Most backup architectures marketed as air-gapped are not isolated. They are reachable systems with better storage controls. Shared identity, shared control plane, scheduled connectivity, and immutable-but-addressable storage all produce the same outcome: production compromise can still destroy recovery without touching backup data.
Data protection and blast-radius isolation are different architectural properties. Data protection answers whether backup blocks can be overwritten. Blast-radius isolation answers whether production compromise can destroy recovery capability entirely. The question that cuts through both: Can a compromised production control plane still issue a destructive command against recovery?
What "Connected Air Gap" Means
An air gap is not a storage property. It is a control-plane boundary — the architectural condition under which no production-privileged actor can reach, command, or disable recovery. Four conditions break that boundary without touching backup data: a shared identity plane, a shared management control plane, a scheduled replication window, and a storage tier that is immutable but still addressable by production-level credentials.
The Four Failure Modes
Failure Mode 1: Shared Identity Plane
The vault is separate. The credentials authenticating the backup agent are issued by the same identity provider as production workloads. A compromised domain admin or exfiltrated service principal can authenticate against the backup platform using production-derived credentials. If recovery shares production trust, recovery shares production blast radius.
Failure Mode 2: Shared Control Plane
Most backup platforms do not fail because backup storage is reachable. They fail because backup control is. The backup management API, reachable from the production management network, exposes purge operations and retention policy modifications without requiring backup credentials. Cloud backup vaults in the same subscription as protected workloads compound this: immutability protects the objects inside the vault. It does not protect the account that owns it.
Failure Mode 3: Scheduled Reachability
A replication window is a deterministic attack surface with a known open time. An attacker with persistent production access and visibility into the backup schedule can time destructive actions to execute during the open window. The backup data replicates, but the target has already been poisoned before isolation is restored.
Failure Mode 4: Immutable but Reachable
If an attacker can revoke restore authority, destroy the catalog, or disable orchestration, the backup survives and recovery still fails. Immutability protects the object. It does not protect the account that owns it, the credentials that perform restores, or the catalog that maps recovery points.
The Control-Plane Test
"Can a compromised production control plane still issue a destructive command against recovery?"

If yes, the air gap is connected. Connected systems are reachable systems. Reachable systems are not isolated systems.
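As an added illustration (not code from the original post), the control-plane test applied to a constructed architecture inventory: it flags each of the four conditions above, and the IdP names, CIDRs, principal names and action names are assumptions chosen for the example.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# Actions whose misuse destroys recovery even when the backup blocks are immutable.
DESTRUCTIVE_ACTIONS = frozenset({"vault:delete", "retention:modify", "restore:revoke",
                                 "catalog:delete", "orchestration:disable"})

Binding = namedtuple("Binding", "principal issued_by actions")  # issued_by: the IdP

@dataclass(frozen=True)
class BackupArchitecture:
    production_idp: str
    backup_idp: str
    production_mgmt_cidrs: tuple     # networks production admins operate from
    backup_api_allowed_cidrs: tuple  # sources the backup management API answers to
    replication_schedule: str        # open-window description, "" if none
    bindings: tuple                  # Binding records on the backup control plane

def _overlaps(cidrs_a, cidrs_b):
    return any(ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))
               for a in cidrs_a for b in cidrs_b)

def control_plane_test(arch):
    """Return the connected-air-gap conditions present; an empty list means isolated."""
    findings = []
    if arch.production_idp == arch.backup_idp:
        findings.append("shared identity plane")
    if _overlaps(arch.production_mgmt_cidrs, arch.backup_api_allowed_cidrs):
        findings.append("shared control plane")
    if arch.replication_schedule:
        findings.append("scheduled reachability")
    # Object lock is irrelevant if a production-issued principal holds a destructive action.
    reachable = sorted(b.principal for b in arch.bindings
                       if b.issued_by == arch.production_idp
                       and DESTRUCTIVE_ACTIONS & frozenset(b.actions))
    if reachable:
        findings.append("immutable but reachable via " + ", ".join(reachable))
    return findings

# Constructed inventory: dedicated segment and WORM storage, yet identity,
# management reachability and the replication window are still shared.
MARKETED_AS_AIR_GAPPED = BackupArchitecture(
    production_idp="corp-idp", backup_idp="corp-idp",
    production_mgmt_cidrs=("10.10.0.0/16",), backup_api_allowed_cidrs=("10.10.50.0/24",),
    replication_schedule="daily 02:00-03:00",
    bindings=(Binding("svc-backup-agent", "corp-idp", {"backup:write"}),
              Binding("prod-domain-admin", "corp-idp", {"vault:delete", "retention:modify"})),
)
```

Running `control_plane_test(MARKETED_AS_AIR_GAPPED)` returns all four conditions, so the verdict is connected; a vault with its own IdP, an API allow-list disjoint from production management networks, no scheduled window, and no production-issued principal holding a destructive action returns an empty list.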
Where Vendor Claims Break Down
Vendors validate storage integrity. Architects need to validate blast-radius isolation.
| Connected Air Gap Condition | What the Vendor Validates | What Remains Exposed |
|---|---|---|
| Shared Identity Plane | Separate backup service account | Same IdP — production compromise traverses trust |
| Shared Control Plane | Dedicated backup network segment | Management API reachable from production subnet |
| Scheduled Reachability | Replication window with disconnection | Deterministic attack window during open phase |
| Immutable but Reachable | Object lock / WORM storage | Vault deletion, restore credential revocation |
Architect's Verdict
An air gap is a control-plane boundary, not a storage property. Every backup architecture that shares an identity plane, a management plane, or a replication schedule with the environment it protects has a connected air gap.
The failure is not a missing feature. It is a misplaced test. Run data protection and blast-radius isolation tests on the same architecture and they return different answers — because they are measuring different properties.
Recovery capability must be designed under the assumption that production is already hostile. Any architecture that shares trust, control, or command authority with production is not isolated. It is delayed compromise.
Originally published at rack2cloud.com