Cross-domain Solution

TheInfoList

A cross-domain solution (CDS) is an integrated information assurance system composed of specialized software, and sometimes hardware, that provides a controlled interface to manually or automatically enable and/or restrict the access or transfer of information between two or more security domains based on a predetermined security policy. CDSs are designed to enforce domain separation and typically include some form of content filtering, which is used to designate information that is unauthorized for transfer between security domains or levels of classification, such as between different military divisions, intelligence agencies, or other operations which critically depend on the timely sharing of potentially sensitive information.

The goal of a CDS is to allow a trusted network domain to exchange information with other domains, either one-way or bidirectionally, without introducing the potential for security threats that would normally come with network connectivity. Although the goal is 100% assurance, this is not possible in practice; thus CDS development, assessment, and deployment are based on comprehensive risk management. Due to the sensitive nature of their use, every aspect of an accredited CDS must be rigorously evaluated under what is known as a Lab-Based Security Assessment (LBSA) in order to reduce the potential vulnerabilities and risks to the system itself and to the environments in which it will be deployed. The evaluation and accreditation of CDSs in the United States is primarily under the authority of the National Cross Domain Strategy and Management Office (NCDSMO) within the National Security Agency (NSA).
The three primary elements demanded from cross-domain solutions are:

1. Data confidentiality: most often imposed by hardware-enforced one-way data transfer.
2. Data integrity: content management using filtering for viruses and malware; content examination utilities; in high-to-low security transfer, audited human review.
3. Data availability: security-hardened operating systems, role-based administration access, redundant hardware, etc.

The acceptance criteria for information transfer across domains, or cross-domain interoperability, are based on the security policy implemented within the solution. This policy may be simple (e.g., antivirus scanning and a whitelist or "allowlist" check before transfer between peer networks) or complex (e.g., multiple content filters and a human reviewer must examine, redact, and approve a document before release from a high security domain). Unidirectional networks are often used to move information from low security domains to secret enclaves while assuring that information cannot escape. Cross-domain solutions often include a High Assurance Guard.

Though cross-domain solutions have, as of 2019, historically been most typical in military, intelligence and law enforcement environments, there is also a use case for cross-domain solutions in industry. Many industrial settings have control systems and analytic systems which are, or should be, in different security domains. One example is the flight control and infotainment systems on an airliner. Given the wide variety of use cases in industry, different levels of third-party accreditation and certification of aspects of the cross-domain solution will be appropriate for different applications, and can be found among different providers.
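As an added example (not from the original article or from any CDS product), the following Python sketch models the policy pipeline described above: an allowlist check and a malware scan for every transfer, and for high-to-low transfers an additional content examination plus an audited human-review gate before release. The domain levels, file types, dirty-word patterns and the malware signature are constructed assumptions.

```python
"""Toy transfer-guard policy pipeline (constructed example, not a real guard).

A transfer is released only if every filter in the chain passes. Low-to-high
transfers may be automatic; high-to-low transfers get extra content
examination and also require an audited human-review decision.
"""
from dataclasses import dataclass, field
import re

# Ordinal security levels; a higher number is more sensitive (assumption).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

# Allowlist of file types permitted to cross the boundary (default deny).
ALLOWED_TYPES = {"txt", "csv", "pdf"}

# Constructed malware signature; a real guard would call an AV engine.
MALWARE_SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]

# Constructed dirty-word patterns: markings that must not leave a high domain.
DIRTY_WORDS = re.compile(rb"\b(SECRET|NOFORN)\b")


@dataclass
class Transfer:
    filename: str
    payload: bytes
    src_level: str
    dst_level: str
    review_approved: bool = False    # set only by an audited human reviewer
    audit: list = field(default_factory=list)  # decision trail for the audit log


def filter_allowlist(t: Transfer) -> bool:
    """Pass only file types on the allowlist (everything else is denied)."""
    ext = t.filename.rsplit(".", 1)[-1].lower() if "." in t.filename else ""
    ok = ext in ALLOWED_TYPES
    t.audit.append(f"allowlist:{ext or '<none>'}:{'pass' if ok else 'block'}")
    return ok


def filter_malware(t: Transfer) -> bool:
    """Block payloads containing a known signature."""
    hit = any(sig in t.payload for sig in MALWARE_SIGNATURES)
    t.audit.append(f"malware:{'block' if hit else 'pass'}")
    return not hit


def filter_dirty_words(t: Transfer) -> bool:
    """Content examination for downward flows: block leaked markings."""
    hit = DIRTY_WORDS.search(t.payload) is not None
    t.audit.append(f"dirty-words:{'block' if hit else 'pass'}")
    return not hit


def evaluate_transfer(t: Transfer) -> bool:
    """Return True if the guard releases the transfer, False if it blocks it."""
    src, dst = LEVELS[t.src_level], LEVELS[t.dst_level]
    # Simple policy, applied in both directions: allowlist + malware scan.
    checks = [filter_allowlist, filter_malware]
    if src > dst:
        # High-to-low: add content examination before any release.
        checks.append(filter_dirty_words)
    for check in checks:
        if not check(t):
            return False          # first failing filter stops the transfer
    if src > dst and not t.review_approved:
        # Complex policy: a human must examine and approve a downward release.
        t.audit.append("human-review:pending")
        return False
    t.audit.append("release")
    return True
```

The audit list is the point a practitioner should keep: every decision, including a pending human review, leaves a trace that can be reconciled later, which is what "audited human review" in the list above means in practice.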


Types of Cross Domain Solutions

There are three types of cross domain solutions (CDS) according to Department of Defense Instruction (DoDI) 8540.01. These types are broken down into Access, Transfer, and Multi-level solutions (MLS), and all must be included in the cross domain baseline list prior to Department of Defense specific site implementations.

Access Solution

"An access solution describes a user's ability to view and manipulate information from domains of differing security levels and caveats. In theory, the ideal solution respects separation requirements between domains by preventing overlaps of data between domains, which ensures data of differing classifications cannot 'leak' (i.e. data spill) between networks at any host layer of the OSI/TCP model. In practice, however, data spills are an ever-present concern that system designers attempt to mitigate within acceptable risk levels. For this reason, data transfer is addressed as a separate CDS."

Transfer Solution

A transfer CDS simply offers the ability to move information between security domains that are of different classification level or different caveat of the same classification level. Transfer solutions must be evaluated to ensure the guard is capable of respecting all constrictions of the various domains that require protection.

Multi-level Solutions

"Access and transfer solutions rely on multiple security level (MSL) approaches that maintain the separation of domains; this architecture is considered multiple single levels. A multi-level solution (MLS) differs from MSL architecture by storing all data in a single domain. The solution uses trusted labeling and integrated Mandatory Access Control (MAC) schema as a basis to mediate data flow and access according to user credentials and clearance in order to authenticate read and write privileges. In this manner, an MLS is considered an all-in-one CDS, encompassing both access and data transfer capabilities."


Unintended consequences

In previous decades, multilevel security (MLS) technologies were developed and implemented that enabled objective and deterministic security, but left little wiggle room for subjective and discretionary interpretation. These enforced mandatory access control (MAC) with near certainty. This rigidity prevented simpler solutions that would seem acceptable on the surface. Automated information systems have enabled extensive information sharing that is sometimes contrary to the need to avoid sharing secrets with adversaries. The need for information sharing has led to the need to depart from the rigidity of MAC in favor of balancing the need to protect with the need to share. When the 'balance' is decided at the discretion of users, the access control is called discretionary access control (DAC), which is more tolerant of actions that manage risk where MAC requires risk avoidance. Allowing users and systems to manage the risk of sharing information is in some way contrary to the original motivation for MAC. The unintended consequences of sharing can be complex to analyze and should not necessarily be left to the discretion of users who may have a narrow focus on their own critical need.

These documents provide standards guidance on risk management:

1. SP 800-53 Rev3
2. Instruction No. 1253
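The following Python block is an added example, not from the article or from any MLS product, and it serves two passages: the trusted labeling and MAC mediation described under "Multi-level Solutions", and the MAC-versus-DAC contrast just above. A label is a hierarchical level plus a set of caveats; one label dominates another when both its level and its caveat set cover the other's. MAC decides reads and writes from labels alone (no read up, no write down), while a discretionary ACL shows what an owner can grant when MAC is not enforced. The levels, caveats, subject names and objects are assumptions.

```python
"""Label dominance and MAC/DAC mediation, as in a multi-level solution.

Constructed example: levels, caveats, subjects and objects are assumptions.
"""
from dataclasses import dataclass, field

# Hierarchical levels; a higher number is more sensitive (assumption).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    caveats: frozenset = frozenset()   # non-hierarchical compartments

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high and covers all caveats of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.caveats >= other.caveats)


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Obj:
    name: str
    label: Label
    owner: str
    acl: set = field(default_factory=set)   # DAC: names the owner has granted


def mac_permits(subject: Subject, obj: Obj, op: str) -> bool:
    """Mandatory decision: derived from labels only, never from the owner."""
    if op == "read":
        # No read up: the subject's clearance must dominate the object's label.
        return subject.clearance.dominates(obj.label)
    if op == "write":
        # No write down: the object's label must dominate the subject's clearance,
        # so data can never flow into a less protected object.
        return obj.label.dominates(subject.clearance)
    raise ValueError(f"unknown operation {op!r}")


def dac_permits(subject: Subject, obj: Obj) -> bool:
    """Discretionary decision: the owner, or anyone the owner listed, may read."""
    return subject.name == obj.owner or subject.name in obj.acl


def mls_read(subject: Subject, obj: Obj, enforce_mac: bool = True) -> bool:
    """MLS read decision: MAC is consulted first; DAC can only restrict further.

    With enforce_mac=False the 'balance' is left to the owner's discretion,
    which is the DAC situation the article warns about.
    """
    if enforce_mac and not mac_permits(subject, obj, "read"):
        return False
    return dac_permits(subject, obj)
```

Two things the test exercises are worth noting. A SECRET-cleared user without the "ALPHA" caveat is refused a SECRET/ALPHA object even though the levels match, which is how caveat separation is enforced. And once the owner adds a lower-cleared user to the object's ACL, DAC alone would release the data, while MAC still refuses; pure label mediation permits writes upward, and real guards commonly tighten this further to "write equal" so that a low-side process cannot inject into a high-side object.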

