Designing a Protocol Agnostic Rule Engine for a Cross-Domain Solution
Holmala, Olli (2019)
Information Technology
Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Date of approval
2019-05-21
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:tty-201905031471
Abstract
Data protection is an ever-growing concern for businesses and consumers. Industries are digitalizing their business processes at a rapid rate, with business transactions increasingly taking place in the digital domain. Particularly in the context of sensitive information, it is critical that information be available only to those whom it concerns. Any information access by unauthorized individuals (i.e. data leakage) can cause irreparable harm to the reputation of the company responsible for safekeeping the leaked information.
Communication between software applications that contain varying degrees of sensitive information poses additional challenges for data protection. A security level difference between two applications may result in incompatibility, as data from one domain may not be suitable for another domain. In practice, the only manner of enabling communication between the two domains is filtering out transmitted data from the first domain that is inappropriate for the second domain. Manual filtration of data can prove a tedious and persistent undertaking; therefore, automation of the filtering process can prove to be an attractive alternative. A cross-domain solution (CDS) is a software application placed between two security domains of differing security levels that automates data leakage prevention.
The purpose of this thesis was to design a protocol agnostic rule engine for a cross-domain solution. A rule engine provides customizability for the filtering logic of the CDS, so that its users can dynamically determine what to filter. As the communicating applications can transmit data using a variety of protocols, the objective was that the rule engine would function in a similar manner regardless of the chosen protocol.
The design of the engine was based on the architecture of existing business rule engines. Comparing the existing rule engines revealed their commonalities, differences and best practices. These practices were then customized and applied to the rule engine of this thesis.
Additionally, the input and output of the CDS were demonstrated with two example protocols that the CDS supports: ASTERIX and the HLA. The structure of both protocols was examined in order to provide a better understanding of the type of data the CDS processes. Furthermore, a comparison of their similarities and differences revealed the challenges of achieving protocol agnosticism.
The rule engine was designed using the C4 model for architecture design. Architecture was illustrated with diagrams at multiple levels of abstraction, beginning at the system context level and ending with the component level. The design was constrained by a set of both business and regulatory requirements, which the resulting implementation adequately fulfilled. Ultimately, the resulting implementation was able to perform filtering operations on both example protocols in a protocol agnostic manner.
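To make the protocol-agnostic filtering idea concrete, the following is an added illustrative example and not the thesis's own implementation: each protocol gets an adapter that decodes a message into a common field dictionary, and the rules are written against those field names only, so one rule set filters traffic from any adapter. The two wire formats (a fixed-layout binary record and a key=value text line), the canonical field names, and the policy vocabulary (allow, drop, redact) are all constructed assumptions; they are not ASTERIX or HLA encodings. The engine is default-deny: a message crosses the domain boundary only if a rule explicitly allows it, and unknown or malformed input is rejected.

```python
"""Toy protocol-agnostic rule engine for a cross-domain solution (CDS).

Added example; the wire formats, field names and policy below are constructed
for illustration and do not model ASTERIX or HLA.
"""
import struct
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

Record = Dict[str, Any]  # canonical, protocol-independent representation


@dataclass
class Rule:
    name: str
    when: Callable[[Record], bool]   # predicate over canonical fields only
    action: str                      # "allow", "drop" or "redact"
    fields: List[str] = field(default_factory=list)  # fields removed by redact


@dataclass
class Decision:
    allowed: bool
    record: Optional[Record]         # filtered record, or None if blocked
    matched: List[str]               # names of rules that fired (for auditing)


class RuleEngine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def evaluate(self, record: Record) -> Decision:
        rec = dict(record)
        matched: List[str] = []
        allowed = False
        for rule in self.rules:
            if not rule.when(rec):
                continue
            matched.append(rule.name)
            if rule.action == "drop":          # block the whole message
                return Decision(False, None, matched)
            if rule.action == "redact":        # strip sensitive fields
                for name in rule.fields:
                    rec.pop(name, None)
            elif rule.action == "allow":
                allowed = True
        # default deny: nothing allowed it, nothing leaves
        return Decision(allowed, rec if allowed else None, matched)


# --- protocol adapters (constructed toy formats) ---------------------------

def decode_toy_binary(raw: bytes) -> Record:
    """Constructed layout: kind(u8) track_id(u16) lat(f64) lon(f64) class(u8)."""
    kind, track_id, lat, lon, clas = struct.unpack("!BHddB", raw)
    return {"kind": kind, "track_id": track_id, "position": (lat, lon),
            "classification": clas, "callsign": None}


def decode_toy_text(line: str) -> Record:
    """Constructed layout: semicolon-separated key=value pairs."""
    kv = dict(item.split("=", 1) for item in line.strip().split(";") if item)
    return {"kind": int(kv["kind"]), "track_id": int(kv["track"]),
            "position": (float(kv["lat"]), float(kv["lon"])),
            "classification": int(kv["class"]), "callsign": kv.get("callsign")}


ADAPTERS = {"toy-binary": decode_toy_binary, "toy-text": decode_toy_text}

# --- policy written purely against canonical field names -------------------
ENGINE = RuleEngine([
    # classification levels above 1 are not releasable to the low domain
    Rule("classification-not-releasable", lambda r: r["classification"] > 1, "drop"),
    # identifying callsigns never cross the boundary, whatever the protocol
    Rule("redact-callsign", lambda r: True, "redact", ["callsign"]),
    # only track reports of kinds 1 and 2 are permitted at all
    Rule("allow-track-reports", lambda r: r["kind"] in (1, 2), "allow"),
])


def filter_message(protocol: str, raw: Any) -> Decision:
    """Decode with the protocol's adapter, then apply the shared rule set."""
    decoder = ADAPTERS.get(protocol)
    if decoder is None:
        return Decision(False, None, ["unknown-protocol"])
    try:
        record = decoder(raw)
    except (struct.error, KeyError, ValueError):
        return Decision(False, None, ["malformed-input"])   # fail closed
    return ENGINE.evaluate(record)


if __name__ == "__main__":
    sample = struct.pack("!BHddB", 1, 42, 60.17, 24.94, 0)   # constructed
    print(filter_message("toy-binary", sample))
    print(filter_message("toy-text", "kind=1;track=7;lat=1.5;lon=2.5;class=2;callsign=ABC1"))
```

Because the rules never touch the raw bytes, adding a third protocol only requires a new adapter producing the same canonical fields; the policy, and the audit trail of matched rule names, stay unchanged.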