8.17.21

Implementing a Modern-Day Air Gap Network

Contributors: Denis Mandich
Category: Blog Post

As organizations shift to allowing more employees to work remotely, they find company assets such as laptops in more and more employees’ homes rather than in an office environment. This leads to an ever-increasing attack surface and can make the transfer of secure files, even within your organization, a risky proposition. As such, an air-gapped system should be considered as a way to protect your most important data.

Isolation is the foundation of all air-gapped networks, which were perfected by global intelligence agencies for strict information compartmentation and handling. The simplest example is a stand-alone computer with no wireless capability and no ports for wired connections such as an Ethernet cable. Traditionally, these computers were used inside a physically controlled environment called a SCIF (Sensitive Compartmented Information Facility) with an approved list of users. Because they lacked print capability, information could only be entered by keyboard and read back on the screen. When not in proximity to or in active use by authorized personnel, they were stored in a locked Mosler safe; this protocol applied whenever the user left the room, for any reason. Any deviation was considered a reportable security violation and grounds for termination because the information could threaten national security and the lives of human assets.

This concept extended to micro networks of computers hard-wired together inside a SCIF, but these frequently needed to share data with similar networks that were geographically separated, often on other continents. Data had to be encrypted inside one SCIF and transferred to storage media such as CDs, USB drives, hard drives, or even printed documents before leaving the controlled environment for delivery to a second SCIF. Although trusted diplomatic couriers were used, the operating assumption was that the media would be surreptitiously copied in transit and the encryption mechanism attacked by brute-force computation. Although expensive and having its own challenges, the one-time pad (OTP) cipher was the go-to security measure because it was unbreakable, even by quantum computers or any other advances in science.

Today’s systems are able to achieve the same protection by simply and securely transmitting OTP-encrypted data over the open and untrusted internet, without risk and with the full knowledge that it could be harvested by adversaries for later decryption. If the SCIF is not compromised, the data is secure, and efficient air-gapped networks can operate anywhere in the world.
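The OTP exchange between two isolated sites described above, sketched as an added example that is not from the original post or any vendor's code. The `OneTimePad` class, `PadError` and `reuse_leak` are hypothetical names, and `secrets.token_bytes` stands in for a pad that is assumed to be truly random and delivered to both sites out of band.

```python
import secrets


class PadError(Exception):
    """Raised when a pad range is exhausted or would be reused."""


class OneTimePad:
    """One site's copy of a pre-shared pad; each byte is used at most once."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._next = 0  # first pad offset that has never been used

    def _consume(self, offset: int, length: int) -> bytes:
        if offset < self._next:
            raise PadError("pad range already used; refusing to reuse key material")
        if offset + length > len(self._pad):
            raise PadError("pad exhausted; a fresh pad must be delivered")
        self._next = offset + length
        return self._pad[offset:offset + length]

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        offset = self._next
        key = self._consume(offset, len(plaintext))
        return offset, xor(plaintext, key)  # the offset travels with the ciphertext

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        return xor(ciphertext, self._consume(offset, len(ciphertext)))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_leak(m1: bytes, m2: bytes, key: bytes) -> bytes:
    """What an eavesdropper learns if one key range encrypts two messages."""
    return xor(xor(m1, key), xor(m2, key))  # key cancels: equals m1 XOR m2


# Constructed sample: the pad is generated once and copied into both sites.
shared_pad = secrets.token_bytes(64)
site_a, site_b = OneTimePad(shared_pad), OneTimePad(shared_pad)
offset, wire = site_a.encrypt(b"constructed sample report")
recovered = site_b.decrypt(offset, wire)
```

The pad provides confidentiality only: XOR ciphertext is malleable, so integrity of the transferred file needs a separate mechanism.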

Regular internet-connected laptops are used for standard business processes like email, chats and other common functions, including transferring these secure files. Implementing an air-gapped system means there is no chance of accidentally opening a nefarious link or phishing email and compromising the company’s IP at high financial cost. The attack surface is diminished and the consequences of a hack elsewhere on the network are mitigated.

You can learn more about securing your data at rest here – www.qrypt.com/data-at-rest.