I have heard of Stonefly but never used their services. Airgap to me is still using tape which is not dead, and I believe is going to make a comeback. We use it for some services, and they are only growing.
Anything that can be taken offline in some fashion could be considered airgapped.
Immutability is another thing to ensure you enable as well as airgap backups too.
The most secure air-gap solution is tape with tapes regularly taken out of the library and put into a safe or another location. Then the data on the tapes is absolutely not accessible from other systems. But this means a lot of manual intervention.
You can do a google search, there is a tape library vendor (I don’t mention the name here..) that has a vault integrated into their libraries, this gets you some more security. You should try this how it cooperates with Veeam, I don’t have hands-on experience with this function.
Other solutions are not really air-gap, but you could for example setup a storage system which has their network connection opened when they are needed only….
It depends on multiple things.
Your budget, the amount of storage you have, and your current infrastructure.
AirGap has transformed in the last few years to “Immutable”. There are storage companies like object first, ExaGrid, that will give you immutable backups that can not be deleted or modified. Companies like Wasabi and BackBlaze do this in the cloud.
You can also install a Linux repo on a host, and use almost any object storage to do the same efffect. These companies just make it super simple with the VeeaMover integrated. Plus they usually scale nicely and provide redundancy etc.
StoneFly has an “Air-gapped Node” that will Disconnect itself from power and network automatically. It sounds like it sets a timer on the storage to bring itself up.
“Air-gapped nodes are physical backup and disaster recovery appliances purpose-built to provide air-gapping and immutability for your critical backups, snapshots, and replicas.
The air-gapped nodes leverage Veeam-integration and enable storage administrators to set policies which automatically isolates the nodes using the built-in network and power controller.
As the backup data stored in air-gapped nodes is isolated from your production and backup environments, it is protected from threats such as ransomware attacks, accidental/malicious deletion, virus, etc.”
I use Tape. With large amounts of data it’s the cheapest, and nothing says AIRGAP like removing it from the library. I can take backups offsite as well. If it’s plugged in, it can be compromised. If a bad actor was in your network and had access to your Veeam infrastructure, it wouldn’t be hard to see the time for the backup window. They could then plan an attack on the “Air-Gapped Node” during that window.
That being said, if it is ALSO immutable and your Veeam environment is secure, any added security measures are a good thing. It at least makes the attack window smaller. The attack window for my exported tape jobs is 0 seconds though. Hard to beat.
Immutability and VHR is a great option but there’s no replacement for tape really. I have one client on tape currently, but they’re also looking at Object First OOTBI’s nodes.
For a little customer I recommend to use a workstation with 7 usb disks used as repo with rotated disks.
I don’t love the idea of USB disks but that would qualify as air-gapped. For small customers that want immutability, it's either Wasabi or the weird setup of running Ubuntu as a VM on a Synology NAS and using some of the local storage as an XFS volume. I don’t love that solution, but we had two different guys deploy two of these for clients, and I’m playing with it locally.
Hi Folks,
I would re-designate this threat as “safer backup solutions” but not Air Gap.
Air Gap cannot have automatic transfer of data. Only Human manual transfer. So unless you are manually copying the Veeam backups they will never be Air Gap.
Air Gap:
“An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control).”
I asked one of the Comptia security folks at the conference in Chicago about why this was included in the Air Gap definition and the answer was that automation was a very strong weak link in the equation.
One of the problems he said was that people can get a false sense of security from terminology, especially when Marketing enters the fray.
I must admit I used to take these official definitions a bit too lightly but with the ransomware threat growing I am being more careful now.
Air Gap Definition can be found here: https://csrc.nist.gov/glossary/term/air_gap
https://datatracker.ietf.org/doc/html/rfc4949
I almost forgot one of the other things that was said in relation to insurance and audits, so you get hit by ransomware and during the post mortem you are asked by auditors etc, what protection did you have in place? “we had air gap” reply “no sorry you did not”. That another aspect as well.
Hi Folks,
I would re-designate this threat as “safer backup solutions” but not Air Gap.
Air Gap cannot have automatic transfer of data. Only Human manual transfer. So unless you are manually copying the Veeam backups they will never be Air Gap.
Air Gap:
“An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control).”
I asked one of the Comptia security folks at the conference in Chicago about why this was included in the Air Gap definition and the answer was that automation was a very strong weak link in the equation.
One of the problems he said was that people can get a false sense of security from terminology, especially when Marketing enters the fray.
I must admit I used to take these official definitions a bit too lightly but with the ransomware threat growing I am being more careful now.
Air Gap Definition can be found here: https://csrc.nist.gov/glossary/term/air_gap
https://datatracker.ietf.org/doc/html/rfc4949
Hi @Geoff Burke ,
You're right about air gap. During last Italian Community virtual event I explained that immutability is not air gap. I think air gap is not a possible scenario for backup. Anyone can say me:" You're forgetting tape library". My reply is simple. Have you a technician during Saturday and Sunday morning are available to get out a tape out of your datacenter? I'm sure is not possible in all customer scenarios. So during that days backup are not air gapped.
Hi Folks,
I would re-designate this threat as “safer backup solutions” but not Air Gap.
Air Gap cannot have automatic transfer of data. Only Human manual transfer. So unless you are manually copying the Veeam backups they will never be Air Gap.
Air Gap:
“An interface between two systems at which (a) they are not connected physically and (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control).”
I asked one of the Comptia security folks at the conference in Chicago about why this was included in the Air Gap definition and the answer was that automation was a very strong weak link in the equation.
One of the problems he said was that people can get a false sense of security from terminology, especially when Marketing enters the fray.
I must admit I used to take these official definitions a bit too lightly but with the ransomware threat growing I am being more careful now.
Air Gap Definition can be found here: https://csrc.nist.gov/glossary/term/air_gap
https://datatracker.ietf.org/doc/html/rfc4949
Hi @Geoff Burke ,
You're right about air gap. During last Italian Community virtual event I explained that immutability is not air gap. I think air gap is not a possible scenario for backup. Anyone can say me:" You're forgetting tape library". My reply is simple. Have you a technician during Saturday and Sunday morning are available to get out a tape out of your datacenter? I'm sure is not possible in all customer scenarios. So during that days backup are not air gapped.
Yeah I have to admit in the past I was pretty lax when it came to these terms .
When it comes to ransomware I think it is best to leverage as much as you have. I have seen tapes being the saving grace, but at the same time as you said RTO is really slow.
I guess if you make a backup then manually copy the files to tape or a rotating drives then it would formally comply with the meaning.
Either way another big benefit of this type of discussion is it focuses us all on the details which for me always helps focus on every little step of the process. I have found during emergency restores, when the pressure is on, the better I knew every little step in detail, the more likely I would be successful and not make a mistake.