The secure transfer of data across trust boundaries is vital for government agencies. Cross Domain Solutions (CDS) enable the exchange of information between isolated and external networks, but traditional detection-based antivirus and sandbox solutions fall short of protecting departments against new and existing file-based threats. What’s more, the air-gapped nature of secure networks also makes it difficult to keep antivirus solutions updated, representing an additional security risk.
To address this challenge, there is a growing range of compliance and regulatory requirements implemented by government authorities around the world. For example, the National Cross Domain Strategy & Management Office(NCDSMO), that is part of the NSA, is the focal point for U.S. Government cross-domain capabilities and mission needs. Its ‘Raise the Bar’ strategy is designed to improve “cross domain solution security and capabilities from a design, development, assessment, implementation, and use perspective.”
As the Raise the Bar strategy points out, CDR has become the most used technique in CDS today to process complex document formats. In discussing its efficacy, the NCDSMO states that “CDR has been shown in both government (e.g., NSA and DHS CISA) and commercial testing to be highly effective at stopping malicious attacks, malware C2, malware augmentation, and malware initiated exfiltration.”
Glasswall CDR adds functionality to CDS, such as secure document, image, and media file transfer, data loss prevention, and transformation of complex data types into simple/verifiable ones for syntactic verification. Unlike detection-based solutions, Glasswall CDR is not dependent on antivirus databases to provide knowledge of new threats, making it perfect for air-gapped secure networks where regular patching and updating are difficult.
In the UK, the National Cyber Security Centre (NCSC) pattern for safely importing data provides guidelines to improve the security of cross-network data transfers. Glasswall CDR builds on this, offering an effective alternative to traditional detection-based solutions. Its zero-trust file protection treats all files as untrusted, validating, rebuilding, and cleaning each file to a safe and compliant standard, automatically removing potential threats.
The NCSC pattern for safely importing data recommends transforming complex file formats into simple/verifiable ones and preventing the running of active code on the destination system. Glasswall enables compliance with these guidelines by delivering hardware-based syntactic and semantic verification, while also removing active content from files.
With Glasswall, only safe, clean and fully verified files cross trust boundaries, securing departmental networks from file-based threats. There is no longer the need to accept the risk of data wrapping techniques and the shortcomings of traditional AV when importing files to secure networks. Complex file types can be securely transformed into simple/verifiable types, enabling hardware-based syntactic and semantic verification. Glasswall CDR also removes active content from files so they are transferred in compliance with the NCSC pattern for safely importing data.
Glasswall CDR case study: HM Government
A large UK government agency had terabytes of important data on an isolated network which could have contained malicious content. They required urgent access to this data, but the only option available to secure it was to ’sheep dip’ the data – use antivirus and analysis tools to test each file for malware on a separate computer. Understanding that antivirus detection only offers limited protection and not having the time or resources to analyze every file manually, they required a solution that didn’t rely on legacy detection-based methodologies.
A deployment of Glasswall CDR enabled the cleaning and transfer of files from the untrusted to the secure network. Glasswall was able to move fast, working seamlessly with the government agency. Terabytes of secure data were imported into the new environment within days, and the government agency had complete confidence that there was no malicious content in the data due to its zero-trust file protection capabilities.