
Zero Trust isn’t a magic fix anymore: Why a DataDiode gives absolute assurance in OT/IT environments


“We’re doing Zero Trust.” You hear it everywhere. And to be fair, Zero Trust is still a strong and necessary security approach. But in one specific, and increasingly common, use case, it often falls short in practice: when information needs to flow from OT to IT, without any possibility of IT ever sending anything back. We’re talking about this topic with Willemijn Rodenburg, Government Relations at Sentyron, and Troy Gratama, Partner Manager at Sentyron.

What is Zero Trust architecture?

Willemijn is clear about what Zero Trust is, and what it isn’t: “Zero Trust isn’t a product. It’s a way of working. In practice, that means you don’t assume anything is safe just because it’s inside the network. Instead, every access request becomes a decision based on context: who is asking, from what device, to what system or data, and under what conditions. For me, Zero Trust is an interesting starting point. But you’re not done after that.”

Troy describes the underlying motivation as the alternative to operating without visibility. “If you don’t monitor and don’t control access paths, then you have no view of what is happening. Zero Trust is about making sure you do have that visibility, and can prove who did what, and why access was allowed.”

Key Zero Trust principles

  • Never trust by default. The old idea that inside equals safe doesn’t hold up anymore, especially when attacks can also originate from within.
  • Verify explicitly. Validate each request using identity and context such as MFA, device posture, location and behaviour.
  • Least privilege access. It is more than minimal privileges. It is also about who gets access to what, how you maintain it, and how far an attacker could get if something is compromised.
  • Assume breach. Design as if an attacker could already be inside, and focus on containment.
  • Limit lateral movement through segmentation. If someone gets in, the question becomes how far they can go.
  • Continuous monitoring and improvement. If you rely on controls, you need to keep validating them, because otherwise you lose visibility again.

Why Zero Trust often fails in practice

Willemijn stresses that Zero Trust can be powerful, but also demanding: “If you really want to move towards Zero Trust, it’s quite complex. It creates a lot of operational pressure. Organisations may agree with the principles, but not always have the capacity to implement and maintain them at the level required.”

Troy brings it back to basics: “Zero Trust still depends on people and hygiene. If an organisation allows weak passwords, skips MFA, or shares accounts, then someone gets in through a trusted account, and the attacker can still move through the organisation. If ransomware can still spread across the business, you are still in trouble, even if you intended to run a Zero Trust model.”

The reality in critical environments: OT often gets hit via IT

In industrial and critical infrastructure settings, Troy comes back to one pattern: “The problem often starts in IT and then moves towards OT. Phishing, stolen credentials, a compromised supplier, an infected endpoint. Once the IT side is compromised, the OT side becomes reachable if there is any return path.”

That is why the core question becomes unavoidable: can anything ever flow back from IT into OT? If the answer is ‘in principle no, unless…’, then that ‘unless’ is exactly what attackers will exploit.

Willemijn zooms out and calls this part of a broader reality. “Zero Trust is a good start, but there are threats that can undermine it, such as supply chain compromise, attackers getting smarter, and the possibility that someone is already using the privileges of such an account. That is why the conversation should not stop at ‘we do Zero Trust’. It should continue into what else prevents escalation when things go wrong.”

What a DataDiode can guarantee

A DataDiode exists for one purpose: hardware-enforced one-way data flow. Troy explains it as a simple, non-negotiable rule: “OT can send information to IT, but IT can never send anything back. Not by accident, not through a misconfiguration, and not because a security tool fails.”

This is where the story shifts from risk reduction to path removal. As Troy puts it: “A DataDiode does nothing else than what it’s made for, no exceptions.”

So the difference becomes fundamental:

  • Zero Trust reduces risk through policy, tooling, and operational discipline.
  • A DataDiode removes an entire class of attack paths through physical enforcement.

From the OT to IT perspective, the point is that the promise becomes absolute. No data can flow back from IT to OT, regardless of whether your IT security stack is perfectly configured or fully up to date. In environments where availability, confidentiality, and continuity outweigh convenience, that certainty matters.

Why a DataDiode is always safe

A lot of trust in modern security comes from software and configuration. A DataDiode is a hardware approach instead. It is built so that the direction of flow is physically enforced, so the remote bypass routes that exist for policy controls and software layers do not apply to it.

Willemijn and Troy are both careful not to position it as a replacement for everything. Troy says: “It’s the full picture. You need everything. The DataDiode is not a substitute for good architecture, hygiene, or firewalls. It is an extra layer that remains reliable even when something else fails.”

When is a DataDiode the best, or only logical, choice?

The absolute guarantee is strongest in the one-way OT-to-IT scenario. If the IT environment only needs to passively receive information, for monitoring, dashboards, logging, or reporting, and must not modify the OT source, then the DataDiode is the cleanest way to enforce that requirement.
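One consequence of the strictly one-way flow described here, which the interview does not spell out: the IT side can never acknowledge a frame or ask for a retransmission, so it has to detect lost or damaged frames on its own and treat them as events. The following is an added example, not Sentyron's code or any DataDiode product format; the frame layout, the `OneWayReceiver` class and the pump readings are constructed assumptions.

```python
import struct
import zlib

# Constructed frame layout (an assumption, not a Sentyron format):
# 4-byte sequence number, 2-byte payload length, payload, 4-byte CRC32 over the rest.
HEADER = struct.Struct(">IH")
CRC = struct.Struct(">I")

def encode_frame(seq: int, payload: bytes) -> bytes:
    """OT side: wrap one record so the receiver can detect loss or corruption by itself."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + CRC.pack(zlib.crc32(body))

class OneWayReceiver:
    """IT side of the diode link: no send path, so bad or missing frames cannot be requested again."""
    def __init__(self):
        self.expected_seq = None
        self.records = []
        self.events = []

    def receive(self, frame: bytes) -> None:
        if len(frame) < HEADER.size + CRC.size:
            self.events.append("runt frame dropped")
            return
        body, crc = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])[0]
        if zlib.crc32(body) != crc:
            self.events.append("crc mismatch dropped")
            return
        seq, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if len(payload) != length:
            self.events.append(f"length mismatch on seq {seq} dropped")
            return
        if self.expected_seq is not None and seq < self.expected_seq:
            self.events.append(f"replayed or reordered seq {seq} dropped")
            return
        if self.expected_seq is not None and seq > self.expected_seq:
            self.events.append(f"gap: {seq - self.expected_seq} frame(s) lost before seq {seq}")
        self.expected_seq = seq + 1
        self.records.append(payload)

def demo():
    """Constructed sample: four OT readings; frame 1 is lost in transit, frame 3 arrives corrupted."""
    frames = [encode_frame(i, f"pump_a pressure_bar={p}".encode()) for i, p in enumerate((4.1, 4.2, 4.3, 4.4))]
    damaged = bytearray(frames[3])
    damaged[HEADER.size] ^= 0x01  # flip one payload bit so the CRC check fails
    rx = OneWayReceiver()
    for frame in (frames[0], frames[2], bytes(damaged)):
        rx.receive(frame)
    return len(rx.records), rx.events
```

Because nothing can travel back across the link, the receiver's event list is the only place loss becomes visible, so in a real deployment it is what monitoring on the IT side should alert on.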

Willemijn broadens the relevance beyond OT and IT alone. The same thinking applies when you are protecting crown jewels like intellectual property or highly sensitive data stores. But she insists on the real starting point: “It begins with knowing what your crown jewels are. What is crucial for your organisation? Which data and systems truly must be protected? From there, the logic follows. Minimise connectivity to those crown jewels, apply the highest level of control, and where it makes sense, enforce one way flow physically. Zero Trust reduces risks. A DataDiode eliminates them.”

“We’re doing Zero Trust.” What should you do differently tomorrow?

If an organisation is already investing heavily in Zero Trust, Troy does not tell them to stop doing what they’re doing; his point is the opposite: “It’s the full picture. But I do think it’s good that organisations think differently about what they are trying to achieve for their most critical assets. Are you aiming to detect and respond faster, or do you want to remove attack paths entirely where possible?”

Willemijn’s practical advice is to go back to the architecture. “Know your crown jewels, look at how they are connected, and ask where you can reduce connectivity and enforce stronger boundaries. In OT environments, where mistakes are simply not acceptable, that often means adding a layer that does not depend on day-to-day operational perfection.”

Both acknowledge that implementing a DataDiode properly can take work: new segmentation routes, redesigned data flows, and careful integration. But the outcome is exactly what many organisations are looking for in critical environments: more certainty, fewer attack paths, and ultimately more peace of mind.