on-prem air gap

By Jason English (@bluefug) – Intellyx  |  Part 2 of the Intellyx On-Prem Innovation Series

When I think of the most mission-critical on-premises secure installation scenario of all time, my mind immediately wanders to silos. Missile silos, to be exact. 

If there ever was a reason to be absolutely 100-percent-sure a system was inaccessible to the outside world, and thus positively unhackable, it would be to prevent an unauthorized launch.  Any software update that happens in that control room had better be hand-installed from a disk and checked by a high-security clearance individual.

Granted, most of us don’t have to sweat the global consequences of a Wargames-style nuclear brinkmanship event if our business software isn’t securely air gapped.

Still, it wouldn’t hurt to take a page from the missile-command playbook in thinking about your organization’s mission-critical environments to understand when on-prem air gap installations provide the best balance of risk avoidance and value for critical systems.

What are some of the most compelling use cases for on-prem air gap software installations?

On-prem prospects for software vendors

I hear rosy cloud-based growth projections from independent software vendors (ISVs) on a daily basis. Every one of them touts the impressive sales growth stats of their latest SaaS or cloud offerings in relation to their existing on-prem business.

You can’t blame vendors for wanting to position themselves as ‘modern’ for IT analysts and investors, touting that they are selling service-based software — but for security, compliance, and control reasons, real-world businesses demand modern software delivered on-premises.

Among many other surprising facts revealed in this 2021 State of On-Prem study was the fact that almost all ISVs — 92% even — are reporting increased sales of on-prem software to customers — and at least half of them reported ‘strong growth’ in sales!

on-prem growth

For an ISV, securely compiling, packaging, and distributing runtime software on-premises — and into an air gapped environment — is rapidly becoming a requirement for many critical customer use cases. 

The side benefit? Effective air gapping also solves the complex problems of ensuring the software configuration was consistently performed, that IP is protected as needed, and usage is properly privileged at the point of distribution. 

Have you ever used software with a ‘remote update’ feature that routinely checks for updates and licensing status — only to cut off the session if for some reason the registration server is unavailable, or the network connection is down? 

That vendor is telling its customers that they don’t trust their own installation packages, and topping it off prevents them from doing their work. Talk about the fastest route to customer abandonment! 

Fortunately, many leading commercial and open source vendors offer modern on-prem air gap installations that fit some unique customer form factors.

Mission control: installing in a new frontier

If you thought my missile command story was a hypothetical story, how about mission control for satellites?

Kubos is a fascinating vendor tightly focused on delivering a more responsive cloud-native ground control system (called Major Tom, if you get the Bowie reference) to allow operators to interface with satellites, control them, and gain insights into real-time telemetry data from space.

Some of their customer’s ground control environments — as you might expect with such expensive hardware on the line — are entirely locked down. There are no open sockets for an install. While communication and control work happens via APIs and SaaS-style approaches, their control gateway software and updates must sometimes be remotely installed into an air gap environment.

Kubernetes, by nature, provides an excellent start to unlocking this exact problem as it can act as a reference architecture of containerized microservices. It’s cloud-native, yes, but it doesn’t need to run in a cloud. Bespoke customer installs can be tightly specified as code, configuring complete multi-tier operating environments that can be bundled and consistently delivered to customers as ready-to-deploy K8s packages.

More endpoints, more use cases

Wherever there is a need for secure data and secure operations, there’s probably an identifiable need for some aspect of that environment to be air gapped.

  • Government development teams, especially those working on military or intelligence technology, often prefer to have their team’s work environments and software packaged for delivery into an on-prem air gap system cordoned off from the internet. This ensures only approved components can be used by high-clearance developers and contractors, preventing software supply chain attacks.
  • Pharma research teams conducting clinical trials can do their surveys and calculations on air gapped software, complying with HIPAA and PII statutes while preventing the leak of both patient data and proprietary research information.
  • Financial software such as fraud detection algorithms and predictive stock trading tools are ideal for software air gapping to prevent any outside parties from attempting to gain an edge or ‘game’ these high-value decision support tools.

The Intellyx Take

Just press play to start the install. It’s time to shoot down the pundits who tell you everything will move from on-prem to cloud or SaaS models.

I predict a migration to securely contained modern on-premises computing environments for our most mission-critical applications, with Kubernetes as the enabler for this encapsulation.

The market for modern on-prem is bearing this reality out today, with a renewed focus on air gapped software installations where security and total compositional assurance are of the highest priority.

© 2021, Intellyx, LLC. Intellyx retains editorial control over this content. At the time of publishing, Replicated is an Intellyx client. Image credits: Photo by Nina Ž. on Unsplash