Complete Guide · Secure Data Transfer
What are Cross Domain Solutions?
July 22, 2025 · 12 min read · By Ethan Greenberg
Cross-domain solutions (CDS) enable secure, controlled data transfer between networks at different classification levels without compromising either environment. This guide explains what CDS are, how import and export flows work, which Security Enforcing Functions are required, and how GateScanner Security Dome delivers enterprise-grade CDS for government, defense, and critical infrastructure.
01 · What is a Cross-Domain Solution?
Organizations face a persistent challenge: how to securely exchange data between networks at fundamentally different security levels — especially where classified information, sensitive business data, or compliance requirements demand strict separation between domains.
A Cross-Domain Solution (CDS) is the mechanism used to secure critical data and enable communication between different levels of classified or trust-differentiated environments, while enforcing the security policies governing each domain. Unlike firewalls or VPNs — which manage who can access a network — a CDS governs what data can move, in which direction, and in what form.
Working Definition — NIST
"A form of controlled interface that provides the ability to manually and/or automatically access and transfer information between different security domains."
CDS are essential wherever operational collaboration spans security boundaries — from intelligence sharing between coalition partners to migrating data between classified environments and cloud infrastructure.
Key distinction: A CDS is not a firewall or data diode — it is a complete architecture combining hardware enforcement, content inspection, data sanitization, and controlled release mechanisms that addresses the full threat surface of inter-domain data transfer.
The Three Pillars of Cross Domain Architecture
Access Solutions
Allow users to view and manipulate information from domains of differing security levels from a single workstation, using isolated virtual machines per classification tier.
Transfer Solutions
Facilitate controlled movement of information between security domains — supporting unidirectional or bidirectional exchange depending on security requirements and risk assessments.
Multi-Level Security
Store all data in a single domain and use trusted labeling with Mandatory Access Control to mediate data flow according to user credentials and clearance levels.
02 · Import & Export Flows
Data movement across a CDS follows one of two distinct directions, each governed by its own security requirements and enforcement controls. Understanding this distinction is fundamental to CDS architecture design.
Import: Low → High Classification
1. Data Ingest: media, network share, or system input on the low side
2. Pre-Wash & Prep: apply initial SEFs based on trust level
3. Protocol Break: data diode enforces one-way flow; protocols terminated
4. CDR Sanitization: 300+ file types rebuilt; sandbox analysis applied
5. Data Landing: verified clean file delivered to high-side destination
In an import flow, every file from the low-trust side must be treated as hostile. Content Disarm and Reconstruction (CDR) rebuilds files from scratch — defeating known threats, zero-days, and signatureless malware alike.
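To make the "rebuild from scratch" idea concrete, here is an added Python example written for this guide (it is not GateScanner code and does not reflect SASA's implementation) that applies the import-side SEFs to one format, PNG: Structural Verification (signature, chunk bounds, CRC-32 of every chunk, IHDR consistent with the decoded pixel data, nothing trailing after IEND), Data Transformation & Normalization (only the four critical chunks survive; tEXt and other ancillary chunks, where metadata and hidden payloads live, are dropped; the pixel stream is decompressed and re-encoded), and default-deny delivery. It is a simplification of real CDR, which would decode the pixels and re-render them rather than re-compress the same stream. The sample image and its tampered copy are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Only PNG critical chunks survive the rebuild. Ancillary chunks (tEXt, zTXt,
# iTXt, eXIf, ...) are where metadata and smuggled payloads usually live.
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


class RejectedFile(Exception):
    """Structural verification failed: the file is never delivered high-side."""


def parse_chunks(data: bytes) -> list:
    """Walk the chunk stream, checking bounds and the CRC-32 of every chunk.
    Anything after IEND that is not itself a valid chunk also fails here."""
    if not data.startswith(PNG_SIGNATURE):
        raise RejectedFile("not a PNG: signature mismatch")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos < len(data):
        if pos + 12 > len(data):
            raise RejectedFile("truncated chunk header or trailing garbage")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise RejectedFile(f"chunk {ctype!r} runs past end of file")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + payload) != crc:
            raise RejectedFile(f"CRC mismatch in chunk {ctype!r}")
        chunks.append((ctype, payload))
        pos = end
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise RejectedFile("IHDR must be first and IEND last")
    return chunks


def build_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def rebuild_png(data: bytes):
    """CDR-style rebuild: parse, verify, keep only critical chunks, re-encode the
    pixel stream and serialise a fresh file. Returns (new_bytes, dropped_types).
    Simplification: pixels are re-compressed, not decoded and re-rendered."""
    chunks = parse_chunks(data)
    ihdr = chunks[0][1]
    if len(ihdr) != 13:
        raise RejectedFile("IHDR has wrong length")
    width, height, depth, colour, _comp, _filt, interlace = struct.unpack(">IIBBBBB", ihdr)
    if interlace != 0 or colour not in CHANNELS or width == 0 or height == 0:
        raise RejectedFile("unsupported or invalid IHDR parameters")
    row_bytes = (width * CHANNELS[colour] * depth + 7) // 8
    try:
        raw = zlib.decompress(b"".join(p for t, p in chunks if t == b"IDAT"))
    except zlib.error as exc:
        raise RejectedFile(f"IDAT is not a valid zlib stream: {exc}")
    if len(raw) != height * (1 + row_bytes):  # one filter byte per scanline
        raise RejectedFile("decoded pixel data does not match IHDR dimensions")
    dropped = sorted({t for t, _ in chunks if t not in CRITICAL_CHUNKS})
    out = PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
    for t, p in chunks:
        if t == b"PLTE":
            out += build_chunk(t, p)
    out += build_chunk(b"IDAT", zlib.compress(raw))  # single, freshly encoded IDAT
    out += build_chunk(b"IEND", b"")
    return out, dropped


def import_gate(data: bytes) -> dict:
    """Default-deny import step: deliver the rebuilt file or a rejection reason."""
    try:
        rebuilt, dropped = rebuild_png(data)
    except RejectedFile as exc:
        return {"accepted": False, "reason": str(exc), "output": b"", "dropped": []}
    return {"accepted": True, "reason": "", "output": rebuilt, "dropped": dropped}


# Constructed sample: 2x2 8-bit greyscale image carrying a tEXt metadata chunk.
_IHDR = struct.pack(">IIBBBBB", 2, 2, 8, 0, 0, 0, 0)
RAW_PIXELS = b"\x00\x10\x20" + b"\x00\x30\x40"  # filter byte 0 + two samples per row
SAMPLE_PNG = (PNG_SIGNATURE + build_chunk(b"IHDR", _IHDR)
              + build_chunk(b"tEXt", b"Comment\x00constructed metadata payload")
              + build_chunk(b"IDAT", zlib.compress(RAW_PIXELS))
              + build_chunk(b"IEND", b""))
# Constructed tampered copy: one byte of the compressed pixel data flipped.
_t = bytearray(SAMPLE_PNG)
_t[SAMPLE_PNG.index(b"IDAT") + 4] ^= 0xFF
TAMPERED_PNG = bytes(_t)

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PNG), ("tampered", TAMPERED_PNG)):
        r = import_gate(blob)
        print(name, "accepted" if r["accepted"] else f"rejected: {r['reason']}", r["dropped"])
```

The gate never repairs a damaged file: a CRC mismatch, a truncated chunk or bytes appended after IEND are all grounds for rejection, because on the import path the safe failure mode is to deliver nothing. Running the rebuilt output through the gate a second time yields the identical file, which is a useful property to check in a pipeline.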
Export: High → Low Classification
1. Release Authority: authorized approval (human or system) to initiate export
2. Data Cleansing: remove metadata, strip high-side markers
3. Release Control: DLP checks confirm data is authorized for release
4. Unidirectional Control: optical data diode enforces one-way downward flow
5. Data Landing: released data delivered to low-side destination
In an export flow, DLP and release authority controls prevent inadvertent exfiltration. The GateScanner Injector (optical data diode) enforces physical-layer unidirectionality — no back-channel possible.
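The following added Python example (written for this guide; not GateScanner's DLP or workflow engine) walks one export request through steps 1 to 3 above and then records the outcome in the kind of structured, tamper-evident audit log an accreditor would expect: the approver's role is checked against a release-authority set, high-side banner lines and sensitive metadata fields are stripped, the cleansed body is scanned with DLP rules, and each decision is written as a JSON record whose hash commits to the previous record. The banner strings, the codeword format `CW-…`, the `release_officer` role and the two sample documents are all constructed for the example; a real deployment substitutes its own marking scheme and DLP dictionary.

```python
import hashlib
import json
import re
from dataclasses import dataclass, field

# Constructed banner strings; a real deployment uses the organisation's marking scheme.
HIGH_SIDE_BANNERS = {"TOP SECRET//NOFORN", "TOP SECRET", "SECRET"}
# Constructed DLP rules standing in for a real dictionary or classifier.
DLP_RULES = {
    "residual_marking": re.compile(r"\b(TOP SECRET|SECRET)\b"),
    "codeword": re.compile(r"\bCW-[A-Z]{4,}\b"),  # hypothetical codeword format
    "grid_reference": re.compile(r"\b\d{2}[A-Z] ?[A-Z]{2} ?\d{5} ?\d{5}\b"),  # MGRS-style
}
# Metadata fields that must never leave the high side.
STRIP_METADATA = {"author", "last_modified_by", "comments", "revision_history", "template_path"}
RELEASE_ROLES = {"release_officer"}  # hypothetical role allowed to approve exports
GENESIS_HASH = "0" * 64


@dataclass
class Document:
    name: str
    body: str
    metadata: dict


@dataclass
class Decision:
    released: bool
    reasons: list = field(default_factory=list)
    body: str = ""


def cleanse(doc: Document) -> Document:
    """Data Cleansing: drop sensitive metadata and remove banner lines that exist
    only because the file lived on the high side."""
    meta = {k: v for k, v in doc.metadata.items() if k not in STRIP_METADATA}
    lines = [ln for ln in doc.body.splitlines() if ln.strip() not in HIGH_SIDE_BANNERS]
    return Document(doc.name, "\n".join(lines), meta)


def dlp_scan(body: str) -> list:
    """Release Control: every rule hit is a reason to block."""
    return [f"{rule}: {m.group(0)!r}" for rule, pat in DLP_RULES.items() for m in pat.finditer(body)]


def release_control(doc: Document, approver_role: str) -> Decision:
    """Release Authority, then Cleansing, then DLP. Default-deny: the body is
    handed on to the diode only when no reason to block remains."""
    reasons = []
    if approver_role not in RELEASE_ROLES:
        reasons.append(f"release authority missing: role {approver_role!r} cannot approve exports")
    clean = cleanse(doc)
    reasons.extend(dlp_scan(clean.body))
    return Decision(released=not reasons, reasons=reasons, body=clean.body if not reasons else "")


def audit_record(prev_hash: str, doc: Document, approver_role: str, decision: Decision) -> dict:
    """Structured audit event as SIEM-friendly JSON. Each record commits to the
    hash of its predecessor, so editing or deleting an earlier record breaks the chain."""
    entry = {"event": "cds_export", "file": doc.name, "approver_role": approver_role,
             "released": decision.released, "reasons": decision.reasons, "prev_hash": prev_hash}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry


def verify_chain(records: list) -> bool:
    """Recompute every hash and link; any edit, deletion or reordering returns False."""
    prev = GENESIS_HASH
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev_hash") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def process_exports(requests: list) -> list:
    """Run each (document, approver_role) request and return the audit chain."""
    records, prev = [], GENESIS_HASH
    for doc, role in requests:
        decision = release_control(doc, role)
        records.append(audit_record(prev, doc, role, decision))
        prev = records[-1]["hash"]
    return records


# Constructed sample documents: one releasable, one carrying a codeword and a grid reference.
CLEAN_DOC = Document("weather_brief.txt",
                     "SECRET\nForecast for the exercise area: light winds, visibility 10 km.\nSECRET",
                     {"author": "analyst07", "title": "Weather brief", "comments": "draft 3"})
LEAKY_DOC = Document("ops_summary.txt",
                     "SECRET\nUnit relocates to 33T WN 12345 67890 under CW-HARBOR.\nSECRET",
                     {"title": "Ops summary"})

if __name__ == "__main__":
    for rec in process_exports([(CLEAN_DOC, "release_officer"), (LEAKY_DOC, "release_officer"),
                                (CLEAN_DOC, "analyst")]):
        print(json.dumps(rec))
```

Note the ordering: cleansing runs before DLP so that a banner the document legitimately carried on the high side is not itself counted as a leak, while any marking or codeword left in the body text still blocks release. The audit chain is hash-linked rather than signed; in production the records would additionally be shipped to a write-once store or SIEM so that the chain can be verified against a copy the CDS host cannot alter.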
03 · Security Enforcing Functions (SEFs)
The right combination of Security Enforcing Functions depends on data sensitivity, flow direction, and operational requirements.
| SEF | Function | Flow | SASA Implementation |
|---|---|---|---|
| Content Disarm & Reconstruction (CDR) | Removes active content and rebuilds files to a known-safe structure — no threat detection required. | Both | GateScanner CDR — 300+ file types |
| Malware Scanning (Multi-AV) | Signature and heuristic scanning using multiple AV engines for known and emerging threats. | Both | GateScanner Security Dome |
| Unidirectional Control | Hardware-enforced one-way data flow; prevents back-channel communication between domains. | Both | GateScanner Injector (data diode) |
| Protocol Break | Terminates network protocols at the boundary and re-originates them, preventing protocol-level attacks. | Both | GateScanner Injector |
| Data Transformation & Normalization | Converts complex files to simpler formats — disrupting malware hidden in complex data structures. | Import | GateScanner CDR pipeline |
| Structural Verification | Verifies the rebuilt file is syntactically correct before delivery to the high-trust environment. | Import | GateScanner CDR pipeline |
| Data Loss Prevention (DLP) | Identifies and blocks classified information from export flows; prevents inadvertent exfiltration. | Export | Security Dome DLP / redaction |
| Release Control | Enforces authorization workflows; supports human-in-the-loop approval for export flows. | Export | Secure File Sharing workflows |
| Data Ingest & Sharing | Manages ingestion at the CDS boundary — from removable media, file shares, email, and web downloads. | Import | Security Dome, Kiosk, Mail Gateway |
| Data Flow Orchestration | Centralized management and control of data workflows across all SEFs — the coordination layer. | Both | GateScanner Security Dome workflow engine |
SASA's CDR-first approach: Rather than leading with detection, SASA leads with Content Disarm and Reconstruction — rebuilding every file from scratch regardless of threat signature. Detection layers add defense-in-depth on top. See CDR before/after file samples.
04 · Why Static CDS Architectures Have Become Obsolete
Fixed, hardware-centric CDS deployments were built for simpler threat landscapes. Three forces are accelerating the shift to software-led architectures:
Increased Data Types & Volumes
Modern organizations transfer everything from standard documents to DICOM medical imaging and real-time telemetry. Static solutions cannot adapt to new formats on demand.
Nation-State Threats
Zero-day attacks, steganographic payloads, and supply-chain compromises specifically target the data transfer layer. Detection-agnostic CDR technology addresses this by design.
New Operational Models
Coalition ops, multi-cloud, and "dev low, deploy high" pipelines all demand dynamic CDS. See real-life examples.
GateScanner Security Dome's Active-Active CDR grid answers this need directly — modular, horizontally scalable, and zero-downtime by design.
05 · CDS Use Cases by Sector
The following scenarios represent common high-security environments where a structured CDS architecture is essential.
Military & Defense · Intelligence Sharing Across Classification Tiers
Transferring products between TOP SECRET, SECRET, and UNCLASSIFIED networks. Security Dome's immutable audit trails satisfy accreditation requirements.
Military & Defense · Removable Media for Field Operations
GateScanner Kiosk provides a managed ingest point — scanning every removable device before it enters the protected environment.
Critical Infrastructure · IT/OT Network Segregation
The GateScanner segregation architecture with data diode ensures OT environments are never directly reachable from IT networks.
Defense Industrial Base · "Dev Low, Deploy High" Supply Chain
Code developed in a standard environment is validated by CDR and multi-AV before crossing into a classified production system.
Intelligence / Government · Secure Email Across Security Boundaries
GateScanner Secure Mail Gateway sanitizes attachments and strips malicious content at the domain boundary.
Healthcare / Defense Medical · DICOM Medical Imaging Transfers
GateScanner Imaging Gateway applies CDR to DICOM transfers, protecting clinical systems in defense and government environments.
06 · How SASA Software Addresses CDS Requirements
GateScanner neutralizes threats structurally through CDR — regardless of whether they are known or unknown — rather than racing to keep detection signatures current.
Featured Product
GateScanner Security Dome
Enterprise-grade secure file collaboration platform enforcing zero-trust on all file-based data flows through deterministic CDR — delivering detection-independent prevention against known, unknown, and zero-day threats.
Even NextGen and AI-based tools miss up to 10% of file-embedded threats. Security Dome's CDR rebuilds every file from scratch, blocking signatureless and morphing malware before execution.
300+ file types: MS Office, PDF, images, archives, password-protected
Active-Active CDR grid — zero-downtime horizontal scaling
Multi-tenant, multi-domain support for MSSPs and segmented organizations
MFT automation: SMB/CIFS, SFTP, FTPS, cloud storage (S3, Azure Blob)
Outlook add-in, browser extension (Chrome/Edge/Firefox), virtual USB kiosk
DLP / basic file redaction capability
RBAC with AD/LDAP, SAML 2.0, OpenID Connect SSO
Immutable audit logs with SIEM-compatible structured export
On-premises (VMware/Hyper-V), private cloud (AWS/Azure/GCP), or SaaS
RESTful API (OpenAPI/Swagger) for SOAR platform integration
Stop Threats Before They Enter: CDR neutralizes known, unknown, and zero-day attacks before files reach the network.
Scale Without Limits: horizontal scaling handles high-volume workloads with zero downtime.
Transparent to Users: CDR runs silently across Outlook, browsers, and network folders.
Prove Compliance Instantly: immutable logs and SIEM export satisfy regulators and auditors.
Complete GateScanner CDS Product Family
Security Dome is the core orchestration hub, complemented by purpose-built components for each SEF:
- GateScanner Security Dome — Core CDS orchestration; zero-trust CDR for all file ingress/egress; MFT automation; DLP; digital vault
- GateScanner Injector (data diode) — Unidirectional control and protocol breaks; optical hardware enforcement of one-way data flow
- GateScanner Kiosk — Removable media ingest point; USB and optical media scanning before data enters the protected environment
- GateScanner Secure Mail Gateway — Email-borne threat elimination; CDS-grade scanning of attachments
- GateScanner Imaging Gateway — DICOM-specific CDR for medical imaging at domain boundaries
- GateScanner Integration Server — API-based CDR integration for custom CDS workflows
- GateScanner Secure Browser — CDR-sanitized web downloads; eliminates drive-by threats
07 · Regulatory Frameworks & Global CDS Standards
Government and defense CDS deployments are governed by national technical authority guidance and international standards — critical context for procurement and architecture.
🇬🇧 United Kingdom (NCSC)
The NCSC publishes Safely Importing Data, Safely Exporting Data, and the 13 Security Principles for a Cross-Domain Solution — defining a risk-based design philosophy for UK government CDS deployments.
🇺🇸 United States (NCDSMO)
The National Cross Domain Strategy and Management Office governs US CDS requirements through the Raise the Bar (RTB) program, NSM-8, and LBSA assessments for classified environments.
🌐 NATO / Alliance
NATO cross-domain operations are guided by STANAGs 4774, 4778, and 5636, and the Alliance Data Sharing Ecosystem (ADSE), governing data labeling and technical requirements across alliance members.
SASA Software holds multiple ISO certifications relevant to CDS deployments:
ISO 27001, ISO 27032, ISO 27017, ISO 27018, ISO 9001, ISO 27799, ISO 90003
For full certifications and compliance documentation, visit the Documents & Certifications page.
08 · CDS Implementation Considerations
Effective CDS design requires balancing competing priorities. Key considerations for any implementation:
Risk-Based Design
Controls must be proportionate to risk — protecting without blocking legitimate operational workflows.
Usability vs. Assurance
Security Dome's CDR is transparent to end users across Outlook, browsers, and network folders.
Hosting Environment
The CDS host must be hardened (CIS/STIGs). Security Dome supports on-premises, private cloud, and SaaS.
Workload Type Separation
User workloads (documents, email) and system workloads (code, firmware) require separate SEF configurations.
Cloud & Multi-Site Scale
Security Dome's Active-Active grid scales horizontally. See GateScanner Multi-site for distributed deployment.
Hardware + Software Balance
Hardware diode for boundary enforcement; Security Dome for content inspection and orchestration above it.
Certification & Accreditation
Components in classified environments typically require formal evaluation under Common Criteria or national equivalents.
Operational Continuity
Active-active load balancing, redundant diodes, and zero-downtime updates are essential in operational environments.