With their ability to isolate critical volumes from the primary environment, air-gapped networks provide reliable ransomware protection to enterprise workloads – making them a necessary feature for all hyperconverged infrastructure (HCI) and backup and disaster recovery (DR) solutions.
In this section, we explain air-gapping, how air-gapped backups work, the role of air-gap in the 3-2-1-1-0 data protection rule, and the built-in air-gap features included in StoneFly solutions.
Looking for purpose-built air-gapped nodes? Check out StoneFly DR365VIVA.
What is Air Gap Backup?
Air-gapping is an advanced data protection feature used to isolate and detach target storage volumes from unsecure networks, production environments, and host platforms. Air gap backups are backup stored in air-gapped volumes.
Air-gapped volumes are “turned-off” by default and are inaccessible to applications, databases, users, and workloads running on the production environment. Air-gapped data storage only becomes accessible when it is “turned-on”.
Depending on the software and vendor, the ability to turn-on and turn-off air-gap volumes can be manual or automatic via user-defined policies. Additionally, also dependent on the vendor, air-gap volumes can be provisioned on-premises and/or in the cloud.
Types of Air Gap Backup
Air gap backup can be differentiated into two types depending on how they are set up:
- Physical Air Gaps: When the target storage is physically isolated/disconnected from the production network, it’s called physical air gapping.. For instance, StoneFly DR365VIVA can be configured to power off when data is not being read/written. When powered off, there is no physical network connection between the air-gapped node and the production environment.
- Logical Air Gaps: When the target storage is physically connected but logically isolated/disconnected from the network, it’s called logical air gapping. It’s important to note that even though the logical air gap volume is physically connected, it remains isolated via various logical processes such as role-based access controls, software-defined networking, etc. StoneFly is the first to introduce logical air gap with the Always On-Air® Gapped backups.
How does Air Gapping Work
Air-gapped backups leverage air-gapped target storage volumes to store backups, snapshots, replicas, and redundant copies of business-critical volumes. As air-gapped volumes are turned-off and inaccessible by default, they keep the stored backup data safe from any disaster that may affect the primary production environment.
In the event of a disaster, air-gapped volumes can be turned-on and the data stored in them can be used to restore operations quickly and seamlessly – without fail.
Air-Gapped Systems: On-Premises & in the Cloud
How are air-gapped backups set up on-premises
Two common practices are used by storage administrators to set up on-premises air-gapped systems:
- Offline tape arrays or secondary storage systems that are manually attached and detached. This is an error-prone process and not entirely secure, which is why most data security experts advise against it.
- Purpose-built air-gapped backup appliances with built-in network and power controller that automatically isolates and powers-off the appliance from the production network as per user-defined policies.
- Leverage software-defined networking to deploy virtual air gap target storage repositories, also called logical air-gap, on VMware, Hyper-V, KVM, or Citrix (formerly XenServer), that can be attached or detached automatically as per user-defined policies.
How are air-gapped backups set up in the cloud
Air-gapped backups are not the same as redundant data storage. Air-gapped storage provides an additional layer of security against cyber-threats. To do so, simply creating and storing a secondary copy is not enough.
Similar to the software-defined on-premises air-gapped backups, air-gapped repositories in the cloud are set up on an isolated network and are offline by default. The storage volumes are only attached to the primary repository to store critical data and then detached as per user-defined policies.
Advantage of Air-gapped Backups
The primary advantage of air gapped backups is ransomware protection.
Ransomware attacks spread through the network to encrypt production hosts, servers, connected storage devices, and backup servers. Air gapped backups make sure that even if the rest of the infrastructure is compromised, the data stored in air gapped volumes is unaffected and available.
With air-gapped target volumes, organizations can protect their mission-critical structured, unstructured, and object workloads from threats like ransomware, virus, failed software-upgrade and human error.
Furthermore, air gap backups also help organizations comply with industry regulations, such as HIPAA/HITRUST, FINRA, FISMA, GDPR, etc., as it prevents data breaches and ensures data recovery.
3-2-1-1-0 Air Gap Backup Strategy
The 3-2-1-1-0 rule is an advanced data protection strategy that leverages backup & DR capabilities to ensure high availability, recoverability, and delivers near-zero downtime.
The rule states that you need to have three different copies of data, stored on two storage media, with one offsite copy, and one air gap backup copy.
While conventional practices leverage tape arrays or physical storage media to create the offline copy, air-gapped volumes deliver an automated, software-defined, easy-to-manage, and affordable alternative. Moreover, in comparison to tape arrays, logical air gap backups cost less, take less time to configure and manage, and are not impacted by human-error.
Fore more on 3-2-1-1-0 backup strategy, read Finding the Right Backup Strategy: 3-2-1 vs 3-2-1-1-0 vs 4-3-2
Air-Gapping in StoneFly Solutions: Air-Gapped Vault™ & Air-Gapped Fabric™
StoneFly air-gapped features are available as Air-Gapped Vault™ and Air-Gapped Fabric™.
- Air-Gapped Vault are target storage repositories that can be set up on-premises or in the cloud of your choice using StoneFly’s patented storage OS (StoneFusion and SCVM).
- Air-Gapped Fabric provides seamless data management of all air-gapped repositories deployed on-premises and/or in the cloud.
The StoneFly Air-Gapped Vault is available with two deployment options: air-gapped repositories and air-gapped controllers.
Air-gapped repositories can be deployed on popular hypervisors and in the cloud of your choice. Users can define policies to automatically turn-on (attach/connect) and turn-off (detach/disconnect) air-gapped repositories.
One pair of virtual storage controller and target repository are network-facing, always accessible and available to user-groups, applications, etc. The second pair of virtual storage controller and target repository are air-gapped, detached, and isolated.
Air-gapped controllers can be deployed on popular hypervisors and in the cloud of your choice. Users can define policies to automatically turn-on (attach/connect) and turn-off (detach/disconnect) air-gapped controllers.
StoneFly Solution with Air-Gapping
The following StoneFly solutions offer air-gapped data storage as a standard feature:
StoneFly HCI Solutions
- StoneFly Unified Storage and Server (USS™) HCI Appliances (link)
- StoneFly USS High Availability (HA) HCI Appliances (link)
- StoneFly Clustered TwinHCI Appliances (link)
Note: The above HCI appliances are ready-to-deploy systems that support VMware, Microsoft Hyper-V, KVM, and Citrix (XenServer) hypervisors.
StoneFly Backup & DR Solutions
- StoneFly DR365V – Veeam-Ready Backup & DR Appliance (link)
- StoneFly DR365 – DR Site in a Box (link)
- StoneFly DR365U – Universal Backup & DR Appliance (link)
- StoneFly DR365Z – Backup & DR Appliance for Zerto (link)
- StoneFly DR365VIVA – Purpose-built Air-Gapped Nodes for Veeam Backup Environments
Note: The above backup & DR appliances are ready-to-deploy systems that support VMware, Microsoft Hyper-V, KVM, and Citrix (XenServer) hypervisors.
How StoneFly Delivers Air-Gapping with Veeam (Demo)
Frequently Asked Questions (FAQs)
Is Azure Backup Air Gapped?
No, Azure backup is not air gapped by default. To set up air gapped backups in Azure, you need to purchase third party services. If you’re looking to set up Azure air gap backups, you can purchase StoneFly air gap and immutable storage in Azure directly from Azure marketplace.
Are Veeam backups air gapped?
Veeam backups are not air gapped by default. To set up Veeam air gapped backups you need to make sure that the target storage repository for Veeam backups, snapshots, and replicas is air gapped. StoneFly solutions that provide Veeam air gapped backup include DR365V, and DR365VIVA.
I already have a backup server. Can I add air gapped backups to it? If so, how?
Yes, you can add air gapped backups to your backup server(s). Here’s how you can do so with StoneFly solutions:
- Add a purpose-built automated air-gapped and immutable appliance to your network: StoneFly DR365VIVA (Veeam-Immutable Veeam Air Gapped).
- If you’re not looking for a physical air gapped node, we offer two solutions:
- Immutable and air gapped backups in Microsoft Azure cloud.
- StoneFly Storage Concentrator Virtual Machine (SCVM™) installs on most hypervisors, such as VMware, Microsoft Hyper-V, KVM, Citrix (formerly XenServer), and StoneFly Persepolis, and allows you to repurpose unused idle storage resources to provision air gapped and immutable repositories.