---
title: "Isolated Recovery Environment: Building a Protected Recovery Zone"
date: 2026-05-25T10:40:00+02:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/isolated-recovery-environment-aufbau-einer-geschützten-recovery-zone"
section: "Entries: Articles"
---
### The IRE Concept

An IRE is the protected recovery zone in a cyber resilience architecture:

- **Zone 1:** User workstations (high attack risk)
- **Zone 2:** Production servers (medium risk)
- **Zone 3:** Isolated Recovery Environment (minimal risk, through physical or logical isolation)
- **Air gap backup tier:** the isolated backup copy that feeds the IRE, separated from the network

The idea: if your production network is compromised, you can restore systems in the IRE without the attacker having access. Isolation is an absolute prerequisite.

### Technical Requirements of an IRE

#### 1. Physical or Logical Isolation

**Physically isolated** means:

- Separate hardware (not virtualized in the same cluster as production)
- No network cables to production
- Physically in a different room or even a different building

**Logically isolated** means:

- Virtual machines in a separate hypervisor cluster
- No access to production storage
- Separate network switches, separate VLANs
- Firewall rules that strictly separate the IRE from production

Physical isolation is stronger but more expensive. Logical isolation is more practical for many organizations, as long as the implementation is strict.

#### 2. No Active Directory Connection

This is critical: the recovery environment runs **without production AD**.

Why? If production AD is compromised (and in a cyberattack it often is), and the recovery environment is connected to the same AD, the restored systems are immediately compromised as well.

Instead:

- Separate local accounts on recovery systems
- Or a separate, isolated directory only for the IRE
- No trust relationships with production AD

#### 3. Separate Admin Credentials

The IRE has its own admin accounts with its own password vault.

An administrator who manages thousands of systems in production has access in the IRE only to systems currently being restored there. This limits the damage if production credentials are compromised.

#### 4. Limited Network Connectivity

The IRE has minimal connectivity:

- **No internet:** Restored systems cannot access the internet (no contact with attacker command-and-control servers)
- **No production access:** The IRE cannot reach production systems (prevents lateral movement)
- **Air gap backup access:** The IRE can access the air-gapped backup copies, via a protected connection or by physically attaching the media. With the Silent Brick System, SB Pro bricks can be physically moved to the recovery infrastructure; SB Max Air connects via galvanic separation without physical removal.
- **Manual transfers only:** If files must move between production and the IRE, this happens via a controlled manual transfer, not automatically

This is not maximum connectivity. It is the minimum necessary access.
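The four connectivity rules above can be checked mechanically before an IRE goes live. The following validator is an added example, not code from the article or from FAST LTA's products: it takes a firewall policy as a list of rules and reports every rule that grants internet egress, any path between production and the IRE, or anything beyond read access to the backup tier. The address plan (`IRE_NET`, `BACKUP_TIER_NET`, `PRODUCTION_NETS`), the `Rule` format and both sample policies are constructed assumptions; `WEAK_POLICY` is the "same admins, same internet access" configuration from the common-mistakes section, `HARDENED_POLICY` the minimum-access version.

```python
"""Validate a candidate IRE firewall policy against the connectivity rules
of this section: no internet, no production access, backup-tier access only,
no automatic transfer paths in either direction.

Added example, not FAST LTA code. Address plan, rule format and sample
policies are constructed; adapt the constants to your own network.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
IRE_NET = ipaddress.ip_network("172.31.250.0/24")           # constructed: IRE
BACKUP_TIER_NET = ipaddress.ip_network("172.31.251.0/24")   # constructed: air gap tier
PRODUCTION_NETS = [ipaddress.ip_network("10.10.0.0/16"),    # constructed: prod servers
                   ipaddress.ip_network("10.20.0.0/16")]    # constructed: workstations


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    port: str          # "any" or a port; kept for realism, not inspected here
    comment: str = ""


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _is_production(net: ipaddress.IPv4Network) -> bool:
    return any(net.overlaps(p) for p in PRODUCTION_NETS)


def check_policy(rules):
    """Return one violation string per offending rule; an empty list means compliant."""
    violations = []
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or _net(last.src) != ANY or _net(last.dst) != ANY:
        violations.append("policy does not end with a default deny any -> any")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src, dst = _net(r.src), _net(r.dst)
        reasons = []
        if src.overlaps(IRE_NET):
            # Egress from the IRE may only stay inside the IRE or reach the backup tier.
            if _is_production(dst):
                reasons.append(f"permits IRE -> production ({dst})")
            if not (dst.subnet_of(IRE_NET) or dst.subnet_of(BACKUP_TIER_NET)):
                reasons.append(f"permits egress beyond IRE/backup tier ({dst}): internet reachable")
        if dst.overlaps(IRE_NET) and not (src.subnet_of(IRE_NET) or src.subnet_of(BACKUP_TIER_NET)):
            # Ingress into the IRE only from the IRE itself or the backup tier:
            # no production hosts and therefore no automatic transfer path.
            origin = "production" if _is_production(src) else "untrusted"
            reasons.append(f"permits {origin} -> IRE ({src})")
        if reasons:
            violations.append(f"rule {i} ({r.comment}): " + "; ".join(reasons))
    return violations


# Constructed: the "separate cluster, but same internet and same admins" anti-pattern.
WEAK_POLICY = [
    Rule("allow", "172.31.250.0/24", "0.0.0.0/0", "443", "restored servers fetch updates"),
    Rule("allow", "10.10.0.0/16", "172.31.250.0/24", "any", "prod admins reach recovery VMs"),
    Rule("allow", "172.31.250.0/24", "10.10.5.0/24", "445", "copy restored files to prod"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "default deny"),
]

# Constructed: minimum necessary access.
HARDENED_POLICY = [
    Rule("allow", "172.31.250.0/24", "172.31.250.0/24", "any", "restored systems inside the IRE"),
    Rule("allow", "172.31.250.0/24", "172.31.251.0/24", "any", "IRE reads the air gap backup tier"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "no internet, no production, no auto transfer"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_policy(policy) or "compliant")
```

The check is intentionally strict: a rule whose destination is wider than the IRE or the backup tier is flagged even if it "only" opens port 443, because any route to the internet is a route to command-and-control. Run it as a gate in change management for the IRE firewall, so that a convenience rule added during an exercise cannot silently turn the IRE back into a production segment.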

#### 5. Verification Infrastructure

The IRE must have tools to check restored systems:

- **Antivirus / EDR:** Scan the restored server for malware
- **Integrity check tools:** Verify that files have not been manipulated
- **Application testing:** Test that restored applications function correctly
- **Data validation:** Check database integrity and file integrity

The idea: before a system leaves the IRE and returns to production, you know it is clean.

### The Recovery Workflow with an IRE

**Scenario:** A ransomware attack has compromised your production network. The ERP server, file server, and Active Directory are encrypted.

**Step 1: Detection and Containment**

- The attack is detected (alert in SIEM)
- The production network is disconnected from the internet
- The air gap backup is clean, because it was separated from the network

**Step 2: Recovery Preparation**

- The backup admin connects the air gap storage to the IRE
- The recovery environment is started (separate hardware, separate credentials)
- Recovery software is launched

**Step 3: System Restoration**

- The ERP server is restored from the air gap backup into the IRE
- Duration: typically a few hours, depending on data size
- The server runs in the IRE, not in production

**Step 4: Verification**

- Antivirus and EDR scan the restored server
- An admin tests ERP functionality
- Database integrity is checked
- Recovery is **verified**, not just hoped for

**Step 5: Controlled Production Migration**

- Only now is the clean server connected to the (cleaned) production network
- With heightened monitoring
- EDR and SIEM watch for suspicious activity

**Step 6: Parallel Forensics**

- While production resumes, a separate team analyzes the compromised systems (still offline)
- Goal: understand how the attack happened, also as input for the incident reports NIS2 requires (24-hour early warning, 72-hour notification, final report within one month)

This is not the fastest possible path, but it is **verifiably secure**. A fast restore into a still-compromised network is slower in the end, because you do it twice.

### Common Mistakes When Building an IRE

**Mistake 1: Insufficient isolation.** “We have a separate hypervisor cluster for recovery,” but the same SAN, the same admins, the same internet access. That is not an IRE.

**Mistake 2: Dependence on production AD.** “Our recovery VMs are joined to production AD.” That defeats the purpose. Separate accounts at minimum.

**Mistake 3: Insufficient capacity.** “Our IRE can only host one server at a time.” That is too slow for a real incident. Plan for multiple simultaneous restorations of your most critical systems.

**Mistake 4: Never tested.** “We built an IRE but never ran a real recovery exercise.” Then the IRE is an assumption, not a capability. Test quarterly.

### Frequently Asked Questions

**Can an IRE be in the cloud?** Theoretically, but it is the weaker option and should not be the primary approach. You depend on the provider’s infrastructure and access model in exactly the moment you need full control. An on-premises IRE, fed from on-premises air-gapped secondary storage, keeps the entire restore path in your own hands.

**How much does an IRE cost?** It depends heavily on scope. A physically isolated IRE with dedicated hardware is a significant investment; a strictly implemented logically isolated IRE in the same data center costs a fraction of that. Both are small compared with the cost of an uncontrolled recovery: industry reports put average ransomware recovery costs, excluding ransom, in the seven-figure range.

**Do we need an IRE for all systems?** No. Only for critical systems that must survive ransomware: file server, ERP, AD, email. Non-critical systems can be restored later, directly into the cleaned production environment.

---

### Further Resources

- [IT Resilience Guide](/en/blog/it-resilienz-leitfaden/)
- [Assume Breach Architecture Principle](/en/blog/assume-breach-architekturprinzip/)
- [Multi-Tier Backup Architecture](/en/blog/mehrstufige-backup-architektur/)

### Disaster Recovery

Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) and with a defined maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage.

[Learn more →](https://www.fast-lta.de//en/glossary/disaster-recovery)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)
