Visual Content Security for Defense Organizations


For Department of Defense (DoD) organizations, transporting visual content over IP networks to multiple video walls in an operations center provides flexibility to meet changing mission or operational requirements. Whether the content is displayed via live intelligence feeds, real-time situational awareness, or PowerPoint, critical visual collaboration isn’t always feasible with traditional video distribution systems. Content sources often reside on networks that are isolated from one another due to security restrictions. In some cases, the value of networked media distribution is ignored because of this content security requirement.

The various content access requirements under Department of Defense Instruction (DoDI) 8510.01 and defined in NIST SP 800-53, Rev. 5 are enforced using the Bell–LaPadula Model (BLP), expressed in three security properties:

  1. A subject at a given security level may not read an object at a higher security level.
  2. A subject at a given security level may not write to any object at a lower security level.
  3. Discretionary access control (DAC) is maintained using an access matrix.

The BLP Model is used in unidirectional security gateways which are put in place to allow file transfers from lower-level networks to higher-level networks, but these products are expensive and generally not suitable for video transport.

When translated into video distribution terms, the BLP model ensures that no data, in this case “content”, can be transferred to a network with a lower classification level. Since the purpose of the content transfer is to display video, the first two rules can be expressed as:

  1. A display at a given security level may not display a source from a higher security level.
  2. A source at a given security level may not send video to a display at a lower security level.

Adhering to the Bell-LaPadula Model

If the network that hosts the wall displays is at the highest level allowed by the facility, then there will be no opportunity to violate the BLP.

This still leaves the requirement for network separation, which is achieved by networked video distribution. The audio visual (AV) network with the displays must be isolated from all other networks. The content source (laptop, computer, etc.) for each video to be sent is a workstation residing on a network at the appropriate security level. The content displayed on that workstation's monitor retains the classification of the network. The signal to the display wall is split and fed into a video encoder which resides on the potentially higher classification AV network. Since the encoder resides only on the AV network and receives nothing but the split display signal, there is no data path between the two networks, and that absence of a data path is what provides the separation.
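The two video-distribution rules above, the DAC matrix from rule 3, and the observation that walls hosted at the facility's highest level can never trigger a rule 1 violation can all be written down as a small policy check. The following is an added example for this post, not Haivision CineNet code; the classification levels, operator names, sources, and displays are hypothetical and constructed here:

```python
"""Toy Bell-LaPadula routing check for IP video wall sources and displays.

Added illustrative code; not a vendor implementation. Levels, names and the
inventory below are hypothetical."""

from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Hypothetical linear classification lattice: larger value dominates."""
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2


@dataclass(frozen=True)
class Source:
    """A content workstation; its level is that of the network it sits on."""
    name: str
    level: Level


@dataclass(frozen=True)
class Display:
    """A wall output; its level is that of the AV network hosting it."""
    name: str
    level: Level
    section: str  # wall section, the object the DAC matrix is keyed on


def no_read_up(display: Display, source: Source) -> bool:
    """Rule 1: a display may not show a source from a higher level."""
    return display.level >= source.level


def no_write_down(source: Source, display: Display) -> bool:
    """Rule 2: a source may not send video to a lower-level display.

    For one source/display pair this is the same dominance test as rule 1
    seen from the source side; kept separate so each check maps to a rule."""
    return source.level <= display.level


@dataclass
class WallController:
    """Routes sources to displays, enforcing both BLP rules plus DAC."""
    # Rule 3: access matrix, wall section -> operators allowed to route to it.
    acl: dict[str, set[str]] = field(default_factory=dict)
    audit: list[str] = field(default_factory=list)  # denials kept for review

    def grant(self, operator: str, section: str) -> None:
        self.acl.setdefault(section, set()).add(operator)

    def route(self, operator: str, src: Source, dst: Display) -> bool:
        """Allow the route only if all three properties hold."""
        if not no_read_up(dst, src):
            return self._deny(f"{dst.name} ({dst.level.name}) may not read "
                              f"{src.name} ({src.level.name})")
        if not no_write_down(src, dst):
            return self._deny(f"{src.name} may not write down to {dst.name}")
        if operator not in self.acl.get(dst.section, set()):
            return self._deny(f"{operator} has no right on section {dst.section}")
        return True

    def _deny(self, reason: str) -> bool:
        self.audit.append("DENY " + reason)
        return False


def walls_can_violate_blp(displays: list[Display], sources: list[Source]) -> bool:
    """True if some source outranks every display, i.e. rule 1 could be hit.

    When every display sits at the facility's highest level this is False,
    which is the point made in the section above."""
    top = max(d.level for d in displays)
    return any(s.level > top for s in sources)


# Constructed sample inventory (hypothetical names and levels).
INTEL_FEED = Source("intel-feed", Level.TOP_SECRET)
BRIEFING_PC = Source("briefing-pc", Level.UNCLASSIFIED)
WALL_TS = Display("ops-wall-1", Level.TOP_SECRET, section="ops-main")
LOBBY_TV = Display("lobby-tv", Level.UNCLASSIFIED, section="lobby")


def demo() -> dict[str, bool]:
    """Run the four routing cases discussed above and return each decision."""
    ctl = WallController()
    ctl.grant("watch-officer", "ops-main")
    return {
        "ts_feed_to_ts_wall": ctl.route("watch-officer", INTEL_FEED, WALL_TS),
        "uncl_pc_to_ts_wall": ctl.route("watch-officer", BRIEFING_PC, WALL_TS),
        "ts_feed_to_lobby_tv": ctl.route("watch-officer", INTEL_FEED, LOBBY_TV),
        "visitor_without_dac": ctl.route("visitor", INTEL_FEED, WALL_TS),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Routing an unclassified briefing PC up to a TOP_SECRET wall passes, routing the TOP_SECRET feed down to the lobby display is refused, and an operator with no entry in the access matrix is refused even when the levels are fine; every refusal lands in `audit`, which is the list an operations center would want forwarded to its monitoring.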

The Haivision MCS CineNet video wall management platform provides discretionary access controls that are compliant with the BLP Model, allowing video outputs, grouped as video walls, wall sections, or displays, to be configured so that access is limited. For more information on content security requirements and mitigation techniques for DoD organizations that are planning to incorporate a video wall solution with IP distribution, check out our white paper Single-Site Multi-Enclave Distribution Best Practices. Request your free copy of this white paper.
