Can Cross Domain Solutions be Virtualised?

The June issue of Military Information Technology discusses virtualisation of cross domain solutions.

The article discusses the on going migration to virtualised and cloud environments within military and intelligence agencies. Two questions posed in the article are how you provide cross domain solutions to these newer environments and can cross domain solutions be delivered in a virtualised fashion?
I am quoted as saying:

“At least at first, the next generation [virtualised / cloud based] of cross domain solutions will likely find greatest acceptance at lower classification levels.  As you go to the higher end you won’t see much change in how cross domain solutions are implemented. At the higher levels of classification, there is a reluctance to accept the risks associated with going to cloud solutions.”

This view is supported by the Nexor white paper The Role of Virtualisation in Cross-Domain Solutions from 2012.

Has the world changed since 2012? Do you think we are ready for new models of cross domain components?


2 thoughts on “Can Cross Domain Solutions be Virtualised?

  1. Mmm; simple answer is “technically yes, but you’ll probably land in a whole world of accreditation pain”.

    Personally, discussions I’ve had in the past with accreditors pretty much conclude with “and the cross-domain bit has to sit on bare metal”. However, that’s going back a little way, and these days it would be interesting to ask the question as to whether a cross-domain platform could sit atop a hypervisor with high EAL against SKPP, such as Green Hills INTEGRITY, without being considered “beyond the accreditability pale”.

    When you get to Cloud, of course, I don’t know of any implementations using INTEGRITY as their hypervisor. However, another approach could be to use so-called Metal as a Service (such as via the OpenStack Irony add-on); there are x86 assembler tricks which can be used to determine from a running OS whether it’s virtualised or not, so some provability for assurance that you’re running on bare metal is feasible. Provided all the domains in your cross-domain solution share a common Impact Level which the Cloud provider is approved for, I’d say the case can be argued with an accreditor for putting a cross-domain environment on a Metal as a Service provisioned box – provided, of course, that the cross-domain solution doesn’t need special hardware (I’m thinking diodes, here).

    Naturally, I’d be interested to hear about the outcome of any discussions suggesting this angle :-).


  2. …and you’d also need some further conditions around accreditability to be favourable, for this to be a workable approach. The one which springs to mind first, is whether or not it’s acceptable to the accreditor to have different domains segregated purely by VLAN, crypto and Diffserv, over the same piece of network cable to your Cloud-hosted box. If it isn’t, you’re far less likely to be able to get something approved in a Cloud environment – and this is why spanning multiple Impact Levels is almost certainly going to be off the menu. YMMV when it comes to the domains involved, too; an accreditor may well not be happy about a design involving a UK EYES domain and a multinational domain pushing traffic over the same cable, for example.

    Another effect of Metal as a Service, is that you’re very likely to get your own dedicated disks, living inside your newly-dedicated server – provided you don’t go with a Cloud provider who puts everything on a SAN. Getting away from the issues of multi-tenancy on spindles (such as the inability to Blancco them when the box gets retired) will help your accreditability cause. Of course, keeping anything other than the bare minimum on these disks needed for your box to operate, would be a Bad Idea.

    So, to answer Colin’s tweet following up my comment above:

    @labeledsecurity Thanks for the comment. Maybe possible, but certainly not routine. Accreditable? Commercially viable?

    I’d say “Possible, yes; modulo the environment and its accreditor. Routine; I agree, definitely not today, but possibly in the future, for some domain combinations. Accreditable; in the manner of Hamlet, ‘that is the question’. Commercially viable; if the accreditor is happy subject to the conditions above, almost certainly.”


Comments are closed.