Blockchain as a cross-domain security solution

By design, a blockchain business network securely shares information between different organizations by distributing ledger transactions to peer nodes located throughout the business network, including nodes physically located within a competing organization’s security environment and domain. The same blockchain security design features that enable these secure cross-organizational information transfers are also ideally suited to ensuring the safe, efficient and cost-effective transfer of information across different government and military network security domains — for example between classified and unclassified military networks.

The big idea

The security controls and assured sharing inherent to The Linux Foundation’s Hyperledger Fabric, hosted on high-assurance off-the-shelf hardware infrastructure, can provide secure, timely and consistent end-to-end sharing of information within and across disparate security domains. A blockchain-based cross-domain solution is likely to be less complex, more effective and less expensive than traditional, special-purpose cross-domain guards when mitigating the high-stakes security risks of cross-domain information transfer.

The security challenge

Public, private, government and military organizations classify, label and protect information commensurate with the security risk it poses if disclosed without authorization. For example, unclassified information poses no risk if disclosed, while inadvertent disclosure of top secret information could be expected to cause exceptionally grave damage. The most rudimentary form of protection is segregating information of different security levels on completely separate IT infrastructures and communication networks. These separate networks, however, hinder day-to-day work, because real-world work and business processes typically require accessing and exchanging information at varying classifications.

Traditionally, highly specialized IT systems known as cross-domain guards sit at the boundary of each security domain, reading files from a designated source location in one security domain and applying a pre-approved filter for that specific source to each file. These filters and controls verify the integrity and contents of the file against the security policy and then write the file to a designated target location in the other security network. These cross-domain data flows are either low-to-high — lower security classifications to higher ones — or high-to-low.

The concern for low-to-high guards is preventing the introduction of dangerous computer files like viruses or malware, and preventing a reverse flow of data. The chief concern for high-to-low guards is preventing unauthorized leakage of higher classification data to the lower classification network. High-to-low flows typically carry far less data at much lower rates than low-to-high flows, because each item must be manually verified as appropriately classified before it is sent to the lower classification network.
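To make the guard pipeline described above concrete, here is an added example (written for this page; it is not code from the original post, from the post's author, or from any real cross-domain guard product). It models one pre-approved flow as a policy object and runs each file through the checks the text lists: direction, integrity, file type and size, classification marking, and then the direction-specific concern (executable content for low-to-high, leakage for high-to-low). The level names used as constants, the policy fields, the header byte patterns, the portion-marking scan and the sample files are all constructed for illustration.

```python
"""Simplified model of a cross-domain guard's per-flow filter pipeline.
Added example for this post, not code from any real guard product. The policy
fields, header byte patterns and sample files are constructed for illustration."""
import hashlib
import re
from dataclasses import dataclass

# Ordinal ranking of classification levels (a higher number is more sensitive).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
# Constructed file-header patterns standing in for an executable-content check.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")


@dataclass(frozen=True)
class TransferFile:
    name: str
    content: bytes
    marking: str          # classification banner asserted by the sender
    declared_sha256: str  # integrity digest delivered alongside the file


@dataclass(frozen=True)
class FlowPolicy:
    """Pre-approved filter for one source location and one target location."""
    source_level: str
    target_level: str
    allowed_suffixes: frozenset
    max_bytes: int
    release_approvals: frozenset = frozenset()  # names a reviewer released (high-to-low)

    @property
    def direction(self) -> str:
        low_to_high = LEVELS[self.source_level] < LEVELS[self.target_level]
        return "low-to-high" if low_to_high else "high-to-low"


def make_file(name: str, content: bytes, marking: str, tamper: bool = False) -> TransferFile:
    """Build a sample file with its digest; tamper=True alters the body after hashing."""
    digest = hashlib.sha256(content).hexdigest()
    if tamper:
        content += b" (altered in transit)"
    return TransferFile(name, content, marking, digest)


def embedded_markings(content: bytes) -> set:
    """Classification words found in the file body (a crude portion-marking scan)."""
    text = content.decode("utf-8", errors="replace").upper()
    return {lvl for lvl in LEVELS if re.search(r"\b" + re.escape(lvl) + r"\b", text)}


def check_file(f: TransferFile, policy: FlowPolicy, arrived_from: str) -> list:
    """Apply the flow's filter; an empty list means the file may be written to the target."""
    # 0. Direction: a guard serves one flow, so anything from the target side is a reverse flow.
    if arrived_from != policy.source_level:
        return ["direction: file did not arrive from the approved source domain"]
    violations = []
    # 1. Integrity: the body must match the digest delivered with it.
    if hashlib.sha256(f.content).hexdigest() != f.declared_sha256:
        violations.append("integrity: digest mismatch")
    # 2. Type and size: only pre-approved file types within the size limit pass.
    suffix = f.name.rsplit(".", 1)[-1].lower() if "." in f.name else ""
    if suffix not in policy.allowed_suffixes:
        violations.append(f"type: .{suffix} not in allowed list")
    if len(f.content) > policy.max_bytes:
        violations.append("size: exceeds limit")
    # 3. Marking: must be a known level and cannot exceed the domain the file came from.
    if f.marking not in LEVELS:
        violations.append("marking: unknown classification")
    elif LEVELS[f.marking] > LEVELS[policy.source_level]:
        violations.append("marking: higher than source domain")
    if policy.direction == "low-to-high":
        # 4a. Low-to-high: the risk is importing dangerous content into the higher domain.
        if f.content.startswith(EXECUTABLE_MAGIC):
            violations.append("content: executable header")
    else:
        # 4b. High-to-low: the risk is leakage, so banner, body and reviewer release must all agree.
        target = LEVELS[policy.target_level]
        if f.marking in LEVELS and LEVELS[f.marking] > target:
            violations.append("release: marking above target domain")
        for lvl in sorted(embedded_markings(f.content), key=LEVELS.get):
            if LEVELS[lvl] > target:
                violations.append(f"content: embedded {lvl} marking above target domain")
        if f.name not in policy.release_approvals:
            violations.append("release: no reviewer approval on record")
    return violations


# Two constructed flows, one in each direction, as a guard operator would pre-approve them.
LOW_TO_HIGH = FlowPolicy("UNCLASSIFIED", "SECRET", frozenset({"txt", "pdf"}), 10_000_000)
HIGH_TO_LOW = FlowPolicy("SECRET", "UNCLASSIFIED", frozenset({"txt"}), 100_000,
                         release_approvals=frozenset({"release.txt"}))
```

The point the model makes visible is the asymmetry the text describes: the low-to-high flow needs only automated content checks, whereas the high-to-low flow refuses anything that lacks a reviewer's release on record even when every automated check passes, which is why that direction is slow and low-volume. Every filter is bound to one source and one direction, so a file presented from the target side is rejected before any other check runs.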

Traditional cross-domain solutions (CDS) are expensive due to lengthy and complex approval and implementation processes, and specialized equipment and skill sets. Any change to a data flow also requires extensive, expensive, and lengthy approval and implementation processes. These frictions inherent to traditional CDSs hinder effective and timely information sharing.

The blockchain solution

In a blockchain network, the role of cross-domain guard would be performed by a blockchain network peer installed on a high assurance platform, referred to as a High Security Business Node (HSBN). Data movement within the distributed cross-domain blockchain business network takes the form of cryptographically secured transactional updates to a shared ledger held by each node in a specific members-only channel of the business network.

The other peer nodes of the blockchain business network reside in one security domain or the other, high or low, and receive the protected blocks of endorsed ledger transactions. Endorsed ledger updates destined for peers in the opposite security domain pass through the border HSBN, which provides assurance that the blockchain-provided security controls cannot be bypassed or overridden.
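The following is an added example (written for this page, not Hyperledger Fabric code and not a description of Fabric's actual channel, endorsement or block formats) that models the arrangement just described: a members-only channel with one peer in each domain plus the border HSBN, an endorsement rule under which any update that crosses domains is refused unless the HSBN and a peer in each domain have endorsed it, and a hash-linked ledger so that altering committed history is detectable. The peers, their domains, the channel membership and the endorsement rule are constructed stand-ins, and HMAC tags computed with constructed keys stand in for peer signatures so the example runs offline.

```python
"""Simplified model of cross-domain ledger updates gated by a border HSBN peer.
Added example for this post: not Hyperledger Fabric code and not Fabric's channel,
endorsement or block formats. Peers, membership and the endorsement rule are
constructed stand-ins; HMAC tags stand in for peer signatures so it runs offline."""
import hashlib
import hmac
import json
from dataclasses import dataclass


class PolicyError(Exception):
    """A proposed ledger update does not satisfy the channel's endorsement rule."""


@dataclass(frozen=True)
class Peer:
    name: str
    domain: str   # "high", "low", or "border" for the HSBN
    key: bytes    # constructed secret standing in for the peer's signing key


def canonical(obj: dict) -> bytes:
    """Deterministic serialization so every peer hashes and signs identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def endorse(peer: Peer, tx: dict) -> str:
    """One peer's endorsement of a transaction (HMAC stand-in for a signature)."""
    return hmac.new(peer.key, canonical(tx), hashlib.sha256).hexdigest()


class Channel:
    """A members-only channel holding one shared ledger."""

    def __init__(self, members: list, hsbn: str):
        self.members = {p.name: p for p in members}
        self.hsbn = hsbn      # border peer that must endorse every cross-domain update
        self.blocks = []

    def valid_endorsers(self, tx: dict, endorsements: dict) -> set:
        """Members whose endorsement verifies; non-members are ignored outright."""
        valid = set()
        for name, tag in endorsements.items():
            peer = self.members.get(name)
            if peer is not None and hmac.compare_digest(tag, endorse(peer, tx)):
                valid.add(name)
        return valid

    def commit(self, tx: dict, endorsements: dict) -> dict:
        """Enforce the endorsement rule, then append a hash-linked block."""
        valid = self.valid_endorsers(tx, endorsements)
        if not valid:
            raise PolicyError("no valid endorsement from a channel member")
        if tx["source_domain"] != tx["target_domain"]:
            # Cross-domain: the HSBN and a peer in each domain must endorse, so the
            # update cannot reach the other domain by bypassing the border node.
            if self.hsbn not in valid:
                raise PolicyError("cross-domain update lacks HSBN endorsement")
            domains = {self.members[n].domain for n in valid}
            if not {tx["source_domain"], tx["target_domain"]} <= domains:
                raise PolicyError("cross-domain update needs an endorsing peer in each domain")
        prev_hash = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"height": len(self.blocks), "prev_hash": prev_hash,
                 "tx": tx, "endorsers": sorted(valid)}
        block["hash"] = hashlib.sha256(canonical(block)).hexdigest()
        self.blocks.append(block)
        return block

    def verify_chain(self) -> bool:
        """Recompute every block hash and link; any edit to history breaks the chain."""
        prev_hash = "0" * 64
        for height, block in enumerate(self.blocks):
            body = {k: v for k, v in block.items() if k != "hash"}
            if block["height"] != height or block["prev_hash"] != prev_hash:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != block["hash"]:
                return False
            prev_hash = block["hash"]
        return True


def try_commit(ch: Channel, tx: dict, endorsements: dict) -> str:
    """Report the outcome of a commit instead of raising."""
    try:
        ch.commit(tx, endorsements)
        return "committed"
    except PolicyError as e:
        return f"rejected: {e}"


# Constructed network: one peer per domain plus the border HSBN; OUTSIDER is not a member.
HSBN = Peer("hsbn", "border", b"constructed-hsbn-key")
HIGH_PEER = Peer("org-a-high", "high", b"constructed-high-key")
LOW_PEER = Peer("org-b-low", "low", b"constructed-low-key")
OUTSIDER = Peer("not-a-member", "low", b"constructed-outsider-key")


def build_channel() -> Channel:
    return Channel([HSBN, HIGH_PEER, LOW_PEER], hsbn="hsbn")
```

Two properties of the design show up directly in the model. First, the HSBN is not a filter that data flows through but a mandatory endorser: an update that crosses domains with every other endorsement in place is still rejected when the border node's endorsement is absent, and an endorsement from a node outside the channel counts for nothing. Second, because each block carries the hash of its predecessor, the record of what was shared and by whom is the same on every peer and any later alteration of a committed block is detected by `verify_chain()`.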

The value to you

A blockchain cross-domain solution reduces friction in your information exchange process and improves accessibility, accountability and traceability of information exchange. Specifically, it provides:

A single shared view of each asset throughout its life cycle regardless of the network domain.

In a standard cross-domain guard, there is no way to ensure the information residing on each side of the guard remains in sync over its lifecycle. The scope of the guard’s visibility and control is limited.

Auditable control and oversight of asset information throughout the life cycle.

The shared ledger provides a definitive, unalterable record of what was shared and by whom, even across network security domains. This eliminates trying to track and tie together the separate guard-only data flows.

Information sharing rather than merely moving data.

Data controls and sharing occur naturally and directly via the shared ledger as part of the normal blockchain business network. A traditional guard merely moves data. Extending information sharing to other security domains is easily done by deploying additional HSBN-hosted nodes and channels.

Reduced cost with higher security.

The technology leverages commercially maintained open source blockchain software rather than proprietary, one-off, special-purpose, limited-market guard technologies. A larger user base translates to more demand, faster detection of shortcomings, and shorter innovation and repair cycles.

Explore more about how blockchain can be deployed as your cross-domain solution on IBM Developer.

I look forward to more great conversations on the advantages of blockchain as a cross-domain solution.