Why Air Gap Matters
Modern ransomware attacks use lateral movement to spread across your infrastructure, seeking out and destroying backups. If your production environment and backup environment share network connectivity or AWS accounts, attackers can compromise both. True air-gap isolation eliminates this attack vector entirely.
Cross-Organization Architecture
Air Gap Recover deploys in a completely separate AWS Organization from your production workloads. This provides true organizational isolation with separate:
- AWS Accounts - Different account IDs, credentials, and billing
- IAM Identities - No shared users, roles, or trust relationships
- Service Control Policies - Independent governance and compliance controls
- CloudTrail Logs - Separate audit trails for forensic analysis
- VPC Networks - Zero network connectivity between organizations
How It Works
One-Way Replication
Data flows from your production AWS Organization to the Air Gap Recover organization using AWS-native replication mechanisms (S3 Cross-Region Replication, EBS snapshot copies, RDS snapshot copies). The replication is one-way only—the backup environment cannot initiate connections back to production.
Break-Glass Access
During normal operations, there is no standing access from production to backups. When recovery is needed, authorized administrators use a secure "break-glass" process with multi-factor authentication to access the backup environment. All access is logged and audited.
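The claims above (no shared trust relationships, one-way replication, no standing access from production) can be checked against the backup organization's own policy documents. The following is an added example, not Air Gap Recover code: it audits IAM trust policies and S3 bucket policies for grants to principals outside the backup organization. The account IDs, role names, bucket name and the allowed replication action set are constructed assumptions.

```python
import re

BACKUP_ACCOUNTS = {"222222222222"}  # constructed: accounts inside the backup organization
# Assumption: the only actions a production replication role may hold on a replica bucket.
REPLICATION_ACTIONS = {"s3:replicateobject", "s3:replicatedelete", "s3:replicatetags"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def foreign_principals(stmt):
    """AWS principals in a statement that fall outside the backup organization."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    entries = as_list(principal.get("AWS", []))
    return [e for e in entries
            if not (m := re.search(r"\b(\d{12})\b", e)) or m.group(1) not in BACKUP_ACCOUNTS]

def audit_policy(name, document, allowed=frozenset()):
    """Flag Allow statements granting outside principals anything beyond `allowed`."""
    findings = []
    for stmt in as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        outsiders = foreign_principals(stmt)
        # IAM action names are case-insensitive, so compare in lower case.
        extra = [a for a in as_list(stmt.get("Action", [])) if a.lower() not in allowed]
        if outsiders and extra:
            findings.append((name, outsiders, extra))
    return findings

# Constructed sample policies from the backup organization (not real resources).
TRUST_POLICIES = {
    "BreakGlassAdmin": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
    "LegacyRestore": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/ProdOps"}}]},
}
BUCKET_POLICIES = {
    "replica-bucket": {"Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/ReplicationRole"},
        "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:GetObject"]}]},
}

def audit_all():
    return ([f for n, d in TRUST_POLICIES.items() for f in audit_policy(n, d)] +
            [f for n, d in BUCKET_POLICIES.items() for f in audit_policy(n, d, REPLICATION_ACTIONS)])
```

On the sample data, `audit_all()` reports the `LegacyRestore` role, which a production role can assume, and the replica bucket, where the production replication role can also read objects back. The check does not evaluate `NotPrincipal`, `NotAction` or condition keys.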
Network Isolation
The backup AWS Organization has no VPC peering, Transit Gateway attachments, or other network connectivity to your production environment. Even if attackers gain full access to your production AWS account, they cannot reach the backup environment over the network.
Defense in Depth
Air-gap isolation is one layer of our security model. Combined with immutable storage, encryption, and access controls, you get defense-in-depth protection:
- Layer 1 - Network isolation (air gap)
- Layer 2 - Account isolation (separate AWS Organization)
- Layer 3 - Storage immutability (WORM locks)
- Layer 4 - Encryption (AES-256)
- Layer 5 - Access controls (MFA, break-glass)
Compliance Benefits
Many compliance frameworks require logical or physical separation between production and backup systems. Our air-gap architecture satisfies requirements for:
- PCI-DSS backup isolation requirements
- SOC 2 Type II logical separation controls
- NIST Cybersecurity Framework (PR.IP-4)
- GDPR data protection measures