The term air gap’ originally referred to a physical gap between two systems with no electrical connection. In IT security, it describes the complete physical separation of a storage system from the network — so that no protocol, no port, no API endpoint is active while the system is in its offline state.

It is important to distinguish this from terms that use air gap’ loosely: cloud providers market as a virtual air gap’, and backup software vendors call network segmentation a logical air gap’. Neither qualifies in a technical sense. A genuine air gap requires three conditions: no active network connection after the backup window, no addressable network interface in the offline state, and a hardware-enforced separation that cannot be overridden by any compromised system.

In the context of ransomware protection, the physical air gap is the only protective measure that works even when an attacker has gained full domain administrator rights. Software-based immutability — , cloud immutability policies or software-controlled functions — can be deactivated by an attacker with compromised admin credentials in many scenarios. A physically non-addressable storage medium, by contrast, can neither be encrypted, deleted nor exfiltrated.

Automated hardware air gap systems like the Silent Brick System with Max Air Bricks achieve this protection without manual intervention: after the backup job completes, an integrated hardware controller physically disconnects the network connection. The system is unreachable until the next backup window begins. This cycle runs fully automatically — no tape swap, no manual process, no risk of human error. Recovery time on disk-based systems is typically 4 – 8 hours — significantly faster than tape-based solutions, which require 24 – 96 hours.

Frequently asked questions

A physical air gap separates a system from the network at the hardware level — after the backup window, it has no active network interface. A logical air gap refers to network segmentation through firewall rules, VLANs or software policies. The key difference: logical separations only exist as long as the underlying configuration is correct. An attacker with compromised admin credentials can change a firewall rule — they cannot override a physical network separation at the hardware level.
No. Object Lock stores data immutably — but the storage system remains reachable via API endpoints. An attacker with compromised cloud IAM credentials can lift Object Lock protection in many configurations (especially Governance Mode). A physical air gap has no reachable network interface in the offline state — the comparison is not appropriate.
On disk-based air gap systems, the typical Recovery Time Objective (RTO) is 4–8 hours for a complete system restore. Tape-based air gap solutions require 24–96 hours, as tape drives only offer sequential read access. The advantage of disk-based air gap systems lies in direct access to any data region.
No. Hardware air gap systems integrate via standard interfaces (FC, iSCSI, NFS, SMB, S3) with all major backup software — Veeam, Commvault, Acronis, SEP Sesam and others. The backup software addresses the air gap system like a normal backup target; the physical separation occurs automatically at the hardware level after the job completes.