What are cross domain solutions and why use them for data protection?

Yet, while access to data is improving, it’s becoming ever harder to protect. Historically, ringfencing a network was the norm. But today’s world requires bidirectional communication to, for example, enable remote working or take advantage of cloud services hosted externally. And that opens a greater attack surface, with new routes for malicious actors to reach sensitive information.

To answer this challenge, organisations that hold particularly sensitive information, such as government departments, recognise ‘high’ and ‘low’ trust domains depending on the security classification of the data within. For example, a police force will have databases on witnesses and suspects contained in a high domain, but the officers with access to that data will likely also need access to services like email housed on the low domain.

High domains contain strict security controls for data transfer, so a cross domain solution (CDS) manages the movement of data to or from a low domain to ensure sensitive information can’t leak out or be stolen.

The UK’s National Cyber Security Centre defines CDSs as holistic solutions that incorporate “architectural techniques and supporting technologies to build secure end-to-end connectivity between IT systems that you trust differently.” The goal is to connect different domains to each other to enable information flow while mitigating cyber attacks and data loss.

CDSs aren’t simple. Implementing these philosophies can require an extensive understanding and honest assessment of your IT infrastructure. Yet cyber threats are increasing and the cost of data breaches is rising – fines from regulators are getting larger and the reputational damage can be devastating.

Starting small by implementing CDS principles incrementally and incorporating existing technology helps spread the investment while improving data security. For example, you can start by defining the most critical components of your infrastructure as the most highly trusted domain and implement a CDS there before expanding as necessary. Or you could apply principles such as semantic and syntactic validation at a software level on your firewall.

The important thing is to get started. With the increasing importance of data, it will become ever more important to ensure its security. Highly sensitive organisations have already proven how CDSs provide that assurance, so now’s the time for more data-driven businesses to join them.

When importing data, the CDS hardware forces a protocol break that terminates a transmission path, extracts the information from the data flow, and starts a new transmission path. This removes any malicious attacks embedded in the connection protocol headers and wraps the information in known good protocol headers before transmitting it into the high domain.

Validation hardware uses semantic and syntactic verification to confirm the content in PDF files or Word documents coming into the network is malware- and error-free. Using hardware to conduct this verification makes it much harder for malicious actors to modify the validation method, decreasing the likelihood of malicious actors sneaking malware into the network.

This uses hardware (typically a data diode) to enforce a one-way data flow, and separate import and export data flows. The data diode also can act as a policy enforcement point to ensure only authorised types of data are entering and leaving the high trust domain through that connection. As such, attackers can no longer use that connection to steal information or perform command and control operations.