Cybersecurity has become a top priority across virtually every industry sector, public and private — especially in light of recent research that shows cyberattacks are viewed as the United States’ greatest threat. As these threats grow more prominent, so does the need to create secure environments to limit the exposure of sensitive data. One of the best ways to minimize exposure to such threats is to isolate data by deploying environments that have no, or limited, connection to the internet — also known as an “air-gapped” cluster. While there are a host of challenges organizations are forced to deal with when creating an air-gapped environment for cloud-native applications, through careful planning, leaders can create an effective air-gapped environment that will limit exposure to breaches.
While there are some technologies that can’t be air-gapped, there are many opportunities and benefits for the technologies that can. This piece will outline a few key considerations organizations should take when adopting an air-gap-first mindset, and why this is an approach that, no matter the industry, companies should consider implementing to ramp up their security culture.
Why an air-gapped-first approach can help – even when you don’t think air-gap applies
It is an exciting time in technology, and nearly every enterprise is looking to move to the cloud, modernize, and innovate faster. Ubiquitous internet access and mobile applications have spurred the creation of more and more connected apps. This means that more services are deployed on clusters that need to place calls out to the internet and accept calls from the internet. Not only that, but in the world of containerization and Kubernetes, it is extremely common for deployments to depend on things like container registries. All of these trends have made it increasingly common for clusters to be ‘connected.’ However, our increasingly connected world has opened up a host of new threats, and organizations need to first prioritize protecting their environment. Ransomware, for example, is one threat that teams need to prepare for ahead of time, but it’s just one of many.
There are obvious use cases for air-gapping: sensitive government data, data that lives in remote locations that don’t have consistent internet access (e.g. a cruise ship or a car), financial systems to prevent fraud, among others. That said, even when it may not feel like it applies, taking an air-gapped approach can provide significant benefits. It will force security leaders to think about exactly what needs to be exposed to the internet, rather than assuming that everything should be. There are many ways to air-gap, and the type of air-gap approach a business should take is really dependent on its specific needs.
Where are the needs on the spectrum of air-gappedness?
Depending on organizational needs, different levels of air-gapping can prove to be successful. Below is an overview of when different types of air-gapping may be relevant for an organization:
- 100% air-gapped: there are many times when full air-gapping is appropriate, such as if there are no connections available due to remote locations or regulatory reasons. Most commonly, fully air-gapped environments are found in situations in which classified information is involved. This type of air-gapping is the best choice for sensitive information and environments that need to be completely secure.
- Occasionally air-gapped: occasional air-gapping makes sense for moving vehicles such as cars or ships. As these vehicles are often in motion or in remote locations, the ability to operate air-gapped for periods of time is vital to their success.
- Logically air-gapped: a hybrid solution such as logical air-gapping is best when a physical connection exists but the network-connected digital assets are still protected as if they were air-gapped. This can help to secure your software supply chain by ensuring that the cluster cannot fetch images from the internet, and it can help protect against intrusion by locking down ports and paths that are not necessary.
- Partially air-gapped: many companies can benefit from partially air-gapped infrastructures — one that provides the security of air-gapping while still exposing certain ports or paths for communication purposes. What’s key here is that this exposure is only by exception and therefore very controlled. This can allow information to still be reasonably accessible to the broader team, while still maintaining a level of security that protects this data.
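The logically and partially air-gapped options above both come down to the same rule: deny everything by default and open specific ports and paths only by exception. The following Kubernetes NetworkPolicy pair is an added example written for this article, not configuration from the original piece. It assumes a namespace called `payments`, a CNI plugin that enforces NetworkPolicy, cluster DNS running in `kube-system` with the `k8s-app: kube-dns` label, and an internal container registry reachable at the constructed CIDR `10.20.0.0/24`; every one of those values is a placeholder to replace with your own.

```yaml
# Added example (not from the original article). Two policies together implement a
# "logical air-gap" for one namespace: the first denies all traffic in and out, the
# second re-opens only the paths the workloads actually need.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments            # placeholder namespace
spec:
  podSelector: {}                # empty selector: applies to every pod in the namespace
  policyTypes:
  - Ingress                      # no ingress rules listed -> all inbound traffic denied
  - Egress                       # no egress rules listed -> all outbound traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-by-exception
  namespace: payments            # placeholder namespace
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  # Exception 1: name resolution via the cluster DNS service only.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:               # same list element as namespaceSelector -> both must match
        matchLabels:
          k8s-app: kube-dns      # assumed label of the cluster DNS pods
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Exception 2: an internal, mirrored container registry over HTTPS.
  - to:
    - ipBlock:
        cidr: 10.20.0.0/24       # constructed CIDR for the internal registry
    ports:
    - protocol: TCP
      port: 443
```

Apply both with `kubectl apply -f <file>`; NetworkPolicy rules in a namespace are additive, so the deny-all policy stays in force and the second one only carves out the listed exceptions. Two caveats a practitioner should keep in mind: NetworkPolicy is only enforced if the cluster's network plugin supports it, and image pulls are performed by the kubelet on the node rather than by the pod, so pod-level policy alone does not stop a node from fetching an image from the public internet. Keeping the cluster on an internal registry additionally needs node-level egress controls or an admission policy that rejects images from untrusted registries.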
Why security leaders should rethink their architecture to minimize security vulnerabilities
Any business that runs big data centers is at risk because its entire organization is exposed to cyber threats. Additionally, in an environment with a tremendous amount of complexity and growth, there are a plethora of new areas to protect. Taking security risks into account prior to creating an infrastructure is always best practice, but even established companies can take a step back and identify new ways to revamp their architecture to be even more secure. By first identifying what can be air-gapped, or even intermittently air-gapped, businesses will be in a much better and more secure position to protect their data.
As teams continue to face new security threats, an air-gapped mindset can help them approach the challenge of overcoming those threats and ultimately create a more secure environment. Whether an organization implements fully air-gapped or intermittently air-gapped measures depends on its infrastructure needs, the type of data it is protecting, and ultimately what is feasible for and aligned with its business goals.