
Logical Air Gap Backup with BlueXP Backup and Recovery

Ransomware attacks target data, rendering it unusable and forcing organizations to pay hefty ransoms to get back up and running. Often, the only way out of this type of situation without paying a ransom is doing a point in time restore from a good backup copy. However, ransomware attacks have evolved to target backup copies as well, creating a need for a comprehensive ransomware recovery strategy involving backup protection via air gapping.

In this blog, we’ll explore the nuances of an air gap backup solution and how BlueXP backup and recovery offers this feature to help protect data from ransomware attacks.

What Is an Air Gap?

An air gap is a ransomware backup strategy and security measure that isolates a system or data from other systems or networks to protect it from potential attacks, such as malware, ransomware, keylogging, or any attack with malicious intent. There are three types of air gap implementations that help protect your environment:

  • Physical air gaps: Systems or applications are deployed in physically isolated environments to implement a physical air gap strategy. These deployments could be segregated by restricted physical access and isolated at the network layer as well.
  • Isolated air gaps: An isolated air gap network is implemented by placing the systems in the same environment but on distinct networks, establishing a level of segregation between systems even if they’re hosted together.
  • Logical air gaps: Systems are segregated logically using techniques such as access restrictions, encryption, or geographical separation. This strategy can be applied to systems connected to the same network.

What Is an Example of an Air Gap?

Systems deployed in different data centers and networks are examples of physical air gap implementations. Systems in the same data center, or even the same rack, but on different networks are an example of an isolated air gap implementation. Systems deployed in a connected network, but in different geographical locations with role-based access restrictions, are an example of a logical air gap implementation.

What Is an Air Gap Backup?

Backup data should be treated just as any primary data since it, too, can become a target for ransomware attacks. This is why logical air gap implementation is a recommended solution to protect backup copies as well. With logical air gap implementation, backup data is stored securely and isolated from the primary data source to prevent attack vectors from tampering with it.

How to Get Air-gapped Copies with BlueXP Backup and Recovery

BlueXP backup and recovery provides air-gapped backup copies that are disconnected from the primary data source. This provides an additional layer of data protection for a point-in-time recovery of data that can be done to restore business functions.

BlueXP Backup and Recovery Air Gapping Features

BlueXP backup and recovery features help build a foolproof ransomware cloud backup solution for on-premises as well as cloud-native organizations using an air gap technique. Data remains in the target cloud object storage, isolated and protected from ransomware attacks on the primary data source, whether it resides on-premises or in the cloud. These are the features that allow that to occur.

  • Off-site backup storage: BlueXP backup and recovery helps to create an off-site copy of the data residing in a different location. These backup copies are remote and independent of the primary ONTAP. The destination can be object storage in the cloud or on-premises StorageGRID®. Backup copies are air-gapped and protected from any ransomware attacks in the primary ONTAP system. Any attempts to access the backup data from a compromised ONTAP system are thwarted as backups are stored separately in offsite storage.
  • Cross-region storage: BlueXP backup and recovery can store backup copies in a different cloud region. This configuration helps in protecting backup copies from any ransomware attacks impacting a specific cloud region. It’s also helpful in protecting data from outages or hardware failures that impact the primary cloud region. The backup copies can be restored in the target region to bring applications online with minimal downtime.
  • Cross account: BlueXP backup and recovery offers a logical air gap solution through access restrictions to the backup copy. You can use different accounts with fine-grained role-based access control for protecting the backup copy. If an account is compromised due to a cyber attack, attackers wouldn’t be able to access the backup copy using the credentials. Backup copies can be kept secure by keeping them in a different location with limited access to a different set of accounts. A different cloud service provider can also be used to store backup copies as BlueXP backup and recovery can be integrated with AWS, Azure, and GCP.

Additional BlueXP Protection Features

Along with the air gapping capabilities discussed above, BlueXP offers a host of additional features that protect your backup data copy.

Object storage: Backup copies are stored in object storage at the destination. Object storage uses a different format compared to the primary ONTAP system. If an attacker manages to access the primary data, the same attack strategy won’t work for the backup copy in object storage as it’s stored in a different format, providing an additional layer of protection for your backup data, and aligning with the 3-2-1 backup strategy.

Object locking and ransomware protection: BlueXP backup and recovery supports ONTAP SnapLock® capabilities for WORM (Write Once, Read Many) storage. This ensures that once written to the storage, data is protected from further updates or deletion. It also supports DataLock, where the WORM capabilities of the target object storage can also be integrated with the service, providing end-to-end data locking. Along with DataLock, BlueXP backup and recovery provides a native ransomware protection feature to detect any attempts by ransomware to tamper with your backup data.
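The cross-account, cross-region and WORM-lock properties described above can be checked together when reviewing a backup design. The following is an added example, not NetApp code and not a BlueXP API: the `Store` fields, the finding names and all sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Store:
    provider: str                      # "aws", "azure", "gcp", ...
    account: str                       # account / subscription / project id
    region: str
    writers: frozenset                 # principals that can modify or delete data
    worm_until: Optional[date] = None  # retention-lock expiry; None = no lock

def air_gap_findings(primary, backup, today, min_retention_days=30):
    """Return the reasons the backup store is NOT logically isolated."""
    findings = []
    if (primary.provider, primary.account) == (backup.provider, backup.account):
        findings.append("same-account")
    if (primary.provider, primary.region) == (backup.provider, backup.region):
        findings.append("same-region")
    # A principal valid on both sides lets one stolen credential reach both copies.
    shared = primary.writers & backup.writers
    if shared:
        findings.append("shared-principals: " + ", ".join(sorted(shared)))
    if backup.worm_until is None:
        findings.append("no-worm-lock")
    elif backup.worm_until < today + timedelta(days=min_retention_days):
        findings.append("worm-lock-too-short")
    return findings

# Constructed sample data (not taken from any real environment).
TODAY = date(2025, 1, 1)
PRIMARY = Store("aws", "111111111111", "us-east-1",
                frozenset({"storage-admin", "backup-svc"}))
WEAK = Store("aws", "111111111111", "us-east-1",
             frozenset({"storage-admin", "backup-svc"}))
HARDENED = Store("aws", "222222222222", "eu-west-1",
                 frozenset({"backup-vault-role"}), worm_until=date(2025, 4, 1))
EXPIRING = Store("azure", "sub-backup", "westeurope",
                 frozenset({"backup-vault-role"}), worm_until=date(2025, 1, 10))

if __name__ == "__main__":
    for name, store in [("weak", WEAK), ("hardened", HARDENED), ("expiring", EXPIRING)]:
        print(name, air_gap_findings(PRIMARY, store, TODAY))
```

An empty result means the backup copy differs from the primary in account and region, shares no write-capable principal with it, and stays locked for at least the required retention window.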


Depending on an organization's needs, users have the flexibility to adapt the level of security they need by leveraging the air gap capabilities of BlueXP backup and recovery. ONTAP customers with on-premises, cloud-native, hybrid or multicloud deployments can protect their data using BlueXP backup and restore.

The air gap security capabilities of BlueXP backup and recovery ensure that data can be quickly restored without delays and help you adhere to your defined RTO requirements. Read more on how to increase cyber resilience here.

Watch the BlueXP backup and recovery demo to learn more.

Semion Mazor, Product Evangelist
