Segmentation, data diodes and NSA’s zero trust guidance

While the NSA’s recent guidance on fortifying the network and environment pillar of Zero Trust through segmentation is impactful, many organizations still have a demand for connectivity in the midst of digitalization and Industry 4.0. Connectivity is critical for organizations seeking to collect and share data as they increasingly rely on interconnected systems to optimize production, predict maintenance needs and make data-driven business decisions. While this connectivity enables productivity, cyberattacks continue to escalate in speed and scale, which is why a secure network architecture is non-negotiable.

The NSA guidance stated, “Traditional network security has emphasized defense-in-depth approach; however, most networks invest primarily in perimeter defense. Once inside the network perimeter, end users, applications, and other entities are often given broad access to multiple corporate resources.” The guidance goes on to focus heavily on segmentation for the network and environment by isolating critical resources from unauthorized access. It is built on the Zero Trust (ZT) security model, walking through each step and how it builds on the previous one to help organizations achieve better network security.

Better security through network segmentation

Network segmentation is the process of dividing a network into smaller parts to improve security and performance. The NSA’s focus on ZT architecture advises organizations to minimize trust levels and require verification for access to each part of the network, even as a single user moves from one part of the network to another. This segmentation enables granular control over access traffic, allowing organizations to implement more restrictive security measures for sensitive data and critical systems. However, it’s important to both safeguard network integrity and preserve critical connectivity and data accessibility.

Firewalls can help enforce access control policies between networks, as can virtual LANs (VLANs), demilitarized zones (DMZs) and access control lists (ACLs). However, these approaches can be resource intensive, error-prone and time-consuming, and may not stand up to evolving threats. In increasingly interconnected environments, organizations must deploy architecture that enables operational efficiency while allowing security teams to ensure that malicious actors cannot take advantage of two-way data transfer to compromise highly sensitive environments.

Data diodes: Enabling one-way communication

Data diodes, common in high-security environments (such as defense and intelligence agencies) for decades, are increasingly deployed in private enterprises. These unidirectional security gateways are hardware cybersecurity solutions that enforce one-way data transfers, either from a high-security network to a network with a lower security level or from a low-security network to a high-security one. This enables organizations to securely import and export data while mitigating security risks and minimizing the potential for introducing malware that is inherent in manual data transfers via portable media. This one-way data flow between networks not only aligns with the NSA’s guidance for network security but also preserves productivity and data integrity.
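Because nothing can travel back through a diode, the receiving side never gets to acknowledge a datagram or request a retransmission, so the sender must make every datagram self-describing and the receiver must detect gaps and corruption on its own. The following Python sketch is an added illustration of that constraint, not code from the NSA guidance or from any data diode product: it frames a payload with a sequence number, chunk count and SHA-256 digest, and reassembles it on the far side; the transfer id, chunk size and header layout are assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import struct

# Constructed framing for one-way transfer: the diode carries datagrams in one
# direction only, so each frame carries everything the receiver needs to place
# it, and the sender simply repeats the stream instead of waiting for NACKs.
HEADER = struct.Struct("!16sIIH")  # transfer id, seq, total chunks, body length
CHUNK = 1024  # assumed chunk size

def build_frames(transfer_id: bytes, data: bytes, chunk: int = CHUNK) -> list[bytes]:
    """Split data into self-describing datagrams, each ending with a SHA-256 digest."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    frames = []
    for seq, body in enumerate(chunks):
        header = HEADER.pack(transfer_id, seq, len(chunks), len(body))
        frames.append(header + body + hashlib.sha256(header + body).digest())
    return frames

class Reassembler:
    """Low-side receiver: accepts frames in any order, any number of times,
    and decides without feedback whether a transfer is complete."""
    def __init__(self) -> None:
        self.transfers: dict[bytes, dict] = {}  # id -> {"total": n, "chunks": {seq: body}}

    def accept(self, frame: bytes) -> bool:
        if len(frame) < HEADER.size + 32:
            return False
        header, rest = frame[:HEADER.size], frame[HEADER.size:]
        body, digest = rest[:-32], rest[-32:]
        if hashlib.sha256(header + body).digest() != digest:
            return False  # corrupted in flight: drop it, a repeat may still arrive
        tid, seq, total, length = HEADER.unpack(header)
        if len(body) != length or seq >= total:
            return False
        entry = self.transfers.setdefault(tid, {"total": total, "chunks": {}})
        entry["chunks"][seq] = body  # duplicates from re-sends simply overwrite
        return True

    def missing(self, tid: bytes) -> list[int]:
        """Sequence numbers not yet seen; the receiver's only way to detect loss."""
        entry = self.transfers.get(tid)
        if entry is None:
            return []
        return [s for s in range(entry["total"]) if s not in entry["chunks"]]

    def assemble(self, tid: bytes) -> bytes | None:
        if tid not in self.transfers or self.missing(tid):
            return None
        entry = self.transfers[tid]
        return b"".join(entry["chunks"][s] for s in range(entry["total"]))
```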

Microsegmentation is another network security technique that allows for fine-grained network segmentation. Traditional network segmentation might divide a network into subnets or VLANs; microsegmentation creates even smaller, more isolated security zones around individual workloads or applications. Organizations can then define security policies to restrict communication between specific workloads or applications, reducing the attack surface for a malicious actor. Even if an attacker gains access to one segment, microsegmentation limits the ability to move laterally and access critical resources. It can also help organizations to monitor and isolate threats more quickly by analyzing traffic in smaller individual segments.

Diodes provide the macrosegmentation of operational technology (OT) that the NSA’s guidance addresses while still allowing data to flow. Data diodes can also be used for microsegmentation to prevent lateral movement, particularly when combined with more robust firewalls and intelligent intrusion prevention systems that leverage machine learning for traffic inspection. This approach helps to identify suspicious activity more easily, enabling security teams to take quick action to contain the threat.

What industries use data diodes?

Many industries increasingly rely on data diodes to transmit data securely in a single direction, including nuclear power plants, manufacturing facilities, healthcare systems and other organizations providing critical infrastructure. This allows these private enterprises to securely transmit data generated by industrial control systems (ICS), safety systems and supervisory control and data acquisition (SCADA) systems to other networks while still protecting these networks from attacks, even when transmitting data to the public internet. Unidirectional security gateways help organizations in these industries to align with compliance requirements such as NERC CIP in the power generation industry, as well as ensure the protection of classified information and intellectual property.

Maintaining security and productivity

As security experts increasingly see a cyber incident as a matter of when, not if, it is vital to align with the NSA’s guidance on network segmentation and ensure secure unidirectional communication. Even if protected networks have been compromised, data diodes provide both macrosegmentation for protecting a perimeter and microsegmentation for preventing lateral movement within a network. And while network segmentation is at the core of this guidance, remember that a defense-in-depth approach is necessary to fully implement Zero Trust.