Cross-domain Solutions: The Present and Future of a Growing Industry

Cross-domain solutions (CDS) provide for the secure exchange of information between security domains. This type of solution, which emerged as a technological answer to the need to share data between segregated or classified networks, has seen a sharp rise in demand due to its growing application in military command and control systems and critical infrastructure protection. The rise in digitalization has made modern societies highly dependent on the availability of digital infrastructure in strategic sectors, and there is a movement towards taking the protection mechanisms offered by this type of solution and applying them in these areas.

The organization of a nation’s or agency’s confidential or sensitive information into tiers to control access to it is called an “information classification system.” Originally, confidential information was handled on paper and access was managed through physical and procedural controls. When computer networks emerged, the same criteria were followed. Information exchanges with these networks were carried out through human intervention, with some physical media and following strict procedures. With the increase in the volume of information and the number of formats, this approach was no longer operational, leading to the need to automate this process. Of course, this automation must not compromise the security properties of the networks between which the information is transferred.

To understand cross-domain solutions, as well as their evolution and the challenges of these information exchange systems, we must understand certain key concepts, such as security domains, interconnections, and asymmetry.

In classified information environments, networks that handle information of a certain classification level and are managed by a certain operational authority are known as security domains. There may be different security domains with the same classification level that cannot be directly connected because they are managed by different operational authorities. In military environments, this is common in mission networks and in the networks of multinational organizations. In both cases, they cannot be directly connected to the national networks, even if they are of the same or equivalent classification level. The concept of security domains can also be applied to networks that are kept isolated for convenience even if they don’t handle classified information and there are no formal obligations.

Interconnection is the set of information exchanges between two security domains. When two security domains need to exchange information, the interconnection must be analyzed against general criteria covering the risks and threats that it may pose to the information assets of both domains.

The criteria applied by each nation are not fully transparent and are, in general, themselves classified matters. There are NATO reference standards that establish general criteria and principles. However, they cover a wide range of scenarios, since many factors are involved, such as the difference in levels between the domains to be connected, operational needs, risks, etc.

In a broad sense, a cross-domain solution is not a single device or system, but rather a set of measures (hardware, software, organizational, etc.) that are deployed for a given interconnection. Strictly speaking, the term “cross-domain solution” is commonly used to refer to the core component of the interconnection that includes the physical medium of information exchange.

An important feature to take into account in cross-domain solutions is asymmetry: the greatest risk is the unauthorized outflow of information from the top-ranked domain. In typical classified information scenarios, where protecting confidentiality is the priority, outbound or downstream flows will be more restricted (and sometimes not allowed at all).

Current cross-domain solutions

A cross-domain solution must ensure that the flows through it are as intended and that there are no other parallel flows. It must fully control all flows between the two domains. Though there are varying approaches, all of them provide specific support for the permitted flows, rather like adding an ad hoc bridge for each of the supported data flows. This approach is radically different from that of a firewall, where only filtering is applied to decide whether a flow passes or not, but the flow is transferred as is.

There are a number of general criteria that apply to all current cross-domain solutions:

  • Inter-domain flows must be defined and documented.
  • Separation of inflows and outflows as much as possible.
  • Complete breakage of the protocol stack.
  • Prevent interactive communication between domains.
  • Strict filtering of all exchanged data.
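The criteria above, shown as a minimal software guard. This is an added example, not code from the article or from any CDS product; the flow name, domain names, field rules and the JSON format are all assumptions made for illustration.

```python
import json
import re

# Documented flows (constructed for this example): flow id -> the one permitted
# direction and the exact set of fields, each with a strict validator.
FLOWS = {
    "sensor-status": {
        "direction": ("ics", "corporate"),
        "fields": {
            "sensor_id": lambda v: isinstance(v, str)
            and re.fullmatch(r"[A-Z]{2}-[0-9]{4}", v) is not None,
            "temp_c": lambda v: type(v) in (int, float) and -50 <= v <= 150,
            "state": lambda v: v in ("OK", "WARN", "FAIL"),
        },
    },
}


def transfer(src, dst, flow_id, raw):
    """Return freshly built bytes for dst, or None if the transfer is refused.

    No reason is reported back, so the guard offers the sender no
    interactive channel into the other domain.
    """
    flow = FLOWS.get(flow_id)
    if flow is None or flow["direction"] != (src, dst):
        return None  # undocumented flow, or documented flow in the wrong direction
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None  # not well-formed input
    if not isinstance(msg, dict) or set(msg) != set(flow["fields"]):
        return None  # missing or extra fields are refused, not ignored
    clean = {}
    for name, is_valid in flow["fields"].items():
        if not is_valid(msg[name]):
            return None
        clean[name] = msg[name]
    # Protocol break: the received bytes are discarded and the output is
    # rebuilt from validated values only, in one canonical encoding.
    return json.dumps(clean, sort_keys=True, separators=(",", ":")).encode("ascii")
```

Unlike a firewall rule, nothing the sender wrote is forwarded byte for byte: whitespace, key order and any unexpected field never reach the destination domain.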

Based on the security properties of the assets to be protected, the following application scenarios for cross-domain solutions can be identified:

  • Classic scenarios of classified networks: the main goal is to protect the confidentiality of data in the highest security domain. The most drastic approach is to completely limit the information output, for example, by using data diodes. In scenarios where this is not possible or necessary, greater restrictions will be applied to outflows than to inflows.
  • Critical infrastructure scenarios: In these cases, the industrial control network is kept isolated to ensure its integrity and availability. However, data must be sent out of the network for management and operational monitoring. This case is traditionally solved through data diodes placed in such a way so as to allow flow out from the isolated network, but not the other way around.
  • “Corporate” scenarios: This use case consists of keeping certain critical assets of an organization in an isolated network either for confidentiality or for availability or integrity. It involves taking segmentation one step further. The same solutions applied in the other scenarios can be applied here as well, adapting them appropriately to the particular case at hand.

Future prospects

As systems become more complex, cross-domain solutions must continue to adapt to meet new challenges. In this regard, there are several trends that will shape the future of CDS in the medium and long term. The first is integration with multi-cloud architectures and distributed environments, where CDS is evolving to ensure secure interoperability between multiple clouds and dispersed networks, thus allowing companies and organizations to operate in complex environments while ensuring that data flows securely.

Second, it is important to highlight the need to ensure security in critical infrastructure and Internet of Things (IoT) environments, where cross-domain systems are crucial, as they must be able to manage large volumes of data in real time, ensuring that only authorized information crosses domains. Third, with the advent of quantum computing, CDS will have to adapt to new threats linked to cryptography. Future solutions will incorporate post-quantum cryptography, which offers new ways to protect the security properties needed in many parts of cross-domain solutions from the challenges posed by quantum computing.

The market for cross-domain solutions

There is a large cross-domain market in Europe due to the presence of multiple government organizations, military alliances such as NATO, and the need for interoperability between members of the European Union. CDS is crucial for defense, cybersecurity, and regulatory compliance in sectors such as critical infrastructure and financial services.

The European CDS market size is estimated to be growing at an annual rate of 10-12% until 2030. The CDS market is in a phase of accelerated growth at the European and global levels, driven by increasing digitalization, the need to protect classified and critical information, and regulatory compliance in strategic sectors. Defense cybersecurity, critical infrastructure, and the use of multi-cloud architecture will be the main drivers of this market in the coming years.

About the Author

Manuel Pérez Cortés has been an Aeronautical Engineer since 1982 and Doctor of Aeronautical Engineering since 1985 from the Polytechnic University of Madrid. He completed his training with an Executive Development Program at IESE. He has been a Full Professor at the Technical College of Aeronautical Engineers at the Polytechnic University of Madrid since 1987. He is also the Director of the Spanish School of Flight Testing and Airworthiness at UPM (E4A).

His career has been tied simultaneously to the University, where he has taught since he completed his degree, and GMV, where he has worked since its creation in 1984. At GMV, he has worked in different fields, especially in the development of applications for the aerospace and defense and security sectors, both in satellite navigation systems and in training simulators, research, and engineering of different types of vehicles: command and control systems and, in general, information system integration. He has held a number of positions at GMV, and he is currently the Defense and Security General Manager.
