On Being "Water Gapped"

By Chris Dawson | December 10, 2015

I recently relocated from rural Massachusetts to the Pacific Northwest, leaving my snow shovel and bug spray behind in favor of a good raincoat. Although I'm thrilled to have literally increased my Internet speeds by 50 times and be closer than an hour and a half to the nearest airport, neither I nor my kids were ready to completely give up country living, so we bought a house on a sleepy little island. With fiber.

The fiber is another story for another day, although I continue to be amazed that just 75 miles from Boston the best we could do was 3 Mbps DSL while now, on an island in Puget Sound, 150 Mbps cable is the norm. What struck me today, though, as I waited at the local espresso stand was the sense of security this community enjoys.

Security professionals often talk about air gapped systems - computers and servers that aren't connected to a network. Usually this is for security purposes. It's tough to hack into a server remotely when it takes an actual body standing at a local terminal to access it. My little island, however, is "water gapped". We don't have one of those newfangled bridges that some of the other islands built to supplement the ferry system. A few people have their own boats, but that doesn't really count.

As one local put it while we chatted in the rain with the world's friendliest barista, "We don't really have much in the way of crime here...if you do something wrong, they're probably going to catch you while you wait at the ferry dock." Good point.

Of course, not everyone can (or would want to) live on an island and not every server can be air gapped. But in our quest to deploy the latest and greatest network and endpoint security measures, we often forget about the critical role that physical security can and should play in our overall strategies.

When the tech from my ISP stopped by to get us all set up with the aforementioned speedy Internet connection, he tried to sell me on an Internet-connected home security system. I politely declined, noting that I lived on an island filled with artists, aging hippies, farmers, and telecommuting geeks, accessible only by boat. As cool as it would be to lock my doors from my mobile phone, I decided to save the cash and rely on physical security measures, i.e., two big dogs and the moat otherwise known as Puget Sound.

Don't get me wrong...I know that crime happens in the quietest of towns, just as attacks can occur on the smallest of networks. I lock my doors, even though my neighbors tell me not to bother. Layers of security and all that (moat, distant but watchful neighbors, locked doors, and intimidating dogs who would gladly trade my possessions for a burger). But, at the end of the day, physical security measures get the job done and mean that I'm happy to let my kids explore and I don't worry when I'm traveling for business.

And there we are again, talking about layers of security, strategy, and tradeoffs. Air gapping is generally reserved for the most sensitive of data, given the necessary tradeoffs in access and functionality. Firewalls, both at the perimeter and around key internal network segments (whether virtual or physical), generally do a great job of protecting network assets but are of limited utility if any Tom, Dick, or Harry can walk into a server room. If employees are duped into handing out network credentials by a savvy spear phishing campaign, security appliances might not pick up indicators of compromise until it's too late.

It's all about the layers. Bottom line, though, we shouldn't forget those physical layers when we're looking at shiny new network security hardware. The exact mix of physical, network, and endpoint security comes down to just what you need to protect and the resources you have to lock those assets down.