Air gapping: What is it and when is it the right security measure for you?

As more and more organizations commit their sensitive resources to the cloud, and consumers demand faster and easier access to their online data, the issue of data security has become more important and relevant to users. There are many ways to increase digital security, from better passwords and multi-level authentication to encryption and segmentation of data. But one of the most foolproof, and least understood, security concepts is that of air gapping.

What is air gapping? According to reference site Whatis.com, an air-gapped computer “is physically segregated and incapable of connecting wirelessly or physically with other computers or network devices.” In addition to that physical removal from a network, a gap is specified between the computer and the outside walls, as well as between the wires servicing the air-gapped system and all the other systems in the physical space. By observing these rather extreme measures, the possibility of data being stolen or exfiltrated via electromagnetic means is removed.

It stands to reason that when a computer is not connected to the Internet, or to a network that is connected to the Internet, the chances of data theft are extremely remote. That’s why air-gapped computers are often used in military applications, or in retail institutions that process large amounts of money via online transactions, and even in industrial situations that control critical infrastructure.

So how does data get into an air-gapped system in the first place? Very methodically, either by USB drive or by another removable storage device, which is disconnected as soon as the data is transferred. Until quite recently, air gapping was thought of as an impenetrable form of security, because physical access to a machine was the only way to breach its defenses, and that access could be carefully controlled. But the Stuxnet virus, which was designed to breach Iran’s nuclear program, laid waste to that notion. According to Wired magazine, “Computer systems controlling the centrifuges were air gapped, so the attackers designed Stuxnet to spread surreptitiously via USB flash drives. Outside contractors responsible for programming the systems in Iran were infected first and then became unwitting carriers for the malware when they brought their laptops into the plant and transferred data to the air-gapped systems with a flash drive.”

More recently, Israeli researchers found a way to use radio waves and devices to siphon off data from air-gapped machines, effectively proving that no system is utterly impregnable. Yet it is still a first-class security measure.

Are there cases when air gapping would be appropriate for a small business? Certainly. In an average small business that has 15 to 25 computers connected to the Internet, there is a good chance that the business has some sensitive data which it needs to protect closely. There would be a strong case for air gapping one particular machine which contains that sensitive data, and designating one person to be in charge of importing and exporting data from that particular machine on a regular basis.

The physical distance between an air-gapped machine and a network, coupled with strict control over who interacts with that machine, is one more way to ensure that sensitive data is protected in this day and age.