Hi to everyone,
I am going to start writing some stuff about what I see in the AWS announcements that interests me. The first is that AWS Backup now provides a logically air-gapped vault as part of the product. This feature was announced recently at the following link: AWS Backup logically air-gapped vault (Preview) (amazon.com)
It’s in Preview at the moment in US East 1
Before I go into the deeper dive I just want to say this is cool for data protection and security and I am very pleased AWS have this now.
What is an Air-Gapped Vault
Air gapping, in the context of cyber security, means isolating a device or data store from other devices on the network or the internet in order to protect the data on it. There are two types of air gap:
- Logical – Physical connections are still present but data segregation is achieved through logical processes and segmentation.
- Physical – Effectively it severs any physical link from point A to point B in an environment. This can include removing LAN cables or using a Faraday cage (which blocks electromagnetic signals and so prevents wireless connectivity).
The air-gapped vault AWS has in preview uses a logical air gap: the vault is still reachable through the AWS Backup service, and the isolation comes from logical segregation rather than a physical disconnect.
Ransomware, Cyber Security and Backups
Ransomware is more than just a buzzword now. In the past it might have been more common to see ransomware on CSI: Cyber (remember that show?) than in reality. That's no longer the case. Ransomware is so prevalent now that over 50% of organizations with a public presence on the internet are reporting attacks against their infrastructure.
And years ago when I saw my first ransomware attack, no one really posited that backups could be a target. Everyone just assumed backups were clean and could be recovered from, even if it was slow. That's also no longer the assumption. Online backups (and most things are online now) are vulnerable if they are not protected.
There are two ways to protect that data: copy it to an effectively offline location (air gap), or make the copy unwritable (immutable). In both cases you also need to check it for errors and malware (data integrity), because what's the point of backing data up if it is unreadable and unrecoverable?
The 3-2-1-1-0 Rule from Veeam
The Backup Golden Rule has been the 3-2-1 rule which dictates:
- 3 Copies of data
- 2 different media
- 1 copy stored off site
However, in order to maintain a more comprehensive cyber security approach I would highly recommend following the Veeam blog 3-2-1-1-0 Golden Backup Rule | Veeam Community Resource Hub
This acknowledges that, with bad actors getting smarter and smarter, it is no longer sufficient simply to store a copy off site. The secondary copy must be either IMMUTABLE (cannot be changed after it is written) or air-gapped.
I will discuss how Amazon S3 provides support for immutable backups in my upcoming blog on Veeam Hybrid Cloud Backup Security, but for now let's focus on the Veeam rule:
- 3 Copies of Data
- 2 different media
- 1 copy off-site
- 1 copy is offline or immutable
- 0 errors in the backup data
What the AWS Backup Air-Gapped Vault Offers
So where the AWS Backup air-gapped vault comes into play is the 4th item, which requires that one copy is offline (or immutable). In physical terms this means that after the data is written it is disconnected (for example, a tape is ejected and shipped to storage, or a network cable is unplugged). For cloud-based backups a logical air gap is generally sufficient, as it is designed to provide similar segregation without the physical disconnect.
How to do it.
Since this feature is in preview at the moment and you need to enroll to get access, I don't have pictures to show, but you can see some in this AWS blog: Introducing AWS Backup logically air-gapped vault | AWS Storage Blog (amazon.com)
From a practical standpoint the steps are fairly straightforward for people who already use AWS Backup.
- Create a New Vault and give it a name
- Specify the vault type as "Logically air-gapped vaults – preview"
- Assuming an existing backup plan, add a copy action to a rule in that plan and set the new logically air-gapped vault as the copy destination
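The third step above, the copy rule, is where the air-gapped vault is actually wired in, and it is also where a practitioner can trip up: the vault is created with a minimum and maximum retention window, and a copy whose lifecycle falls outside that window will not land in it. The following is an added example for this post, not AWS or the author's own code; it builds the JSON that `aws backup create-backup-plan --backup-plan file://plan.json` (or boto3's `create_backup_plan`) accepts, with a daily rule that writes to a primary vault and copies every recovery point into the air-gapped vault, and then checks the copy's retention against the vault's window before the plan is submitted. The account ID, region, vault names and retention values are made up for illustration.

```python
"""Build an AWS Backup plan with a copy action into a logically air-gapped
vault and check the copy's retention against the vault's retention window.

Added example for this post, not AWS or the author's code.  The account ID,
region, vault names and retention numbers below are constructed assumptions.
"""
import json

# Constructed sample values (assumptions, not taken from the post).
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
PRIMARY_VAULT = "prod-primary-vault"
AIRGAP_VAULT = "prod-airgap-vault"
# The window given when the air-gapped vault was created
# (--min-retention-days / --max-retention-days).  Copies whose retention
# falls outside this window are rejected by the vault.
AIRGAP_MIN_DAYS = 7
AIRGAP_MAX_DAYS = 90


def vault_arn(name, account_id=ACCOUNT_ID, region=REGION):
    """Backup vault ARN; air-gapped vaults use the same ARN format as
    standard vaults."""
    return f"arn:aws:backup:{region}:{account_id}:backup-vault:{name}"


def build_plan(primary_retention_days, copy_retention_days,
               schedule="cron(0 5 ? * * *)"):
    """Return a CreateBackupPlan payload: one daily rule that stores the
    recovery point in the primary vault and copies it to the air-gapped
    vault with its own lifecycle."""
    return {
        "BackupPlanName": "prod-with-airgap-copy",
        "Rules": [
            {
                "RuleName": "daily-with-airgap-copy",
                "TargetBackupVaultName": PRIMARY_VAULT,
                "ScheduleExpression": schedule,
                "StartWindowMinutes": 60,
                "CompletionWindowMinutes": 180,
                "Lifecycle": {"DeleteAfterDays": primary_retention_days},
                "CopyActions": [
                    {
                        "DestinationBackupVaultArn": vault_arn(AIRGAP_VAULT),
                        "Lifecycle": {"DeleteAfterDays": copy_retention_days},
                    }
                ],
            }
        ],
    }


def check_copy_retention(plan, min_days, max_days, dest_arn):
    """Return a list of problems for copy actions targeting dest_arn whose
    retention is not within [min_days, max_days].  An empty list means the
    plan's copies will be accepted by a vault with that window."""
    problems = []
    for rule in plan["Rules"]:
        for action in rule.get("CopyActions", []):
            if action["DestinationBackupVaultArn"] != dest_arn:
                continue
            days = action.get("Lifecycle", {}).get("DeleteAfterDays")
            if days is None:
                # No expiry means "keep forever", which exceeds any maximum.
                problems.append(f"{rule['RuleName']}: copy has no DeleteAfterDays, "
                                f"which exceeds the vault maximum of {max_days}d")
            elif not min_days <= days <= max_days:
                problems.append(f"{rule['RuleName']}: copy retention {days}d is outside "
                                f"the vault window {min_days}-{max_days}d")
    return problems


if __name__ == "__main__":
    dest = vault_arn(AIRGAP_VAULT)
    for copy_days in (60, 365):
        plan = build_plan(primary_retention_days=35, copy_retention_days=copy_days)
        issues = check_copy_retention(plan, AIRGAP_MIN_DAYS, AIRGAP_MAX_DAYS, dest)
        print(f"copy retention {copy_days}d:", "OK" if not issues else "; ".join(issues))
    # The accepted plan, ready for: aws backup create-backup-plan --backup-plan file://plan.json
    print(json.dumps(build_plan(35, 60), indent=2))
```

The copy lifecycle is deliberately separate from the primary rule's lifecycle: the air-gapped copy normally outlives the primary recovery point, and the vault's minimum retention guarantees that nobody can shorten it below the floor you set at creation time.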
Sharing the Vault.
AWS Resource Access Manager (RAM) lets an Organization share many resource types across accounts, and this now includes a logically air-gapped vault.
The use case here is where multiple AWS accounts run AWS Backup for their resources and you want to isolate and centralise that second copy of the backups. You could create an air-gapped vault in a restricted backup account and then use Resource Access Manager to share it with every AWS account in the Organization (or with a limited set of trusted accounts where backups occur). Those accounts can then add the air-gapped vault as the target for their second-tier copies.
What about Backup Vault Locks?
The air-gapped vault concept is different from Backup Vault Lock, but Vault Lock also helps meet item 4 of the 3-2-1-1-0 rule. Vault Lock provides immutability of the backups. This is what is referred to as WORM (Write Once, Read Many): an object is written and cannot be deleted or altered until its retention period expires. Vault Lock has two modes, Governance and Compliance.
Governance Mode uses IAM permissions to limit which users can alter or remove the lock on a vault. Administrators with the right permissions can turn the lock off as needed. This is in line with the Australian Cyber Security Centre's Essential Eight Maturity Model | Cyber.gov.au Maturity Level 2 for data protection.
Compliance Mode locks the vault for the entirety of the retention (immutability) period and prevents any user (even administrators or the account owner) from deleting or changing the data once the lock is set. This is in line with the Australian Cyber Security Centre's Essential Eight Maturity Model | Cyber.gov.au Maturity Level 3 for data protection.
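The practical difference between the two modes comes down to one parameter of the lock configuration, and to a date. This is an added example for this post, not AWS or the author's code; it builds the input for `aws backup put-backup-vault-lock-configuration` (boto3 `put_backup_vault_lock_configuration`) and models when the lock can still be changed. What it encodes is AWS's documented behaviour: omit ChangeableForDays and the lock is governance mode, changeable at any time by a principal with the right IAM permissions; set ChangeableForDays (minimum 3) and the lock is compliance mode, changeable only until the lock date (the time the configuration was applied plus that many days), after which nobody, including the account root user, can alter or delete it. The vault name and timestamps are made up.

```python
"""AWS Backup Vault Lock configuration: governance vs compliance mode.

Added example for this post, not AWS or the author's code.  The vault name
and the timestamps used below are constructed assumptions.
"""
from datetime import datetime, timedelta

MIN_CHANGEABLE_FOR_DAYS = 3  # AWS minimum cooling-off period for compliance mode


def _as_dt(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def vault_lock_config(vault_name, min_retention_days=None, max_retention_days=None,
                      changeable_for_days=None):
    """Return the PutBackupVaultLockConfiguration payload.  Without
    ChangeableForDays the lock is governance mode; with it (>= 3) the lock
    is compliance mode and becomes permanent once the lock date passes."""
    if (min_retention_days is not None and max_retention_days is not None
            and min_retention_days > max_retention_days):
        raise ValueError("MinRetentionDays must not exceed MaxRetentionDays")
    if changeable_for_days is not None and changeable_for_days < MIN_CHANGEABLE_FOR_DAYS:
        raise ValueError(f"ChangeableForDays must be at least {MIN_CHANGEABLE_FOR_DAYS}")
    cfg = {"BackupVaultName": vault_name}
    if min_retention_days is not None:
        cfg["MinRetentionDays"] = min_retention_days   # recovery points cannot expire earlier
    if max_retention_days is not None:
        cfg["MaxRetentionDays"] = max_retention_days   # recovery points cannot be kept longer
    if changeable_for_days is not None:
        cfg["ChangeableForDays"] = changeable_for_days
    return cfg


def lock_mode(cfg):
    return "compliance" if "ChangeableForDays" in cfg else "governance"


def lock_date(cfg, applied_at):
    """When a compliance-mode lock becomes immutable; None for governance."""
    if lock_mode(cfg) == "governance":
        return None
    return _as_dt(applied_at) + timedelta(days=cfg["ChangeableForDays"])


def can_change_lock(cfg, applied_at, now):
    """Governance: always changeable by a principal allowed to call
    PutBackupVaultLockConfiguration / DeleteBackupVaultLockConfiguration.
    Compliance: changeable only before the lock date."""
    if lock_mode(cfg) == "governance":
        return True
    return _as_dt(now) < lock_date(cfg, applied_at)


if __name__ == "__main__":
    applied = "2023-08-01T20:00:00"  # constructed: when the lock was applied (UTC)
    governance = vault_lock_config("prod-airgap-vault", 7, 90)
    compliance = vault_lock_config("prod-airgap-vault", 7, 90, changeable_for_days=3)
    for cfg in (governance, compliance):
        print(lock_mode(cfg), cfg,
              "lock date:", lock_date(cfg, applied),
              "changeable on 2023-08-05:", can_change_lock(cfg, applied, "2023-08-05T09:00:00"))
```

The cooling-off period is the safety net: apply a compliance-mode lock with ChangeableForDays of 3 or more, verify the retention window against your real backup plans while the lock is still changeable, and only then let the lock date pass, because after that the only way out of a wrong MaxRetentionDays is to wait for it.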
Either option is a good option but having both available ticks all the boxes in my view.
Wrap Up
Don't forget that if you are testing this for learning purposes you should delete any resources you created, to avoid ongoing charges.
Data security is my bread and butter these days, and as such I am pleased whenever a product comes out with features that enhance the cyber security of data. AWS already has a good track record here with S3 Object Lock, S3 Glacier Vault Lock and AWS Backup Vault Lock, but there can never be too many ways to enhance security, so adding this is a very good thing.
Lee Murphy is an AWS APN Ambassador working for Datacom Systems (AU) based in Melbourne, Australia. He has 20+ years IT infrastructure experience as well as 10+ years experience with Public Cloud and automation. He holds AWS Solutions Architect Professional, DevOps Engineer Professional, Advanced Networking Specialty Certifications and the Equivalent Microsoft Azure Expert level certifications. In his off time he does enjoy old fashioned music from the 50s-80s and is an avid TV and movie junkie.