A cross-domain solution is a means of information assurance that provides the ability to manually or automatically access or transfer information between two or more differing security domains. They are integrated systems of hardware and software that enable transfer of information among incompatible security domains or levels of classification. Modern military, intelligence, and law enforcement operations critically depend on timely sharing of information. CDS is distinct from the more rigorous approaches, because it supports transfer that would otherwise be precluded by established models of computer, network, and data security, e.g., Bell–LaPadula model and Clark–Wilson model. CDS development, assessment, and deployment are based on risk management. The goal of a CDS is to allow an isolated critical network to exchange information with others, without introducing the security threat that normally comes from network connectivity. The three primary elements demanded from cross domain solutions are:
Data integrity: content management using filtering for viruses and malware; content examination utilities; in high-to-low security transfer audited human review
Data availability: security-hardened operating systems, role-based administration access, redundant hardware, etc.
The acceptance criteria for information transfer across domains or cross-domain interoperability may be simple or complex. Unidirectional networks are often used to move information from low security domains to secret enclaves while assuring that information cannot escape. Cross-domain solutions often include a High Assurance Guard. Though cross-domain solutions have, as of 2019, historically been most typical in military, intelligence and law enforcement environments, there is also a use case for cross domain solutions in industry. Many industrial settings have control systems and analytic systems which are, or should be, in different security domains. One example is the flight control and infotainment systems on an airliner. Given the wide variety of use cases in industry, different levels of third party accreditation and certification of aspects of the cross-domain solution will be appropriate for different applications, and can be found among different providers.
Types of Cross Domain Solutions
There are three types of cross domain solutions according to . These types are broken down into Access, Transfer, and Multi-level solutions and all must included in the cross domain baseline list prior to Department of Defense specific site implementations. Access Solution "An access solution describes a user’s ability to view and manipulate information from domains of differing security levels and caveats. In theory, the ideal solution respects separation requirements between domains by preventing overlaps of data between domains, which ensures data of differing classifications cannot ‘leak’ between networks at any host layer of the OSI/TCP model. In practice, however, data spills are an ever-present concern that system designers attempt to mitigate within acceptable risk levels. For this reason, data transfer is addressed as a separate CDS". Transfer SolutionA transfer CDS simply offers the ability to move information between security domains that are of different classification level or different caveat of the same classification level. Transfer solutions must be evaluated to ensure the guard is capable of respecting all constrictions of the various domains that require protection. Multi-level Solutions "Access and transfer solutions rely on multiple single level systems that maintain the separation of domains; this architecture is considered multiple individual levels of security. A multi-level solution differs from MILS architecture by storing all data in a single domain. The solution uses trusted labeling and integrated Mandatory Access Control schema to parse data according to user credentials and clearance in order to authenticate read and right privileges. In this manner, an MLS is considered an all-in-one CDS, encompassing both access and data transfer capabilities."
Unintended consequences
In previous decades, multilevel security technologies were developed and implemented that enabled objective and deterministic security, but left little wiggle room for subjective and discretionary interpretation. These enforced mandatory access control with near certainty. This rigidity prevented simpler solutions that would seem acceptable on the surface. Automated information systems have enabled extensive information sharing that is sometimes contrary to the need to avoid sharing secrets with adversaries. The need for information sharing has led to the need to depart from the rigidity of MAC in favor of balancing need to protect with need to share. When the ‘balance’ is decided at the discretion of users, the access control is called discretionary access control that is more tolerant of actions that manage risk where MAC requires risk avoidance. Allowing users and systems to manage the risk of sharing information is in some way contrary to the original motivation for MAC. The unintended consequences of sharing can be complex to analyze and should not necessarily be left to the discretion of users who may have a narrow focus on their own critical need. These documents provide standards guidance on risk management:
