If you run an IT network that looks after highly sensitive data – state secrets, patient records, customers’ bank accounts, critical national infrastructure – you’ll do whatever it takes (within reason) to keep it safe from cyber-attack. That probably means segmenting the network into a ‘low security’ side that connects to the internet and a ‘high security’ side that keeps the valuables well away from it. Even so, the two sides must still connect. Data travels from low to high and vice-versa – and in those moments, the high side is vulnerable to attack.
Data diodes or firewalls?
So what do you do? Until now, you’ve had two not-quite-ideal ways to protect these connections: a firewall, which relies on software to police the traffic and so carries the risk of software vulnerabilities an attacker could exploit, and a data diode, which only lets data through in one direction. The diode is highly effective, but prohibitively expensive to buy and run. Some organisations get around this by transferring data from one side of their network to the other manually on discs. But that’s cumbersome and the capacity is limited. And it isn’t even fool-proof: malware can still travel on the discs.
This was the problem a client brought to us. Our answer is a new kind of data diode that’s low-cost and needs no maintenance. We’ve called it Oakdoor. We believe it makes a new level of security protection possible, even for the most sophisticated segmented networks that would need multiple diodes. And we believe it shows that complex problems can have simple solutions.
To explain why, let’s look at our client a bit more closely.
They had a low side and a high side to their network. Like a bank that updates customers’ balances after each transaction, they moved data from the low side to the high side. And like a business that shares audit information with the world at large, they also moved data in the opposite direction. On top of that, although the high side had its own storage and capacity, it needed software products and patches, which it got from the low side, increasing the high side’s exposure.
Our client had sophisticated firewalls in place, but wanted more protection. So they looked into data diodes.
Counting the cost of complexity
Data diodes have existed for decades, and they’re seen as one of the strongest barriers available. Data can only travel one way through them, so attackers can’t exploit the connection by sending malware or other attacks in the opposite direction. (The same property means there is no return path for acknowledgements, so transfers across a diode have to use protocols that don’t depend on one.) But our client was quoted tens of thousands of pounds for a single diode, with a significant annual maintenance bill on top. In common with other organisations, they’d defined multiple segregated networks, with high sides partitioned into different areas. In all, they were going to need a large number of data diodes to cover all their high-low network connections.
Even for organisations like government departments where security is paramount, this would be too big a pill to swallow. So rather than pin all their faith on firewalls, they asked our cyber security and engineering experts to think of a third option. Two years of development later, the result is Oakdoor.
Keeping it simple
Conventional data diodes have their own servers built in, along with extra services such as virus screening. This comes with an underlying, and ongoing, maintenance cost. Oakdoor performs only the most essential function: keeping the flow of data one-way to protect high-side computers. So it’s as simple as it can be, and the maintenance cost disappears.
No bigger than a paperback book, it connects to servers the organisation is already paying to maintain and needs no special extra components. Meanwhile, applications in other parts of the high network are already carrying out functions like virus screening.
Electrical, not optical
Another difference between Oakdoor and other data diodes is that it’s electrical rather than optical. The received wisdom says data diodes have to be based on components that translate information into photons. But we’ve found that electrical components are simpler and just as secure: what matters is that the one-way property is enforced by the hardware itself rather than by software, and an electrical design does that too. That makes for a less costly package and a faster interface. Electrical components are also a closer match with how other network components communicate.
Keeping cost down
All this means that, with our diode, the headline cost is only about a tenth of a conventional one – low enough to have multiple diodes connecting different segregated networks. This makes it well suited to modern networks, whose high sides are often divided into different parts (just like our client’s), for instance by country or sector. Ideally, each part needs a data diode to protect its link with the low side. While that level of protection has been off-puttingly expensive until now, we believe Oakdoor puts it within reach.