Information sharing across security domains
About the publication
Report number: 2015/00456
ISBN: 9788246425597
Format: PDF document
Size: 998.8 KB
Language: English
Security is recognized as one of the main technological challenges in realizing the potential of
Network Based Defence. In particular, cross-domain information sharing is subject to significant
security concerns, especially when there is a larger security span between the domains.
This report considers alternative approaches to enable sharing of information between security
domains, with a focus on providing the necessary assurance in the information flow control. This
includes transfer mechanisms such as one-way diodes, manual review, security filters, and
guards, as well as access solutions providing users access to multiple security domains.
Guards using security labels as part of the basis for their release decisions are found to provide
the most general solution for two-way automatic information transfer between domains. The
correctness of the security labels is then critical for secure information flow control. While
cryptographic mechanisms can be used to ensure the authenticity of the labels, a more
fundamental problem is how to ensure that the security labels are correct in the first place. The
report considers different approaches to provide sufficient confidence in the correctness of
security labels, using content and origin as the two bases for establishing the security properties
(e.g., confidentiality classification) of a data object. Several mitigations are also identified to
further enhance security in cross-domain transfer scenarios.
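The release decision a label-based guard makes, as an added illustration that is not part of the report: the guard verifies that the label is authentic and bound to the object before comparing the classification against the destination domain's ceiling. The confidentiality levels, the per-domain ceilings, and the use of a shared-key MAC (standing in for whatever cryptographic label-protection mechanism a real deployment would use) are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Assumed confidentiality lattice and per-domain ceilings (constructed for this
# example; the report does not fix a particular set of levels).
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}
DOMAIN_MAX = {"Low": "UNCLASSIFIED", "High": "SECRET"}
# Assumption: the labelling authority and the guard share this MAC key.
LABEL_KEY = b"constructed-demo-key"


def label_tag(label, content, key=LABEL_KEY):
    """MAC over the canonical label and a hash of the content, so the label is
    bound to exactly this object and cannot be moved onto other content."""
    msg = json.dumps(label, sort_keys=True).encode() + b"\n" + hashlib.sha256(content).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()


def label_object(content, classification, key=LABEL_KEY):
    """What the labelling authority produces: content plus an authenticated label."""
    label = {"classification": classification}
    return {"content": content, "label": label, "tag": label_tag(label, content, key)}


def release_decision(obj, src, dst, key=LABEL_KEY):
    """Guard decision for moving obj from domain src to domain dst.
    Returns (allowed, reason)."""
    # Flow toward a domain with an equal or higher ceiling (e.g. Low -> High) is the
    # one-way-diode case: confidentiality is not at risk, so no label is required.
    if LEVELS[DOMAIN_MAX[src]] <= LEVELS[DOMAIN_MAX[dst]]:
        return True, "upward flow"
    label = obj.get("label")
    if label is None:
        return False, "unlabelled object"
    # Authenticity first: a label that fails the check is never trusted, whatever it says.
    expected = label_tag(label, obj["content"], key)
    if not hmac.compare_digest(expected, obj.get("tag", b"")):
        return False, "label authenticity check failed"
    level = LEVELS.get(label.get("classification"))
    if level is None:
        return False, "unknown classification"
    # Release only if the object's classification is dominated by the destination ceiling.
    if level > LEVELS[DOMAIN_MAX[dst]]:
        return False, "classification exceeds destination domain"
    return True, "released"
```

Note that the authenticity check rejects both a relabelled object and a valid label transplanted onto different content, which is the failure the report's concern about label correctness points at; whether the original label was assigned correctly in the first place is outside what the guard can verify.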
The specific information exchange requirements of a given scenario, as well as the operational
environment, provide the basis for choosing among the different cross-domain solutions
presented. Domain isolation should still be the default unless information exchange requirements
justify a cross-domain interconnection. Where a one-way information flow from Low to High is
sufficient, a one-way diode is preferable. Where two-way transfer of information objects between
security domains is required, a label-based guard should generally be used, although the use of a
simpler security filter may be justified in lower-risk scenarios. Provided that security labels can be
trusted to be correct, a label-based guard can provide significantly better protection than a simpler
security filter against data exfiltration attempted by a human insider or by targeted malware present
on the High side. However, in many scenarios, it can be a significant challenge to
assure the trustworthiness of security labels. Access solutions, providing access to multiple
security domains from a single machine, have the advantage of limiting actual information
transfer between security domains and do not require labelling of information. However, a
centralized approach seems to be required in the case of many users.
The report also contains two appendices. Appendix A provides a survey of existing solutions and
literature with regard to guards, security filters, and security labelling. While many solutions are
available providing a wide range of functionality, most solutions are found to be based on
operating systems providing limited assurance (evaluated at EAL4), indicating that they are not
certifiable at higher assurance levels. Appendix B provides an overview of concepts,
technologies, and products that can potentially be used in order to build cross-domain solutions,
including a survey of high assurance operating systems, hardware security mechanisms available
on commodity platforms, and Attribute Based Access Control.