High assurance data guard
Nexor Guardian provides a highly secure, high-throughput content checking capability that enables the sharing of information between networks with different levels of trust for data.
A data guard reduces the risk of malware getting into a network and of sensitive data leaking out, and ensures that appropriate controls are in place for data to be released between networks.
Nexor Guardian has been designed and developed to protect organisations by validating that data flowing between networks complies with the security policy of the protected domain. Our data guards offer parallel processing of information, with high data processing speeds and low latency, even with deep content inspection.
Guards can provide the Validate component in our Secure Information eXchange Architecture (SIXA). They ensure the content (and in some cases protocol) conforms to the security policy.
Nexor Guardian makes use of the evaluated security functionality provided by the underlying platform to ensure an automated electronic exchange can only pass from one domain to the other via a trusted path.
The importance of data validation
The data guard, also known as the Validate component, ensures that data being transferred between networks conforms to a specified security policy. In order to do this, the Guard has to be able to provide detailed inspection of the data being transferred. The checks that a Guard could perform can be split into three categories:
- Format checks;
- Syntax checks;
- Semantic checks.
Data can claim to be of a given format in different ways, from the extension of a filename to parameters in encapsulating data (e.g. MIME types in an email). Format checks will verify that the data conforms to the format that it claims or appears to be.
The type that the data claims to be is important since this will determine the end application that opens and renders it. Data can masquerade as different types to fool an end application into opening it.
The format checks need to be designed to ensure that the end applications get the data that they can safely open. In order to achieve this, the end applications need to be known and thus they need to form an integral part of the overall secure information exchange solution.
In most scenarios, the checks need to go beyond verifying that the data is of the type it claims to be.
Additional checks should validate that the data conforms to the configured security policy so that an administrator can ban fields or portions of data formats that could potentially carry threats such as malware or hidden data leakage.
Equally, checks should ensure that all mandatory fields are present to ensure that end applications processing the data have everything that they expect.
Semantic Policy Checks
Knowing that the data is of an acceptable format, and that it conforms to a specified schema for that format, reduces the risk of incorrectly or maliciously formatted data compromising applications in the destination system.
In addition, semantic checks ensure that the information carried in the data conforms to the defined policy: the content, whilst structurally valid, must also be allowed.
Examples of these types of checks are:
- prohibited word checking;
- security label checks;
- and release authority decisions.
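The three categories of check can be shown on a single message type. The sketch below is an added example, not Nexor Guardian code or configuration: it guards a JSON message, and the policy contents (field names, the `OFFICIAL` label, the prohibited word) and function names are assumptions chosen for illustration.

```python
import json

# Constructed policy for illustration (field names and labels are assumptions).
POLICY = {
    "mandatory": {"label", "sender", "body"},
    "banned": {"attachment", "script"},
    "releasable_labels": {"OFFICIAL"},
    "prohibited_words": {"codeword-x"},
}

def format_check(claimed_type, payload):
    """Format: the bytes must really be the type they claim to be."""
    if claimed_type != "application/json":
        raise ValueError("format: type not accepted by the end application")
    try:
        doc = json.loads(payload.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        raise ValueError("format: payload is not the claimed JSON") from None
    if not isinstance(doc, dict):
        raise ValueError("format: top level must be an object")
    return doc

def syntax_check(doc, policy):
    """Syntax: mandatory fields present, banned fields absent, text only."""
    missing = policy["mandatory"] - set(doc)
    if missing:
        raise ValueError(f"syntax: missing fields {sorted(missing)}")
    banned = policy["banned"] & set(doc)
    if banned:
        raise ValueError(f"syntax: banned fields {sorted(banned)}")
    if not all(isinstance(v, str) for v in doc.values()):
        raise ValueError("syntax: only string values are permitted")

def semantic_check(doc, policy):
    """Semantic: structurally valid content must also be allowed content."""
    if doc["label"] not in policy["releasable_labels"]:
        raise ValueError(f"semantic: label {doc['label']!r} not releasable")
    body = doc["body"].lower()
    if any(word in body for word in policy["prohibited_words"]):
        raise ValueError("semantic: prohibited word in body")

def guard(claimed_type, payload, policy=POLICY):
    """Run the three checks in order; any failure quarantines the data."""
    try:
        doc = format_check(claimed_type, payload)
        syntax_check(doc, policy)
        semantic_check(doc, policy)
    except ValueError as err:
        return "quarantine", str(err)
    return "release", "conforms to policy"
```

Calling `guard("application/json", payload)` returns a verdict and a reason whose prefix names the category of check that failed.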
Complexity versus Assurance
Nexor Guardian makes use of the security functionality provided by the underlying platform to ensure an automated electronic exchange can only pass from one domain to the other via a trusted path.
In order to get a high degree of confidence that the Guard can perform these detailed checks, it is advisable to limit the degree of complexity of the data being transferred through the Guard. In this way, the checks can still be comprehensive, but are simpler to evaluate.
The Transform component, or Gateway, in our Secure Information eXchange Architecture (SIXA) can be used to transform more complex data into something that can be guarded with high assurance.
Dealing with non-conformant data
Non-conformant information is rejected and quarantined, preventing the potential damage caused by outbound data loss or inbound malicious content. Nexor Guardian includes an option for manual inspection and release if desired.
Nexor Guardian is a data guard providing a highly secure, high-throughput content checking capability that enables the sharing of information between networks with different levels of trust.
Nexor’s data guard is available in multiple versions, each optimised for specific business challenges. These include editions for chat, file transfer, web, voice, directory services and enterprise management.
We also provide Nexor Sentinel, a high assurance email guard that is evaluated to Common Criteria EAL4+ and listed on NATO’s NIAPC catalogue. It has been designed to protect organisations by validating that inbound and outbound electronic messages conform to the security policy of the protected domain.
Speak to us today to discuss how Nexor Guardian or Sentinel could best protect your organisation.
A full technical specification sheet for Nexor Guardian is available upon request.
We also recommend that you find out more about how data guards can perform the validate element in our architectural approach to secure information exchange. Our Secure Information eXchange Architecture (SIXA) is based on best practice design patterns from the National Cyber Security Centre (NCSC), the UK National Technical Authority.