What You Need to Know About Air Gaps and Ransomware

Published On April 19, 2018

Air gaps help protect data against traditional physical threats, as well as emerging software-defined threats including ransomware. There are various types of data protection gaps including the good, the bad and the ugly.

Data protection exists to enable applications and their data to survive based on different threat risks. Those threat risks can cause full or partial loss, damage or theft of data. With ransomware, the data may not be destroyed or damaged, however, your access to it can be lost if you do not pay a fee — that is unless you have taken proactive data protection steps.

Traditional physical threat risks that data protection addresses include acts of nature (fires, floods and other weather-related events), acts of man and technology failures. Software-defined threat risks that data protection addresses include accidental or intentional deletion, destruction, damage or theft of data along with spyware, digital denial of service (DDoS) attack, malware and ransomware. As a refresher, ransomware software-defined threats infiltrate your data infrastructure and encrypt data, disabling your access until you pay a fee.

Good data protection gaps enable you to recover data (backups, checkpoints, snapshots, consistency points, versions) from a prior time. These recovery points (e.g. RPO) enable you to move forward when something bad happens. Another good gap for data protection is an air gap that isolates copies offline and offsite so nothing bad can happen to them.

A bad data protection gap includes a lack of coverage where data items are missing or not protected.

Then there are ugly data protection gaps. An ugly data protection gap occurs when you discover that copies you thought were recoverable (catalogs, index, metadata, settings, certificates, keys) are actually damaged or bad after it’s too late. Damage can include deleted, corrupted or infected copies as well as copies that fall victim to ransomware or some other malware.

Air gaps themselves are nothing new. In fact, they have been a favorite data protection technique for a while now — having been used for decades in support of archive, backups, business continuity and disaster recovery. What is new (besides the name) is the realization that these offsite, offline copies can also be a strong defense against modern software-defined threats such as ransomware. Air gaps help protect against ransomware and other risks by having a copy offline, not accessible to be damaged, so you can safeguard your recovery copies.

Having multiple copies stored on different systems and offsite is known as 4-3-2-1 data protection, an extension of the old 3-2-1 data protection rule. You should have at least four different versions of something, three different copies, in at least two different locations, one of which is offsite. But creating more copies of different versions of data stored on multiple systems, as well as having at least one or more of those stored offsite and offline, prompts cost concerns.

The costs can be concerning particularly if you’re approaching backup and data protection with traditional tools, technologies and techniques. However, when combined with various data footprint reduction (DFR) techniques, you can reduce your data storage footprint more efficiently.

Techniques include implementing DFR technologies, such as archiving, to reduce the footprint of inactive data or storing it offline with an air gap in case you need to recover it from a ransomware event (e.g., your regular defense protections failed). Other common DFR technologies include compression, deduplication, thin provisioning, space-saving snapshots, advanced parity RAID, erasure codes or local reconstruction codes (LRC).

A tip for defending your applications and data against ransomware is to be prepared and leverage good data protection best practices. Best practices include combing various data protection technologies, tools and techniques to defend against, as well as recover from, different threat risks. The following are some additional data protection best practices and tips to defend against ransomware along with other software-defined and traditional threats.

• Implement a 4-3-2-1 protection strategy so that you have flexibility options as to how far back in time (e.g., recovery points) you can recover from.
• Protect your data protection environment; back up your backup or data protection tools, metadata and settings.
• Implement virus and malware detection software, network intrusion detection software, and proactive and postmortem forensic tests.
• Secure digital erasure of HDD, SSD and tape-based media as well as local and cloud storage.
• Don’t pay the ransom, check with your local authorities as they may be interested to know what you encountered.
• Deploy robust antivirus, malware and related software and keep them updated.
• Supplement your DR strategy with an isolated recovery capability using a cloud-based data protection platform to secure a copy of critical data offsite and disconnect it from the network.

Now is a good time to verify not only that your data protection copies are working, but also that your recovery will enable good, instead of bad or ugly gaps. The best time to begin preparing to respond to ransomware or other software-defined and traditional physical threats is now.