Data has never been more critical than it is now. The IBM Institute for Business Value report COVID-19 and the Future of Business [1] found that 59% of companies have accelerated digital transformation: companies that were semi-digital pivoted to fully digital, while companies that were already fully digital expanded into new use cases. The current expectation of an entirely data-driven, digital business is a permanent shift in the business environment.
Data is now an enterprise asset
- Data for business platforms – Businesses look to orchestrate internal and external data generated by ecosystem partners and customers to design business and marketplace platforms that monetise data, expand market opportunities and reinvent competitive positioning [2].
- Data for workflows – Businesses harness enterprise data to activate intelligent workflows and automate processes to improve customer experience and increase productivity and operational efficiency [2].
- Data for experience – Companies use real-time data insights to turn the customer, employee and ecosystem partner experience into a personalised one, improving engagement with the digitally connected business landscape [2].
Secure what matters to your organisation
Just as organisations use locked warehouses, security personnel, gate barriers and surveillance cameras to ensure that their valuable physical products and goods are not stolen, businesses need to ensure that their digital enterprise data is not stolen or leaked.
Once data is collected, it can be stored in an on-premises data centre or sent to external networks, such as cloud services or centralised data centres, for processing, further analysis or storage. A poorly secured data architecture can provide entry points for cyber criminals or malware, which could result in huge financial or reputational loss.
According to a report from VMware [3], 50% of cyber-attacks today target not only a network but also those connected to it via a supply chain. A 2020 report by Sonatype also found that supply chain attacks on open-source software surged by 430%. Once threat actors have a foothold in your network, they will attempt to move laterally to escalate their privileges and gain control over your systems, or they will lie dormant for months or even years at a time, collecting and exfiltrating data.
One way to mitigate these attacks is to implement a Data Diode in your security architecture.
Why Data Diode?
A Data Diode is one solution that can be used for data transfer while maintaining the air gap between the source and destination networks. In general, Data Diodes allow unidirectional transfer of data while any traffic in the opposite direction is prevented. To be 100% assured, the unidirectional transfer has to be enforced physically rather than logically, so that transmission can only occur from the source side and never from the other. This is usually achieved optically: the optical transmitter is placed only on one side, while the optical receiver is placed only on the other.
Data Diodes, however, being unidirectional, may inevitably have issues with data integrity because there is no feedback path. This means that if an error occurs during the transfer, such as data packets being dropped without any retransmission, the result is data loss or corrupted files.
Figure 1: Common Data Diode Deployment
The issue can be addressed by reducing the number of processing stages. Generally, a Data Diode setup consists of a TX (transmit) unit and an RX (receive) unit, with proxy servers on both ends of the Data Diode hardware. The proxy servers act as the primary interface between the source and the TX, and between the RX and the destination; they are responsible for providing forwarding services as pre-configured, facilitating protocol breaks and handling internal Data Diode communications. When the proxy server on the source side receives data from the source, it extracts only the payload data and sends it across the Data Diode hardware, typically via User Datagram Protocol (UDP). The proxy server on the destination side then re-packages the payload and forwards it to the destination.
This typical way of deployment introduces unnecessary data paths and hardware, which ultimately reduces the efficiency and reliability of the whole data transfer process. As in the game of Pass the Message, the more people are added to the chain, the more likely it is that the message will be misinterpreted along the way.
Additionally, UDP as a protocol is known to be unreliable. In both UDP and Transmission Control Protocol (TCP), a large data set (i.e. a file) is broken down into individual packets that are sent hop by hop from one node to the next until they reach their destination. Once all packets have arrived, the data set is reconstructed and the file is back in its original state. Unlike TCP, however, UDP has no acknowledgement and no retransmission, so there is no guarantee that all packets will be received at the destination to be reconstructed into files. This limitation was not an issue when Data Diodes were primarily used to transfer relatively small pieces of data, such as logs; because so many logs are generated every minute and every second, it was not crucial that every single log be received successfully.
In today’s context, this limitation has become more prominent as organisations start to transfer large files between networks, such as images, videos or even databases. A few missing packets can no longer be tolerated, as they translate to data loss during the transfer process.
Figure 2: Effective Data Diode Deployment
The way to address this is to implement Data Diodes that connect directly to the source and destination, without additional nodes such as proxy servers. This greatly reduces the possibility of data loss during transmission. Furthermore, the smaller footprint means further cost savings in terms of power consumption, space and maintenance. In addition, Data Diodes that ensure full reconstruction and rebuilding of files at each stage will achieve almost zero file loss, compared to those that forward data packets and only rebuild files at the destination.
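The following simulation, added here as an illustration and not code from the original article or any diode vendor, shows the failure mode described in the UDP discussion above and the receiver-side reconstruction the paragraph above calls for: a constructed file is split into sequence-numbered datagrams, pushed through a one-way channel that silently drops one of them, and rebuilt on the receiving side, which has to detect the gap itself (via sequence numbers and a SHA-256 manifest) because there is no feedback path to request a retransmission. The frame layout, the manifest datagram and the sample payload are all assumptions made for the example.

```python
import hashlib
import struct

# Constructed sample payload standing in for a file sent across the diode.
SAMPLE_FILE = bytes(range(256)) * 40  # 10,240 bytes -> 10 chunks of 1,024
CHUNK = 1024
HEADER = struct.Struct("!IIH")  # assumed frame header: seq, total chunks, payload length


def build_datagrams(data, chunk=CHUNK):
    """Split a file into sequence-numbered UDP-style datagrams.
    A final manifest datagram (seq == total) carries the SHA-256 of the whole file."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    total = len(chunks)
    frames = [HEADER.pack(seq, total, len(c)) + c for seq, c in enumerate(chunks)]
    digest = hashlib.sha256(data).digest()
    frames.append(HEADER.pack(total, total, len(digest)) + digest)
    return frames


def lossy_diode(frames, drop_seq=None):
    """One-way channel: frames pass in order, the chosen one is silently dropped.
    There is no return path, so the sender never learns that a frame was lost."""
    return [f for f in frames if HEADER.unpack_from(f)[0] != drop_seq]


def receive(frames):
    """Receiver-side reconstruction. Returns (data, missing_seqs, hash_ok).
    Since the diode cannot ask for a retransmission, the receiver must detect
    gaps itself instead of quietly writing out a corrupted file."""
    parts, manifest_digest, total = {}, None, None
    for f in frames:
        seq, total, length = HEADER.unpack_from(f)
        payload = f[HEADER.size:HEADER.size + length]
        if seq == total:
            manifest_digest = payload  # the manifest, not a data chunk
        else:
            parts[seq] = payload
    missing = [s for s in range(total or 0) if s not in parts]
    data = b"".join(parts.get(s, b"") for s in range(total or 0))
    # hash_ok is False both for a corrupted file and for an unverifiable one (manifest lost)
    hash_ok = manifest_digest is not None and hashlib.sha256(data).digest() == manifest_digest
    return data, missing, hash_ok


def transfer(drop_seq=None):
    """Send SAMPLE_FILE across the simulated diode, optionally dropping one frame."""
    return receive(lossy_diode(build_datagrams(SAMPLE_FILE), drop_seq))
```

Dropping the manifest frame itself (sequence number equal to the chunk count) leaves the receiver with a complete but unverifiable file, which the receiver reports the same way as a corrupted one.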
Is Data Diode the only go-to solution?
Although Data Diodes can protect networks from all network-based attacks through protocol breaks, and prevent data leakage through their unidirectional nature, a Data Diode is stateless and does not monitor or analyse the full state of network traffic and data. This means that a Data Diode cannot ensure that the data being transferred is free of embedded malware.
Moreover, for use cases such as web applications, a single Data Diode alone may not meet the functional and security requirements. For such cases, Cross-Domain Solutions (CDS), which are integrated information assurance systems comprising specialised software and hardware, are more suitable for transferring information between two or more networks of differing security levels. For file transfer, a CDS may include file scanning or content disarm and reconstruction (CDR) software that automatically processes incoming files, ensuring that they are free of embedded malware and safe before they are brought into the secured network. For web applications, a CDS will contain more specialised software, such as checkers, for deep content inspection to mitigate threats like Structured Query Language (SQL) injection, Cross-Site Scripting (XSS), etc. This software itself also needs to be protected from compromise, and Data Diodes provide that protection.
Figure 3: Example of Cross Domain Solutions
As we move into the age of 5G, we will continue to see an exponential increase in connectivity and data generation. Securing data and networks is paramount in ensuring that business operations do not get disrupted. Cybersecurity can no longer be a reaction to cyber-attacks when the stakes are high. As the saying goes, “Prevention is better than cure.”
References: