Cross-Domain Solutions

Create a data and device transfer process that delivers security and trust across the entire perimeter.

Cross-Domain Solutions in Critical Infrastructure

How can file transfers be secured across the entire enterprise, especially between uncontrolled devices? Transferring files into, across, and out of secure environments is a potential avenue for malware and/or data breach. Files entering via portable media and transient devices create opportunities for infection. Stored files may have zero-day attacks, temporarily unnoticed and dormant on servers. Allowing files to exit secure environments risks sensitive data leakage.

This video provides tips and best practices for securely managing data transfer into an air-gapped network.

Cross-Domain Solution Benefits

Breach Prevention with Multiscanning

Malware continues to bypass existing defenses because cybercriminals are developing threats with dynamic sophistication, yet enterprises are often deploying static protection measures. It is not uncommon for Zero Day viruses to penetrate a single vendor’s anti-virus and heuristics engine. Sensitive data as well can be intentionally stolen or transferred accidentally. OPSWAT safeguards sensitive data and minimizes cyber risk proactively through controlled workflow policies and analyzed validation through up to 30+ anti-malware vendor engines.

Cybersecurity Compliance

Compliance requirements can come from self-imposed national or international cybersecurity standards or from mandated regulation. Cybersecurity compliance is designed to establish a level of due diligence and thereby minimize system breaches and privacy violations. OPSWAT supports compliance processes, comprehensive visibility, and detailed reporting for NIST, HIPAA, PCI DSS, GDPR, NERC CIP, NEI 18-08, ISA/IEC, ISO/IEC and a wide range of other standards and regulations.

Digital Perimeter Control with Automated Device Blocking

Perimeters can be virtual, physical, or mobile. OPSWAT securely controls the transfer of files and devices in between security levels, systems, and physical transfer points.

The global increase of remote employees, BYOD, and contractors has resulted in an exponential rise in unmanaged devices. Blindly connecting devices to an internal or cloud network exposes enterprises to significant risks. OPSWAT blocks untrusted devices from accessing physical and virtual environments until they are thoroughly inspected and remediated.

Secure File Transfer with Automated Media Blocking

Files risk infection, while in transit. OPSWAT enforces secure file transfer processes, continuously scan for malware, and add digital signatures to ensure file integrity.

Tools work most effectively when combined with informed decision-making. OPSWAT products instill simple, effective processes. Employees will know how to safely bring in, store, transfer, and extract data across the enterprise, while staying in compliance with security policies. If unsanctioned portable media is purposefully or accidentally brought into the environment, safeguard processes will block the media from accessing devices and networks.

98% of U.S. nuclear power facilities trust OPSWAT for cybersecurity and compliance.
Opswat Logo Rgb White@2X

How OPSWAT Can Help Manage Cross-Domain Security

OPSWAT offers several products to support a wide range of use
cases and manage cross-domain security and compliance.

MetaDefender Kiosk

MetaDefender Kiosk acts as a digital security guard - inspecting all media for malware, vulnerabilities, and sensitive data. The Kiosk is designed for installation at the physical entry point of secure facilities.

MetaDefender Vault

MetaDefender Vault is a secure file storage and retrieval solution that protects critical files. The Vault works alongside the Kiosk to provide a secure and efficient way to manage threat protection.

MetaDefender Drive

MetaDefender Drive is a portable USB-based solution to inspect transient devices for malware, vulnerabilities, and sensitive data before they enter or leave any organization. The Drive is designed for use where portability is valued and connection to an external network is not available.


OPSWAT Client blocks all unauthorized removable media usage on all endpoints and scans them for malware before any files are copied over to the internal systems. The client can also enforce the usage of any media only processed and approved by MetaDefender Kiosk at the entry of your organization.

Central Management

Central Management offers a single pane of glass for globally managing multiple OPSWAT deployments, updating policies and settings, monitoring health of all instances in near real-time.

Cross-Domain Solution Deployment Scenarios

MetaDefender Kiosk - Standalone

A common portable and removable media protection mitigation that meets and exceeds NIST, NEI, NERC CIP, ISO/IEC, and ISA/IEC requirements is to place OPSWAT MetaDefender Kiosks at key check point entrances, critical SCADA network locations, and research facilities to verify all media before use.

OPSWAT MetaDefender Kiosk software security policies are enforced to require that all portable media be scanned, sanitized, and approved prior to use in the facility.

The kiosk confirms the user, the source, and the file types; looks for any malicious partitions and malware; and determines whether the device is secure or if it requires further inspection.

  • Whitelisting: An administrator can also add enforcement (whitelisting) of the specific media devices that are allowed into the facility. The kiosk can restrict media usage to specific pre-screened vendors and types.
  • Client Certified Media: Organizations can also provide their own certified media for the copied destination of all sanitized/validated files. In this case, only these media devices would be allowed into the facility with the employee/contractor or under escort.

MetaDefender Kiosk – Standalone with Closed Loop Media Control

Other popular use cases are available to further enhance compliance. Specifically, the kiosks provide “closed-loop” media control via the OPSWAT software client or the OPSWAT USB Firewall. A closed-loop system prevents any introduction of malicious content or changes to content while in transit from the kiosk to the destined system.

For critical environments where software installation could affect vendor warranty on existing systems, the USB Firewall provides a no-install option for closed-loop control.

MetaDefender Kiosk can be obtained as a turnkey system or installed on the client’s preferred hardware or VM based systems.

MetaDefender Kiosk to Vault

The 3rd Closed Loop option for MetaDefender Kiosk provides for the security of Data at Rest and Data in Transit. In this use case, the Kiosk enforces provides workflow control where files are sent to an internally hosted MetaDefender Vault for processing.

OPSWAT MetaDefender Vault provides tiered supervisory authorization and approval, authentication, and audit reporting for cross domain transmissions, storage, and retrieval of files.

  • Users enter all media into the Kiosk and select MetaDefender Vault as the destination
  • File processing begins immediately by Vault in parallel to the facility entry workflow so the user does not need to wait on local processing but can proceed into the facility
  • The Kiosk Ticketing system provides the user with a unique temporary printed code that provides timed network access to the validated/sanitized files stored in MetaDefender Vault hosted by the client from within the facility

All files in MetaDefender Vault are AES encryption secured, monitored, and checked for malware using 30+ anti-malware engines, sanitized, and quarantined based on configuration and workflow policies.

MetaDefender Vault to Kiosk (Data Loss Prevention)

Vendors and contractors often need to extract files from a facility for debugging and analysis purposes. In this use case, the data flow originates with MetaDefender Vault and flows to the Kiosk where the authenticated and authorized user can extract the files using approved media. Data Security and Data Privacy rules are enforced through pre-defined data redaction rules assigned to the relevant workflow(s).

These data redaction and workflow rules are designed to enhance GDPR, NIST, HIPAA, HITRUST, ISO/IEC, and ISA/IEC data security and data privacy compliance. All data transfers and workflow configuration changes are logged for detailed audit reporting.

  • Data Diode Option: For high security “Security-in-Transit” environments, an additional layer of data security (Data Diode) can be added to further secure network transfers from MetaDefender Kiosk to Vault. This network device can be added to secure traffic as one-way only and guard against the potential misconfiguration (intentional or malicious) of firewalls.

Two devices can also be used to secure traffic in both directions to enable data flow control and assurance for Data Security and Data Privacy rules.

MetaDefender Vault to Vault (Data in Transit Protection)

Whether you are working with NIST, NERC CIP, AWIA, ISO/IEC, or ISA/IEC, cybersecurity standards generally recommend that systems be profiled and grouped according to risk (threats, vulnerabilities, and consequence of compromise). These grouped systems share similar security profiles and therefore can be more efficiently and effectively secured.

System groupings are referred to in various industries with differing nomenclature. The more common terms are “Security Domains” or “Security Zones”. Data in Transit between these Domains or Zones are then referred to as “Cross Domain” or “Security Zone” transfers, respectively.

For operational purposes, files will need to be securely transferred between these security zones in a controlled, monitored, and logged process.

With OPSWAT MetaDefender Vault installed in each Security Zone, movement of files between zones can be multi-tier supervisory approved, secured in transit, audited, and secured at rest.

MetaDefender Drive

5 Drive 01

MetaDefender Drive can be used to scan laptops, workstations, and servers to identify any risks associated with malware, sensitive data loss, vulnerable binaries, and foreign country originated software. This can include remote use laptops, assets from employees, contractor machines, etc.

  • OPSWAT Central Management: A detailed audit report is provided and can be centralized for multiple instances via the OPSWAT central management software.
  • MetaDefender Vault: Drive can use MetaDefender Vault as a destination target.
  • Forensics: Drive can copy all good files to another USB device
  • Critical Infrastructure: MetaDefender Drive can handle older resource constrained systems as low as 1G RAM.

Use cases include:

  • Inspection: Inspect all transient assets coming from outside the entity’s digital security perimeter which are intended to be reconnected to secure systems and networks.
  • Supply Chain Final Check: Final inspection of purpose-built turnkey systems to be shipped to other entities.

Why Choose OPSWAT Cross-Domain Solutions

Cyberthreat Prevention Without Relying on Detection

Deep Content Disarm and Reconstruction (CDR)

Cyberthreat prevention without relying on detection - OPSWAT Deep CDR is an advanced threat prevention technology that does not rely on detection. Deep CDR assumes all files are malicious and sanitizes and rebuilds each file ensuring full usability with safe content. We call it “Deep” because we do it recursively, completely regenerate all files, and support 100+ file types).



Advanced threat prevention with simultaneous anti-malware engines - OPSWAT Multiscanning is an advanced threat detection and prevention technology that leverages the power of up to 30+ anti-malware engines to increase detection rates, decrease outbreak detection times and provide resiliency to anti-malware vendor issues. Detection rates can be increased up to 99% vs. 40-80% for many single engine solutions.


Proactive Data Loss Prevention (DLP)

Sensitive data detection and blocking in files and emails - OPSWAT Proactive Data Loss Prevention (Proactive DLP) can help prevent potential data breaches and regulatory compliance violations by detecting and blocking sensitive data in files and emails, including credit card and social security numbers. OPSWAT Proactive DLP supports over 30 file types, including Microsoft Office, PDF, CSV, HTML and image files.


File-based Vulnerability Assessment

Detect application vulnerabilities before they are installed - File-Based Vulnerability Assessment technology detects application and file based vulnerabilities before they are installed. We use our patented technology (U.S. 9749349 B1) to correlate vulnerabilities to software components, product installers, firmware packages and many other types of binary files, which are collected from a vast community of users and enterprise customers.

Vulnerabilities 3

Country of Origin

Detect risks in your supply chain - One of the abilities within MetaDefender Drive is to scan binaries on the target system and determine which country the publisher resides. Many organizations are experiencing heightened requirements to examine the supply chain security of the software running on their systems, particularly ones from Foreign Adversaries. With this Country of Origin capability, you can automate what was previously a time consuming and tedious process.

Filebased Slide
"Our MetaDefender Kiosks give us the added confidence in our ability to help keep our network malware-free."

Ed Koeller

Security Analyst, Ameren

Schedule a demo