Securing Data Vaults with Owl Data Diodes

Securing Data Vaults with Owl Data Diodes


Recognizing the need to isolate and lock down all data sets for maximum effectiveness, modern ransomware threats have taken to seeking out data vaults, backups, and archives ­first in their attacks. This leaves organizations with basically only two choices – pay a hefty ransom to unlock the data, or their operations and record keeping will have to start from scratch. Standard data backup solutions fail to secure backups as they rely on RBAC, passwords, and other basic credentials that can be skimmed, socially engineered, or bypassed by determined threat actors.


  1. Mitigate ransomware threats to archives and backup repositories.
  2. Segment the business network from the backup archive or vault.
  3. Allow one-way data flow into the data vault backup without external access.
  4. Transfer data files or database records to off-site data vault, backup and/or isolated enclave.
  5. Provide versioning of files/records to prevent overwriting with corrupted data.
  6. Enable high-speed data flow to back up data as close to real-time as possible.

Use Case Assumptions

  • The data inside the IT/corporate network will be the most likely point of corruption (phishing, etc.).
  • The data will be “as it is” once it leaves the send side of the one-way connection from the source network.
  • The data vault (secure backup or archive) will be isolated from the source network with air-gap level segmentation.
  • Different versioning methods will be required for different data types (database, files, etc.)

Use Case | Before


Designed for a physically-enforced optical separation and one-way only data transfer, Owl data diodes provide extremely high security assurance and reliability. Their drag and drop usability and unhackable nature make them an ideal protection mechanism for protecting on- or off-site data vault backups and archives. Unlike traditional backup solutions, data diodes cannot be bypassed with a skimmed password or other stolen credentials.

  • Air-gap level network/system segmentation and security
  • Deterministic, hardware-enforced one-way data transfer of nearly any data type
  • Payload only transfer with non-routable protocol break
  • High bandwidth throughput of up to 10 Gbps

Use Case | After


  1. Extremely secure high-speed data backup solution effectively mitigates ransomware threats
  2. Eliminates IP probing and lateral movement, with zero side channel leakage
  3. Integrates seamlessly with most IT networks, systems, and protocols, including cloud environments
  4. Data can be transferred offsite and/or to a trusted network
  5. Far less management overhead compared to standard software firewall
  6. No bypass capability – one-way transfer prevents all unauthorized external access