The Risk of Air Gaps
As some readers of this blog know, from this month onward I'm on a leave of absence from my academic post to head the Greek Ministry of Finance General Secretariat of Information Systems. The job's extreme demands explain the paucity of blog postings here. I'll describe the many organizational and management challenges of my new position in a future blog post. For now let me concentrate on a small but interesting technical aspect: the air gap we use to isolate the systems involved in processing tax and customs data from the systems used for development and production work.
This is my current understanding of how the system works. Systems that process tax and customs data live in a walled garden lacking a physical connection to the internet: they are isolated from it through a so-called air gap. To transfer data between them and all other systems, such as servers providing internet-facing e-services, development workstations, and computers used by administrators, somebody has to perform a physical action, for instance move the data on a tape or unplug one cable and plug in another. The main advantage of this arrangement is the apparent simplicity of its security properties. If a computer isn't connected to the internet, it's difficult for it to be attacked from the internet or to leak data to it. However, this draconian measure brings problems that may be worse than the ones it solves.
First, I suspect that the separation is not as absolute as advertised. There may be back channels, such as email links or automated procedures for transferring data between systems, that can still enable a determined attacker to compromise the system. Second, this separation is extremely inconvenient. Those whose workstations live in the walled garden can't browse the internet, can't collaborate easily with the developers living outside the garden, and can't even access the internet-based applications that we offer as e-services to citizens. I came across this problem when I organized an internal wiki as a collaboration facility; I quickly realized that about half the employees were excluded from it by design. Also, each new deployment has to be designed taking this separation into account. For instance, the provision of a WiFi service for the building's visitors, which I recommended, has stumbled on the fact that employees may use USB WiFi cards to tap into it from their walled-garden machines, and thereby compromise the air gap. (Yes, I know that USB peripherals can be prohibited by applying an appropriate security policy or epoxy, but this is not my point.)
My main fear is that the sheer inconvenience of the air gap is forcing some employees to maneuver around it using dubious methods. These may involve switching a machine's network cables, setting up a second IP address, installing a second network card, or even connecting a 3G modem. Because these are all unauthorized hacks, no one has thought through their security implications: the trustworthiness of the specific machine, the risk of specific applications or operations, the lack of auditing. So the air gap may be making our facility less secure.
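The workarounds listed above (a second NIC or IP address on an outside network, a cellular modem, a cable moved to the wrong switch) all leave traces in a host's interface configuration, so the lack of auditing is at least partly fixable. The script below is an added example, not code from the original post or from the ministry: it audits per-host interface data for machines that straddle the gap. It assumes two hypothetical address plans (one for the walled garden, one for everything else; substitute the real ones), reads each host's addresses in the JSON shape produced by `ip -j addr show` on Linux, and uses a constructed inventory for illustration.

```python
"""Audit host interface data for machines that straddle an air gap.

Added example (not from the original post). Assumes hypothetical address
plans for the walled garden and for the outside networks, and per-host
JSON in the shape of `ip -j addr show`. The inventory is constructed."""
import ipaddress
import json

# Hypothetical address plans; replace with the real ones.
GARDEN_NETS = [ipaddress.ip_network("10.50.0.0/16")]
OUTSIDE_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                ipaddress.ip_network("172.16.0.0/12")]

# Interface name prefixes that have no business on a walled-garden host:
# cellular modems (wwan, ppp), Wi-Fi (wlan, wl*), USB NICs (usb*, enx<MAC>).
SUSPECT_PREFIXES = ("wwan", "ppp", "wlan", "wl", "usb", "enx")


def zone_of(addr):
    """Map one address to 'garden', 'outside', 'local' or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local:
        return "local"
    if any(ip in net for net in GARDEN_NETS):
        return "garden"
    if any(ip in net for net in OUTSIDE_NETS):
        return "outside"
    return "unknown"


def audit_host(expected_zone, ip_json):
    """Return a list of (code, detail) findings for one host.

    expected_zone is where the asset register says the host lives;
    ip_json is the text of `ip -j addr show` captured on that host."""
    findings = []
    zones = {}  # zone -> set of interface names that carry an address in it
    for iface in json.loads(ip_json):
        ifname = iface["ifname"]
        if ifname.startswith(SUSPECT_PREFIXES):
            findings.append(("SUSPECT_IFACE",
                             f"{ifname} looks like a modem, Wi-Fi or USB NIC"))
        for a in iface.get("addr_info", []):
            z = zone_of(a["local"])
            if z != "local":
                zones.setdefault(z, set()).add(ifname)
    non_garden = sorted(z for z in zones if z != "garden")
    if "garden" in zones and non_garden:
        # The host bridges the gap: it has a garden address and another one.
        detail = "garden via " + ",".join(sorted(zones["garden"])) + "; " + \
                 "; ".join(f"{z} via {','.join(sorted(zones[z]))}" for z in non_garden)
        findings.append(("BRIDGE", detail))
    elif zones and expected_zone not in zones:
        # Cable (or VLAN) moved: the host now lives somewhere else entirely.
        findings.append(("MISPLACED",
                         f"expected {expected_zone}, observed only {sorted(zones)}"))
    return findings


def audit_inventory(inventory):
    """inventory: {hostname: (expected_zone, ip_json)} -> {hostname: findings}."""
    return {host: audit_host(zone, js) for host, (zone, js) in inventory.items()}


# Constructed sample: four hosts, three of them misbehaving in different ways.
INVENTORY = {
    # second NIC plugged into the outside network
    "tax-ws-17": ("garden",
        '[{"ifname":"lo","addr_info":[{"family":"inet","local":"127.0.0.1","prefixlen":8}]},'
        '{"ifname":"eth0","addr_info":[{"family":"inet","local":"10.50.3.17","prefixlen":24},'
        '{"family":"inet6","local":"fe80::1","prefixlen":64}]},'
        '{"ifname":"eth1","addr_info":[{"family":"inet","local":"192.168.7.17","prefixlen":24}]}]'),
    # 3G modem with an address from the carrier, outside any known plan
    "tax-ws-22": ("garden",
        '[{"ifname":"eth0","addr_info":[{"family":"inet","local":"10.50.3.22","prefixlen":24}]},'
        '{"ifname":"wwan0","addr_info":[{"family":"inet","local":"10.65.200.4","prefixlen":32}]}]'),
    # a developer workstation where it belongs
    "dev-ws-04": ("outside",
        '[{"ifname":"eth0","addr_info":[{"family":"inet","local":"192.168.7.40","prefixlen":24}]}]'),
    # garden host whose cable was moved to the outside switch
    "tax-ws-31": ("garden",
        '[{"ifname":"eth0","addr_info":[{"family":"inet","local":"192.168.7.31","prefixlen":24}]}]'),
}

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        for code, detail in findings or [("OK", "")]:
            print(f"{host}: {code} {detail}")
```

Run against real data, the input per host would be the captured output of `ip -j addr show` (or the equivalent from an asset database), collected by a job that itself respects the gap, for example a script run from a trusted admin workstation on each side. The check catches simultaneous membership in both zones, a host that has silently moved, and interface names typical of modems and USB adapters; it does not catch a second card that is unplugged at audit time, which is why it belongs in a scheduled job rather than a one-off inspection.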
I have been told this is a long-standing difficult problem that nobody has dared to tackle. I understand that for higher-ups (such as myself), when a security breach occurs, an improperly run security theater is easier to defend than an apparently riskier, laxer policy. (The security theater allows you to pass the blame to the employee who ignored the procedures established for protecting the air gap.) Yet I'd like to find and deploy a more practical and secure setup. Perhaps the answer lies in the use of virtual machines and some sort of bridging. Sadly, these days I can't find the time to think deeply about such technical issues. Your ideas are welcome!