A backup environment isolated from the production system so normal production compromise does not automatically reach the recovery copy. In cloud terms, the gap may be logical rather than physical, but the goal is the same: separate trust boundaries and reduce shared blast radius.
Expanded Definition
Air-gapped backup is a recovery copy that is isolated from production so compromise of the live environment does not automatically compromise the backup. In practice, the “gap” may be physical, logical, or administrative, but the defining property is a separate trust boundary with limited or delayed connectivity.
For NHI and broader cyber operations, this matters because ransomware, stolen credentials, and automation abuse often move faster than manual recovery processes. A true air gap is stronger than ordinary offline storage, because the backup is not continuously reachable by the same identities, control plane, or tooling that protects production. Guidance varies across vendors on how strict the isolation must be, especially in cloud environments where object storage, vaults, and immutable snapshots may be described as air-gapped even when they are only logically separated. The closest standards lens is the control discipline in NIST SP 800-53 Rev 5 Security and Privacy Controls, which emphasizes access restriction, recovery, and resilience over marketing labels.
The most common misapplication is calling a routinely mounted backup “air-gapped” when production identities can still reach it through shared credentials or an always-on management plane.
Examples and Use Cases
Implementing air-gapped backup rigorously often introduces slower restore workflows and more operational overhead, requiring organisations to weigh rapid recovery against stronger isolation.
- A security team exports encrypted backup sets to offline media that is only mounted during scheduled recovery tests, reducing exposure to ransomware and credential theft.
- A cloud team keeps immutable recovery copies in a separate account with distinct administrative identities and no standing network path from production, which is a logical air gap rather than a physical one.
- An organisation protects its secret store and configuration archives separately after incidents like the State of Secrets in AppSec report highlighted that remediation can take 27 days on average after a leaked secret, creating a long window of exposure.
- During incident response, engineers compare restore viability against the assumptions seen in the DeepSeek breach, where exposed records and credentials showed how quickly attackers exploit weakly separated assets.
- Backup validation teams use recovery drills to prove that restore credentials, encryption keys, and retention controls are independent of production identity paths.
In mature programmes, the goal is not just keeping a copy somewhere else; it is ensuring the backup cannot be silently altered, encrypted, or deleted by the same compromise that hit production.
Why It Matters for Security Teams
Air-gapped backup is a resilience control, but it also becomes an identity control because the isolation is only real if backup access does not share the same trusted principals, secrets, or automation channels as production. That is why organisations should design recovery access with strict separation of duties, short-lived credentials, and tested restore procedures. NHI governance is especially relevant here: backup vaults, snapshot orchestration, and recovery scripts often rely on service accounts and API keys that become high-value targets after initial compromise.
Teams that treat backup copies as merely “stored elsewhere” often discover that ransomware operators, insiders, or compromised agents can still reach them through reused credentials or over-permissioned administration paths. The operational lesson aligns with NIST SP 800-53 Rev 5 Security and Privacy Controls: resilience depends on access control, recovery planning, and tamper resistance, not just storage location.
Organisations typically encounter the true value of air-gapped backup only after production encryption, deletion, or credential abuse has already disrupted recovery, at which point the separation becomes operationally unavoidable to prove.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | RC.RP-1 | Recovery planning covers backup isolation and restore readiness. |
| NIST SP 800-53 Rev 5 | CP-9 | Contingency planning includes backup protection and recovery safeguards. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Backup tooling often depends on secrets and service identities that must be isolated. |
| NIST Zero Trust (SP 800-207) | SA | Zero trust emphasizes explicit verification before any backup access is granted. |
| NIST SP 800-63 | Identity assurance principles inform strong administrative access to recovery systems. |
Build restore paths that stay usable after production compromise and test them regularly.