The threat landscape facing organizations and government departments is ever-growing. President Biden’s Executive Order on Improving the Nation’s Cybersecurity gave the NSA’s National Cross Domain Strategy and Management Office (NCDSMO) greater authority to stipulate the criteria CDS vendors must meet.
The NCDSMO created Raise the Bar (RTB) – an initiative designed to protect vulnerable systems from persistent threats and improve the cybersecurity of all cross-domain solutions. It introduced a number of stringent security standards that vendors must adhere to when shipping software into government networks.
For instance, any CDS vendors selling to the US government must now pass Lab-Based Security Assessments (LBSA). These are costly and time-consuming and are designed to ensure only those organizations that match the strict security standards set by RTB can ship a CDS into a government environment. This presents a number of challenges to CDS vendors including:
1 – There is a lack of LBSA-approved content filter providers that can easily and effectively work in tandem with a CDS:
Solution: Our zero-trust CDR file protection technology is tried and tested within the guidelines set by Raise the Bar. Glasswall CDR is already integrated within existing CDS platforms that have passed LBSA testing and have been successfully deployed within US Government networks. Any CDS vendors that utilize our technology as a content filter give their solution the best chance of acceptance within these highly classified networks.
2 – Wait times for LBSA testing can take as long as nine months – with testing taking up to an additional six months to complete:
Solution: While LBSA testing is a costly and time-consuming necessity for CDS vendors shipping into US Government networks, vendors can help streamline the process by ensuring the content filters they choose are already approved for use. Because our CDR technology has already been approved for use with Cross Domain Solutions operating within US Government networks, CDS vendors can rest assured they have at least one provider that will pass the rigorous testing of the NCDSMO.
3 – Raise the Bar requires CDS vendors to comply with challenging regulations:
Solution: The architectural standards set are designed to be challenging, as this pushes CDS vendors to develop their software to the best possible known-good standard. However, our CDR file protection capabilities can be easily embedded anywhere a file is in motion or at rest, providing CDS vendors with ultimate deployment flexibility for Glasswall CDR as a content filter within their architecture.
4 – Replacing legacy systems can be expensive and time consuming
Solution: Glasswall CDR is a fast-to-deploy and easy-to-manage security filter for CDS. Our intuitive APIs minimize financial and time-based costs when integrating it as a new filter. Our technology’s zero-trust approach to file protection also ensures that any security gaps left from the removal of legacy systems are plugged.
5 – Vendors are required to adapt to continually evolving security standards
Solution: Glasswall CDR already provides CDS vendors in the US Government space with a content filter capable of processing files at lightning-fast speeds, and our Kubernetes-based architecture can scale infinitely to meet the varied demands placed upon it.
Our flexible deployment options enable solutions to be agile and adaptable to any future changes to architectural requirements.
Glasswall is the market leader for Content Disarm and Reconstruction. Our CDR technology utilizes Kubernetes architecture to provide an infinitely scalable platform that helps organizations to comply with initiatives such as the NCSC’s Pattern for Safely Importing Data, the NSA’s Raise the Bar Initiative and the NIST Risk Management framework by the US Department of Commerce.
With 5 workload nodes in a Kubernetes cluster, our CDR technology produces unrivalled throughput performance:
- File throughput per hour – 186,000
- File throughput per day – 4,464,000
- MBs processed per hour – 116,522 MB
- MBs processed per day – 2,796,539 MB
- Median file processing speed – 815ms
- API success rate – 99.999%
Disclaimer: Cluster configuration assumes specific memory and compute allocations for containers. Production performance will ways depend on size and complexities of real-world files. Configurations can be optimised to favour throughput or file processing speeds. 20 business files ranging from 17 MB to 0.05 MB in size. File types include: PowerPoint, Video, Excel, Word, Image, PDF, Audio. Mean file size = 3.74 MB. Median file size = 0.64 MB. 5 Engines per node. 8 virtual cores. 28 GB Memory. Request concurrency to availability of resource is 1:1.
Glasswall CDR provides vendors with a way to safely and easily transform complex data formats:
The Glasswall CDR Engine can be embedded within a CDS to transform complex data formats (documents, images, media, and binary files) into more simple/verifiable ones (SISL/XML) and reconstitute them. This capability exposes a file’s internal structure, enabling third parties to carry out hardware/software syntactic and semantic verification. Here’s how it is done:
Complex data formats are broken down into their constituent components and converted into document object models (DOMs) presented as SISL/XML files
The simple format can then be verified and transferred across trust boundaries by hardware devices such as a syntactic verification diode or similar control .
The verified simple file format can then be recomposed into the original complex data format
Our CDR technology also provides security teams with additional capabilities that supercharge their CDS deployments with advanced file processing:
- Secure document, image and media file transfer
Glasswall CDR ensures the confidentiality and integrity of files being transferred between security domains is maintained. This removes the risk of sensitive information exposure or tampering during transfer.
- Image conversion to alternative formats such as bitmap
Alternative image formats, such as bitmap, provide a simpler and stronger way to carry out hardware validation for a file., helping to confirm with more certainty the structural integrity of an image-based file.
- Managed binary and CI/ CD pipeline transfer
Cross-domain solutions often involve the transfer of code, binaries, and continuous integration/continuous deployment (CI/CD) pipelines between different security domains. Glasswall CDR provides users with a secure mechanism to move these components while maintaining version control, traceability, and data integrity. Without these capabilities these capabilities errors in transfer could lead to code discrepancies, security vulnerabilities, and deployment failures.
- True file type identification
Accurate identification of file types is essential for maintaining the security of a cross-domain transfer. Glasswall presents the true nature of the files being transferred to the user - preventing malicious actors from disguising harmful content as benign files. Proper file type identification ensures that security protocols and processing mechanisms can be correctly applied to each file.
- Data loss prevention via methods such as word search and redaction
Often, there's a need to redact or filter sensitive information from documents and files.. Glasswall CDR gives users the tools needed to search for specific keywords or patterns within documents and then redact or prevent the transfer of such sensitive content. This prevents inadvertent leaks of classified information and ensures compliance with security policies.
Real world application:
Glasswall facilitates the cross-domain transfer of files at the petabyte scale
Glasswall CDR has been implemented across a wide variety of file-based cybersecurity use cases, including the challenges organizations face with the cross domain transfer of files – especially when this is at huge scale.
In the case of one leading technology company, they held a large quantity of data on-premises that they needed to transfer cross-domain to a classified cloud environment.
A major challenge, however, was removing malware from a gigantic set of files prior to migration – an issue that presented their security team with a challenge. Their existing sandbox deployments were far too expensive and time-consuming to be effective, while their antivirus and deep learning solutions relied on detection – meaning that they could only protect against what they had seen before. In addition, they knew these solutions would produce false negatives, which would put the organization's classified environment at risk from a data breach.
The security team also required a solution that could be flexible – they planned to work in bursts, creating large quantities of data without a regular pattern. To meet these needs, and as there were no suitable out-the-box solutions, they turned to Glasswall.
Glasswall developed a bespoke Content Disarm and Reconstruction (CDR) solution that utilized Azure elastic compute resources at scale to deliver a zero-trust cross-domain pre-processing capability. The solution was designed to enable the processing of files via Glasswall’s patented 4-step CDR process.
Intuitive API endpoints helped the security team to devise the most effective integration approach to meet their needs – enabling the organization to process gigantic amounts of data at lightning speed.
Glasswall worked with the technology company to successfully embed the solution within their Cross Domain framework – enabling our CDR technology to quickly process large quantities of files – securing them against any malicious content present prior to migration.
The folder receiving the sanitized files was designed to automatically mirror any changes made to the source data container – ensuring the folder and file hierarchy were reflected correctly. Data paths were also retained to support a ‘chain of custody’ approach to data and risk management.
The project's success acted as a catalyst for the further development of the solution and the Subsequent launch of Glasswall Constellations – a world-leading zero-trust CDR file import solution capable of producing gigantic throughput at lightning speed:
Disclaimer: Three Kubernetes node pools are recommended to achieve this illustration of throughput as part of an auto-scaling setup. A peak of 1,900 compute cores distributed across the node pools support this gigantic level of throughput.