Hardware-based security is often misunderstood. Many people think of it only as a place to secure keys and cryptographic operations or a hardware-enhanced capability to do secure boot operations. While those are certainly important and valuable functions, there are hardware-based security technologies that go far beyond those limited capabilities. One such technology is data diodes, devices that act as one-way data valves allowing data to flow out without a way back in.
Given that software-based security is more widely adopted (but also much more vulnerable), myths have evolved around the lesser-known yet far more secure data diode technology: that it’s cost-prohibitive, hard to deploy, doesn’t support two-way protocols, and more. Such myths are exactly that—fiction. The reality is that data diodes are compact, affordable, and highly capable devices that support a wide range of data security use cases.
Let’s deconstruct the top three misconceptions.
1. Data diodes are complex and expensive
Data diodes can be highly economical. Contrary to belief, a single-purpose data diode can cost just a few thousand dollars. Providing more reliable protection and a lower total cost of ownership than the alternatives, they are a great value.
Data diodes can be installed by a non-cyber-savvy customer in as little as a few hours, without extensive training or onsite support. That’s a far cry from unidirectional gateways (a technology that some people confuse with data diodes) which can take weeks or months to install. They’re also standalone devices that don’t require software patches, updates, or other maintenance. Unless a data flow needs to be modified, a data diode never needs to be updated at all. That’s much more economical than firewalls and unidirectional gateways which require constant monitoring and updating.
2. Data diodes can only handle single data flows and one-way use cases
While data diodes are one-way flow control devices, they can easily drop into two-way networks and support two-way protocols without opening a threat vector.They can scale from a single data flow to hundreds, simultaneously supporting multiple protocols. Data can originate from many sources and be transferred to many destinations concurrently, without risking inbound threat exposure for the source systems.
3. Firewalls provide the same level of protection
No doubt, firewalls are very important security solutions. They are widely deployed for good reason. But because they are software-based, they inherently have a broad range of vulnerabilities and no ability to provide a protocol break.
Data-diode security is hardware-based and deterministic. It’s impervious to malware, zero-day attacks, and configuration mistakes by design. Traffic goes through a protocol break and transfers only the payload, not the whole packet. The high-speed, circuit-based inspection and validation of individual packets stops attacks from spreading and protects the original IP address. That level of protection goes well beyond what firewalls can do.
A data diode’s built-in protocol break is especially important when considering recently-discovered software flaws like Ripple20 and Amnesia:33, through which vulnerabilities are exploited with malicious packet fragmentation or inappropriate values in packet headers. Firewalls typically don’t detect those issues, but a diode’s protocol break and hardware-enforced separation will ensure that the malicious data does not propagate.
Data diodes have been trusted by critical infrastructure operators, military commands, and intelligence services for decades. No other technology delivers the same combination of security, value and flexibility. With the constant barrage of new cyber-threats that disrupt business and push security staff to their limits, now is a great time for all enterprises to consider a hardware-based data-diode solution to elevate the protection of any data that is important to them.
By Brian Romansky, chief innovation officer, Owl Cyber Defense
