Cross-domain technology – what can we learn from the spooks?

Henry Harrison

I spent the first two days of this week at a specialist event – a conference that brought together some very smart people from government, industry and academia to talk about some of the latest developments in “cross-domain technology”.

Most IT professionals who don’t do any work with classified government systems will at this point be wondering: “what on earth is cross-domain technology?” And probably also: “why should I care?”

If you’re an IT professional who minds about security, you probably should care. Although cross-domain isn’t part of your life today, there’s a good chance it will be in the future.

Let me try and persuade you.

Pretty much the definition of a classified system is one where security is paramount. If an attacker gets access to a classified system, the results will be messy. As a result, classified IT systems are architected around extremely high levels of security. Unfortunately, the usual side-effect of that high security is that efficiency suffers. Cross-domain technologies are all about re-introducing efficiency into those high-security classified environments.

This is almost the reverse of the mainstream IT environment. Here, efficiency has historically been paramount. But the result has been that security has suffered. With a now increased threat level, mainstream commercial IT is busy trying to increase security. In principle, one way of doing that might be to adopt the sort of techniques used by classified IT systems. In practice however, the impact on efficiency usually makes this a non-starter.

With good cross-domain technologies, might perhaps those efficiency issues be addressable, bringing high-security classified techniques within reach of the commercial world? Could it be that one day, commercial IT and classified IT will look the same, combining high security with high efficiency?

On the basis of this week’s discussions, I can tell you that that day is still some way off. But there are already elements that are starting to find their way into the commercial world. That’s why understanding some of the basics about cross-domain ought to be of interest to every IT professional.

The classified IT environment

In principle, if security is paramount, all IT systems ought to be engineered to be super-secure.

In practice, high security engineering is difficult. Users of classified systems need innovative new applications and can’t afford to wait for decades for those to be delivered using high security engineering. As a result, classified IT environments often run standard-issue software that’s just as vulnerable as the software within mainstream IT environments.

So in order to meet the security requirements, classified IT environments turn instead to the use of isolation – starting from the principle of complete physical air-gapped isolation. And the really critical implication that makes classified IT fundamentally different from mainstream IT is this: completely different physical terminals (PCs, laptops, etc) need to be used to access different information and systems. You can’t use the same terminal to access information on different isolated networks, because this would break the whole isolation principle: the terminal could get compromised when accessing systems on network A and then the compromised terminal could allow the attacker to get access to systems on network B.

Isolation doesn’t provide perfect security, but it’s a pretty good starting point for security that’s vastly stronger than that found in mainstream IT. The problem is – as I said earlier – that the implications for efficiency are horrible. Users might need to have multiple different physical terminals on their desks to give them access to all the different systems they need to work with, and a lot of work needs to proceed using what’s often known as “swivel chair integration” – because the brain of the human user is the only place where information from different isolated networks can be brought together.

Cross-domain technology

The role of cross-domain technology is to break down some of those efficiency barriers by allowing connectivity between isolated networks, without destroying the strong security model that was introduced by the isolation.

In principle of course, that’s impossible – you can’t connect and disconnect things at the same time! In practice, however, cross-domain technology is a core part of the way high-security IT environments operate, and there are some exciting approaches that at least come close to doing the impossible.

The first challenge for cross-domain technology is to eliminate the need for multiple physical terminals. That means coming up with technologies that allow a terminal to access systems on another network in such a way that we can have a very, very high degree of confidence that the terminal cannot be compromised.

The second challenge for cross-domain technology is to minimise the need for swivel-chair integration. That means defining allowed flows of data from one network to another and putting technical controls in place to ensure that only permissible data can flow and that we can have a very, very high degree of confidence that the data flow cannot be used as a means of compromising the network that’s receiving it.

How does such technology get built? With great care… and while keeping in mind a number of principles:

  • Firstly, that while it’s not economically feasible to build all IT using high-security engineering techniques, it is appropriate to use these techniques for cross-domain solutions.
  • Secondly, that solution design should start from an assumption that nothing is permitted, and add permissions at the most granular level possible. Thus, where a traditional IT control might permit “UDP traffic on port 7789”, a cross-domain solution would define specific permitted business messages (for example, latitude-longitude pairs in a predefined format) and be precise about exactly what the format of each field in each message should be.
  • And finally, that before any solution is deployed it should be analysed with a deeply sceptical eye, asking what could possibly go wrong.
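To make the second principle concrete, here is an added example (not code from the article or from Garrison) of a message-level allow-list for the latitude-longitude flow described above. The wire format is an assumption: one ASCII line of the form `LAT,LON` in decimal degrees with exactly four decimal places, and anything that does not match that grammar is dropped rather than “cleaned up”.

```python
import re

# Assumed (constructed) business message format for a one-way position feed:
#   "<lat>,<lon>"  e.g. "51.5074,-0.1278"
# Latitude: integer part 0-90 without leading zeros, exactly 4 decimals.
# Longitude: integer part 0-180 without leading zeros, exactly 4 decimals.
# Only the exact boundary values 90.0000 / 180.0000 are allowed at the limits,
# so the grammar itself rejects out-of-range values such as 90.0001.
_LAT = r"-?(?:(?:[0-9]|[1-8][0-9])\.[0-9]{4}|90\.0000)"
_LON = r"-?(?:(?:[0-9]|[1-9][0-9]|1[0-7][0-9])\.[0-9]{4}|180\.0000)"
_MESSAGE = re.compile(rf"{_LAT},{_LON}")

# Longest legal message is "-90.0000,-180.0000" (18 bytes); cap before parsing
# so the regex engine never sees oversized input.
MAX_MESSAGE_BYTES = 18


def validate(raw: bytes):
    """Return (lat, lon) if raw is a permitted message, otherwise None.

    Fail closed: every check that is not passed explicitly results in None.
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        return None
    try:
        text = raw.decode("ascii")          # non-ASCII bytes are not permitted
    except UnicodeDecodeError:
        return None
    # fullmatch (not search/match) so nothing may precede or follow the message,
    # including a trailing newline, which "$" would silently tolerate.
    if _MESSAGE.fullmatch(text) is None:
        return None
    lat_text, lon_text = text.split(",")
    lat, lon = float(lat_text), float(lon_text)
    # Independent range check, kept even though the grammar already enforces
    # it: the "deeply sceptical" principle argues for not trusting one control.
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return lat, lon


def filter_flow(messages):
    """Pass only permitted messages; report how many were dropped."""
    permitted, dropped = [], 0
    for raw in messages:
        parsed = validate(raw)
        if parsed is None:
            dropped += 1
        else:
            permitted.append(parsed)
    return permitted, dropped
```

Contrast this with a port-based rule: the port rule would pass every one of the rejected inputs below unchanged.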

Cross-domain technology in the commercial world

In practice, there’s already a lot of the commercial IT environment that looks like cross-domain technology – even a firewall is, at heart, a basic cross-domain solution. In some cases, bringing higher security to the commercial world is just about revisiting some of these implementations using “cross-domain” principles.

Where the really big difference lies is in the use of multiple terminals. In the commercial world, the use of different terminals for accessing different systems is almost unheard of. It is above all here that both sides are changing.

In the classified IT world, high-security solutions (often known as “browse-down”) are emerging that enable users to have a single terminal that can be used to access systems across a range of different networks. Meanwhile, in the commercial world, some organisations are starting to identify systems (typically web-based services) which are sufficiently risky that they really should not be accessed using terminals that also have access to sensitive data and systems. Here, high-security solutions (often known as “remote browsing”) then provide users with the ability to access those riskier systems without the need for a physically separate terminal.

That’s where Garrison comes in. We sell our technology both as “browse-down” in the classified IT world, and as “remote browsing” in the commercial world. It’s the same solution, just approached from a different direction: in one case, we’re helping customers to add efficiency. In the other, we’re helping customers to add security.

It’ll be interesting to see in 10 years’ time how much convergence there will have been. Will “remote browsing” remain primarily as a technology for providing access to risky web sites, or will commercial IT environments have added additional layers of isolation so that users will be relying on “browse-down” approaches for a much wider range of activities?