A. Cross-domain Transfer
The proper treatment of classified data has always been important throughout this nation’s history. Classification of data was present even in the early period of the American Revolution, when the Continental Congress passed a resolution in September 1774 to keep its proceedings secret. It wasn’t until March 1940, before World War II, that the formal classifications of secret, confidential, and restricted were established. Many executive orders since then have refined the treatment of classified information.
Over the past ten years, leaks (whether intentional or unintentional) have made major news headlines. Examples include the release of classified documents and emails by WikiLeaks since 2007 [3, 4] and the leakage of classified information by Edward Snowden in 2013. Data must be properly handled and protected in accordance with its classification level. It is widely regarded that the proper treatment of data commensurate with its classification level is more important now than ever. In this digital age, access to information is lightning fast, and proper security protocols must be established and followed to prevent future leaks.
To ensure proper safeguarding of classified data, isolated domains/networks are used, such as the Non-secure Internet Protocol Router Network (NIPRNet), the Secret Internet Protocol Router Network (SIPRNet), and the Joint Worldwide Intelligence Communications System (JWICS), as well as other domains specific to missions and coalition partners. The domains are separate and isolated to protect their information. However, isolated domains create the problem of information isolation—the inability to share information. Classified information is useless unless it can be visible to the people that make decisions based on its facts. To transfer this information effectively and securely, an electronic capability with built-in security protocols is needed between the domains—that is, a cross-domain transfer solution.
B. ISSE Overview
ISSE (Information Support Server Environment) is a system with a long history that has evolved to become a premier cross-domain solution (CDS). It is a cross-domain transfer solution developed, maintained, and installed by the Information Handling Branch of the Air Force Research Laboratory (AFRL) Information Directorate in Rome, New York. It is also on the Unified Cross Domain Services Management Office (UCDSMO) baseline list, and it is fully accredited according to CNSSI 1253, NIST SP 800-53, and ICD 503 requirements.
ISSE was originally released as the USAFE (United States Air Forces in Europe) Guard in 1988 by the Rome Air Development Center. USAFE Guard’s sole purpose was to disseminate threat update messages. It operated on a Harris Nighthawk computer with the CX/SM MLS operating system. The system was officially re-branded and certified as ISSE in 1995. This work was done ahead of key government actions, such as the establishment of the multi-level security (MLS) working group by the Defense Information Systems Agency (DISA) in 1997. In 2001, Top Secret/Sensitive Compartmented Information (TS/SCI) and Below Interoperability (TSABI) and Secret and Below Interoperability (SABI) were coined in order to create categories of flow between domains with distinct security requirements.
ISSE provides the capability to transfer data bidirectionally between domains in either TSABI (commensurate with TS/SCI to/from Secret) or SABI (commensurate with Secret to/from Unclassified) cases. In either TSABI or SABI, the domain with the highest level of security is called the Controlling Security Domain (CSD) and the other domains are called Non-controlling Security Domains (NCSDs). At the time of publication of this paper, over 140 structured and unstructured file types can be transferred, including Microsoft Office files, images, video, databases, and chat.
While transferring data is the main purpose of a CDS guard, security is equally (if not more) important. As seen in the publicized leak cases, the insecure transfer of data between domains can have adverse effects for national security. The security posture of ISSE is aggressive and well developed for preventing malicious activity. Additionally, ISSE enforces the security policies of the host unit. ISSE filtering criteria, which are established by the host unit, identify and flag issues when transferring files. When caught by the filters, the file is immediately pulled from the transfer queue and placed in a reviewer inbox. ISSE filters are highly configurable, based on the host unit’s requirements. In addition to keyword searches, ISSE parses, inspects, filters, and sanitizes. Each data path, i.e. thread, may be configured with different security policies. The thread filters check for viruses, malcode, file type, and digital signature. ISSE leverages commercial off-the-shelf software called Purifile© to inspect Microsoft Office file types, while the other filters are programmed by the ISSE software developers.
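The per-thread filtering and reviewer-inbox behaviour described above can be sketched as follows. This is an added illustration, not ISSE code: the class names, the signature table, the keyword lists, and the extension-mismatch check are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed signature table; a production guard parses formats far more deeply.
MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n", "zip": b"PK\x03\x04"}

@dataclass
class ThreadPolicy:
    """Hypothetical policy for one thread, i.e. one transfer direction."""
    name: str
    allowed_types: frozenset
    dirty_words: frozenset = frozenset()

@dataclass
class GuardThread:
    policy: ThreadPolicy
    released: list = field(default_factory=list)
    reviewer_inbox: list = field(default_factory=list)

    def inspect(self, filename: str, data: bytes) -> list:
        """Return the list of policy findings; an empty list means clean."""
        kind = next((k for k, m in MAGIC.items() if data.startswith(m)), "unknown")
        findings = []
        if kind not in self.policy.allowed_types:
            findings.append(f"type '{kind}' not permitted on {self.policy.name}")
        elif not filename.lower().endswith("." + kind):
            findings.append(f"extension does not match detected type '{kind}'")
        text = data.decode("latin-1").lower()
        findings += [f"keyword '{w}'" for w in sorted(self.policy.dirty_words)
                     if w in text]
        return findings

    def submit(self, filename: str, data: bytes) -> str:
        """Release a clean file; pull a flagged one into the reviewer inbox."""
        findings = self.inspect(filename, data)
        if findings:
            self.reviewer_inbox.append((filename, findings))
            return "held"
        self.released.append(filename)
        return "released"

# Two independent threads with different policies (all values constructed).
HIGH_TO_LOW = ThreadPolicy("CSD->NCSD", frozenset({"pdf"}),
                           frozenset({"top secret", "codeword-x"}))
LOW_TO_HIGH = ThreadPolicy("NCSD->CSD", frozenset({"pdf", "png", "zip"}))
```

The same PNG is held on the high-to-low thread and released on the low-to-high thread, because each direction carries its own policy.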
The ISSE architecture is fairly straightforward. The ISSE Secure Trusted Automated Routing (STAR) is the “guard” component at the domain boundaries that acts like a secure tunnel between security domains. Threads are established at the time of installation for data transfer in each direction. For instance, to conduct transfers between the CSD and NCSD bi-directionally, two threads are needed. The threads operate concurrently and independently from one another; that is, they operate in parallel and can be configured with different security policies.
The STAR connects to the ISSE Proxy Server (IPS) of each domain. The IPS is composed of multiple Protocol Translators (PTs) and the ISSE Web Server (IWS). The PT acts to protect the STAR, compose and send email, relay COTS email, execute file transfers, and exchange data with the clients, IWS and STAR. The IWS can be configured for Reliable Human Review (RHR) and single/dual review for enhanced security. Additionally, an Application Programming Interface (API) can be configured in the STAR for mission applications that bypass the IPS. Examples of mission applications include Multi-level Database Replication (MLDBR), Full Motion Video (FMV), and Large File Slicer, which will be elaborated upon below.
Two optional components for the ISSE system are Parallel Audit Review and Analysis Toolkit (PARAT) and Security and Workflow Enforcement Services (SAWES). PARAT provides near-real-time audit collection and analysis. It collects, organizes, and presents the audits collected by ISSE to the administrator. It may be used to monitor the file transfers, users’ activity, and send alerts to the administrator. SAWES is an upstream review and orchestration engine which allows the user to self-review work, receive feedback from the automated filters, and make adjustments as needed.
The ISSE Program Management Office (PMO) oversees the entirety of the system acquisition. These activities include site survey, installation, training, and support from the Core Configuration Management (CCM) help desk. In order to acquire ISSE, customers in the Intelligence Community (IC) typically contact the DoDIIS Cross Domain Management Office (DCDMO). DCDMO and DISA will discuss requirements to arrive at the best CDS for the organization’s needs. Other U.S. government agencies may reference the UCDSMO baseline list or contact the ISSE PMO directly. When ISSE is selected as the best solution, the ISSE PMO conducts a site survey to determine the details of the site’s cross-domain requirements. Subsequently, the system is installed by the ISSE installers. On-site training is conducted for site administrators and trainers, and an out-brief is completed. At this point, the ISSE system is ready to use. Should any questions or concerns arise, agencies can call the 24/7 help desk. Most of the questions can be adjudicated immediately. If it is a more serious problem, the PMO engineers work with the site to resolve the problem. Additionally, training is offered at the PMO site in Rome, New York, several times per year. The annual support fee also covers one site visit per year.
There are several mission applications and capabilities that have been added to ISSE as user requirements have arisen. Three that will be discussed here are Multi-level Database Replication (MLDBR), Full Motion Video (FMV) adapters, and the Large File Slicer. MLDBR provides real-time, automated database replication between security domains for Oracle, DB2, MS SQL, and Sybase formats. MLDBR uses ISSE for cross-domain replication of database information; one MLDBR host can even interface with multiple ISSE systems. It leverages XML formatted messages to replicate databases between the CSD and NCSD(s). Database replication is a common user requirement leveraged by numerous organizations.
The FMV v1.0 capability was a special user request and was tested in the Unified Vision 2014 exercise. At the exercise’s central location in Ørland Air Station, Norway, ISSE provided 12 channels for video transfer to participants in Norway and Germany. ISSE was connected to an unclassified network and a coalition partner network. FMV performed well in this real-world exercise by exhibiting exceptional video quality and less than 0.5-second latency.
Finally, ISSE is programmed to accept files smaller than 2 GB. Should the need arise to transfer files larger than this limit, e.g. very high-resolution photos, the Large File Slicer can be used. This application uses the ISSE API to communicate with the STAR. First fielded in January 2015 and demonstrated continually since then, it has human and machine interfaces that display the progress of the transfer. It operates by creating small ISSE packages from the larger file for a nearly infinite transfer capability. It sends the packages in parallel through the STAR while checking for security and malware, and compiles the pieces into the original file on the receiving end.
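The slice, inspect-in-parallel, and reassemble flow described above can be sketched as follows. This is an added illustration and not the Large File Slicer's own code or package format: the field names, the SHA-256 digests, the blocked-marker check, and the refusal to rebuild an incomplete file are assumptions made for the example.

```python
import hashlib
import random
from concurrent.futures import ThreadPoolExecutor

def slice_file(data: bytes, size: int) -> list:
    """Cut data into packages that carry their position and integrity metadata."""
    chunks = [data[i:i + size] for i in range(0, len(data), size)] or [b""]
    file_digest = hashlib.sha256(data).hexdigest()
    return [{"seq": n, "total": len(chunks), "file_sha256": file_digest,
             "sha256": hashlib.sha256(c).hexdigest(), "payload": c}
            for n, c in enumerate(chunks)]

def inspect_package(pkg: dict, blocked: tuple) -> bool:
    """Stand-in for the guard's per-package checks; True means release."""
    intact = hashlib.sha256(pkg["payload"]).hexdigest() == pkg["sha256"]
    return intact and not any(marker in pkg["payload"] for marker in blocked)

def transfer(packages: list, blocked: tuple = (), workers: int = 4) -> list:
    """Inspect packages in parallel; only those that pass reach the far side."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(lambda p: inspect_package(p, blocked), packages))
    passed = [p for p, ok in zip(packages, verdicts) if ok]
    random.shuffle(passed)  # parallel delivery does not preserve order
    return passed

def reassemble(received: list) -> bytes:
    """Rebuild the file, refusing incomplete or altered transfers."""
    if not received:
        raise ValueError("no packages received")
    total = received[0]["total"]
    by_seq = {p["seq"]: p for p in received}
    missing = sorted(set(range(total)) - set(by_seq))
    if missing:
        raise ValueError(f"incomplete transfer, missing packages {missing}")
    data = b"".join(by_seq[n]["payload"] for n in range(total))
    if hashlib.sha256(data).hexdigest() != received[0]["file_sha256"]:
        raise ValueError("reassembled file does not match the sender's digest")
    return data

if __name__ == "__main__":
    original = bytes(range(256)) * 40            # constructed sample file
    pkgs = slice_file(original, 1000)
    print(len(pkgs), reassemble(transfer(pkgs)) == original)
```

Because a held package leaves a gap in the sequence, the receiving side fails closed instead of delivering a partial file.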