Simplify software updates in air-gapped environments
An Air Gap is a rather old but still relevant high security concept. The basic idea of an Air Gap is to isolate a system from the outside world through it. In IT, this means that the system has no network connections to the outside world.
Since even air-gapped systems are not 100% secure, the biggest challenge with such systems is to keep the software used there as up-to-date as possible. This is because using outdated software makes it easier for attackers to spread throughout the system in the event of a successful attack; not to mention the better user experience provided by up-to-date software with new features. The less effort it takes to update software, the more likely it is that updates will be implemented, thereby improving security within the system.
The challenge of software updates in air-gapped networks
Networks located behind an Air Gap are separated from other networks and the Internet. The reduced exposure increases the security of the network (you can learn more about the air-gap-concept in our glossary article on it, but makes it more costly to keep software up to date within the network. Automatic updates of software are difficult due to the lack of an Internet connection. New versions must therefore be downloaded manually and physically brought into the network via data media and then distributed within the network. The more different software applications are operated in an air-gapped network, the greater the update effort. Not only can updates be performed differently for applications, depending on their technology (for example, performing updates for Java applications is different than for Ruby on Rails applications), but updates can also contain breaking changes, making manual steps necessary.
Simplified updates in air-gapped Networks with the Cloudogu EcoSystem
To reduce the effort for updates in air-gapped networks, it makes sense to reduce manual steps by unifying the update processes and providing resources centrally.
An example of unified update processes is the Cloudogu EcoSystem (CES). By default, it already brings standardization to the installation and update processes for all applications running in it. In order to perform updates for a CES running behind an Air Gap, resources still have to be brought into the network manually. However, the migration of data from tools required for updates is automated and required resources are unified. This means that once resources are behind the Air Gap, tools can be installed and updated very easily; with high scalability. In addition, all new versions of applications in the CES must pass integration tests beforehand, which prevents unexpected problems caused by breaking changes. Updates and new installations of tools are therefore doable with very little effort.
There are many options for storing resources in an air-gapped network. In projects with our customers, we have already made experience with the use of Harbour or Sonatype Nexus Repository for storing resources. Feel free to contact us if you are already using another tool or if you have no idea which tool you will use.
Allow-Listing instead of Air Gap
If your security requirements allow it, it is also possible to "soften" an Air Gap by allowing access to the Internet, but strongly restrict it by allow-listing. With this approach, you can limit access to trusted sources; the fewer the better. When using the Cloudogu EcoSystem, the advantage is then that only access to the central backend of Cloudogu is required for all tools. Hence, you don't need to find a trusted source for each tool individually. By unifying updates with CES and having a central source for the resources you need, you can strike a good balance between security and efficiency.
Contact us if you would like to run the Cloudogu EcoSystem behind an Air Gap.