An air gap is a security measure that isolates a computer or network and prevents it from establishing an external connection. An air-gapped computer or network is one that has no network interfaces, either wired or wireless, connected to outside networks. Air gaps protect critical computer systems or data from threats ranging from malware and ransomware to keyloggers and other attacks by malicious actors. There are generally three types of air gaps: total physical air gaps, air-gapped systems isolated within one environment, and logical air gaps.
- Total physical air gaps are air-gapped systems in which hardware or software is physically isolated in its environment. This type of air gap separates a system completely from other systems and networks.
- Air-gapped systems isolated within one environment are systems that are not connected to the internet or other networks but are still connected to other systems within the same environment.
- Logical air gaps refer to the segregation and protection of a network-connected digital asset by means of logical processes. For example, through encryption and hashing, coupled with role-based access controls, it is possible to achieve the same security outcomes that are available through a physical air gap.
Beyond protecting critical systems and data, air gaps are also used for backup and recovery. When data backups are air gapped, the isolated copy can aid recovery efforts. For example, if an organization uses air gapping as part of its backup strategy and its network is hit by a ransomware attack, the air-gapped copy of data can be used for recovery.
Air gaps are not easy to set up and sustain. In addition to being threatened by accidental connections or enterprising hackers, air gaps suffer from a variety of human-centric risks. Input/output is the root issue: air gap or not, users typically need to add, modify, or download data from the system.
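One way to check a Linux host for the accidental connections mentioned above, as an added example that is not part of the original article: it reads interface state from `/sys/class/net` and the IPv4 routing table from `/proc/net/route`, and the function names and sample route table are constructed for illustration. IPv6 routes and non-network channels such as removable media are outside what it checks.

```python
import socket
import struct
from pathlib import Path

RTF_UP = 0x0001  # "route usable" flag from <linux/route.h>
# Constructed sample in /proc/net/route layout (hex fields, little-endian host).
SAMPLE_ROUTES = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"
)

def default_routes(route_text):
    """Return (iface, gateway) for every usable IPv4 default route."""
    routes = []
    for line in route_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 8:
            continue
        dest, gw, flags, mask = (int(f[i], 16) for i in (1, 2, 3, 7))
        if dest == 0 and mask == 0 and flags & RTF_UP:
            # Assumes a little-endian host when decoding the gateway address.
            routes.append((f[0], socket.inet_ntoa(struct.pack("<I", gw))))
    return routes

def interface_findings(sysfs_net):
    """Flag radios and non-loopback interfaces whose link is up or indeterminate."""
    findings = []
    for dev in sorted(Path(sysfs_net).iterdir()):
        if dev.name == "lo" or not dev.is_dir():
            continue
        if (dev / "wireless").exists() or (dev / "phy80211").exists():
            findings.append(f"{dev.name}: wireless interface present")
        state_file = dev / "operstate"
        state = state_file.read_text().strip() if state_file.is_file() else "unknown"
        # Many virtual and tunnel drivers report "unknown" while passing traffic.
        if state in ("up", "unknown", "dormant"):
            findings.append(f"{dev.name}: link state {state}")
    return findings

def audit(sysfs_net="/sys/class/net", route_file="/proc/net/route"):
    findings = interface_findings(sysfs_net)
    for iface, gw in default_routes(Path(route_file).read_text()):
        findings.append(f"{iface}: default route via {gw}")
    return findings

if __name__ == "__main__":
    problems = audit()
    print("\n".join(problems) or "no external connectivity indicators found")
    raise SystemExit(1 if problems else 0)
```

An empty result means only that none of these indicators were present when the check ran, so it is best run on a schedule with the exit status reported to whoever owns the isolated system.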