What are data diodes, and what do they have to do with cybersecurity?

Formally known as unidirectional gateways, data diodes are network appliances that only allow data to move in one direction. While the typical network connection has a transmitter and a receiver, data diodes transmit only. Think of it as an on-air radio station. The station broadcasts content through the airwaves but doesn’t allow you to communicate back.

Data diodes are not new. They’ve been used for decades in high-security environments such as defense and intelligence. Whether used to move data from a high-security to a low-security network or the other way around, data diodes are designed to protect sensitive information and prevent the spread of malware.

Now, data diodes are emerging from the depths of secretive government agencies to see growing use in commercial environments. They’re being used as part of a zero trust security model, in which every network access request is considered suspect until authenticated and validated.

Emphasis on Network Segmentation

For years, security experts have pressed the need for zero trust security, and recent guidance from the National Security Agency (NSA) emphasizes the network and environment pillar of the zero trust model. Although most organizations take a defense-in-depth approach to security, they still focus primarily on perimeter security. Once inside the network perimeter, users, devices and applications have almost unfettered access to corporate resources. The NSA guidance stresses the importance of placing security controls inside the network to protect sensitive applications and data.

Network segmentation is a primary mechanism for isolating critical resources and restricting movement within the network. Macro segmentation breaks up the network into large components, such as individual departments or working groups. Micro segmentation is more granular, breaking up subgroups into smaller components. While macro segmentation might separate the marketing department from the accounting department, micro segmentation would not allow users in accounts payable to access the executive finance team’s resources.

The Role of Data Diodes

The NSA guidance does not mention data diodes specifically. However, they are useful tools for implementing network segmentation while ensuring that authorized users can access data.

Traditionally, organizations segment their networks using firewalls, virtual LANs (VLANs) and access control lists. They can then define security policies that limit communication between applications and workloads. However, these technologies can be time-consuming to implement and manage and are prone to human error. IT teams may be slow to make configuration changes to address emerging threats.

Data diodes enable network segmentation by definition while ensuring the integrity of the sender’s data and the privacy of the receiver. As such, data diodes enable the macro segmentation of operational technology (OT) and IT systems in a way that’s operationally efficient. Supervisory control and data acquisition (SCADA) systems and industrial control systems (ICSs) can be isolated, but their data can still flow to other applications.
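The one-way property described above (only a transmitter on one side, no return path, so the sender's data cannot be altered from the receiving side) has a practical consequence that the text does not spell out: the receiver can never ask for a retransmission, so integrity and loss must be handled without acknowledgements. The following is an added toy model written for this article, not code from Technologent or from any data diode vendor. The class names, the frame format (sequence number plus SHA-256 digest), the redundancy strategy and the constructed OT readings are all assumptions chosen for illustration.

```python
"""Toy model of a unidirectional gateway (data diode).

Constructed example: a sender on the OT side emits self-describing frames,
the diode forwards them in one direction only, and the receiver on the IT
side verifies integrity and detects gaps. Because there is no return path,
the sender repeats each frame instead of waiting for acknowledgements.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass
class Frame:
    seq: int
    payload: bytes
    digest: str

    @staticmethod
    def build(seq: int, payload: bytes) -> "Frame":
        digest = hashlib.sha256(seq.to_bytes(8, "big") + payload).hexdigest()
        return Frame(seq, payload, digest)

    def is_intact(self) -> bool:
        expected = hashlib.sha256(self.seq.to_bytes(8, "big") + self.payload).hexdigest()
        return expected == self.digest


class DataDiode:
    """Forwards frames from the source side to the sink side only.

    There is no ACK, no handshake and no backchannel; any attempt to pass
    anything in the reverse direction is rejected at the boundary.
    """
    def __init__(self) -> None:
        self._queue: List[Frame] = []

    def tx(self, frame: Frame) -> None:
        self._queue.append(frame)

    def rx(self) -> List[Frame]:
        frames, self._queue = self._queue, []
        return frames

    def reverse(self, _anything: object) -> None:
        raise PermissionError("unidirectional link: no return path")


class Sender:
    def __init__(self, diode: DataDiode, repeat: int = 2) -> None:
        self.diode = diode
        self.seq = 0
        self.repeat = repeat  # redundancy stands in for ACK-driven retransmit

    def send(self, payload: bytes) -> int:
        frame = Frame.build(self.seq, payload)
        for _ in range(self.repeat):
            self.diode.tx(frame)
        self.seq += 1
        return frame.seq


class Receiver:
    def __init__(self) -> None:
        self.received: Dict[int, bytes] = {}
        self.corrupt = 0

    def ingest(self, frames: Iterable[Frame]) -> None:
        for f in frames:
            if not f.is_intact():
                self.corrupt += 1      # damaged copy; hope a duplicate arrives
                continue
            self.received.setdefault(f.seq, f.payload)

    def missing(self, expected_count: int) -> List[int]:
        """Gaps can only be detected, never repaired, without a return path."""
        return [s for s in range(expected_count) if s not in self.received]


def return_path_blocked() -> bool:
    """True if the diode refuses traffic in the reverse direction."""
    try:
        DataDiode().reverse("ack")
    except PermissionError:
        return True
    return False


def simulate(drop: Set[int], corrupt: Set[int]) -> dict:
    """Push four constructed OT readings through the diode over a lossy link.

    `drop` and `corrupt` are indexes into the transmitted frame stream
    (two copies per reading, so indexes 0..7).
    """
    diode = DataDiode()
    sender = Sender(diode, repeat=2)
    receiver = Receiver()
    readings = [b"pump1 pressure=4.2", b"pump1 temp=61",
                b"valve7 state=open", b"flow=120"]   # constructed sample data
    for r in readings:
        sender.send(r)
    delivered = []
    for i, f in enumerate(diode.rx()):
        if i in drop:
            continue
        if i in corrupt:
            f = Frame(f.seq, b"tampered", f.digest)  # digest no longer matches
        delivered.append(f)
    receiver.ingest(delivered)
    return {"delivered": len(receiver.received),
            "corrupt": receiver.corrupt,
            "missing": receiver.missing(sender.seq)}


if __name__ == "__main__":
    print(simulate({2, 5}, {6}))        # one copy lost/damaged: all readings arrive
    print(simulate({4, 5}, set()))      # both copies of reading 2 lost: gap reported
    print("reverse path blocked:", return_path_blocked())
```

The point of the model is the receiver's `missing()` method: on a real diode the IT side can log the gap and alert, but the only ways to reduce loss are on the sending side (repetition, forward error correction, larger buffers), which is why diode deployments treat the transfer protocol as part of the design rather than something TCP handles for free.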

Multiple Applications

Not surprisingly, manufacturing, energy and other critical infrastructure sectors are among the biggest users of data diodes. These industries must figure out how to connect the OT systems that control pipelines, water supplies and other physical systems to IT systems that are highly vulnerable to attack.

While those are the primary use cases, data diodes can be utilized in any situation where critical data needs to be isolated. They can also be used to prevent Internet of Things (IoT) devices from being used as attack vectors. Technologent’s security experts can help you explore whether data diodes have an application in your environment. They can also help you apply the zero trust model to greatly improve your security posture.

Zero trust has become imperative in today’s threat environment, but many organizations still focus on perimeter security. Network segmentation reduces the attack surface, and data diodes can play a role in protecting critical systems without impeding the flow of data.


Post by Technologent
November 14, 2024
Technologent is a women-owned, WBENC-certified and global provider of edge-to-edge Information Technology solutions and services for Fortune 1000 companies. With our internationally recognized technical and sales team and well-established partnerships between the most cutting-edge technology brands, Technologent powers your business through a combination of Hybrid Infrastructure, Automation, Security and Data Management: foundational IT pillars for your business. Together with Service Provider Solutions, Financial Services, Professional Services and our people, we’re paving the way for your operations with advanced solutions that aren’t just reactive, but forward-thinking and future-proof.
