Cross Domain Solutions
Cross-Domain Solutions (CDS) are information assurance solutions that provide the ability to manually or automatically access or transfer information between two or more differing security domains. They are integrated systems of hardware and software that enable transfer of information among incompatible security domains or levels of classification. Modern military, intelligence, and law enforcement operations critically depend on timely sharing of information. CDS is distinct from the more rigorous approaches because it supports transfers that would otherwise be precluded by established models of computer, network, and data security (e.g. Bell-LaPadula and Clark-Wilson). CDS development, assessment, and deployment are based on risk management.
The three primary elements demanded from cross domain solutions are:
- Data confidentiality (most frequently imposed by hardware-enforced one-way data transfer).
- Data integrity (content management using filtering for viruses and malware, content examination utilities, and, for high-to-low security transfers, audited human review).
- Data availability (security-hardened operating systems, role-based administration access, redundant hardware, etc.).
The acceptance criteria for information transfer across domains may be simple (e.g. antivirus scanning before transfer from low to high security domains) or complex (e.g. multiple human reviewers must examine and approve a document before release from a high security domain). One-way data transfer systems (one-way traffic systems, data diodes, DualDiode(R)) are often used to move information from low security domains to secret enclaves while assuring that information cannot escape.
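As an added example (not from the original article), the following Python toy model shows the distinction the text draws: a strict Bell-LaPadula flow check beside a risk-managed cross-domain guard whose acceptance criteria are automated filtering for low-to-high transfers and audited multi-reviewer approval for high-to-low release. The domain names, level ordering, filter markers and reviewer quorum are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed clearance ordering for the example; real deployments define their own domains.
LEVELS = {"unclassified": 0, "secret": 1, "top_secret": 2}


def blp_allows(src: str, dst: str) -> bool:
    """Strict Bell-LaPadula flow rule: information may move up or sideways, never down."""
    return LEVELS[src] <= LEVELS[dst]


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    content: bytes
    approvals: frozenset = frozenset()  # ids of human reviewers who approved the release


# Stand-in for an antivirus/content filter: constructed markers, not a real signature set.
BLOCKED_MARKERS = (b"EICAR", b"<script")


def content_filter_passes(content: bytes) -> bool:
    return not any(marker in content for marker in BLOCKED_MARKERS)


def cds_decision(t: Transfer, required_reviewers: int = 2) -> tuple[bool, str]:
    """Risk-managed acceptance criteria in the spirit of the article:
    low-to-high needs automated filtering; high-to-low additionally needs an
    audited multi-reviewer release that plain BLP would forbid outright."""
    if t.src not in LEVELS or t.dst not in LEVELS:
        return False, "unknown security domain"
    if t.src == t.dst:
        return False, "same domain: not a cross-domain transfer"
    if not content_filter_passes(t.content):
        return False, "content filter rejected the payload"
    if blp_allows(t.src, t.dst):
        return True, "low-to-high: filtered, permitted over one-way path"
    if len(t.approvals) < required_reviewers:
        return False, (f"high-to-low release needs {required_reviewers} reviewer "
                       f"approvals, got {len(t.approvals)}")
    return True, "high-to-low: filtered and released after audited human review"


if __name__ == "__main__":
    for t in (Transfer("unclassified", "secret", b"weather report"),
              Transfer("secret", "unclassified", b"redacted summary"),
              Transfer("secret", "unclassified", b"redacted summary", frozenset({"rev1", "rev2"})),
              Transfer("unclassified", "secret", b"EICAR test payload")):
        print(f"{t.src} -> {t.dst}: {cds_decision(t)}")
```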
Unintended consequences
In previous decades, Multilevel Security (MLS) technologies were developed and implemented that enabled objective and deterministic security but left little room for subjective and discretionary interpretation. These enforced Mandatory Access Control (MAC) with near certainty. This rigidity prevented simpler solutions that would seem acceptable on the surface. Automated Information Systems have enabled extensive information sharing, which at times risks sharing secrets with adversaries. The need for information sharing has led to the need to depart from the rigidity of MAC in favor of balancing the need to protect with the need to share. When that balance is decided at the discretion of users, the access control is called Discretionary Access Control (DAC); it is more tolerant of actions that manage risk, where MAC requires risk avoidance. Allowing users and systems to manage the risk of sharing information is in some way contrary to the original motivation for MAC.
The unintended consequences of sharing can be complex to analyze and should not necessarily be left to the discretion of users, who may have a narrow focus on their own critical need. These documents provide standards guidance on risk management:
1.) The US National Institute of Standards and Technology (NIST) SP 800-53 Rev. 3, Aug. 2009, "Recommended Security Controls for Federal Information Systems and Organizations"
2.) The Committee on National Security Systems (CNSS) Instruction No. 1253, "Security Categorization and Control Selection for National Security Systems"