MLS Clouds
I now bring the ‘Cloud’ blog series to an end by discussing MLS clouds and how BlueSpace fits into the cloud topic. If you’ve missed the last two...

The BlueSpace Client Framework is the first commercial-off-the-shelf (COTS) framework specifically designed for creating multi-level secure (MLS) applications for end users. It supports rapid development of applications that combine data from different classification levels and networks into a ‘mashup’ for the end user, while still preserving the security of separate networks.
The Client Framework can help to reduce the time and investment required to build, maintain and support both custom MLS applications and MLS versions of existing COTS software products.
The Client Framework is designed to support multi-level applications, which provide end users with a single interface while operating simultaneously at multiple security levels. The Trusted Service Bus facilitates administratively controlled application messaging between security levels and content elevation to build unified views. However, when a user creates content (for example, composing an email or starting an IM chat session), the framework can ensure that the user does this at the appropriate network label and classification level.
This MLS approach is more secure than traditional cross-domain solutions (CDS), in which the user interface operates at a single security level. With CDS transfer, all content is elevated to the highest level to provide a unified view. This ‘elevation’ of content poses a risk of infection to higher security levels. When the user creates content, a CDS system must downgrade that content through a data guard to allow it to go out over a lower level network. This is typically preceded by a ‘dirty word’ scan in an attempt to prevent leakage of higher level, classified content.
The BlueSpace Client Framework leverages the accredited and certified capabilities of the underlying trusted operating system to enforce Mandatory Access Controls (MAC) over content. So ‘copy and paste’ is allowed only within a single level, the file system is properly segregated into separate levels, and separate controls persist with content across the entire lifecycle.
A key component of the Client Framework is the BlueSpace Connect application. The Connect application runs in each of the Windows domains on the client desktop, and connects out to Application Appliances in the cloud (which contain the Mashup Server and Trusted Service Bus as well as Application Servers for the end user web interfaces). The Connect application at each domain persists a session at that domain with the Application Appliance, sending messages that require cross-domain actions such as opening an email in Unity or performing a search in Discover. The Connect application is also responsible for orchestrating seamless application windows at each security domain on the client workstation.