
The Hradec Králové Region has strengthened data protection with a cyber vault

Thanks to Aricoma's conceptual design and Dell technologies, the office now stores backups in a securely separated environment.

Implementation: 2024


Customer Profile

The Regional Authority of the Hradec Králové Region is the executive body of the region, ensuring the functioning of local and state administration in the region. It administers areas such as education, healthcare, transport, the environment, social services, and culture, while also supervising and methodically supporting the activities of municipalities. It also takes care of regional property, handles requests under the Freedom of Information Act, resolves complaints, administrative proceedings, and public procurement. The office prepares materials for decision-making by the regional council and assembly and plays a key role in the development of the entire region.

"Thanks to the solution provided, we have significantly increased our level of cybersecurity and gained confidence that the region's critical data is protected even in the event of a serious incident. We appreciate the professional approach of Aricoma's specialists, their expert management of the entire project, and their ability to find solutions even where we ourselves saw obstacles."

Martin Kořínek

Head of the IT Department in the IT Division

Initial situation and objectives of the project

The Hradec Králové Region decided to significantly strengthen its resilience to cyber threats. The need to protect key systems and backups from external and internal risks led to the decision to implement a solution that would enable critical data to be stored in a secure, physically separate environment. The main goal was a system that enables data recovery after an incident without direct dependence on the production environment. Physical separation protects backups from unauthorized deletion and from the spread of a compromise to auxiliary systems, although the risk of replicating already compromised data cannot be completely ruled out.

Based on a public tender, Aricoma implemented a solution that fully met the required parameters for security, isolation, and automation of operations. From the beginning of the project, as a technology partner, we focused on a conceptual design of the architecture that took into account the operational needs of the region while guaranteeing the highest level of security and reliability.

Benefits

  • Significant increase in cybersecurity
  • Data recovery even in the event of an attack on the main IT environment
  • Automated operation without the need for manual intervention
  • Completely separate environment for storing backups
  • One-way communication to the monitoring system without the risk of intrusion
  • Daily reporting and system status overview for simplified management

Solution Description

Aricoma specialists, in cooperation with the IT department, designed and implemented a solution that uses two separate data centers: one for the operational backup infrastructure and the other as a so-called data vault. The key principle of the solution is the maximum separation of the production and vault environments, both physically and in terms of networking.

In its default state, the data vault remains fully isolated in terms of communication. When a backup copy needs to be made, a one-way communication channel is opened automatically and closed immediately after the process is completed. The vault is not connected to the regular LAN and operates independently of the selected backup software.

For administration, the vault is equipped with a rack console (KMM – keyboard, mouse, monitor) and access control is ensured by physical presence. Traffic monitoring is performed via a DataDiode device, which allows only one-way data flow to the customer's monitoring system. The internal infrastructure of the vault is built on a 10GE network and uses DELL PowerEdge servers and DELL Data Domain storage, which offers advanced deduplication and a lock function to prevent backup deletion.

Aricoma was responsible for the implementation project, planning, and execution. As part of the implementation project, technical obstacles were identified and removed before the actual implementation. Thanks to smooth cooperation with regional representatives and professional management by Aricoma, the installation went smoothly despite the challenges associated with the summer season and delays in the delivery of some components.

Technologies used

  • DELL PowerEdge – powerful servers for vault environments
  • DELL Data Domain – storage with deduplication and protection against deletion
  • DELL Networking (10GE) – high-speed network infrastructure
  • KVM / KMM – local access console
  • DataDiode – one-way security element for monitoring
