Forum Sentry and Zero Trust
Achieving Zero Trust Architecture (ZTA) using Forum Sentry Policy Enforcement Points
The National Institute of Standards and Technology (NIST) has issued Special Publication NIST SP 800-207, which defines the architecture and concepts for deploying a successful ZTA.
“Zero Trust Architecture is an end-to-end approach to network/data security that encompasses identity, credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure. Zero trust is an architectural approach that is focused on data protection.
In Figure 1, a user or machine needs access to an enterprise resource. Access is granted through a Policy Decision Point (PDP) and a corresponding Policy Enforcement Point (PEP).
Policy Enforcement Point (PEP): This system is responsible for enabling, monitoring, and terminating connections between a subject and an enterprise resource.”
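The PDP/PEP split described above, as an added example that is not Forum Sentry's code and not taken from NIST SP 800-207: a toy Python PEP that consults a default-deny PDP before opening a connection, re-consults it on a fixed interval while the session is open, terminates the session when the decision changes, and records every decision for audit. The subject attributes (device posture, authentication strength), the resource names and the policy dictionary are constructed for illustration.

```python
"""Minimal PDP/PEP model: default-deny decisions, continuous re-evaluation, audit log."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional
import itertools


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Subject:
    identity: str
    device_compliant: bool   # constructed posture signal (e.g. from a device agent)
    auth_strength: int       # constructed scale: 1 = password only, 2 = MFA


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    resource: str
    action: str


class PolicyDecisionPoint:
    """Evaluates a request against policy. Anything not explicitly allowed is denied."""

    def __init__(self, policy: Dict[str, dict]):
        self.policy = policy   # constructed: resource -> rule dict

    def decide(self, req: AccessRequest) -> Decision:
        rule = self.policy.get(req.resource)
        if rule is None:
            return Decision.DENY                      # unknown resource: default deny
        if req.action not in rule["actions"]:
            return Decision.DENY
        if rule["require_compliant_device"] and not req.subject.device_compliant:
            return Decision.DENY
        if req.subject.auth_strength < rule["min_auth_strength"]:
            return Decision.DENY
        return Decision.ALLOW


@dataclass
class Session:
    request: AccessRequest
    opened_at: float
    last_checked: float
    active: bool = True


class PolicyEnforcementPoint:
    """Sits in the data path: enables, monitors and terminates connections per PDP decisions."""

    def __init__(self, pdp: PolicyDecisionPoint, recheck_every: float):
        self.pdp = pdp
        self.recheck_every = recheck_every
        self.sessions: Dict[int, Session] = {}
        self.audit: List[str] = []
        self._ids = itertools.count(1)

    def open_connection(self, req: AccessRequest, now: float) -> Optional[int]:
        """Ask the PDP; open a session only on ALLOW. Every decision is logged."""
        decision = self.pdp.decide(req)
        self.audit.append(
            f"{now:.0f} {req.subject.identity} {req.action} {req.resource} {decision.value}")
        if decision is Decision.DENY:
            return None
        sid = next(self._ids)
        self.sessions[sid] = Session(req, opened_at=now, last_checked=now)
        return sid

    def forward(self, session_id: int, now: float) -> bool:
        """Pass traffic on an open session, re-consulting the PDP once per interval."""
        sess = self.sessions.get(session_id)
        if sess is None or not sess.active:
            return False
        if now - sess.last_checked >= self.recheck_every:
            sess.last_checked = now
            if self.pdp.decide(sess.request) is Decision.DENY:
                self.terminate(session_id, "policy re-evaluation denied", now)
                return False
        return True

    def terminate(self, session_id: int, reason: str, now: float) -> None:
        sess = self.sessions.get(session_id)
        if sess is not None and sess.active:
            sess.active = False
            self.audit.append(f"{now:.0f} terminate session {session_id}: {reason}")


if __name__ == "__main__":
    policy = {"payroll-api": {"actions": {"read"},
                              "require_compliant_device": True, "min_auth_strength": 2}}
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(policy), recheck_every=60)
    sid = pep.open_connection(AccessRequest(Subject("alice", True, 2), "payroll-api", "read"), 0)
    policy["payroll-api"]["min_auth_strength"] = 3   # policy tightened while session is open
    pep.forward(sid, 60)                              # re-check fails, session is terminated
    print("\n".join(pep.audit))
```

The PDP never sees the network; the PEP is the only component in the data path, which is why the page treats the PEP as the natural target and why its own hardening matters. The `forward` re-check is what turns a one-time gate into continuous enforcement: a session opened under one policy does not survive a later tightening of that policy.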
Risks of using insecure PEPs
While Policy Enforcement Points may claim to provide access control, deploying PEPs that are not cyber-hardened carries significant risk. In a Zero Trust Architecture the PEP is the critical enforcement point in the data path, and by the nature of the architecture itself it becomes the target of attack.
Issues with non-secure PEPs:
- Open architecture: without proper architecture design, open-architecture solutions can be hacked or reverse engineered.
- Not hardened: the PEP solution must be hardened against compromise. This includes a locked-down, secure OS, self-health integrity checks, and no way to gain root or shell access.
- Agent based: PEP agents are software shims that are not designed to be cyber-hardened, and are therefore susceptible to compromise through attacks directly on the PEP solution or on the underlying code hosting the agent.
- Developer centric: agent- and adapter-based PEPs rely on developer-centric security, where repeatable security is difficult and case-by-case integrations increase risk.
- Limited protocols: limits in the underlying technology of PEPs also limit the ability to include legacy systems in the ZTA model, causing exceptions and other constraints that increase risk.
Forum Sentry Cyber-Secure PEP
Forum Sentry has achieved FIPS 140-2 Level II, Common Criteria EAL NDPP, and DoD PKI certification. The product architecture is designed with tamper-proof self-health checks and Known Algorithm Test (KAT) validations to detect and prevent compromise. Forum Sentry provides integrated PKI, IDP, DLP, AV, and deep context data analysis engines that combine with the built-in identity, access control, authentication and authorization capability for dynamic and secure PEP enforcement. Furthermore, Forum Sentry captures transaction information bi-directionally into unique session identifiers for contextual logging, auditing, and real-time monitoring. Forum Sentry provides integration with AI machine learning for advanced predictive analytics of PEP message flows.