
Cross-Domain Information Exchange

Information Sharing Across the Web

The Problem

Government organizations have traditionally employed Cross Domain Solutions (CDSs) to enforce security policy between information systems residing at different classification levels. These Cross Domain Solutions have been certified and accredited both to protect the more sensitive domain from attack and to prevent sensitive information from leaking across classification boundaries. However, with XML becoming the de facto language of information exchange, governments have begun looking at XML and Service Oriented Architecture (SOA) technologies and products, such as Web services and Enterprise Service Buses (ESBs). Unfortunately, the current generation of XML-based cross-domain solutions does not fully support Web services standards. To let service-oriented business processes span security domains and organizational boundaries, a new kind of technology is therefore required: one that can protect, connect and validate transactions across those boundaries.


Why This is Hard

In the private sector, when secure cross-boundary information sharing is required, organizations rely on firewall-type devices and a defense-in-depth network architecture to meet their requirements. In government, where classification domains are prevalent, the problem is further complicated by the need for high-assurance guards, processes, policies, and governance bodies such as the Unified Cross Domain Management Office (UCDMO).


The Layer 7 Solution

The availability of COTS XML firewall products provides an opportunity to improve existing ASCII-based high-assurance CDSs by offloading the processing of SOA approaches and technologies, such as Web services (UDDI, SOAP, and WSDL), REST, AJAX, and Web 2.0, to a purpose-built device. In addition, the standards-based capabilities of XML firewall products substantially improve the standards compliance of CDSs. An integrated CDS/XML firewall solution is capable of processing SOAP, WSDL, WS-Security, XML Encryption, XML Digital Signature, and Security Assertion Markup Language (SAML).

The ultimate goal for the CDS community is the single-box vision of an XML-aware Cross Domain Solution (XCDS). Because of the cost and complexity involved in building a standards-compliant XCDS, no vendor currently offers one as an off-the-shelf product. Compared with existing CDSs, XML firewalls, with their SOA, Web services, and Web 2.0 integration and content-processing capabilities, may offer the best starting point from which to reach the XCDS cost-effectively. In the meantime, a hybrid approach that combines the high assurance of a CDS with the XML capabilities of an XML firewall remains the best option.
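To make the hybrid arrangement concrete, the following is an added example, written for this page and not Layer 7's or any vendor's code, of the kind of content policy an XML firewall would enforce on SOAP traffic before a message is handed to the high-assurance guard. It fails closed on any DOCTYPE (which blocks external-entity and entity-expansion attacks), bounds message size and nesting depth, requires a SOAP 1.1 envelope carrying a WS-Security header with an XML Signature element, and allows only an explicit list of body operations to cross the boundary. The operation name, size and depth limits, and the sample messages are all constructed assumptions; the check confirms only that a Signature element is present, and leaves cryptographic verification of the signature to a separate WS-Security processing step that this example does not implement.

```python
"""Pre-filter for SOAP messages in front of a high-assurance guard.

Added example, not Layer 7 code.  Policy constants and sample messages
below are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Assumed policy: only these (namespace-qualified) operations may cross.
ALLOWED_OPERATIONS = {"{urn:example:cross-domain}GetReport"}
MAX_BYTES = 64 * 1024   # assumed size ceiling
MAX_DEPTH = 16          # assumed nesting ceiling


class PolicyViolation(Exception):
    """Raised when a message fails the boundary policy."""


def _reject_doctype(data: bytes) -> None:
    """Fail closed on any DOCTYPE: stops XXE and entity-expansion payloads
    before the document is ever expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(*_):
        raise PolicyViolation("DOCTYPE declarations are not permitted")

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise PolicyViolation(f"not well-formed XML: {exc}") from exc


def _depth(elem, level=1):
    """Maximum element nesting depth of the parsed tree."""
    return max([level] + [_depth(child, level + 1) for child in elem])


def inspect_soap(data: bytes) -> str:
    """Apply the policy; return the permitted operation's qualified name."""
    if len(data) > MAX_BYTES:
        raise PolicyViolation("message exceeds size limit")
    _reject_doctype(data)
    root = ET.fromstring(data)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise PolicyViolation("not a SOAP 1.1 envelope")
    if _depth(root) > MAX_DEPTH:
        raise PolicyViolation("element nesting too deep")
    header = root.find(f"{{{SOAP_NS}}}Header")
    security = header.find(f"{{{WSSE_NS}}}Security") if header is not None else None
    # Structural presence only; signature verification is a separate step.
    if security is None or security.find(f"{{{DSIG_NS}}}Signature") is None:
        raise PolicyViolation("missing WS-Security header with XML Signature")
    body = root.find(f"{{{SOAP_NS}}}Body")
    operations = list(body) if body is not None else []
    if len(operations) != 1 or operations[0].tag not in ALLOWED_OPERATIONS:
        raise PolicyViolation("body operation not on the allow list")
    return operations[0].tag


def decide(data: bytes):
    """Return (allowed, reason) so the decision can be logged at the boundary."""
    try:
        return True, inspect_soap(data)
    except PolicyViolation as exc:
        return False, str(exc)


# Constructed sample messages (not captured traffic).
_NS_DECL = (f'xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}" xmlns:ds="{DSIG_NS}"')
GOOD = f"""<?xml version="1.0"?>
<soap:Envelope {_NS_DECL}>
  <soap:Header><wsse:Security><ds:Signature/></wsse:Security></soap:Header>
  <soap:Body><r:GetReport xmlns:r="urn:example:cross-domain"><r:Id>42</r:Id></r:GetReport></soap:Body>
</soap:Envelope>""".encode()
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY leak SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>&leak;</soap:Body></soap:Envelope>"""
UNSIGNED = f"""<soap:Envelope {_NS_DECL}>
  <soap:Body><r:GetReport xmlns:r="urn:example:cross-domain"/></soap:Body>
</soap:Envelope>""".encode()
UNKNOWN_OP = f"""<soap:Envelope {_NS_DECL}>
  <soap:Header><wsse:Security><ds:Signature/></wsse:Security></soap:Header>
  <soap:Body><r:DeleteReport xmlns:r="urn:example:cross-domain"/></soap:Body>
</soap:Envelope>""".encode()

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("xxe", XXE),
                      ("unsigned", UNSIGNED), ("unknown-op", UNKNOWN_OP)):
        print(name, decide(msg))
```

The DOCTYPE check runs on the raw bytes with a bare expat parser before the tree parser sees the document, because a policy that inspects the parsed tree is already too late for entity-expansion attacks. In the hybrid design the guard on the far side keeps its own accreditation scope; this filter narrows what it has to accept to one well-formed, signed, allow-listed operation.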