Keep in mind that their gaps concerning data protection (e.g. backup/restore, archiving, BC/BR/DR/HA and security) can have different meanings depending on its context.
Data protection gaps can refer to applications, information and data that are not completely protected (e.g. holes or gaps in coverage). On the other hand, data protection gaps can refer to some separation between primary data and a protection copy based on some point in time (e.g. timer interval, version, recovery point) as well as distance. Distance can be as simple as having a protection copy on another device, system or server, as well as site or location including cloud, on-line, near-line or off-line.
There is another type of data protection gap that builds off of the above to create an air gap between your complete data protection implementation (e.g. addressing coverage while leveraging time and distance). An air gap can be thought of as an extension of an off-line copy by making sure that not only the media or medium holding the protection copies are safe and secure. Also, the environment and data infrastructure itself are safe and secure.
The reason for a data protection air gap is to provide protection of protection copies so that when you go to use them that they are consistent, have data integrity and are not corrupt, hacked, infected or in any other way compromised.
How much of a data protection gap do you need or can you tolerate?
That depends on the value and dependency of your data and applications to prove information to your organization. The more time-sensitive and dependency on your applications and data, the smaller the gaps in coverage, and larger gaps (distance and time) between your primary copies and protection copies.
Likewise, if your environment or specific applications are vulnerable and so need to be safeguarded with additional protection, introducing an air gap between your primary copy and an alternate protection copy may be an option. For example, if you are concerned about your backups, snapshots, replicas or other protection copies becoming corrupted, or an undetected virus, perhaps bit rot or something else that compromises the data integrity, having a separate protection copy and associated data infrastructure can be an option.
Having a separate protection copy and associated data infrastructure environment can also be used for running comparison or read verification of your main protection copies should that be a concern.
How much protection you need for your data and applications is going to depend, as everything is not the same across different environments. The question is, what are the applicable threat risks that could prevent your organization from accessing applications and data, or, from being able to use protection copies only to find out they have been compromised or disabled by a hacker or attacker.
Keep in mind the fundamental data protection rule or guide, which is 4 3 2 1 or at least four versions (or time intervals) of your data (also, make sure application software and settings are protected), at least three copies (preferably not all the same version) with protection copies stored on at least two different systems (or servers) with at least one of those being off-site including cloud.
To implement a comprehensive solution you could extend the 4 3 2 1 to include at least one of those protection copies off-line or separated by some air gap from being accessed or compromised.
