By Humphrey Browning | Blog

In early August, the Straits Times reported that the Singapore Government was instructing eleven critical services sectors to review their connections with untrusted external networks.

The guidelines, issued by Singapore’s Cyber Security Agency, included the recommendation that those who were able to justify the need for such connections should secure them using uni-directional data diodes or secured two-way informational gateways.

Here at Deep Secure we’ve long been convinced that while data diodes sound great in theory, they actually introduce more problems than they solve. Here’s why.

In normal operation, networked machines are capable of both transmitting and receiving data. When connecting two networks, one of which is untrusted, a data diode physically removes one of the transmit/receive channels and enforces a unidirectional flow at the hardware level. That sounds great in theory, but there are a couple of problems.

Firstly, data diodes simply stop the flow of all data in one direction; they do nothing to combat malware in content. As such, they offer no protection against malicious content in the data that is allowed to flow into or out of the business. Secondly, if you isolate a system or network with a data diode you tend to isolate it from information, the lifeblood of any business process. So in many instances the diode acts as an inhibitor rather than an enabler of business, and in this connected age that's just not acceptable.

So what's the alternative? The two-way information gateways alluded to by the Singapore Cyber Security Agency are fine, but so many of them focus on trying to detect known malware and, as we have seen time and again, these fail to protect the organization. The determined cyber criminal finds detection-based defences easy to penetrate, using zero-day exploits concealed in content to compromise the network.

In response, here at Deep Secure we decided to take what’s good about the data diode paradigm (assured one way data flows enforced at a hardware level) and combine it with a revolutionary approach to transforming content that ensures malware concealed in content simply cannot pass.

Deep Secure's information eXchange (iX) Content Threat Removal product uses a unique process of content transformation: content is intercepted at the boundary and then re-created from scratch, clean and safe, on the other side. Nothing travels end-to-end but safe content, and any threat is removed.

One-way flows of transformed (and safe!) content across the boundary are enforced with a High Speed Verifier (HSV). This is an FPGA-based device which offers no software or operating system to attack or bypass; it simply runs a logic check over the simple data structures passed to it by the Deep Secure Content Threat Removal iX product. With the HSV the verification process is simple and implemented directly in hardware logic. The HSV contains no processors, so there is no software that can be attacked. The absence of network devices, operating systems and application software means the attack surface is not only moved but made vanishingly small.
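As an added illustration of the transform-then-verify pattern described above (this is example code, not Deep Secure's own implementation, and the intermediate format, field names and limits are assumptions), the following Python sketch extracts only a fixed, simple structure from an input document, subjects it to a strict structural check in the spirit of the HSV's logic check, and rebuilds a brand-new document from the verified structure rather than forwarding the original:

```python
import json
import re

# Hypothetical intermediate form (an assumption, not Deep Secure's): two
# fields only, fixed types and hard limits, so the structural check stays simple.
MAX_TITLE, MAX_PARAS, MAX_PARA = 80, 20, 500
UNSAFE = re.compile(r"[^\x20-\x7E]")  # anything but printable ASCII

def sanitize_text(value, limit):
    """Rebuild a text field from scratch: printable ASCII only, bounded length."""
    return UNSAFE.sub("?", str(value))[:limit]

def transform(raw_doc):
    """Extract only the business content we understand; all other fields,
    including anything unknown such as an embedded macro, are discarded."""
    paras = [sanitize_text(p, MAX_PARA) for p in raw_doc.get("body", []) if isinstance(p, str)]
    return {"title": sanitize_text(raw_doc.get("title", ""), MAX_TITLE),
            "paragraphs": paras[:MAX_PARAS]}

def verify(inter):
    """Strict structural check, modelled on a fixed hardware logic check:
    exact key set, exact types, bounded sizes, restricted alphabet."""
    if not isinstance(inter, dict) or set(inter) != {"title", "paragraphs"}:
        return False
    title, paras = inter["title"], inter["paragraphs"]
    if not isinstance(title, str) or len(title) > MAX_TITLE or UNSAFE.search(title):
        return False
    if not isinstance(paras, list) or len(paras) > MAX_PARAS:
        return False
    return all(isinstance(p, str) and len(p) <= MAX_PARA and not UNSAFE.search(p)
               for p in paras)

def process(raw_json):
    """Boundary pipeline: transform, verify, then build a brand-new document.
    Returns None when the intermediate form fails verification."""
    inter = transform(json.loads(raw_json))
    if not verify(inter):
        return None
    return json.dumps(inter, sort_keys=True)  # fresh output; nothing is forwarded

# Constructed sample input: a non-string body item, an unknown "macro" field
# and a non-ASCII character, none of which survive the transformation.
SAMPLE = json.dumps({"title": "Q3 report\u2603", "macro": "<script>",
                     "body": ["Revenue up 4%.", 42, "See attached."]})
```

Because the verifier checks shape, types and bounds rather than looking for known bad patterns, it needs no signature updates and rejects anything it does not positively recognise.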

This iX and HSV combination delivers the benefit of a hardware-enforced uni-directional data flow (like a data diode) with none of the drawbacks. It also uses content transformation, rather than attempts at detection, to ensure that the content it transforms is 100% threat free.

Data diodes have their place. But if your business needs to interact with untrusted networks and you need certainty that the business content you are consuming is threat free, it's time to consider displacing the diode and deploying a Deep Secure iX and HSV architected solution, for the best of all worlds!

Humphrey Browning is a Deep Secure Sales Manager. Catch him on Stand K14 at the DIT Pavilion, Singapore International Cyber Week, 18th to 20th September 2018.
