A data diode is a cybersecurity solution that ensures unidirectional information exchange. This high assurance hardware device maintains both network integrity by preventing intrusion, as well as network confidentiality by protecting the most security sensitive information.
How does a data diode work?
Data diodes are the fail-safe way to protect sensitive systems and confidential data. A data diode is a security product that is placed between two networks and acts as a non-return valve whose function only allows data to be sent in one direction while blocking all data in the opposite direction. Since the security properties of the data diode are based on hardware and optical fiber, it can be shown that it is physically impossible for data to be transported in the opposite direction. Because security is not based on software, there are no vulnerabilities in the form of software bugs, nor can it be attacked by malicious code. Hardware-based security means that you can show that data diodes have high assurance.
Why do you need a data diode?
A common solution to keep sensitive or classified information safe from leakage or manipulation is to completely disconnect it from other networks. However, there are situations when data needs to be transferred to or from the protected network.
The most common device used for regulating information flow is probably a firewall. This is a device with the purpose to protect your network by only allowing certain traffic to enter it. It monitors and filters what traffic and data-packets that enter the network, and which are blocked based on a set of rules. However, if you need to transfer information to or from a security sensitive network a firewall is not the only product in your toolbox to enhance your cybersecurity. Though a firewall strives to protect the network, a high assurance addition in terms of a Cross Domain Solution is also needed. Cross Domain Solution (CDS) is a term used to describe the concept of maintaining secure information exchange between domains with different security or protection needs. This can be between databases, servers, applications, or combinations of these. CDS addresses the concept of communicating, sharing or moving information between domains and applies validation, transformation or filtering to the exchange. The data diode is a Cross Domain Solution.
By using a data diode, you can ensure that the transfer is done securely without jeopardising the integrity or the confidentiality of the network.
Who needs a data diode?
A high assurance data diode protects assets for operators within critical infrastructure (ICS/SCADA) and defence industries. However, along with digitalisation and the increase of sophisticated cyberattacks, every organisation that operates with sensitive information has great use of a data diode to protect its valuable information and securely exchange data.
Five things you can use data diodes for
If a data diode is directed out from the high security network towards a network with a lower security level, data can be transferred from the high security network while the high security network stays protected. By transferring information via a data diode, you are guaranteed that no one can use the same connection in the opposite direction to reach the high security network and disrupt the availability and integrity of the systems.
A data diode can also be directed towards the high security network. In these cases, it is most likely that you want to collect information of some kind from another network. The security issue, however, is how to collect the information and at the same time make sure that there is no leakage of sensitive data from your network through this channel. A data diode will ensure the confidentiality of the high security network by preventing any form of data leakage from happening.
There are more ways to use a data diode than you might think. You can use them for countless solutions, but here are five areas you may not have known about in which you can use data diodes:
- IoT sensor networks
- HTTP mirror
- Traffic tapping
- Video streaming
You can read more about how you can use data diodes in these five areas here.
Other solutions for segmentation
Bidirectional security gateways
A Security Gateway can be compared to a firewall as it regulates what traffic that can enter and exit a network. A Security Gateway only forwards received information when it complies with a certain policy which is derived from your organisation's information security policy. The policy implemented in the Security Gateway defines accepted structures, formats, types, values, and even digital signatures. When a message is sent from one security domain to another across the Security Gateway, information in the message is analysed and validated according to the configured policy. Approved parts of the received message are put into a new message which is sent to the intended receiver in the other domain. In this way, you know that only allowlisted information crosses this boundary.
Air gap means that a computer or a computer network does not have connections to the outside world. Physical security such as locks, guards and alarms prevent unauthorised access, as well as logical access control once you are at the computer. Information is moved in and out of the environment via portable media. The information must be checked before it is imported so that it does not contain malicious code, but also during export so that you do not accidentally export "wrong" information and thus risk revealing it. Air gap is thus a relatively manual system used to protect sensitive information and sensitive environments.
Strengths with a data diode
There are several strengths with a data diode:
- Their ability to ensure security in insecure systems, and to protect and preserve legacy systems. By using data diodes, legacy systems can be protected without overhauling the entire operational system.
- Its hardware aspect. By using a hardware system, data diodes remove, to a large extent, the possibility of user error.
- The long-term operating costs are low. After initial investment of purchase and system integration, the savings in maintenance and administration costs make the data diode an efficient network security solution in the long run.
- The way they reduce the cybersecurity risk. The diode's strict properties mean that you can completely rule out certain types of risks if you use a diode. For example. you know that the network can not leak information and can thus only focus on managing risks with privacy and malware.
Read more about how data diodes can be used in our Use Case #02 "Protecting information in critical infrastructure"!
Want to invest in your cybersecurity? Contact us today!