Most organisations have learned — often the hard way — that backup storage must be isolated from production networks. You would not put your backup repository on the same network segment as your production workloads, reachable by the same ransomware payload that just encrypted your primary environment. That is not a backup. That is a second copy waiting to be destroyed.
Yet a significant majority of those same organisations hand both their production IT management and their backup infrastructure to the same managed service provider. The physical and logical controls are there. Separation at the service layer is not, and the shared provider becomes a single point of failure.
This is the services air gap problem — and it is increasingly a compliance issue as well as a security one.
The Threat Model
MSPs occupy a structurally privileged position in their clients' environments. They hold administrative credentials, have access to management tooling, and frequently operate with broad lateral movement capability across production and backup systems simultaneously. That privilege is why they are useful. It is also why they are a target.
The pattern is well documented. MSP-targeted ransomware campaigns have been a consistent feature of the threat landscape since at least 2018. Attackers compromise an MSP's management tooling — remote monitoring and management platforms, professional services automation tools, or administrative credential stores — and use that foothold to deploy ransomware across every client in that MSP's portfolio simultaneously. The economics are straightforward: compromise one entity, reach hundreds.
Supply chain attacks follow the same logic. Injecting malicious code or backdoors into software widely deployed by MSPs gives attackers access to every client that provider manages. The attack surface is the provider relationship itself, not any individual client's defences.
Insider threat follows the same structural path. An employee at your MSP with access to both your production environment and your backup infrastructure is — from a security architecture perspective — a privileged insider across your entire resilience stack. Your carefully isolated backup storage offers no protection against someone with legitimate administrative access to both sides.
The question is not whether these attack patterns exist. They do, and they are well documented in NCSC and CISA guidance. The question is why organisations apply rigorous isolation thinking at the infrastructure layer but accept a shared service relationship that eliminates it at the operational layer.
The Regulatory Dimension
Two frameworks now make this more than a security architecture conversation.
DORA — the Digital Operational Resilience Act — came into force across EU financial services in January 2025. Among its requirements is a specific obligation to assess and manage ICT concentration risk: the risk that over-reliance on a single provider or a small number of providers creates systemic exposure. A single MSP managing both production and backup environments is a concentration risk by definition. DORA requires firms to identify this, assess it, and demonstrate they have addressed it. It applies to financial services organisations operating in the EU and to their critical third-party ICT providers.
NIS2, the EU's updated Network and Information Security directive, extends supply chain security obligations to a significantly broader set of sectors than its predecessor. It requires organisations to assess the security practices of their supply chain and to evaluate the security of the service relationships themselves — not just the technical controls those providers maintain. A backup provider that is structurally the same entity as your production provider is a supply chain dependency that warrants specific scrutiny under this framework.
Both frameworks point in the same direction: provider-level concentration and supply chain risk are regulatory concerns, not just security architecture preferences. Organisations subject to these frameworks — and organisations in sectors that will face equivalent UK requirements as regulation continues to evolve — need a defensible answer to whether their resilience function is genuinely independent.
The Services Air Gap
The principle is straightforward: the provider responsible for your backup and recovery capability should be structurally independent from the provider managing your production environment. Not just contractually separate. Structurally separate — different ownership, different personnel, different tooling, different access paths.
This is the services air gap. It is the operational equivalent of the network isolation you already apply at the infrastructure layer. If your production provider is compromised, your backup provider is unaffected. If there is an insider threat at one, it does not reach the other. Supply chain attacks against one provider's tooling do not propagate across both environments.
The principle extends beyond regulated sectors. Any organisation that takes resilience seriously — and any that would prefer not to explain to its board why a single supplier incident destroyed both its production environment and its recovery capability — should be asking whether it has a services air gap in place.
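One way to test an access inventory against the four separation criteria above (ownership, personnel, tooling, access paths), as an added example that is not IronFell's code. The column names and the sample grants are constructed for illustration; the sample shows two contractually separate providers that still share a parent company and a management console.

```python
from collections import defaultdict

# Dimensions the article says must differ between the two providers,
# plus the provider name itself. Column names are assumptions of this example.
FIELDS = ("provider", "owner", "person", "tool", "path", "env")
DIMENSIONS = FIELDS[:-1]
BOTH_SIDES = {"production", "backup"}

# Constructed inventory of administrative access grants (not real data).
# Two contractually separate providers share a parent company and an RMM console.
GRANTS = [
    ("MSP-A", "HoldCo-1", "j.smith", "rmm-console", "vpn-msp-a", "production"),
    ("MSP-A", "HoldCo-1", "k.jones", "rmm-console", "vpn-msp-a", "production"),
    ("BackupCo-B", "HoldCo-1", "m.lee", "rmm-console", "vpn-backup-b", "backup"),
    ("BackupCo-B", "HoldCo-1", "m.lee", "backup-portal", "vpn-backup-b", "backup"),
]

def air_gap_violations(grants):
    """Return {dimension: [values]} for every value that reaches both environments."""
    # reach[dimension][value] collects the environments that value can touch.
    reach = {d: defaultdict(set) for d in DIMENSIONS}
    for row in grants:
        grant = dict(zip(FIELDS, row))
        for d in DIMENSIONS:
            reach[d][grant[d]].add(grant["env"])
    violations = {}
    for d in DIMENSIONS:
        # A value seen on both sides means that dimension is not separated.
        shared = sorted(v for v, envs in reach[d].items() if BOTH_SIDES <= envs)
        if shared:
            violations[d] = shared
    return violations

if __name__ == "__main__":
    for dimension, values in air_gap_violations(GRANTS).items():
        print(f"{dimension}: {', '.join(values)} reaches production and backup")
```

An empty result means no owner, person, tool or access path in the inventory spans both environments; the check is only as complete as the inventory it is given.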
Where IronFell Fits
IronFell is a specialist data protection provider. We manage backup and recovery, and nothing else. By definition, we cannot be the same provider managing your production environment. That structural independence is not a product feature — it is the architecture of the service itself.
If your current setup puts production management and backup management in the same hands, the question worth asking is not whether that is a problem. It is when it becomes one.