How Air Gapping Can Protect IP

In today’s hyperautomated world, organizations connect various environments, applications and databases to one another, creating complex infrastructures. Security professionals discuss the difficulties inherent in securing cloud environments, and the risks that third-party vendors pose to a company’s increasingly IT-dependent business structure. Malicious actors continue to target critical information through increasingly sophisticated supply chain attacks. While customers’ sensitive personally identifiable information (PII) and financial data must reside in the cloud for business operational efficiency, organizations have the opportunity to pause and reconsider the value air gapping brings to intellectual property data protection.

The Hard-Hit Supply Chain

Looking back on the last six months of information security news, the SolarWinds hack dominated headlines. From the initial point of entry throughout the SolarWinds supply chain, it’s clear that intellectual property was and is at risk.

The SolarWinds hack, which impacted national and global supply chains, is an example of how hyperautomated systems failed organizations. Hackers managed to gain access to the cloud server to insert malicious code into software that all clients thought was secure, tested and reliable. The delivery mechanism for the attack preyed on the automation.

Not only that, but hackers were able to move to SolarWinds’ customers, using administrative privileges obtained from the update software. Getting access to SolarWinds’ intellectual property was bad enough, but then the malicious actors viewed and exploited Microsoft intellectual property.

In short, the SolarWinds and Microsoft examples remind organizations that protecting intellectual property is as important as protecting customer data.

Take a Step Back

Perhaps it is a bit of nostalgia speaking, but hyperautomated infrastructures often take the “people” out of “people, processes, and technology.” In some ways, the on-premises infrastructure that organizations used before cloud became ubiquitous worked better. For certain types of data, these processes that put the people back into the picture may still be useful.

Before cloud, organizations used on-premises servers, physically locked away, to protect their intellectual property. Air gaps naturally existed throughout the network and established strict processes for handling data. While it lacked efficiency, this process nevertheless made it very hard to attack an operation because the air gap existed. Moving from this clumsy environment to hyperautomated, no-human-intervention-required models removed the air gap, or, at the very least, reduced the number of air gaps dramatically. Because of this, attackers can do more damage more easily.

Organizations need to take full advantage of cloud, yes; they also need to consider ways to implement air gapping models. Organizations can build the appropriate level of security with both physical and software-defined air gapping techniques to leverage cloud agility while maintaining the necessary security.

Choosing the Right Data

Not all data is suited for an air gapping model. However, organizations need to remember that digital transformation causes friction. For everything that cloud enables, it also slows things down and creates expenses, like hiring employees with the right skill set.

Choosing the right data to be air gapped means thinking about information that is critical to the business but that may need to be available continuously. For example, the Department of Defense dedicates an entire network to classified information. The network has no access to the internet. Attackers have no way to go from unclassified to classified, or the other way around. The DoD isolated complete infrastructures based on data type. Corporations can, and possibly should, do the same.

Trade secrets provide a perfect example. The organization needs to keep its secrets locked down, but it may not need to have continuous access. The cost of losing the information is far greater than the friction involved for the end user.

Creating a Modern Air Gapped Network

After deciding on the most important intellectual property assets, the organization needs to consider how to balance access with security. The traditional “lock the laptop away in a room” approach may not work, or may not be necessary. However, some air gap strategies still work well.

Find a Safe Physical Location

Many companies still have their own data centers. Small, midsize and even large enterprise organizations often have data centers that still qualify as cloud, but which can only be physically accessed by a handful of employees. Walling these locations off physically is the first step to creating a modern air gapped infrastructure.

Consider Locking Down the Software Signing Server

The software signing server is the heart of a technology company’s intellectual property. Leaving this on a cloud server that can be reached via the public internet increases the risk. Someone scanning domain services can likely locate it. In many cases, it’s possible to place this “off the grid,” so to speak. Put the server in a location that requires a hardware key design, not a software key. While this might be a step back in agility, for certain data it might be the necessary step forward for security.

Create One-Way Traffic by Design

While an organization may not be able to put a physical lock and key around cloud assets, creating a well-architected, software-defined network can create a digital air gap. SD-WAN creates direct internet connections between resources. Intelligent SD-WAN recognizes users and devices, driving those using public internet to more secure connections. However, for organizations that lack SD-WAN, architecting secure one-way data transfers can also air gap sensitive data.

Organizations can create architectures where they use a one-way pipe to send critical intellectual property to a safe zone. No data can travel backward from that safe zone. Data diodes, for example, are network devices that organizations can use to create one-way data transfers. A software company might use one of these devices to push out its software to the client portal without giving malicious actors a way to travel from the portal back to the organization.

The key part of this architecture is that the client portal has no access to the software signing server, testing environment or development environment. Creating multiple air gaps to protect data prevents the customer portal from becoming a data leakage point that attackers can use to degrade the code or weaponize it.
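The one-way property described above can be checked mechanically against a network policy. The following is an added example, not code from the article or from any product: the zone names and the flow list are constructed for illustration, and the data diode is modeled as a single forward-only rule.

```python
from collections import deque

# Constructed policy: each tuple is an allowed flow (source zone -> destination zone).
# Zone names are hypothetical; the diode is modeled as one forward-only edge.
ALLOWED_FLOWS = [
    ("dev", "test"),
    ("test", "signing"),
    ("signing", "release_staging"),
    ("release_staging", "client_portal"),  # data diode: forward only
    ("internet", "client_portal"),
]
PROTECTED = {"dev", "test", "signing"}


def reachable(flows, start):
    """Return every zone that traffic starting in `start` can reach, multi-hop included."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in graph.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def audit_one_way(flows, exposed, protected):
    """List violations: protected zones reachable from `exposed`, and two-way links."""
    findings = []
    for zone in sorted(reachable(flows, exposed) & protected):
        findings.append(f"{exposed} can reach {zone}")
    flow_set = set(flows)
    for src, dst in sorted(flow_set):
        if src < dst and (dst, src) in flow_set:
            findings.append(f"two-way link between {src} and {dst}")
    return findings


if __name__ == "__main__":
    print(audit_one_way(ALLOWED_FLOWS, "client_portal", PROTECTED))  # clean design
    # Two return rules that together reopen a path through an intermediate zone.
    drifted = ALLOWED_FLOWS + [("client_portal", "release_staging"),
                               ("release_staging", "signing")]
    print(audit_one_way(drifted, "client_portal", PROTECTED))
```

Because the check follows multi-hop paths, it flags a return route through an intermediate zone even when no single rule connects the portal directly to the signing server.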

Air Gapping Opportunity

Agility is the word of the moment, and cloud provides that opportunity. However, at the same time, organizations need to consider whether the security price they pay is worth the benefit they receive.

Protecting intellectual property from attackers will be even more important now that malicious actors have successfully and publicly pulled off these types of hacks. Organizations that develop software need to factor in this risk, looking at where a real attack can come from and the real damage that can be done. To mitigate this risk, one-way pipes or air gapping through that environment may be the way back that gets companies to the future.


Brian Hajost

Brian Hajost is the President & CEO of SteelCloud LLC, a company that develops technology for automated remediation of endpoints to the DISA STIGs and the CIS Security Benchmarks. Mr. Hajost has transformed SteelCloud into a recognized pioneer in delivering new technologies that allow government customers and commercial enterprises to effectively meet the compliance mandates of RMF, DIACAP, NIST 800-53, NIST 800-171, and IRS Pub 1075. Brian’s technical career has spanned over thirty years, primarily with leading-edge technologies in regulated industries. He holds three patents in IT security and two patents in mobile security. Mr. Hajost is an active contributor to the DC Chapter of the Armed Forces Communications and Electronics Association (AFCEA), currently serving as VP and a board member. Brian is also a member of AFCEA International’s Technology Committee. Brian Hajost is a 30-year veteran of the hardware/software industry with extensive experience focusing on government and federal integration, financial and the securities, and mobility markets. Mr. Hajost is currently the President and CEO of SteelCloud LLC. He has served as the Chair of the AFCEA DC Defense and Intelligence Mobile Steering Committee and is currently on the AFCEA DC board of directors. Mr. Hajost is a member of the NIAP core Technical Community developing the protection profile requirements for Mobile Device Management. Previously, he served as a board member of Leadership Fairfax. Mr. Hajost has held various executive and management positions with TREEV, CheckFree, Wang, GEISCO, and Unisys. He has three current patent applications covering systems and information assurance and secure mobile application distribution. Mr. Hajost graduated with a BS in Industrial Marketing from Miami University, Oxford, Ohio. Mr. Hajost has active DoD and civilian security clearances. He has three patents covering systems and information assurance and secure mobile application distribution. SteelCloud is a leading provider of capabilities to automate policy compliance, configuration control, and Cloud security that offers a patented software compliance suite that allows anyone to quickly establish a STIG (Security Technical Implementation Guide) and/or CIS (Center for Information Security) cyber security compliant environment. www.steelclloud.com
