Cross Domain Solutions


Cross-Domain Solutions (CDS) are information assurance solutions that provide the ability to manually or automatically access or transfer information between two or more differing security domains.[1] They are integrated systems of hardware and software that enable the transfer of information among incompatible security domains or levels of classification. Modern military, intelligence, and law enforcement operations depend critically on the timely sharing of information. CDS is distinct from more rigorous approaches because it supports transfers that would otherwise be precluded by established models of computer, network, and data security (e.g. Bell-LaPadula and Clark-Wilson). CDS development, assessment, and deployment are based on risk management.

The three primary elements demanded from cross domain solutions are:

  1. Data confidentiality (most frequently imposed by hardware-enforced one-way data transfer),
  2. Data integrity (content management using filtering for viruses and malware; content examination utilities; for high-to-low security transfers, audited human review), and
  3. Data availability (security-hardened operating systems, role-based administration access, redundant hardware, etc.).

The acceptance criteria for information transfer across domains may be simple (e.g. antivirus scanning before transfer from low to high security domains) or complex (e.g. multiple human reviewers must examine and approve a document before release from a high security domain). One-way data transfer systems (One-Way Traffic systems, data diodes, DualDiode(R)) are often used to move information from low security domains to secret enclaves while assuring that information cannot escape.
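The two kinds of acceptance criteria described above, sketched as the release decision of a hypothetical guard next to the Bell-LaPadula flow rule that would forbid the high-to-low case outright. This is an added example, not code from the article or from any CDS product; the level names, the two-reviewer threshold and the rule that senders cannot approve their own release are assumptions.

```python
from dataclasses import dataclass, field

# Constructed ordering of security domains (assumption, not from the article).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}
REQUIRED_REVIEWERS = 2  # assumed threshold for "multiple human reviewers"


@dataclass
class Transfer:
    src: str
    dst: str
    sender: str
    scan_clean: bool                             # result of the malware/content filter
    approvals: set = field(default_factory=set)  # IDs of reviewers who approved


def blp_allows(t: Transfer) -> bool:
    """Bell-LaPadula *-property: information may not flow to a lower level."""
    return LEVELS[t.dst] >= LEVELS[t.src]


def guard_decision(t: Transfer, audit: list) -> bool:
    """Risk-managed release decision of a hypothetical guard; every outcome is audited."""
    if t.src not in LEVELS or t.dst not in LEVELS:
        ok, why = False, "unknown domain"
    elif not t.scan_clean:
        ok, why = False, "content filter rejected payload"
    elif blp_allows(t):
        ok, why = True, "low-to-high or same level: scan passed"
    else:
        # High-to-low: the strict model says no; the guard releases only with
        # enough approvals from reviewers other than the sender (assumption).
        reviewers = t.approvals - {t.sender}
        ok = len(reviewers) >= REQUIRED_REVIEWERS
        why = f"high-to-low: {len(reviewers)}/{REQUIRED_REVIEWERS} independent approvals"
    audit.append((t.src, t.dst, t.sender, "RELEASE" if ok else "DENY", why))
    return ok
```

The audit list records denials as well as releases, so a rejected high-to-low attempt leaves the same trail as an approved one.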

Unintended consequences

In previous decades, Multi-Level Security (MLS) technologies were developed and implemented that enabled objective and deterministic security, but left little wiggle room for subjective and discretionary interpretation. These enforced Mandatory Access Control (MAC) with near certainty. This rigidity prevented simpler solutions that would seem acceptable on the surface. Automated Information Systems have enabled extensive information sharing that is sometimes contrary to the need to avoid sharing secrets with adversaries. The need for information sharing has led to a departure from the rigidity of MAC in favor of balancing the need to protect with the need to share. When the 'balance' is decided at the discretion of users, the access control is called Discretionary Access Control (DAC), which is more tolerant of actions that manage risk, whereas MAC requires risk avoidance. Allowing users and systems to manage the risk of sharing information is in some way contrary to the original motivation for MAC.

The unintended consequences of sharing can be complex to analyze and should not necessarily be left to the discretion of users who may have a narrow focus on their own critical need. These documents provide standards guidance on risk management:

  1. The US National Institute of Standards and Technology (NIST) SP 800-53 Rev3 Aug. 2009 - "Recommended Security Controls for Federal Information Systems & Organizations"

  2. The Committee on National Security Systems CNSS Instruction No. 1253 - "Security Categorization and Control Selection for National Security Systems"



Wikimedia Foundation. 2010.
