
Secure File Transfer Between Geographic Locations Over Insecure Networks

By OPSWAT

Transferring sensitive files between geographic locations over insecure networks requires security considerations for file integrity, network security, and asset security to ensure that files have not been compromised. Likewise, sensitive networks and critical infrastructure systems need to be protected from potential intrusion.

Data Diodes and Digital Signatures  

Data diodes have historically been used to provide air-gapped security between networks; however, transferring files between geographic locations raises security concerns for both the sending and receiving locations. Crossing an insecure network creates opportunities for man-in-the-middle attacks.

To enable secure file transfer between geographic locations, OPSWAT's optical data diodes use a combination of Digital Signatures, Signature Verification, and Mutual TLS. A typical solution includes two sets of Optical Diodes with digital signatures applied and then validated at each step of the transfer workflow.  

How Data Diode Workflows Work

In the following demonstration, there are two sets of optical diodes deployed at Site A (Blue A/Red A) and at Site B (Blue B/Red B), along with the file servers already deployed on the source and destination networks.

Optical Diode (Blue A) copies a file from File Server 1 and applies a digital signature to the incoming file. The private/public signing key pair is either obtained from a Certificate Authority or self-generated. Blue A signs the SHA-256 hash of the file's content with the private key. The file, along with its metadata containing the digital signature, is transferred across the optical diode from Blue A to Red A.

Once Red A verifies the digital signature on the incoming file, the file with its metadata is transferred from Red A to Blue B over the untrusted network. To ensure confidentiality over the insecure network, Mutual TLS secures communication between the sites.

After Blue B receives the file, it verifies the hash and signature to check the file's integrity, then transfers it from Blue B to Red B, which verifies the file's signature using the public key. Files with valid digital signatures are delivered from Red B to the destination File Server 2.
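The sign-once, verify-at-every-hop workflow above can be modelled in a few lines of Go. This is an added example, not OPSWAT's implementation: ECDSA P-256, the `Envelope` type and the function names are assumptions, the file content is constructed, and the Mutual TLS link between the sites is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Envelope struct{ Content, Signature []byte } // hypothetical: file plus signature metadata

// NewSigningKey makes a self-generated pair (ECDSA P-256 is an assumption).
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignAtSource plays Blue A: hash the file with SHA-256, sign the digest.
func SignAtSource(priv *ecdsa.PrivateKey, content []byte) (Envelope, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Envelope{content, sig}, err
}

// Relay re-verifies e at Red A, Blue B and Red B; if alteredBefore names a hop, the
// content changes just before it. Returns the rejecting hop, or "" when delivered.
func Relay(pub *ecdsa.PublicKey, e Envelope, alteredBefore string) string {
	for _, hop := range []string{"Red A", "Blue B", "Red B"} {
		if hop == alteredBefore {
			e.Content = append([]byte{0}, e.Content...) // new slice, caller untouched
		}
		digest := sha256.Sum256(e.Content)
		if !ecdsa.VerifyASN1(pub, digest[:], e.Signature) {
			return hop
		}
	}
	return ""
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	env, err := SignAtSource(priv, []byte("constructed sample file content"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%q %q\n", Relay(&priv.PublicKey, env, ""), Relay(&priv.PublicKey, env, "Blue B"))
}
```

A change made on the link between the sites is rejected at Blue B, the first node after that link, so an altered file never crosses the second diode toward File Server 2.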

Industry-Leading Data Diodes and Unified IT/OT Security Solutions

The combination of optical diodes with digital signing and verification, and mutual TLS communication over insecure networks establishes a comprehensive security framework. This framework helps ensure file integrity and protects critical digital assets and sensitive networks.

MetaDefender Optical Diode™ solutions offer hardware-enforced one-way data transfer between IT and OT networks, supporting secure data replication and operational visibility without compromising network isolation.  

To learn more about how OPSWAT can help reduce exposure risks and support securing your data transfers over multiple sites, talk to an expert today. 
