Securing Financial IT Infrastructure with Data Diodes | OPSWAT

By Sal Morlando, Senior Director of Products

As the frequency and sophistication of cyberthreats against financial institutions increase, cyber defense must go beyond traditional security measures to protect critical IT systems. Proper network segmentation is paramount to defending those systems, and data diodes offer greater security than other network security solutions.

Originally developed for military and defense systems, data diodes are finding new relevance in the financial sector, where data integrity, confidentiality, and regulatory compliance are paramount.

Data Diodes: What and Why?

A data diode is a hardware-enforced network security device that permits data to flow in only one direction between two networks. Unlike a firewall or software-based security system, a data diode is engineered to ensure that data can only travel in one direction, eliminating the risk of remote exploitation propagating back to critical IT infrastructure.

The one-way security policy of a data diode is enforced in hardware and cannot be compromised. By creating a one-way communication path, data diodes segregate high-value assets from less secure environments while still enabling critical data transfer.

A second and equally important security benefit of a data diode is the protocol break it enforces between the source and destination networks. Data diodes were originally designed to meet Department of Defense cross domain communication requirements, which include maintaining complete network confidentiality between the source and destination.

Unlike a firewall that opens a TCP or UDP connection between networks, data diodes only transfer the data payload. Proxy software on the source side of the diode strips off routable information in the data packet header and transfers only the payload to the destination side of the diode. The software on the destination side rebuilds the data packet and, through separate provisioning, routes the packet to the correct endpoint.
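A simplified model of the protocol break described above, added here as an illustration and not taken from OPSWAT's product: the source proxy discards all addressing and forwards only a framed payload, and the destination proxy picks the endpoint from its own, separately provisioned table. The channel number, frame layout, CRC32 check, addresses and function names are assumptions made for the example.

```python
import struct
import zlib

# Constructed sample: a syslog datagram as seen on the source network.
SOURCE_PACKET = {
    "src": ("10.20.0.15", 51514),   # internal host; must not cross the diode
    "dst": ("10.20.0.250", 514),    # source-side proxy listener
    "payload": b"<134>core-banking: txn=constructed-0001 status=posted",
}

# Source-side provisioning (assumed): listener port -> one-way channel number.
SOURCE_CHANNELS = {514: 7}
# Destination-side provisioning (assumed), configured independently of the source.
DEST_ROUTES = {7: ("192.168.50.10", 5514)}

# Assumed frame header: channel id, payload length, CRC32 of the payload.
HEADER = struct.Struct("!HII")


def source_proxy(packet):
    """Drop every header field and emit a frame of channel id plus payload."""
    channel = SOURCE_CHANNELS[packet["dst"][1]]
    payload = packet["payload"]
    return HEADER.pack(channel, len(payload), zlib.crc32(payload)) + payload


def destination_proxy(frame):
    """Validate a frame and rebuild a packet using destination-side config only."""
    if len(frame) < HEADER.size:
        return None
    channel, length, crc = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:]
    # There is no return path, so a damaged frame cannot be re-requested:
    # the receiver can only drop it (and should count the drop for monitoring).
    if len(payload) != length or zlib.crc32(payload) != crc:
        return None
    if channel not in DEST_ROUTES:
        return None  # nothing provisioned for this channel on the destination side
    return {"dst": DEST_ROUTES[channel], "payload": payload}


if __name__ == "__main__":
    print(destination_proxy(source_proxy(SOURCE_PACKET)))
```

Because the frame carries no source or destination address, the destination network learns nothing about the source network's layout, and the only routing decision is the one configured on the destination side.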

Widely deployed to secure classified networks, nuclear power generation infrastructure, and many other critical systems, data diodes solidify network segmentation strategy and secure cross-network domain communications.

Use Cases in Financial Services

As with other industries, financial institutions have developed complex IT infrastructure to support their business processes, which involve the sharing of data between different departments as well as outside partners and vendors. Often, data sharing is one-way, but the network infrastructure carrying the data is bidirectional, opening potential threat vectors to the organization.

There are many examples where data diodes can be applied to securely share data. The following are a few examples:

  1. Backup and Archiving Sensitive Data: Financial institutions back up data from operational systems to archive facilities in order to ensure business continuity in the event of system failure. Data diodes can transfer files, replicate databases and move system event information into an archive facility as well as securely retrieve data from the archive facility.
  2. Secure Transfer of Market Data to Isolated Networks: Trading environments rely on real-time market data feeds from Bloomberg, Reuters, and others. This data is a one-way push into typically isolated trading environments. Data diodes can be deployed at the network boundary, transferring real-time video and other news feeds with minimal latency and without opening a reverse communication channel.
  3. Regulatory Reporting: Financial companies submit compliance reports to regulatory agencies from secure environments. This is a one-way push of data that is often sent over bidirectional networks. Data diodes can be provisioned to automatically send files to the appropriate destination, ensuring sensitive regulatory data is transmitted without risking the integrity of the source environment.
  4. Secure SIEM Integration: Splunk to Splunk Replication: In the financial services industry, Splunk is primarily used to unify data into a single "pane of glass" supporting back-office real-time monitoring and analytics operations. It is used to support security, operational efficiency, and customer experience. Securing the transfer of data to Splunk using data diodes protects the integrity of business operations such as:
    1. Transaction Monitoring & Fraud Detection: Splunk supports fraud detection systems. Transaction logs from banking systems need to be securely transferred to Splunk in real-time. Data diodes maintain required network segmentation while supporting real-time data transfer needed for anomaly detection.
    2. Regulatory Compliance System Health: Data diodes secure data transfers to Splunk, supporting necessary audits.
    3. Data diodes transfer system logs and alerts to Splunk over a highly secured network connection.
  5. Financial Intelligence Sharing: As with applications within the Department of Defense, data diodes can be used to share information between departments within an organization or with other partner institutions. Data diodes maintain complete business continuity while avoiding compromise of internal secure networks.
  6. Cloud Data Transfer: Financial institutions can use data diodes to replicate data to cloud platforms for processing, analysis, or storage, without compromising the security of their internal networks. 

Strengthening Financial Cybersecurity with Data Diodes

As financial services companies face growing cyberthreats and regulatory pressure, data diodes offer a highly secure and compliance-aligned solution for safeguarding mission-critical systems. By enforcing physical one-way data flows, they provide a level of assurance that software-based solutions alone cannot match.

Data diodes can be applied in financial service infrastructure to enable secure one-way data transfer, isolating sensitive internal systems from external networks while allowing outbound transactional updates and reporting. This helps protect valuable information and network infrastructure from cyberthreats and data breaches. 

Explore how Data Diodes can strengthen your financial infrastructure security. Connect with our experts to see how you can enable secure one-way data transfer while maintaining compliance and operational efficiency.
