healthcare, government, finance, etc., retention periods for various types of data can range from years to indefinitely and in some cases require maintaining a secure chain of custody. Depending on state or federal regulations, failing to meet these requirements can have a legal impact, including hefty fines for organizations unable to produce the data completely and accurately.

Immutable Backups

An immutable backup is a copy of data that is protected by role-based access controls and other forms of authentication and cannot be changed or deleted until a set retention time has expired. However, it is not “offline” like an air-gap backup is, as it is still connected to and accessible from the network. Multiple technology vendors offer this type of immutability, whether on-premises or in the cloud, including object lock, secure snapshots, and the hardened repository from Veeam. For more information check out this blog post.

Air-Gapped vs. Immutable Backups

Since an immutable backup addresses some of the same ‘survivability’ goals as an air-gap backup, there are both similarities and differences. Both offer resistance against ransomware and support data compliance, but here is where they begin to differ:

A traditional air-gap backup, like tape, can incur an additional cost for managing the media and working with vendors to store the media properly. Immutable storage has its own cost consideration: because locked data cannot be deleted before its retention expires, capacity can grow rapidly if data policies change.

Recovery Time Objectives (RTO) also vary depending on the storage media used. For example, a customer who tested their restore speeds from cloud back to on-premises hit noticeable network constraints that made it slower to recover the same data set they had previously recovered from tape. It was taking weeks versus the few days they were accustomed to when recalling tapes. Increasing the download speeds was an option, but it required them to overhaul their current network at additional cost. On the contrary, another organization was able to perform restores directly to the public cloud provider and save weeks’ worth of downtime after a cyber event in which they lost access to their on-premises infrastructure due to a forensic investigation. Waiting for the investigation to complete would have cost them a month of downtime.

In both cases, customers were able to build a data-resilient strategy that worked for them. However, it is not an either-or situation, and one should not replace the other, much as VM replicas are not backups and vice versa. Both technologies exist to help organizations recover data faster, and leveraging both in tandem only increases the chance of a successful recovery after a cyber event.

Protect Your Data With Veeam

In the 2023 Ransomware Trends Report, 82% of the 1,200 organizations that had previously suffered cyber-attacks now leverage immutable cloud technologies, while 64% are using immutable disks, and tape is still relevant, with 14% stating its use in their data protection strategy. As organizations look to adopt more cyber-resilient data protection strategies, Veeam continues to form strong partnerships with hardware and cloud vendors to make it easier to adopt immutable backup repositories, air-gap solutions, or (as a best practice) both. With the latest release, v12, which includes immutability with Microsoft Azure, Direct to S3 with Immutability, and enhancements to tape, an organization can quickly add another defensive layer against ransomware.
