Air Gapping Your Way to Cyber Safety

Posted on April 17, 2024

Having a “virtual air gap” — a separation — between your users and their devices and the internet is an important part of modern cybersecurity.

The term “air gap” originates in physical contexts, specifically in plumbing systems where it is important to prevent backflow of contaminated water into the clean water supply. A simple way to prevent the possibility of backflow is to create an air gap between the source of clean water, such as a bathtub faucet, and the place where water collects (the bathtub, in this case). That’s why faucets are always placed well above the level to which the water fills in a bathtub or sink. That very physical air gap ensures that there is no way for dirty water in the tub to get sucked back up into the faucet and contaminate the water system.

Physical air gaps are also used in magnetic circuits and on electronic integrated circuits. In magnetic circuits, an air gap allows greater levels of energy to be stored in an inductor. In 2007 IBM introduced the concept of an air gap in semiconductors, as a way to improve insulation between components by way of an empty space — the air gap.

Air Gapped Network

The concept of a physical air gap is widely applied in cybersecurity as well. Most often, an air gapped network is one that is not connected to the internet. Traditionally, the goals of physically air gapped networks were:

  1. To ensure availability of pristine backups to restore systems in the event of a disaster, breach or malfunction
  2. To protect vital systems from external access, so that malicious actors or malware cannot disrupt vital system functions or exfiltrate sensitive data, whether for criminal or ideological purposes.

In the first, more widespread case, only the backup system is air gapped. Backups are not connected to either the organization network or the internet. Backups are stored offline and often even offsite to provide further protection in case of a physically threatening event such as a fire or flood. In the event of a catastrophic cyber breach, an air gapped backup can be a final defense that allows a company to recover and restore operations quickly.

In the second type of air gapping, networks controlling all or some essential operations are fully disconnected from the internet. This application of air gapping has increased along with the growth in cyberattacks and is widely employed by national security organizations and essential infrastructure businesses like oil refineries and electric companies.

Remember the Iranian uranium enrichment centrifuge meltdown back in 2010? Even then, the computer system used to manage the centrifuges was air gapped from external access. That is, it was not directly connected to the internet. In that case, while the air gap was insufficient to protect the centrifuges from attack, it did force the attackers to resort to a riskier approach for loading the Stuxnet virus onto the system, delivering a USB drive that has been called “the world’s first digital weapon” to the facility.

Air Gapping Goes Virtual

Virtual air gapping is similar to physical air gapping in that it isolates different activities, devices or networks from each other to preserve the security and integrity of data or processes. Virtual air gaps provide superior levels of cybersecurity versus firewalls, anti-virus and other detection-based approaches without the inefficiencies inherent in physical air gaps.

One approach is to create separate virtual machines (VMs) on users’ physical devices to enable air gapping projects or tasks from each other and, if needed, from the internet: One VM for surfing the web, one for the corporate network, and perhaps a third that is air gapped from the web for working with highly confidential material. In this way, the corporate network is separated from the dirty internet and truly sensitive data and apps are isolated from both.

This approach presents a number of issues. First, it requires agents to be deployed on each device — a heavy lift for IT teams and a solution that is inconvenient, at best, for contract or remote workers working on their own devices. In addition, while the virtual machines are air gapped from each other, and some may be air gapped from the internet, they all share the same physical platform. If malware “escapes” the sandbox or the virtual machine, it can compromise the endpoint and potentially move to other virtual machines and/or enterprise networks.

Internet Air Gapping via the Browser

As the wide-open conduits for most interaction between the web and organization networks, browsers are the antithesis of an air gap. Several approaches, however, apply sophisticated techniques to enable selective air gapping that protects organizations from internet-delivered threats while still enabling secure access to the internet resources that are essential for today’s organizations. The two most common implementations are enterprise browsers and remote browser isolation (RBI).

Enterprise browsers, which are installed on user devices and used only for work-related internet access, are a modern solution for air gapping enterprise applications from malware on user devices, as well as from possibly harmful user action. In addition to sharing some of the downsides of virtual machines, such as requiring deployment on each device and sharing the same physical platform, they are also inconvenient for users, who must manage different browsers for different tasks.

Remote Browser Isolation, and its flip side, Web Application Isolation, are zero trust based virtual browser approaches that combine true air gapped separation with productivity-enhancing transparent access, without burdening users or IT staff.

Remote Browser Isolation

Remote Browser Isolation virtual air gap technology allows users to safely surf the internet without concern about accidentally exposing their device to malware or cyberattacks. When they access the internet via their regular browser, content is routed via a virtual browser located in an isolated container in the cloud, where site code is executed.

Any malicious code from the website is harmlessly executed in the isolated container where it can do no harm and remains in the cloud container until it is destroyed. While user devices are fully air gapped from internet content, RBI allows them to interact with web sites just as they normally do, via safe rendering data that’s sent from the virtual browser to the browser on their device.

Ericom’s implementation of RBI includes Content Disarm and Reconstruction (CDR). Any files or mail attachments the user downloads are scrubbed of malware within the air gapped environment before they are passed on to the user, effectively stopping any potential malware. Significantly, within the air gap enabled by RBI, policy-based controls can be applied to restrict what content users can access and which activities they can undertake as well as restricting what data they can enter into a site – or in the case of phishing sites, whether they can enter data at all.

Web Application Isolation

Web Application Isolation (WAI) is RBI in reverse. Instead of isolating users’ devices from the internet to protect them from malware, it isolates your apps from the users to protect them and your data from breaches, malware and attacks.

When a user accesses an organization’s private, web or SaaS application via the web, interactions with their device browser are routed via an isolated container in the Ericom Global Cloud, where granular policy-based controls are applied. Users (and any malware on their devices) have no direct access to the app or its code. Moreover, upload, download, clipboarding functions and other requests that might result in data loss are mitigated by the cloud-based controls.

WAI is especially valuable for enabling contractors or employees with unmanaged devices to safely access corporate apps. Ericom’s clientless approach works with any standard web browser the user prefers and is transparent to users.

Conclusion: Air Gapping Your Way to Cybersecurity

Cyberattacks are growing more aggressive every day, accelerated by the use of artificial intelligence to create new malware that is sophisticated and hard to detect. The old approach to cybersecurity, relying on detection-based defenses and user training, is completely inadequate in the face of these new threats. Traditional physical air gapping is highly secure, but extracts a productivity tax that most organizations cannot afford.

Virtual air gap technologies such as Ericom Web Isolation and Web Application Isolation are therefore key capabilities of state-of-the-art zero trust Secure Access Service Edge (SASE) platforms.

Contact us to learn more about Ericom virtual air gap technologies and our Cloud Security Platform.

 


About Tova Osofsky

Tova Osofsky, Ericom Director of Content Marketing, has extensive experience in marketing strategy, content marketing and product marketing for technology companies in areas including cybersecurity, cloud computing, fintech, compliance solutions and telecom, as well as for consumer product companies. She previously held marketing positions at Clicktale, GreenRoad and Kraft Foods, and served as an independent consultant to tens of technology startups.
