A rack with three Oakdoor Enterprise Diodes atop each other.

What are cross domain solutions and why use them for data protection?


Data is the most valuable untapped resource in most organisations. It can help uncover insights that accelerate decision-making when tackling complex challenges like sustainability or changing consumer needs. And that means it can unlock significant new growth opportunities.

Considering this opportunity, data security has never been more important.

Yet, while access to data is improving, it’s becoming ever harder to protect. Historically, ringfencing a network was the norm. But today’s world requires bidirectional communication to, for example, enable remote working or take advantage of cloud services hosted externally. And that opens a greater attack surface, with new routes for malicious actors to reach sensitive information.

To meet this challenge, organisations that hold particularly sensitive information, such as government departments, separate their systems into ‘high’ and ‘low’ trust domains according to the security classification of the data each holds. For example, a police force will keep its databases of witnesses and suspects in a high domain, but the officers who need that data will usually also need services such as email, which live in the low domain.

A high domain places strict controls on any transfer of data across its boundary, so a cross domain solution (CDS) mediates every movement of data between it and a low domain, ensuring that sensitive information cannot leak out or be stolen and that the connection cannot be turned into a path for attacking the high domain.

What are cross domain solutions?

The UK’s National Cyber Security Centre defines CDSs as holistic solutions that incorporate “architectural techniques and supporting technologies to build secure end-to-end connectivity between IT systems that you trust differently.” The goal is to connect different domains to each other to enable information flow while mitigating cyber attacks and data loss.

This philosophy isn’t new. Much of today’s information security effort goes into applying zero trust principles to mitigate the risk of cyber attacks and data loss, and many companies already use firewalls to segregate their networks. What makes a CDS stronger is that it enforces these principles in hardware rather than in software alone, and does so through three distinct protections: network protocol attack protection, content-based attack protection, and protection against unauthorised export. Each is described below.

Should you implement a cross domain solution?

CDSs aren’t simple. Implementing these philosophies can require an extensive understanding and honest assessment of your IT infrastructure. Yet cyber threats are increasing and the cost of data breaches is rising – fines from regulators are getting larger and the reputational damage can be devastating.

Starting small by implementing CDS principles incrementally and incorporating existing technology helps spread the investment while improving data security. For example, you can start by defining the most critical components of your infrastructure as the most highly trusted domain and implement a CDS there before expanding as necessary. Or you could begin by applying principles such as syntactic and semantic validation of imported content in software, on an existing firewall or gateway, before moving that enforcement into hardware.

The important thing is to get started. With the increasing importance of data, it will become ever more important to ensure its security. Highly sensitive organisations have already proven how CDSs provide that assurance, so now’s the time for more data-driven businesses to join them.

Network protocol attack protection

When importing data, the CDS hardware forces a protocol break: it terminates the incoming transmission path, extracts only the information from the data flow, and starts a new transmission path on the other side. Because none of the original protocol headers are forwarded, an attack embedded in them (a malformed, oversized or smuggled header, for example) cannot reach the high domain; the information is instead wrapped in known-good protocol headers generated by the CDS before it is transmitted onward. A protocol break addresses the transport layer only; the payload itself still has to be checked, which is the job of content validation.

Content-based attack protection

Validation hardware applies syntactic and semantic verification to incoming content such as PDF files or Word documents. Syntactic verification checks that a file conforms exactly to its format’s grammar; semantic verification checks that what the file contains is the kind of content expected and nothing more. Anything that fails either check is rejected rather than forwarded, so malformed files and files carrying hidden payloads do not enter the network. Performing this verification in hardware makes it much harder for an attacker to modify or bypass the validation logic, which in turn reduces the likelihood of malware being smuggled into the high domain.

Protection against the unauthorised export of information

This uses hardware, typically a data diode, to enforce a one-way data flow, with import and export handled as separate, independently controlled flows. The data diode can also act as a policy enforcement point, ensuring that only authorised types of data enter or leave the high trust domain over that connection. Because a one-way link provides no return channel, an attacker cannot use the connection to exfiltrate information or to carry command and control traffic.
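The three protections above form a single import path: a protocol break, then syntactic and semantic validation, then re-wrapping of the validated content in headers the CDS generated itself, with the policy allow-list enforced along the way. The following Python is an added example written to illustrate that pipeline end to end; it is not Oakdoor's code, and it runs in software where the page describes hardware enforcement. The line-oriented frame format, the JSON record schema, the classification allow-list, the size bounds and the sample frames are all constructed assumptions made for illustration.

```python
# Simulated CDS import path (added example, not Oakdoor's code): protocol break,
# syntactic check, semantic check, then re-wrap in headers generated here.
# The frame format, record schema and allow-lists are illustrative assumptions.
import json
import re

MAX_FRAME, MAX_STRING = 64 * 1024, 256                    # assumed size bounds
ALLOWED_CLASSIFICATIONS = {"OFFICIAL", "SECRET"}          # assumed link policy
SCHEMA = {"record_id": int, "classification": str, "summary": str}  # assumed record shape
HEADER_RE = re.compile(rb"^[A-Za-z][A-Za-z0-9-]{0,63}: [\x20-\x7e]{1,1024}$")

class Rejected(Exception):
    pass

def protocol_break(frame: bytes) -> bytes:
    """Terminate the low-side transport: parse only far enough to find the body,
    then discard every sender-supplied header so none of them reaches the high domain."""
    if len(frame) > MAX_FRAME:
        raise Rejected("frame too large")
    head, sep, body = frame.partition(b"\r\n\r\n")
    if not sep:
        raise Rejected("no header/body separator")
    seen = {}
    for line in head.split(b"\r\n"):
        if not HEADER_RE.match(line):
            raise Rejected(f"malformed header line {line[:32]!r}")
        name, _, value = line.partition(b": ")
        if name.lower() in seen:
            raise Rejected(f"duplicate header {name!r}")
        seen[name.lower()] = value
    # The only header acted on is the length, and only to detect a desync between
    # declared and actual body size (the classic request-smuggling primitive).
    if seen.get(b"content-length") != str(len(body)).encode():
        raise Rejected("content-length does not match body")
    return body

def syntactic_check(body: bytes) -> dict:
    """Grammar-level check: strict UTF-8, one well-formed JSON object, no duplicate keys."""
    def no_duplicates(pairs):
        if len(pairs) != len({k for k, _ in pairs}):
            raise Rejected("duplicate JSON key")
        return dict(pairs)
    try:
        obj = json.loads(body.decode("utf-8", errors="strict"), object_pairs_hook=no_duplicates)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise Rejected(f"not well-formed: {exc}") from None
    if not isinstance(obj, dict):
        raise Rejected("top level is not an object")
    return obj

def semantic_check(obj: dict) -> dict:
    """Meaning-level check: exactly the allowed fields, types and values.
    Unexpected fields are rejected outright rather than silently stripped."""
    if set(obj) != set(SCHEMA):
        raise Rejected(f"field set {sorted(obj)} != {sorted(SCHEMA)}")
    for name, expected in SCHEMA.items():
        value = obj[name]
        if type(value) is not expected:   # type(), not isinstance(): bool subclasses int
            raise Rejected(f"{name}: expected {expected.__name__}")
        if expected is str and (len(value) > MAX_STRING or not value.isprintable()):
            raise Rejected(f"{name}: too long or not printable")
    if not 0 < obj["record_id"] < 2**31:
        raise Rejected("record_id out of range")
    if obj["classification"] not in ALLOWED_CLASSIFICATIONS:
        raise Rejected("classification not permitted over this link")
    return obj

def rewrap(obj: dict) -> bytes:
    """New transmission path: canonical re-serialisation, carried only by headers generated here."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("ascii")
    return b"Content-Type: application/json\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)

def import_frame(frame: bytes):
    """Run the whole import path; returns (accepted, high-side frame or rejection reason)."""
    try:
        return True, rewrap(semantic_check(syntactic_check(protocol_break(frame))))
    except Rejected as exc:
        return False, str(exc)

def make_frame(body: bytes, extra: bytes = b"", length: int = -1) -> bytes:
    """Build a constructed low-side frame; a non-negative `length` overrides the true size."""
    n = len(body) if length < 0 else length
    return b"Content-Type: application/json\r\n%sContent-Length: %d\r\n\r\n%s" % (extra, n, body)

RECORD = b'{"record_id": 42, "classification": "OFFICIAL", "summary": "Witness statement"}'
SAMPLES = {  # constructed inputs: one clean frame and six hostile ones
    "good": make_frame(RECORD, extra=b"X-Forwarded-For: 10.0.0.7\r\n"),
    "length desync": make_frame(RECORD, length=10),
    "header injection": make_frame(RECORD, extra=b"X-Evil: a\x00b\r\n"),
    "extra field": make_frame(b'{"record_id": 1, "classification": "OFFICIAL", "summary": "x", "command": "whoami"}'),
    "wrong type": make_frame(b'{"record_id": true, "classification": "OFFICIAL", "summary": "x"}'),
    "not permitted": make_frame(b'{"record_id": 1, "classification": "TOP SECRET", "summary": "x"}'),
    "truncated": make_frame(b'{"record_id": 1, "classification": "OFF'),
}
if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        ok, result = import_frame(frame)
        print(f"{name:17} {'ACCEPT' if ok else 'REJECT'}  {result!r}")
```

Run as a script, the clean frame is accepted with its X-Forwarded-For header gone and its body re-serialised in canonical form, while each hostile frame is rejected with the reason from whichever stage refused it first: the length desync and the NUL-bearing header never get past the protocol break, the truncated body fails the syntactic check, and the extra field, the boolean record_id and the disallowed classification fail the semantic check. Two design choices matter more than the format chosen here: nothing from the sender's headers is copied into the high-side frame, and unexpected content is rejected rather than stripped, so an attempt to smuggle something through is visible in the rejection log instead of being silently tidied away.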

Get in touch

Whether to request a demo or discuss your cybersecurity requirements, we look forward to hearing from you.