Physical vs logical:

Which air gap is right for your backups?

   

Wednesday 22nd September 2021 | 4 minute read

Air gaps offer an additional layer of security by taking your backups offline. With no direct link from the outside world, they are safe from being overwritten, corrupted or unauthorised access.

There are currently two variants of air gap – physical and logical. We’ll help you understand the differences between them, and which is right for your data protection strategy.

What is a physical air gap?

A physical air gap places a disconnect between the production environment and the backup location. It is physically impossible to access the backup store through your network because there is no link.

Backup tapes are an excellent example of what a physical air gap looks like. Once the backup job completes, the tape is ejected from the drive and taken off-site for safe keeping until it is required.

The benefits of physical air gaps

The only way to access the backup set is by placing the tape back into the drive, thereby ‘closing the gap’. A physical air gap is probably the most secure way to protect your backup because it cannot be accessed, corrupted or overwritten without access to the actual media.

There are no backdoors, forgotten network connections or zero-day exploits to be concerned about. The backup is also impervious to loss in the event of a localised disaster or a ransomware attack.

The pitfalls of physical air gaps

Although secure, the overheads of managing physical air gaps must not be underestimated. The modern data estate typically exceeds the capacity of a single tape, requiring multiple media for every backup job. They must then be cycled away from the backup environment, whilst also ensuring there are enough tapes available for every job.

With so many ‘moving parts’, the physical air gap becomes more complex to manage and run – eventually requiring several people to keep everything running smoothly.

Recovering data from a physically air-gapped backup is also relatively slow because the media must be retrieved from its off-line storage location first.

What is a logical air gap?

More recently, businesses have begun implementing ‘logical air gaps’ to protect backups. These backups are placed in a physically separate location, but they are not completely disconnected. Instead, the backup software marks each backup as ‘immutable’, preventing them from being overwritten or deleted.

The benefits of logical air gaps

The logical air gap is relatively quick and easy to set-up with the right backup tools. And because data does not need to be moved manually, the process is much easier to manage.

Logically air gapped backups can be brought back online and accessed within a matter of moments. For example, restoring a production environment that has been compromised by ransomware can be initiated in a matter of seconds, dramatically reducing your Recovery Time Objective (RTO).

The pitfalls of logical air gaps

Because logically air gapped backups are accessible online, there will always be a small risk that hackers are able to compromise the network perimeter and take control of your backup software. Should that happen, your archived data is at risk.

Depending on your archiving requirements, the costs of logical air gapped backups can quickly mount up. You may accrue months or years of backups that cannot be deleted and consume valuable storage. Off-loading to cloud cold storage is a possibility, but this will increase RTO and you still have to pay for the storage consumed, even if the backups are never used. You will need to seriously consider the correct size of your environment, factoring in immutability to protect against ransomware.

Assessing your options

Physical or logical, there's a solid case for using either type or a mixture of approaches in your data protection strategy. But in the age of ransomware, a gap between live systems and archived backup data is essential.

With technology evolving all the time, it’s important to review your backup policies and procedures. If it’s been a while since you last did yours, you could benefit from a free backup health check to help ensure they continue to be fit for purpose.

To learn more about air gaps and which is right for your organisation, have a chat with one of our team.

Speak to an expert