Bidirectional Data Security With Optional Data Diode Version

KLOCH secures operational data at the payload level first, then optionally enforces strict one-way flow for monitoring-only use cases. Conventional deployments treat payload encryption and data diode architectures as alternatives; KLOCH encrypts before enforcing direction, so the traditional tradeoff between the two does not apply.

1. Data Diode Mode

One-Way Flow Enforced After Encryption

With the optional data diode installed, KLOCH enforces a unidirectional data path from the protected environment to downstream systems. Traffic is allowed to flow outbound only. Inbound packets, acknowledgments, and signaling paths are physically and logically prevented. Because nothing can return across the boundary, delivery cannot be confirmed from the protected side; any handling of lost or reordered frames has to be designed into the export stream itself rather than into a request/acknowledge exchange.

Unlike traditional diode architectures that rely solely on flow direction for security, KLOCH applies encryption to the data stream before one-way enforcement. As a result, data crossing the diode is protected at the payload level as well as by direction.

Behavioral Properties

1. Outbound-only data transmission enforced at the endpoint
2. Physical barrier prevents external access to protected networks
3. Payload encryption occurs along with one-way flow enforcement

2. Downstream Data Handling

What Happens After Data Crosses the Diode

Operational telemetry exported through a data diode is commonly duplicated across historians, analytics systems, and cloud platforms. In many architectures, data is plaintext once it crosses the boundary, increasing exposure as it is stored, forwarded, or shared.

With KLOCH, exported data remains encrypted after it leaves the protected environment. Downstream systems may store, process, or forward the data, but confidentiality is preserved unless explicitly decrypted by an authorized endpoint.

Downstream Implications

1. Exported telemetry can be copied or forwarded without exposing plaintext
2. Compromise of a downstream monitoring system does not reveal raw operational data unless that system holds the decryption key
3. Confidentiality is maintained independently of downstream boundaries
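The two sections above describe the sequence: seal the payload inside the protected environment, push it across a link with no return path, let key-less downstream systems store and forward the ciphertext, and decrypt only at an authorized endpoint. The following Go program is an added illustration of that sequence written for this page; it is not KLOCH code and says nothing about how KLOCH implements its cipher, key handling or hardware. It assumes a 32-byte key shared out of band between exporter and endpoint, uses AES-256-GCM from the Go standard library, models the diode as a send-only channel, and constructs three sample telemetry records. It also shows two consequences a practitioner has to plan for on any one-way link: a frame lost in transit can only be reported as a gap, never re-requested, and a downstream system that tampers with its copy is caught by the authentication tag rather than by any feedback to the sender. The function and type names (`Exporter`, `Endpoint`, `RunScenario`) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Frame crosses the simulated one-way boundary: cleartext sequence number plus
// an AES-256-GCM sealed payload.
type Frame struct {
	Seq        uint64
	Ciphertext []byte
}

// seqNonce turns the sequence number into the 96-bit GCM nonce; the same bytes
// double as associated data, so the sequence number is authenticated as well.
func seqNonce(aead cipher.AEAD, seq uint64) []byte {
	nonce := make([]byte, aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], seq)
	return nonce
}

// Exporter sits inside the protected environment. Its only link outward is a
// send-only channel: reading from it is a compile error, as a diode has no inbound path.
type Exporter struct {
	aead cipher.AEAD
	seq  uint64
	out  chan<- Frame
}

// Send seals one record under the next sequence number and pushes it out.
func (e *Exporter) Send(record []byte) {
	e.seq++
	nonce := seqNonce(e.aead, e.seq)
	e.out <- Frame{Seq: e.seq, Ciphertext: e.aead.Seal(nil, nonce, record, nonce)}
}

// Endpoint is the authorized decrypting consumer at the far end.
type Endpoint struct {
	aead    cipher.AEAD
	lastSeq uint64
}

// Open authenticates and decrypts one frame. With no return path there is no
// retransmission, so a gap is reported as lost frames rather than re-requested.
func (p *Endpoint) Open(f Frame) (plaintext []byte, lost uint64, err error) {
	if f.Seq <= p.lastSeq {
		return nil, 0, fmt.Errorf("frame %d replayed or out of order", f.Seq)
	}
	nonce := seqNonce(p.aead, f.Seq)
	pt, err := p.aead.Open(nil, nonce, f.Ciphertext, nonce)
	if err != nil {
		return nil, 0, err // tampered payload, altered sequence number or wrong key
	}
	lost = f.Seq - p.lastSeq - 1
	p.lastSeq = f.Seq
	return pt, lost, nil
}

// RunScenario exports three constructed telemetry records, loses the second on
// the wire, lets a key-less historian store the rest (tampering with one copy),
// and has the endpoint decrypt. It returns the recovered plaintexts, the frames
// reported lost, and whether the tampering was caught.
func RunScenario(key []byte) (recovered []string, lost uint64, tamperRejected bool, err error) {
	block, err := aes.NewCipher(key) // key shared out of band with the endpoint (assumed)
	if err != nil {
		return nil, 0, false, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	records := []string{"pump1 flow=42.0", "pump1 flow=43.5", "pump1 flow=41.2"}
	link := make(chan Frame, len(records)) // buffered: the sender never waits on anyone
	exp := &Exporter{aead: aead, out: link}
	for _, r := range records {
		exp.Send([]byte(r))
	}
	close(link)
	var historian []Frame // downstream store with no key: holds ciphertext only
	for f := range link {
		if f.Seq != 2 { // frame 2 is lost in transit and can never be re-requested
			historian = append(historian, f)
		}
	}
	ep := &Endpoint{aead: aead}
	bad := Frame{Seq: historian[1].Seq, Ciphertext: append([]byte(nil), historian[1].Ciphertext...)}
	bad.Ciphertext[0] ^= 0x01 // a compromised historian flips one byte of its copy of frame 3
	_, _, terr := ep.Open(bad) // GCM rejects it; the endpoint's sequence state is untouched
	for _, f := range historian {
		pt, n, oerr := ep.Open(f)
		if oerr != nil {
			return nil, 0, false, oerr
		}
		recovered = append(recovered, string(pt))
		lost += n
	}
	return recovered, lost, terr != nil, nil
}

func main() {
	fmt.Println(RunScenario(make([]byte, 32))) // all-zero demo key: illustration only
}
```

Running it recovers frames 1 and 3, reports one lost frame, and rejects the tampered copy. The sequence number is bound into the nonce and the associated data deliberately: it gives the endpoint a loss count without any return traffic, and it means a downstream system cannot renumber, reorder or replay frames without the tag failing.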

3. Endpoint Enforcement

Endpoint-Enforced Diode Behavior

Traditional data diodes are deployed as fixed boundary appliances, requiring specific network topologies and dedicated choke points. KLOCH enforces one-way behavior at the endpoint, reducing dependence on centralized boundary placement.

This allows one-way export to be applied closer to the data source and enables multiple export paths without replicating diode hardware at each boundary.

Deployment Characteristics

1. One-way enforcement implemented at the endpoint
2. No requirement for topology-specific boundary gateways
3. Supports multiple monitoring export paths from the same source

4. Operational Configuration

One Platform, Multiple Security Postures

KLOCH treats data diode behavior as a configurable operating mode rather than a permanently fixed architecture. Systems can be configured for strict one-way export where policy requires monitoring-only access, while retaining the ability to support encrypted bidirectional communication in other deployments.

This avoids the need to deploy separate products or redesign network architecture when operational requirements change.

Operational Flexibility

1. Strict one-way export for monitoring and compliance use cases
2. Encrypted bidirectional operation supported outside diode mode
3. Security posture adjustable without replacing hardware

Encryption and Networking

[Figure: a laptop running the header code connected to a KLOCH box; an attacker's computer with a wire tap connected to the data stream; the last computer in the network connected to a KLOCH box]
