ETAC Column: Preserving the Air Gap
by Josh Winterrowd, IT Manager, Montana PBS
In these days of always-on, always-connected storage, how do we preserve the tried-and-true method of keeping backups secure when our data may no longer reside on tape or even on servers in our datacenter?
In a world of centralized backups and fully networked systems that are exposed to the Internet, how do we protect our data from hackers, disgruntled employees, and ransomware? In the old days, we would move the physical backup tape or hard drive to an offsite location. That air gap meant hackers and ransomware would never be able to compromise or fully encrypt your data. Now backups are pushed to cloud storage providers and are always available from your internal network. Hence, if your network is compromised, your backups potentially are too.
There are a couple of solutions to this problem. One is to continue using traditional storage media such as removable hard drives and LTO tapes. These solutions are proven and do work, but they can be time-consuming and require consistency on the part of the IT department to reliably change, test, track, transport, and store them. The other is to move to a cloud provider. There is one caveat to this: make sure the type of storage you are using is immutable.
Immutable storage cannot be deleted or changed under any circumstances, not even by system administrators. By carefully setting retention parameters, you can protect your data from the risk of loss, whether from natural disaster or malicious intent.
In the last few months, most major cloud storage providers have rolled out products that have some form of immutable storage option. These include Amazon, Azure, Google Cloud, Wasabi, and the list goes on. This type of storage prevents any single person, even a potential ransomware threat, from changing your data. With proper backup testing procedures, this is an easier way of making sure backups are being performed according to best practices.
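To illustrate what checking those retention parameters can look like, here is an added example (not part of the original column) that audits a bucket's default retention rule, assuming Amazon S3 Object Lock is the immutable option in use. The bucket names, the sample documents, and the 30-day minimum are constructed for the example; only compliance mode is treated as immutable for administrators, since governance mode can be bypassed by suitably privileged users.

```python
import json

# Constructed samples in the shape returned by S3 GetObjectLockConfiguration.
# Bucket names are hypothetical; "{}" stands in for a bucket with no lock config.
SAMPLES = {
    "backup-compliance": '{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",'
                         ' "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}',
    "backup-governance": '{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",'
                         ' "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Years": 1}}}}',
    "backup-short": '{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",'
                    ' "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}}}',
    "backup-no-default": '{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}',
    "backup-unlocked": '{}',
}


def retention_days(default_retention):
    """Normalise the Days / Years fields to a day count (one year = 365 days)."""
    return default_retention.get("Days", 0) + 365 * default_retention.get("Years", 0)


def audit_object_lock(raw_json, min_days):
    """Return a list of findings; an empty list means the policy is met."""
    cfg = json.loads(raw_json).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["object lock is not enabled, so backups can be deleted or overwritten"]
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        return ["no default retention, so only individually locked objects are protected"]
    findings = []
    mode = default.get("Mode")
    if mode != "COMPLIANCE":
        # Governance mode can be overridden by any principal that has been
        # granted the s3:BypassGovernanceRetention permission.
        findings.append(f"mode is {mode}: privileged users can bypass retention")
    days = retention_days(default)
    if days < min_days:
        findings.append(f"retention is {days} days, below the required {min_days}")
    return findings


if __name__ == "__main__":
    # 30 days is an assumed policy value for this example.
    for bucket, raw in SAMPLES.items():
        result = audit_object_lock(raw, min_days=30)
        print(bucket, "OK" if not result else "; ".join(result))
```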
We can and should take advantage of cloud-based storage tools to add another layer of protection to our backup strategies.