Separation between two
The data diode is designed to prevent information leakage
This is probably one of the most common uses of data diodes, and it is also the most straightforward example. Consider two information security zones with different levels of security. Assume one zone handles only Open information and the other handles up to Secret information.
The Open system could be a data collection service; it doesn’t contain any information which isn’t available to the public. The data itself can however be correlated either with itself or with other sets of data, and the correlation is deemed to be classified as Secret. In other words, the data in Open can, and indeed should, be sent to Secret, but no data in Secret must reach Open.
To solve this, a data diode can be placed on the data link between the two information security zones. (The system architect will have made sure that this is the only data channel between the two systems.)
A few key points
- The primary role of the data diode is to stop information flow from Secret to Open.
- As long as the systems in the Secret zone are properly isolated, it doesn’t matter what kind of code is running in the Secret zone, no data can leave it through the data diode.
Note that the physical data diode device itself must be protected with at least the same level of physical protection as the systems containing the data in Secret. Or, to put it in the language of a system architect: the data diode must be part of system Secret. (In reality it’s a part of Secret’s boundary, but with regard to physical security it’s in Secret.) This follows logically, but in case it’s not clear why, an expanded reasoning follows:
The Role of Trust and Security in Data Diode Implementation
The personnel working within Secret must be trusted to handle the information which is classified as “Secret” – this follows by definition; if they can’t be trusted with it, they might just as well copy the information onto a memory stick and bring it with them, making the data diode completely irrelevant. In practice, though, even trusted personnel are often subject to additional layers of security, such as not having physical access to their computers (they may only be using a remote terminal which is connected to the computer in a locked server room), and similarly the data diode is part of the system’s secure data center.
If the data diode were placed in the Open zone, then its operators – who may not be authorized to handle Secret information – could simply bypass the data diode and access any traffic originating from the Secret zone. It should also be pointed out that there’s a strong assumption that the data diode cannot leak information through any side channels. Even under the assumption that an attacker has managed to install malicious code in the Secret zone, and is able to listen to the physical data diode link from within the Open zone, they are still unable to extract any information from the Secret network.
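Both architectural requirements above (the diode is the only channel between the zones, and the device is housed in Secret) can be checked mechanically against a link inventory. The following is an added example, not part of the original article: it models links as directed data flows and searches for any path from a Secret host to an Open host. The host names, link list and tuple layout are constructed assumptions.

```python
from collections import deque

# Constructed sample architecture; all host names are hypothetical.
ZONE = {"collector": "Open", "open-sw": "Open",
        "correlator": "Secret", "secret-sw": "Secret", "admin-pc": "Secret"}
# Link = (a, b, kind, location). "duplex" carries data both ways; "diode"
# carries data only from a to b, and location is where the device sits.
GOOD = [("collector", "open-sw", "duplex", "Open"),
        ("open-sw", "secret-sw", "diode", "Secret"),
        ("secret-sw", "correlator", "duplex", "Secret"),
        ("secret-sw", "admin-pc", "duplex", "Secret")]
# Same design plus a forgotten management cable that bypasses the diode.
BAD = GOOD + [("admin-pc", "open-sw", "duplex", "Open")]

def flows(links):
    """Directed adjacency map: node -> nodes it can send data to."""
    adj = {}
    for a, b, kind, _ in links:
        adj.setdefault(a, set()).add(b)
        if kind == "duplex":
            adj.setdefault(b, set()).add(a)
    return adj

def leak_paths(links, zone=ZONE):
    """For each Secret host, the shortest data path to an Open host, if any."""
    adj, found = flows(links), []
    for src in (h for h, z in zone.items() if z == "Secret"):
        prev, queue = {src: None}, deque([src])
        while queue:
            node = queue.popleft()
            if zone[node] == "Open":
                path = []
                while node is not None:
                    path.append(node)
                    node = prev[node]
                found.append(path[::-1])
                break
            for nxt in adj.get(node, ()):
                if nxt not in prev:
                    prev[nxt] = node
                    queue.append(nxt)
    return found

def misplaced_diodes(links):
    """Diodes whose physical device is not housed inside the Secret zone."""
    return [(a, b) for a, b, kind, loc in links if kind == "diode" and loc != "Secret"]

if __name__ == "__main__":
    for name, design in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, leak_paths(design), misplaced_diodes(design))
```

An empty result from both functions means the inventory matches the design described above; any returned path names the hops by which data could leave Secret.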