
Controlled interface

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Sandstein at 10:26, 6 January 2011 (Wikipedia:Articles for deletion/Controlled interface closed as merge to some other article). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In a multilevel security system, a controlled interface is a system component that is used to implement security constraints on the transfer of data between security domains. The data to be transferred may theoretically move in either direction; the task of the controlled interface is to ensure that the data meets the security criteria for transfer. In general, data can move from a lower-security domain to a higher-security domain. For transfer in the opposite direction, it has to be ascertained that the data is of sufficiently low security sensitivity; for example, data classified as "Secret" should not be allowed to leak into a domain that is merely "Restricted".

The Committee on National Security Systems (CNSS) publishes the 'NATIONAL INFORMATION ASSURANCE (IA) GLOSSARY', also known as CNSS Instruction No. 4009. In this glossary, a Controlled Interface is defined as follows: "Mechanism that facilitates the adjudication of different interconnected system security policies (e.g., controlling the flow of information into or out of an interconnected system)".

Within the US government, the Director of Central Intelligence Directive 6/3 (DCID 6/3) states that multilevel security systems must meet the requirements for Protection Level 4 and 5 (PL-4 and PL-5), Integrity-High and Availability-High.

While some controlled interfaces are very complicated, others are very simple. A simple example of a controlled interface is a one-way data transfer system that moves data from a low-security network to a high-security network while not allowing any data transfer in the opposite direction. One-way controlled interfaces are also called data diodes. For example, a fiber Network Interface Controller (NIC) with only one optical path can be used as a data diode. However, all Internet protocols involve two-way data traffic, and if there is a need to access the Internet from a high-security system, such a simple solution cannot be used.
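The transfer rule and the one-way (data diode) case described above can be sketched as a small adjudication function. This is an added example, not code from the article or from any real guard product; the `Level` ordering, the function names and the sample transfers are assumptions made for illustration, and the data label is taken as given.

```python
from enum import IntEnum

class Level(IntEnum):
    # Assumed ordering for this example; the article names only
    # "Secret" and "Restricted".
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3

def parse_label(text):
    """Map a label string to a Level; unknown or missing labels give None."""
    try:
        return Level[text.strip().upper()]
    except (KeyError, AttributeError):
        return None

def adjudicate(src_domain, dst_domain, data_label, diode=False):
    """Decide whether data may move from src_domain to dst_domain.

    Returns (allowed, reason). With diode=True the interface is one-way:
    only transfers towards an equal or higher domain pass, whatever the label.
    """
    src, dst, data = (parse_label(x) for x in (src_domain, dst_domain, data_label))
    if src is None or dst is None:
        return False, "unknown domain level"
    if data is None:
        return False, "unlabelled or unknown data label (fail closed)"
    if data > src:
        return False, "data label exceeds source domain level"
    if diode and dst < src:
        return False, "data diode: no high-to-low path"
    if data > dst:
        return False, "data too sensitive for destination domain"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample transfers: (source, destination, data label, diode)
    samples = [
        ("Restricted", "Secret", "Restricted", False),  # low to high
        ("Secret", "Restricted", "Secret", False),      # would leak Secret data
        ("Secret", "Restricted", "Restricted", False),  # low-sensitivity data, high to low
        ("Secret", "Restricted", "Restricted", True),   # same transfer through a diode
        ("Secret", "Restricted", None, False),          # missing label
    ]
    for s in samples:
        print(s, "->", adjudicate(*s))
```

The order of the checks matters: unknown or missing labels are rejected before any comparison, so a transfer is never allowed by default.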

High Assurance Guards

A controlled interface whose security has been certified through the Common Criteria process is known as a High Assurance Guard (HAG) or High Assurance Controlled Interface (HACI).