The term air gap refers to a physical separation of IT resources. For example, the National Security Agency (NSA)...
once used air gaps to maintain unique servers and workstations for storing and accessing data at different security-clearance levels.
Air gaps make a lot of sense from a security perspective, but what about cost? I can see how the concept could easily lead to a lot of additional IT spending, especially on hardware. And I have to ask myself how modern concepts such as virtualization can affect the practice of maintaining air gaps.
Can the two concepts coexist? I think they can. In fact, the need to segment data is one of the primary drivers of virtualization adoption, because virtualization allows workloads on shared infrastructure to behave like unique physical servers.
Virtualization encapsulates unique operating systems into individual virtual hard disk files, and most hypervisors offer a variety of ways to separate network traffic between these virtual machines (VMs). Two VMs occupying space on the same server and storage can be configured to communicate on two different networks. In this case, the two VMs maintain the equivalent of an air gap while reducing the amount of hardware and infrastructure necessary. (Maybe this architecture should be called a “bit gap” instead.)
By nature, the NSA is more concerned with security than cost savings. But long before virtualization hit the mainstream, the agency said it was possible to have both. In 2001, the NSA partnered with VMware on a project called NetTop to allow secure and non-secure resources to share common hardware, reducing cost and complexity.
Now step away from the NSA use case and consider how this approach can benefit your organization. Even if you do not oversee national security, you are still responsible for data that’s critical to your organization and to your customers. You have a responsibility to keep that data safe.
Are you using air gaps to keep your public and private servers separate? This practice can have a significant effect on both your capital expenses and your operating expenses, requiring multiple server infrastructures and creating a crippling administrative burden.
IT security is not a subject to tackle lightly, and the NSA was quick to point out that different conditions may require different solutions. But in an environment with the highest of security concerns, the NSA was able to take advantage of virtualization to consolidate its infrastructure without relinquishing control over data. If you are not doing the same, it may be time to ask yourself how your security needs are different from theirs.
Dig Deeper on Virtualization security and patch management