Data diodes - an effective alternative to airgaps

24 Oct 2023

Do you have sensitive systems or sensitive data that need to be protected? Have you chosen not to connect those systems to the outside world at all, i.e. used an air gap as your solution? Reconsider: there is an alternative to air gaps that is both more secure and more cost-effective. Read on to see how data diodes provide the same level of protection against network-based attacks while still making it possible to connect the systems.


Network security for sensitive systems and sensitive data

If a device can be reached over the network, it can be attacked, and if it can be reached by unauthenticated users or systems, it can be attacked without the attacker first having to defeat any identity control. Security work therefore often aims to make devices, or the important data stored on them, harder to reach for the people and systems that should not have access.

There are several tools for keeping potential attackers at bay: encryption, VPNs and various multi-factor authentication systems, network segmentation, and principles such as defence-in-depth and zero trust. But sometimes a system holds data so important that no risk of a network-based attack, however small, can be tolerated.

In situations like this, a common measure is to ensure that the system or network in question is not connected to any other system or network, or at least not to any network that does not itself have extremely stringent security controls in place. Sometimes it may even be necessary to isolate the systems physically, forgoing the benefits of interconnection entirely.




Air gap – a common solution to protect sensitive networks

Air gap, air wall, air gapping, or isolated network is a network security measure used on one or more computers to ensure that a secure computer network is physically isolated from other networks, such as the public Internet or an insecure local area network. This means that a computer or network has no network interfaces connected to other networks. It is thus isolated from other systems connected to unsecured networks.

The only way to transfer data to and from an air gapped system is via portable media, sometimes called a "walknet" (more commonly "sneakernet"). In practice this is done by people, which makes you dependent on well-trained staff who would probably rather be working on more qualified and stimulating tasks. But even well-trained personnel with high security awareness can make mistakes or take shortcuts, which, despite all other security measures, exposes the systems to risk: the removable media themselves are a well-known route for malware to enter a system.


Data diodes – a more secure and more cost-effective solution

A data diode is a cybersecurity solution that ensures a one-way flow of information. It is a hardware product with high assurance, and it maintains both the integrity of the network, by preventing intrusion, and the confidentiality of the network, by protecting its most sensitive information. Thanks to this high assurance, data diodes protect the assets of organisations active in critical infrastructure, ICS/SCADA and the defence industry. Digitalisation and the rise in sophisticated cyberattacks mean that every organisation that works with sensitive information needs a way to protect that information while still exchanging data securely, and a data diode provides exactly that.

A data diode is placed between two networks and acts as a check valve: it allows data to flow in one direction only and blocks all traffic in the opposite direction. Because the one-way property is enforced by the hardware itself, and not by software that could be misconfigured or exploited, the enforcement has no software bugs to attack and cannot be altered by malicious code. Software still exists on both sides of the diode to package outgoing data and to receive it, but compromising that software cannot create a path in the blocked direction. Hardware-based enforcement is what lets a data diode meet its security requirements with a high level of assurance. Note that the diode enforces direction, not content: whatever is permitted through in the forward direction still needs to be validated on the receiving side.

A hardware-based data diode is equivalent to physical separation in the reverse direction. This means that a requirement for physical separation can actually be fulfilled (in the reverse direction) by a data diode, while a network connection is still possible in the forward direction.
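Since the receiving side of a diode can never send anything back, the usual network mechanisms that rely on feedback (TCP acknowledgements, retransmission requests) are unavailable, and the transfer software on each side has to be designed around that. The following is an added example of that design principle, written for this article; it is not the code of any data diode product or its accompanying transfer software. It models a unidirectional link in memory: the sender emits self-describing frames (file id, sequence number, total count, SHA-256 of the payload) and repeats them a fixed number of times as the only available loss handling, while the receiver verifies each frame on its own, tolerates duplicates, reports gaps it cannot ask to have filled, and rejects corrupted frames. The framing, the frame header layout and the sample "update file" are constructed for the example.

```python
import hashlib
import struct
from typing import Callable, Dict, List, Optional

# Constructed frame header for this example: file id, sequence number,
# total number of chunks, SHA-256 of the payload. Every frame must be
# placeable and verifiable on its own, because nothing can be asked for again.
HEADER = struct.Struct("!IIH32s")


def make_frames(file_id: int, data: bytes, chunk_size: int = 1024) -> List[bytes]:
    """Split data into self-describing frames (header + payload)."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    total = len(chunks)
    return [
        HEADER.pack(file_id, seq, total, hashlib.sha256(chunk).digest()) + chunk
        for seq, chunk in enumerate(chunks)
    ]


def send_one_way(frames: List[bytes], repeat: int = 3,
                 dropped: Callable[[int, int], bool] = lambda pass_no, idx: False) -> List[bytes]:
    """Simulated unidirectional link: each frame is sent `repeat` times and the
    link may drop any copy (`dropped(pass_no, idx)` decides). There is no
    feedback path, so repetition is the only loss handling available."""
    delivered: List[bytes] = []
    for pass_no in range(repeat):
        for idx, frame in enumerate(frames):
            if not dropped(pass_no, idx):
                delivered.append(frame)
    return delivered


class Receiver:
    """High-side receiver: validates and reassembles, never replies."""

    def __init__(self) -> None:
        self.files: Dict[int, dict] = {}   # file_id -> {"total": n, "chunks": {seq: payload}}
        self.rejected = 0

    def accept(self, frame: bytes) -> bool:
        """Validate one frame; a corrupted or malformed frame is dropped, since
        it cannot be re-requested. Returns True if the frame was stored."""
        if len(frame) < HEADER.size:
            self.rejected += 1
            return False
        file_id, seq, total, digest = HEADER.unpack_from(frame)
        payload = frame[HEADER.size:]
        if seq >= total or hashlib.sha256(payload).digest() != digest:
            self.rejected += 1
            return False
        entry = self.files.setdefault(file_id, {"total": total, "chunks": {}})
        if entry["total"] != total:
            self.rejected += 1
            return False
        entry["chunks"].setdefault(seq, payload)   # duplicates from repeats are harmless
        return True

    def missing(self, file_id: int) -> Optional[List[int]]:
        """Sequence numbers not yet received, or None if the file is unknown."""
        entry = self.files.get(file_id)
        if entry is None:
            return None
        return sorted(set(range(entry["total"])) - set(entry["chunks"]))

    def reassemble(self, file_id: int) -> Optional[bytes]:
        """The complete file, or None while gaps remain (log it and wait for
        the next scheduled resend; there is no way to ask for the gap)."""
        entry = self.files.get(file_id)
        if entry is None or self.missing(file_id):
            return None
        return b"".join(entry["chunks"][i] for i in range(entry["total"]))


def transfer(data: bytes, file_id: int = 1, repeat: int = 3,
             dropped: Callable[[int, int], bool] = lambda pass_no, idx: False) -> Receiver:
    """Run one complete one-way transfer and return the receiver state."""
    rx = Receiver()
    for frame in send_one_way(make_frames(file_id, data), repeat, dropped):
        rx.accept(frame)
    return rx


if __name__ == "__main__":
    sample = bytes(range(256)) * 40   # constructed 10,240-byte "update file" (10 chunks)
    # First pass loses every even chunk; the repeats carry them across.
    rx = transfer(sample, dropped=lambda p, i: p == 0 and i % 2 == 0)
    print("complete:", rx.reassemble(1) == sample, "missing:", rx.missing(1))
    # Chunk 3 is lost on every pass: the receiver can only report the gap.
    rx = transfer(sample, dropped=lambda p, i: i == 3)
    print("complete:", rx.reassemble(1) == sample, "missing:", rx.missing(1))
```

The per-frame hash is an integrity check against transmission errors and malformed frames, not an authenticity check; if the sending side must be trusted less than the receiving side, a signature over the whole file would be verified after reassembly, before anything is applied.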


Data diodes - a calculation example with ROSI

Using a data diode is a cost-effective way to protect sensitive information. ROSI (Return on Security Investment) is a way of estimating what a lack of security can cost and which solutions are the most cost-effective, in order to decide how much to spend on security.

You can calculate ROSI using the formula below. The result is your return on the security investment, expressed as a percentage. It is based on the Annualised Loss Expectancy (ALE), the estimated risk reduction and the cost of the solution:

ROSI = (Reduced monetary loss – Cost of the solution) / Cost of the solution

where Reduced monetary loss = ALE x estimated risk reduction, and both figures are taken per year.


A simple calculation example

An air gapped system is manually updated once a week with upgrades to the operating system and other software, including antivirus software. Because the updates are not applied more often, and because the manual work risks not being carried out correctly in every part, the system is expected to be affected by malicious code on average once every two years, i.e. an annual rate of occurrence of 0.5. Each incident is estimated to cost SEK 800,000 to resolve, including the cost of any lost information and of certain systems being down. Note that this is an estimated average: some incidents are easy to clean up after, while others involve significantly greater costs.

By installing a data diode and instead importing and applying updates every night, the probability of a successful attack is assumed to be reduced by 80%.

In this example the data diode costs SEK 200,000 and comes with an annual maintenance and support agreement (MSA) of 25% of the purchase price. The installation cost is SEK 50,000 and the annual maintenance effort is 20 working hours. We assume a labour cost of SEK 1,000 per hour and a data diode lifetime of 10 years.


The one-time cost of the data diode:

SEK 200,000 + SEK 50,000 = SEK 250,000


The total annual cost including MSA and maintenance:

SEK 250,000 / 10 years + SEK 200,000 x 0.25 + 20 x SEK 1,000 = SEK 25,000 + SEK 50,000 + SEK 20,000 = SEK 95,000


Estimated annual loss without the data diode (ALE = cost per incident x incidents per year):

SEK 800,000 x 0.5 = SEK 400,000


The data diode solution reduces this expected loss by 80%, so the reduced monetary loss per year is:

SEK 400,000 x 0.8 = SEK 320,000


This gives ROSI according to:

(Reduced monetary loss – Cost of the solution) / Cost of the solution = (SEK 320,000 – SEK 95,000) / SEK 95,000 = 2.37 (237%)

ROSI is thus 237%. Put differently, every krona invested in the solution avoids SEK 3.37 of expected loss, a net gain of SEK 2.37 per krona, which can be considered a really good investment. The break-even point is low: the data diode pays for itself as soon as it removes more than SEK 95,000 / SEK 400,000 = 24% of the expected loss.

In addition, the calculation leaves out the savings on the manual update work, which is now largely automated, freeing your staff for more productive tasks. Including that saving would make the return higher still.
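The figures above are all estimates, so the practical question is how sensitive the 237% is to them. The following calculator is an added example written for this article, not a tool supplied with any product; it reproduces the article's calculation with the article's own inputs as defaults, and goes beyond it by computing the break-even risk reduction and break-even incident rate and by showing ROSI across a range of risk-reduction assumptions. All amounts are in SEK and the defaults are the example's figures, not vendor pricing.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable


@dataclass
class RosiInputs:
    # Defaults are the article's example figures (SEK), not vendor pricing.
    incident_cost: float = 800_000      # single loss expectancy: cost of one incident
    incidents_per_year: float = 0.5     # annual rate of occurrence: once every two years
    risk_reduction: float = 0.80        # share of expected loss the control removes (assumed)
    purchase_price: float = 200_000
    installation: float = 50_000
    msa_rate: float = 0.25              # annual maintenance/support, fraction of purchase price
    maintenance_hours: float = 20
    hourly_rate: float = 1_000
    lifetime_years: float = 10


def annual_loss_expectancy(p: RosiInputs) -> float:
    """ALE = cost per incident x incidents per year."""
    return p.incident_cost * p.incidents_per_year


def annual_cost(p: RosiInputs) -> float:
    """One-time costs spread over the lifetime, plus the recurring costs."""
    one_time = p.purchase_price + p.installation
    return (one_time / p.lifetime_years
            + p.purchase_price * p.msa_rate
            + p.maintenance_hours * p.hourly_rate)


def rosi(p: RosiInputs) -> float:
    """(reduced loss - cost) / cost, as a fraction (2.37 means 237%)."""
    benefit = annual_loss_expectancy(p) * p.risk_reduction
    cost = annual_cost(p)
    return (benefit - cost) / cost


def breakeven_risk_reduction(p: RosiInputs) -> float:
    """Smallest risk reduction at which the control pays for itself (ROSI = 0)."""
    return annual_cost(p) / annual_loss_expectancy(p)


def breakeven_incident_rate(p: RosiInputs) -> float:
    """Smallest incidents-per-year at which the control pays for itself,
    holding the assumed risk reduction fixed."""
    return annual_cost(p) / (p.incident_cost * p.risk_reduction)


def sensitivity(p: RosiInputs,
                reductions: Iterable[float] = (0.2, 0.4, 0.6, 0.8)) -> Dict[float, float]:
    """ROSI for a range of risk-reduction assumptions, to see how robust the figure is."""
    return {r: rosi(replace(p, risk_reduction=r)) for r in reductions}


if __name__ == "__main__":
    p = RosiInputs()
    print(f"ALE:          SEK {annual_loss_expectancy(p):,.0f}")
    print(f"annual cost:  SEK {annual_cost(p):,.0f}")
    print(f"ROSI:         {rosi(p):.0%}")
    print(f"break-even risk reduction: {breakeven_risk_reduction(p):.1%}")
    print(f"break-even incident rate:  {breakeven_incident_rate(p):.3f} per year "
          f"(one every {1 / breakeven_incident_rate(p):.1f} years)")
    for r, value in sensitivity(p).items():
        print(f"  risk reduction {r:.0%}: ROSI {value:.0%}")
```

With the article's inputs, the investment breaks even at a 23.75% risk reduction, or at roughly one incident every 6.7 years if the 80% reduction holds; that is the margin by which the estimates can be wrong before the conclusion changes. The model, like the article's, does not discount future cash flows and does not count the manual handling cost of the air gap, both of which would favour the diode further.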


