Cross-Domain Solutions 101
How to securely share information for mission operations in Enterprise Environments
WHAT IS A CROSS-DOMAIN SOLUTION?
A Cross-domain Solution (CDS) is a mechanism to access or transfer information between two or more networks of different security classifications.
WHY ARE CROSS DOMAIN SOLUTIONS NEEDED?
Cross-domain Solutions are needed to enable secure information sharing – getting the right information to the right people at the right time. In fact, the lack of information sharing was a key reason behind the 9/11 attacks. Information sharing, however, must be done securely in order to maintain the necessary data characteristics of Confidentiality, Integrity and Availability (CIA).
WHERE ARE CROSS DOMAIN SOLUTIONS USED?
Cross-domain Solutions are often used in large enterprise data centers where there are many different networks and security enclaves, each with a different classification and/or releasability. A CDS may also be deployed at the tactical edge in order to meet site or mission specific needs.
HOW DO CROSS-DOMAIN SOLUTIONS WORK?
A CDS must simultaneously protect the confidentiality of high-side data, protect the data integrity and protect the availability of high-side resources. In layman’s terms, a CDS must prevent both data spills as well as attacks against classified networks. A CDS will use cryptography and mandatory access control (MAC) mechanisms to isolate different networks and data flows. Additionally, a Transfer CDS will use various filters to inspect data in transit to ensure compliance with security and releasability policies, as well as to reduce the risk of attack from embedded content.
HOW AFRL CAN HELP
AFRL has designed, developed and revolutionized secure information sharing and cross domain technologies for over 30 years. AFRL offers both cross domain access and transfer solutions to meet your mission needs. AFRL Cross Domain Solutions include:
- SECUREVIEW – A Cross Domain Access solution that supports multiple classifications on single machine using both “Thick” & “Thin” VM clients simultaneously
- ISSE Guard – A Cross Domain Transfer solution that enables bi-directional and uni-directional secure information flows, with extensive message filtering capabilities for both structured and unstructured data
- X-ARBITOR – The Next Generation Transfer solution, featuring secure yet flexible Filter Orchestration Engine and Protocol Adapter plug-in architecture
- V2CDS – The Voice & Video Cross Domain Solution from the CCOLT PMO enables users to make secure cross domain one-to-one audio or video calls, as well as audio conference calls
* Please contact us today to discuss your specific cross domain requirements find out how AFRL can revolutionize your mission!
WHAT TYPES OF CROSS DOMAIN SOLUTIONS ARE THERE?
There are two basic categories:
- Access solutions allows a user to ACCESS differently classified networks from a single machine. In the desktop Access model, users can have separate Virtual Machines, each at different classification levels and accessing separate, isolated networks. A site’s Virtual Desktop Infrastructure (VDI) can also be supported.
- Transfer solutions send or TRANSFER data between different security domains. There are several sub-categories, including Diodes (a one-way transfer) and bi-directional Guards that can support the transfer of different data types and applications between multiple (3+) domains. There is also a special case of Transfer Solution known as a Multi-Level Security CDS, which uses mandatory labeling to store data at different classifications and allows users to query and retrieve the data based upon their security domain and credentials.
WHEN TO USE AN ACCESS vs. A TRANSFER CDS?
The type of CDS used depends on the mission requirements. For example, does information need to be transferred between security domains, or do users simply need to access resources within multiple/different enclaves?
- Additonal criteria to consider when selecting a CDS include:
- The environment where the CDS will be hosted
- Number of networks to be supported and their classifications
- Interoperability with existing applications and infrastructure
- For an Access CDS, is there a VDI in place or planned?
- For a Transfer CDS, what data types and protocols are required?
WHAT IS THE ACQUISTION PROCESS FOR A CDS?
The acquisition process for a CDS depends on many factors, including the agency, Authorizing Official (AO), networks involved and other criteria.
For Agencies and Organizations that require Top Secret and Below Information requirements, the AO will be integral to the process, and it would be best to enage the AO and CDS provider.
For DoD Agencies that have Secret and Below Information requirements, it is best to first contact your Cross Domain Service Element (CDSE).
Generally speaking, if possible, first use an enterprise Cross Domain service or enterprise-hosted CDS. If this option is not possible then use an existing CDS solution without modification. Finally, if neither of those options are possible, modify an existing CDS solution to meet the mission requirements (e.g. define new data filters to support new data types).
Email: [email protected]
Phone: (315) 330‐7657
ISSE and X‐ARBITOR PMO
Email: [email protected]
Phone: (315) 330‐7838
Email: [email protected]
Phone: (315) 330‐4887