
Managing data securely in cross-domain solutions
Mercury Systems
April 28, 2025
At its core, the purpose of a cross-domain solution (CDS) is to enable data to be shared and transferred between security domains of differing classification. But because not all data on classified networks needs to be, or may be, shared between systems, a CDS must also incorporate secure data management tools and practices that limit the transfer of information to only where it is needed and ensure that whatever does cross is transferred safely.
What is traditional secure data management?
Secure data management is a common practice within digital and IT security that specifically focuses on safeguarding digital assets such as documents, videos, photos, software-specific save files, system information and other forms of data that may be of value to adversaries. An overall framework for protecting this kind of information involves establishing and adhering to policies around the handling of data, including:
- Restricting data access to only authorized users
- Continuous monitoring of the system to detect modifications and corruption during data transfers
- Encrypting data both in transit and at rest
- Monitoring for software alterations, tampering and malware
- Data retention to ensure valuable information is not lost by action or accident
The need for secure data management
Secure data management is crucial to protect information that can be sensitive, such as personal, health, financial or mission-critical intelligence. Organizations should protect data from unauthorized access, breaches, and misuse, and must ensure regulatory compliance. Certain industries like healthcare, finance and defense face some of the greatest data security challenges because their organizations rely heavily on this sensitive data.
Healthcare: To maintain patient privacy and data integrity, the healthcare industry must comply with the Health Insurance Portability and Accountability Act (HIPAA), which mandates strict guidelines for handling, transmitting and storing patient data. Nevertheless, healthcare data breaches reported to the U.S. Office for Civil Rights are on the rise, and the largest exposure on record occurred in 2024, when the private information of roughly 190 million individuals was exposed. This demonstrates the growing need for the sector to better secure its data.
Finance: The financial sector has its own data management requirements. For example, the Gramm-Leach-Bliley Act requires financial institutions to safeguard sensitive customer data and to explain their information-sharing practices to customers. However, such regulations are often considered broad, leaving gaps in how data is actually protected. Because financial and transaction data are frequently targeted for fraud, identity theft and money laundering, financial firms account for nearly one-fifth of reported cyber incidents, according to a 2024 International Monetary Fund (IMF) report. The IMF also warns that such incidents could threaten financial and economic stability: critical payment networks could be disrupted, and eroded trust could lead to runs on banks. This underscores the importance of strengthening the sector's infrastructure and resilience.
Defense: Government and defense systems not only manage sensitive and mission-critical information, they also hold data across three main classification levels: Confidential, Secret and Top Secret. To properly manage the security of, and access to, this extremely sensitive data, these systems must meet or exceed the cyber and digital security requirements set by the federal government. Cross-domain and multilevel security solutions help fulfill these requirements.
Secure classified data management of cross-domain solution devices
Networks that hold U.S. classified data must follow strict rules on the storage, authorization, maintenance and access of information. These include using only hardware and software authorized for classified processing; regularly auditing physical assets and users; limiting access to those with both the proper clearance and a need to know; and applying classification markings both to certain physical network hardware and to all digital data files. The following examples show further complications in the handling of classified data.
- Classified networks or systems are usually program-specific, meaning they may only handle information related to a specific program or technology. Moving data from one Top Secret network to another Top Secret network, for example, can be a security violation if both networks are not authorized to handle that specific information.
- Classified networks form an umbrella specific to their classification, meaning a Top Secret network may contain all classifications below it — Unclassified, Confidential, Secret and Top Secret — while a Confidential network would only be allowed to contain Confidential and Unclassified information.
- The mere act of placing unclassified or lower-level classified material on the same network can, under certain circumstances, raise the classification of some data through aggregation. For example, if two files marked Confidential reveal additional context and sensitive information when read together, the combination may need to be handled at the Secret level.
These complexities, combined with the fact that a CDS is by design meant to do what classified systems are built to prevent (share classified data across domains), require the use of advanced data protection and management techniques, such as:
- Using cryptography and mandatory access control (MAC) to isolate networks and data flows
- Filtering data to ensure compliance while in transit
- Sanitizing data before transfer to ensure only necessary information is transferred
- Using hardware-based data diodes that allow data to transfer in only one direction
- Establishing bi-directional guards that monitor and control data flow in both directions to ensure only authorized data is being shared
- Limiting access and data transfer between domains via strict user authentication and authorization requirements
- Predefining data exchange policies to ensure every exchange adheres to regulations and policies
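As an added example (not Mercury Systems' code or any product's implementation), the following Python models how a guard might apply several of the techniques above to a single transfer request: a mandatory access control dominance check (the destination network must be accredited for the data's level and for every program compartment it carries, which also captures the Top Secret-to-Top Secret violation described earlier), one-way enforcement in the manner of a data diode, a content-type and size filter, and sanitization of metadata before release. The marking syntax `LEVEL//COMPARTMENT/COMPARTMENT`, the compartment names and the domain names are assumptions constructed for the example.

```python
"""Toy cross-domain transfer guard (added example, not a product implementation).

Assumed marking syntax: "SECRET//ALPHA/BRAVO" means level SECRET with program
compartments {ALPHA, BRAVO}. All domain and compartment names are constructed.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance needs a higher-or-equal level AND a superset of compartments,
        # so a TOP SECRET//BRAVO network does not dominate TOP SECRET//ALPHA data.
        return self.level >= other.level and other.compartments <= self.compartments


def parse_marking(marking: str) -> Label:
    """Parse 'LEVEL//COMP/COMP' (assumed syntax); raises KeyError on unknown level."""
    level_part, _, comp_part = marking.partition("//")
    level = Level[level_part.strip().upper().replace(" ", "_")]
    comps = frozenset(c.strip().upper() for c in comp_part.split("/") if c.strip())
    return Label(level, comps)


@dataclass(frozen=True)
class Domain:
    name: str
    accreditation: Label  # highest label the network is authorized to hold


@dataclass
class Message:
    marking: str
    content_type: str
    payload: bytes
    metadata: dict = field(default_factory=dict)


@dataclass(frozen=True)
class TransferPolicy:
    source: Domain
    destination: Domain
    one_way: bool = True  # True behaves like a data diode: source -> destination only
    allowed_types: frozenset = frozenset({"text/plain", "application/json"})
    max_bytes: int = 1 << 20
    metadata_keep: frozenset = frozenset({"filename", "created"})


def guard(policy: TransferPolicy, msg: Message, reverse: bool = False):
    """Evaluate one transfer. Returns (allowed, reason, sanitized_message_or_None)."""
    if reverse and policy.one_way:
        return False, "reverse flow blocked: one-way transfer only", None
    src, dst = (policy.destination, policy.source) if reverse else (policy.source, policy.destination)
    try:
        label = parse_marking(msg.marking)
    except KeyError:
        return False, f"unrecognized marking {msg.marking!r}", None
    # Data marked above what the source may hold indicates mislabeling or a spill: fail closed.
    if not src.accreditation.dominates(label):
        return False, f"marking exceeds {src.name} accreditation", None
    # No write-down, and no transfer into a network not authorized for the program.
    if not dst.accreditation.dominates(label):
        return False, f"{dst.name} not authorized for {msg.marking}", None
    if msg.content_type not in policy.allowed_types:
        return False, f"content type {msg.content_type} not permitted", None
    if len(msg.payload) > policy.max_bytes:
        return False, "payload exceeds size limit", None
    # Sanitize: release only the metadata fields the policy explicitly allows.
    kept = {k: v for k, v in msg.metadata.items() if k in policy.metadata_keep}
    return True, "transfer permitted", Message(msg.marking, msg.content_type, msg.payload, kept)


# Constructed domains: a SECRET//ALPHA program network feeding a TOP SECRET//ALPHA/BRAVO
# network through a one-way guard, and two Top Secret networks of different programs
# joined by a bi-directional guard.
LOW = Domain("secret-alpha", parse_marking("SECRET//ALPHA"))
HIGH = Domain("ts-alpha-bravo", parse_marking("TOP SECRET//ALPHA/BRAVO"))
TS_ALPHA = Domain("ts-alpha", parse_marking("TOP SECRET//ALPHA"))
TS_BRAVO = Domain("ts-bravo", parse_marking("TOP SECRET//BRAVO"))
DIODE = TransferPolicy(source=LOW, destination=HIGH)
TS_GUARD = TransferPolicy(source=TS_ALPHA, destination=TS_BRAVO, one_way=False)


def demo() -> dict:
    """Run representative requests and return {description: allowed}."""
    report = Message("SECRET//ALPHA", "text/plain", b"report", {"filename": "r.txt", "author": "analyst7"})
    return {
        "low_to_high": guard(DIODE, report)[0],                                                     # True
        "high_to_low_blocked": guard(DIODE, report, reverse=True)[0],                               # False
        "mislabeled_above_source": guard(DIODE, Message("TOP SECRET//ALPHA", "text/plain", b"x"))[0],  # False
        "executable_filtered": guard(DIODE, Message("SECRET//ALPHA", "application/x-msdownload", b"x"))[0],  # False
        "author_metadata_stripped": "author" not in guard(DIODE, report)[2].metadata,               # True
        "ts_to_ts_wrong_program": guard(TS_GUARD, Message("TOP SECRET//ALPHA", "text/plain", b"x"))[0],  # False
        "ts_to_ts_unclassified_reverse": guard(TS_GUARD, Message("UNCLASSIFIED", "text/plain", b"x"), reverse=True)[0],  # True
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The guard fails closed at every step and returns the reason, which is what an auditor needs logged; in a real CDS the content filter would inspect the payload itself (dirty-word search, format validation, embedded-object removal) rather than trusting a declared content type, and the accreditation labels would come from the system's security policy rather than constants in the code.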
Future secure data management with AI, quantum computing and zero trust
With the arrival of Artificial Intelligence (AI) and continuing advancements in quantum computing, it is critical to consider the future of data management.
AI is a threat to data security because it can be used to bypass traditional security measures and carry out more effective attacks, using adaptive and sophisticated malware and phishing techniques and avoiding detection. For example, through deepfakes, AI can make emails or images look convincing and authentic, leading individuals or businesses to divulge sensitive or identity information. This demonstrates a serious data breach risk that can have severe financial, identity, reputation and national security consequences.
To combat these threats, AI also needs to be part of the solution. For example, AI can enhance threat detection, automate response, enforce protocols, and monitor data usage and flows across domains.
The threat quantum computing poses to the future of data management is at least as significant as that of AI. Data storage and transfer rely on cryptography to keep data secure. In the coming decades, quantum computers are projected to be able to break the public-key algorithms in use today, such as RSA and elliptic-curve key exchange, introducing the potential for quantum attacks on cross-domain data transfers. This means that data encrypted and captured today could be deciphered in the future, a risk often described as "harvest now, decrypt later".
While quantum computing is still years away from its full potential, organizations should not wait to begin implementing post-quantum cryptography to secure their data management. The National Institute of Standards and Technology (NIST) finalized its first quantum-resistant encryption and signature standards in 2024 (FIPS 203, 204 and 205), and National Security Memorandum 10 (NSM-10) set out the U.S. government's strategy for the transition.
Traditional security approaches appear insufficient for future, and even current, data security needs, so organizations can also take other steps now, such as adopting a zero trust architecture. Traditional approaches rely on perimeter-based security, which is increasingly inadequate for CDSs and the complex environments in which they operate.
Zero trust addresses these vulnerabilities because it assumes that threats are present both inside and outside the network and therefore trusts nothing by default. Every user and device must be verified before being granted access to data and applications, and that verification is repeated rather than granted once at the perimeter. This reduces the risks of data sharing across domains, which is critical for a CDS.
AI, post-quantum cryptography and zero trust can be integrated to better secure data now and in the future. Stronger encryption, automated AI-driven threat detection and continuous authentication create a layered, data-centric defense rather than one focused only on securing the network. In addition to the systems and technologies discussed here, future data management will continue to depend on ongoing security and vulnerability assessments and on staff training and awareness.
Ensuring the integrity of a cross-domain solution
Although advanced secure data management techniques help protect classified data, there is another risk that cross-domain solutions must be designed to withstand: tampering with or manipulation of the CDS itself. Learn more about how CDSs are designed to protect against tampering and how CDSs function.
Agile cross-domain solutions ensure Top Secret, Secret and unclassified information can be securely shared between forces, and are critical to the military’s Joint All-Domain Command and Control (JADC2) strategy.