What is an air gap backup?
An air gap backup creates a physical separation between your primary network and your backup storage. This isolation means that backup data remains completely disconnected from your production environment when not actively writing or reading data. It’s like surrounding your castle with a moat. If attackers can’t reach it, they can’t breach it.
Unlike connected backups that can be exposed to network-based attacks, air-gapped systems add a physical or logical separation that remote threats can’t cross. This approach transforms your backup strategy from a potential vulnerability into a true last line of defense.
How does air gapping work?
Air gapping works by establishing a controlled disconnection between your production environment and backup systems. When it’s time to back up data, a tightly controlled connection is briefly established, just long enough to complete the backup, and is then fully disconnected.
This intentional break is what makes the difference. Your backup lives in an isolated environment, untouched by network threats. Even if attackers gain access to your entire network, they’ll find no path to your air-gapped backups. In a physical air gap, you use removable media like tapes or drives and store them offline. For logical air gaps, you isolate your backup environment through segmented networks and control access points that open only during scheduled backups.
Why is air gapping important?
Air gapping has become essential today because of the increasing sophistication of ransomware. When ransomware can spread laterally through networks in minutes, connected backups often fall victim alongside production systems. Organizations without isolation between networks and backups face consequences like:
- Total data loss across all systems
- Prolonged business disruption during recovery
- Ransom payments that may exceed six figures
- Damaged customer trust and brand reputation
Recent attacks demonstrate that cybercriminals specifically target backup systems first to eliminate recovery options. Air gapping directly counters this strategy by creating recovery points that remain untouchable during an attack. According to Sophos, 94% of organizations hit by ransomware reported that attackers attempted to compromise their backups during the attack.
What are the types of air gapping?
When it comes to protecting your backups, you have two main types of air gapping to choose from. But most mature organizations implement a hybrid approach, maintaining both physical and logical air gaps for different recovery scenarios.
1. Physical air gaps
This is the old-school approach. Physical air gapping creates actual separation between networks and backup media. This includes:
- Tape backups: Data written to magnetic tapes that are physically removed and stored offline.
- Removable drives: External hard drives or solid-state storage disconnected after backup completion.
- Isolated networks: Completely separate network infrastructures with no connection points to production.
2. Logical air gaps
Logical air gapping uses technical controls to create separation while maintaining systems within the same physical environment:
- Network time-windows: Systems connect only during scheduled backup windows, with connections severed automatically afterward.
- One-way data diodes: Hardware devices that physically permit data flow in only one direction.
- Policy-based isolation: Software-defined controls that strictly regulate what systems can communicate with backup storage.
How are air-gapped backups set up on-premises?
Setting up on-premises air-gapped backups requires proper implementation rather than complex technology. The key lies in establishing clear processes:
- Dedicated backup infrastructure: Create physically separate backup servers and storage that connect to your production network only during scheduled backup windows.
- Removable media rotation: Implement tape or removable drive backups with strict rotation schedules. Once written, immediately disconnect and secure media in protected storage.
- Network segmentation: Establish a dedicated backup network with managed connections to production systems. Use hardware firewalls and one-way data diodes that permit only authorized backup traffic.
- Access control: Limit physical and digital access to your backup infrastructure through strict authentication, including potential air-locked rooms for critical backup media.
Some organizations combine these approaches, creating tiered recovery options with different levels of isolation for data of different criticality.
How are air-gapped backups set up in the cloud?
Cloud air-gapping might seem contradictory at first. How do you disconnect what’s inherently connected? The answer lies in creating logical rather than physical separation. Cloud air-gapping works best when you carefully combine several methods, and regular testing ensures your backups stay safe even if hackers break into your main systems. The main approaches are:
- Separate cloud accounts: Maintain backup storage in entirely different cloud accounts with distinct authentication credentials from your production environment.
- Cross-region replication: Store backup copies in geographically distant regions that operate on separate infrastructure.
- Write-Once-Read-Many (WORM) storage: Leverage cloud storage classes that prevent modification of data after writing, creating logical barriers against tampering.
- Controlled access paths: Implement strict permissions that only allow your backup process to access storage, and only during specific time windows.
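The time-window controls described above (network time-windows for logical air gaps, and controlled access paths in the cloud) are only useful if someone checks that they hold. The following is an added example, not CrashPlan code: it audits a backup-storage access log against a window policy. The log format, the `svc-backup` identity, the window times and the no-delete rule are all assumptions made for illustration.

```python
from datetime import datetime, time

# Assumed policy (hypothetical values): only this identity may touch backup
# storage, and only inside the nightly window, which crosses midnight.
ALLOWED_PRINCIPAL = "svc-backup"
WINDOW_START, WINDOW_END = time(23, 0), time(1, 0)
# Assumption: the backup identity writes and reads (restores) but never deletes.
ALLOWED_ACTIONS = ("WRITE", "READ")

# Constructed sample log, format "ISO-timestamp principal action target".
SAMPLE_LOG = """\
2024-05-01T23:05:12 svc-backup WRITE vault/daily-0501
2024-05-02T00:40:03 svc-backup WRITE vault/daily-0501
2024-05-02T03:17:44 svc-backup DELETE vault/daily-0428
2024-05-02T23:10:09 admin-jane READ vault/daily-0501
2024-05-03T14:02:51 admin-jane DELETE vault/daily-0501
not a log line
"""

def in_window(t, start=WINDOW_START, end=WINDOW_END):
    """True if time-of-day t is inside [start, end), handling midnight wrap."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def audit(log_text):
    """Return (line_no, reasons) for every line that violates the policy."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            principal, action, _target = parts[1:4]
        except (IndexError, ValueError):
            # A line that cannot be parsed is itself a finding, not noise.
            findings.append((n, ["unparseable"]))
            continue
        reasons = []
        if not in_window(ts.time()):
            reasons.append("outside-window")
        if principal != ALLOWED_PRINCIPAL:
            reasons.append("unexpected-principal")
        if action not in ALLOWED_ACTIONS:
            reasons.append("forbidden-action")
        if reasons:
            findings.append((n, reasons))
    return findings
```

Any finding means the gap was open when it should have been closed, or was crossed by something other than the backup process.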
3-2-1-1-0 air gap backup strategy
The 3-2-1-1-0 strategy extends the traditional 3-2-1 backup rule. This approach builds defense-in-depth through multiple protection layers. Your air-gapped copy becomes your ultimate fallback. Implementing this strategy means distributing risk across multiple protection mechanisms rather than relying on any single approach. This redundancy ensures that no single point of failure can compromise your recovery capabilities.
3 – Maintain at least three copies of your data
2 – Store backups on two different types of media
1 – Keep one copy off-site
1 – Keep one copy air-gapped
0 – Ensure zero errors through regular testing
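As an added example (not CrashPlan code), the rule can be turned into an automated check over a backup inventory. The `Copy` fields and the sample inventories are constructed for illustration, and the check assumes the production copy counts toward the three copies and that a backup with no restore test on record fails the "0".

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                            # "disk", "tape", "object-storage", ...
    offsite: bool = False
    air_gapped: bool = False
    is_backup: bool = True                # False for the production copy
    restore_errors: Optional[int] = None  # None = no restore test on record

def check_32110(copies):
    """Return the 3-2-1-1-0 rules the inventory fails (empty list = compliant)."""
    backups = [c for c in copies if c.is_backup]
    failed = []
    # Assumption: the production copy counts toward the three copies.
    if len(copies) < 3:
        failed.append(f"3: only {len(copies)} copies")
    media = {c.media for c in copies}
    if len(media) < 2:
        failed.append(f"2: single media type {sorted(media)}")
    if not any(c.offsite for c in backups):
        failed.append("1: no off-site backup")
    if not any(c.air_gapped for c in backups):
        failed.append("1: no air-gapped backup")
    # "0" fails on a recorded error and also on a copy never restore-tested:
    # an unverified backup is not known to be error-free.
    for c in backups:
        if c.restore_errors is None:
            failed.append(f"0: {c.name} never restore-tested")
        elif c.restore_errors > 0:
            failed.append(f"0: {c.name} had {c.restore_errors} restore errors")
    return failed

# Constructed inventories.
COMPLIANT = [
    Copy("prod-nas", "disk", is_backup=False),
    Copy("cloud-vault", "object-storage", offsite=True, restore_errors=0),
    Copy("tape-set-A", "tape", offsite=True, air_gapped=True, restore_errors=0),
]
WEAK = [
    Copy("prod-nas", "disk", is_backup=False),
    Copy("backup-nas", "disk", restore_errors=0),
    Copy("usb-drive", "disk", air_gapped=True),   # offline, but never tested
]
```

The `WEAK` inventory has three copies and an offline drive, yet fails three rules: one media type, nothing off-site, and an air-gapped copy that has never been restored.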
Air gap backups and disaster recovery
Air-gapped backups form the base of modern disaster recovery planning. When properly integrated into a broader disaster recovery plan, they make recovery possible even in worst-case scenarios, providing the assured recovery point that enables organizations to confidently reject ransom demands with “No, we won’t pay the ransom.”
Effective disaster recovery integration requires:
- Recovery time objectives (RTO) planning: Understanding how quickly you can restore from air-gapped media compared to more readily available options.
- Regular testing: Conducting periodic recovery drills that include restoring from air-gapped backups to verify procedures work under pressure.
- Documentation: Maintaining clear restoration procedures that don’t rely on systems that might be compromised during an incident.
Air-gapped vs. immutable backups
Air-gapped and immutable backups work hand in hand. They complement each other rather than compete.
- Air-Gapped Backups focus on physical or logical isolation, creating separation between networks to prevent unauthorized access.
- Immutable Backups focus on preventing modification—ensuring that once written, backup data cannot be altered or deleted, even by administrators.
The best protection comes when you use both immutability and air gapping together. Immutability helps when your backup needs to stay online but untouched. Air gapping adds another layer by keeping backups completely offline, away from any risk.
A lot of teams mix both. Some backups stay connected but can’t be changed (thanks to immutability). Others are locked away offline and untouched, offering the highest level of data security.
CrashPlan provides cyber-ready data resilience and governance in a single platform for organizations whose ideas power their revenue. With its comprehensive backup and recovery capabilities for data stored on servers, on endpoint devices, and in SaaS applications, CrashPlan’s solutions are trusted by entrepreneurs, professionals, and businesses of all sizes worldwide. From ransomware recovery and breaches to migrations and legal holds, CrashPlan’s suite of products ensures the safety and compliance of your data without disruption.