Skip to content

Share

  • Add this article to your LinkedIn page
  • Add this article to your Twitter feed
  • Add this article to your Facebook page
  • Email this article
  • View or print a PDF of this page
  • Share further
  • Add this article to your Pinterest board
  • Add this article to your Google page
  • Share this article on Reddit
  • Share this article on StumbleUpon
  • Bookmark this page
PA OPINION

Opening the doors to safer networks with Oakdoor data diode

If you run an IT network that looks after highly sensitive data – state secrets, patient records, customers’ bank accounts, critical national infrastructure – you’ll do whatever it takes (within reason) to keep it safe from cyber-attack. That probably means segmenting the network into a ‘low security’ side that connects to the internet and a ‘high security’ side that keeps the valuables well away from it. Even so, the two sides must still connect. Data travels from low to high and vice-versa – and in those moments, the high side is vulnerable to attack.

Data diodes or firewalls?

Then what? Until now, you’ve had two not-quite ideal ways to protect these connections: a firewall which uses software to protect the network, with potential software vulnerabilities a hacker could exploit, and a data diode which only lets certain types of data through, that’s highly effective, but prohibitively expensive to buy and run. Some organisations get around this by transferring data from one side of their network to the other manually using discs. But it’s cumbersome and the capacity is limited. And it’s not even fool-proof – malware can still jump onto discs.

This was the problem a client brought to us. Our answer is a new kind of data diode that’s low-cost and no-maintenance. We’ve called it Oakdoor. We believe it makes the a new level of security protection possible, even for the most sophisticated segmented networks that would need multiple diodes. And we believe it shows that complex problems can have simple solutions. 

To explain why, let’s look at our client a bit more closely.

They had a low side and a high side to their network. But like a bank that updates customers’ balances after each transaction, they moved data from the low to the high side. And like a business that shares audit information with the world at large, they also moved data in the opposite direction. As well as that, while the high side had its own memory and capacity, it needed software products and patches, which it got from the low side, increasing their vulnerability.

Our client had sophisticated firewalls in place, but wanted more protection. So they looked into data diodes.

Counting the cost of complexity

Data diodes have existed for decades, and they’re seen as one of the best barriers. Data can only travel one way through them, so hackers can’t exploit the connection by sending malware or other attacks in the opposite direction. But our client was quoted tens of thousands of pounds for a single diode, with a significant annual maintenance bill on top. In common with other organisations, they’d defined multiple segregated networks, with high sides partitioned into different areas. In all, they were going to need large numbers of data diodes to cover all their high-low network connections.

Even for organisations like government departments where security is paramount, this would be too big a pill to swallow. So rather than pin all their faith on firewalls, they asked our cyber security and engineering experts to think of a third option. Two years of development later, the result is Oakdoor.

Keeping it simple

Current data diodes have their own servers built in, along with extra services like virus screening. This comes with an underlying, and ongoing, maintenance cost. Oakdoor performs only the most essential function – keeping the flow of data one-way to protect high-side computers. So, it’s as simple as it can be – and the maintenance cost disappears.

No bigger than a paperback book, it connects to servers the organisation is already paying to maintain and needs no special extra components. Meanwhile, applications in other parts of the high network are already carrying out functions like virus screening. 

Electrical, not optical

Another difference between Oakdoor and other data diodes is that it’s electrical rather than optical. The received wisdom says data diodes have to be based on components that translate information into photons. But we’ve found that electrical components are simpler and just as secure. That makes for a less costly package and a faster interface. Electrical components are also a closer match with how other network components communicate.

Keeping cost down

All this means that, with our diode, the headline cost is only about a tenth of a conventional one - low enough to have multiple diodes connecting different segregated networks. This makes it well suited to modern networks, whose high sides are often divided into different parts (just like our client’s), for instance by country or sector. Ideally, each part needs a data diode to protect its link with the low side. While that level of protection has been off-puttingly expensive until now, we believe Oakdoor puts it within reach.

Oakdoor™ Data Diode keeps your organisation safe from cyber attacks. It enables safe remote browsing and data transfer.

Find out more

Contact the author

  • Tim Lunn

    Tim Lunn

    PA innovation Expert

    Tim is an expert in the delivery of complex technology projects and works with clients to deliver their requirements based on PA’s software, hardware and mechanical design expertise.

    Insights by Tim Lunn

Contact the product development and manufacturing team

×

By using this website, you accept the use of cookies. For more information on how to manage cookies, please read our privacy policy.