The National Institute of Standards and Technology has issued a special publication, NIST SP 800-207, defining the architecture and concepts for deploying a successful Zero Trust Architecture (ZTA).
“Zero Trust Architecture is an end-to-end approach to network/data security that encompasses identity, credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure. Zero trust is an architectural approach that is focused on data protection.
…
In Figure 1, a user or machine needs access to an enterprise resource. Access is granted through a Policy Decision Point (PDP) and corresponding Policy Enforcement Point (PEP).
…”
While Policy Enforcement Points may claim that they provide access control, there are significant risks in deploying PEPs that are not cyber-hardened. In a Zero Trust Architecture the PEP is the critical enforcement point: every request to a protected resource passes through it, so by the nature of the architecture it becomes the target of attack.
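To make the PDP/PEP split concrete, the following is an added example written for this page; it is not Forum Sentry code and not taken from NIST SP 800-207. It models a minimal PDP (pure policy evaluation) and a PEP that only forwards on an explicit permit, fails closed when the PDP errors or when a known-answer self-test of its hash primitive fails, and logs request and response under one session identifier. The policy, subjects and backend are constructed sample data; class and function names are assumptions made for the illustration.

```python
"""Minimal PDP/PEP separation in the style of NIST SP 800-207 (illustrative only)."""
import hashlib
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Published known answer: SHA-256 of the empty message (FIPS 180-4 test vector).
_SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def crypto_self_test() -> bool:
    """Known-answer test on the hash primitive the PEP relies on.
    A PEP whose crypto is broken or tampered with must not serve traffic."""
    return hashlib.sha256(b"").hexdigest() == _SHA256_EMPTY


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    device_compliant: bool


class PolicyDecisionPoint:
    """PDP: evaluates policy only; it never touches the resource."""

    def __init__(self, policy: Dict[Tuple[str, str], FrozenSet[str]]):
        # (resource, action) -> roles allowed to perform it (constructed policy)
        self.policy = policy

    def decide(self, subject: Subject, resource: str, action: str) -> str:
        required = self.policy.get((resource, action))
        if required is None or not subject.device_compliant:
            return "deny"  # unknown request or non-compliant device: default deny
        return "permit" if subject.roles & required else "deny"


class PolicyEnforcementPoint:
    """PEP: the only path to the resource; forwards solely on a PDP permit."""

    def __init__(self, pdp, backend: Callable[[str, str, str], str],
                 log: List[Tuple[str, str, str]]):
        self.pdp = pdp
        self.backend = backend
        self.log = log
        self.healthy = crypto_self_test()  # refuse service if the self-test fails

    def handle(self, subject: Subject, resource: str, action: str,
               payload: str) -> Tuple[int, Optional[str]]:
        session_id = uuid.uuid4().hex  # ties request, decision and response together
        if not self.healthy:
            self.log.append((session_id, "deny", "self-test failed"))
            return 403, None
        try:
            decision = self.pdp.decide(subject, resource, action)
        except Exception as exc:  # PDP unreachable or faulty: fail closed
            self.log.append((session_id, "deny", f"pdp error: {exc}"))
            return 403, None
        self.log.append((session_id, f"request:{decision}",
                         f"{subject.user} {action} {resource}"))
        if decision != "permit":
            return 403, None
        response = self.backend(resource, action, payload)
        self.log.append((session_id, "response", f"{len(response)} bytes"))
        return 200, response


class BrokenPDP:
    """Stand-in for a PDP that is down; the PEP must deny, not fall open."""

    def decide(self, subject, resource, action):
        raise RuntimeError("pdp unreachable")


def demo() -> Dict[str, int]:
    """Run constructed requests through the PEP and return the status codes."""
    policy = {("payroll", "read"): frozenset({"finance"}),
              ("payroll", "write"): frozenset({"finance-admin"})}
    log: List[Tuple[str, str, str]] = []
    backend = lambda resource, action, payload: f"{resource}:{action}:ok"
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(policy), backend, log)
    alice = Subject("alice", frozenset({"finance"}), True)
    bob = Subject("bob", frozenset({"finance"}), False)  # non-compliant device
    results = {
        "alice_read": pep.handle(alice, "payroll", "read", "")[0],
        "alice_write": pep.handle(alice, "payroll", "write", "")[0],
        "bob_read": pep.handle(bob, "payroll", "read", "")[0],
        "unknown": pep.handle(alice, "hr", "read", "")[0],
    }
    broken = PolicyEnforcementPoint(BrokenPDP(), backend, log)
    results["pdp_down"] = broken.handle(alice, "payroll", "read", "")[0]
    results["log_entries"] = len(log)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the PEP holds no policy of its own and has no code path that forwards without a permit: an unknown resource, a non-compliant device, a PDP outage or a failed self-test all end in a 403, and every outcome is written to the log under a session identifier that also covers the response.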
Issues with non-secure PEPs:
Forum Sentry has achieved FIPS 140-2 Level II, Common Criteria EAL NDPP, and DoD PKI certification. The product architecture is designed with tamper-proof self-health checks and Known Algorithm Test (KAT) validations to detect and prevent compromise. Forum Sentry provides integrated PKI, IDP, DLP, AV, and deep-context data analysis engines that combine with its built-in identity, access control, authentication and authorization capabilities for dynamic and secure PEP enforcement. Furthermore, Forum Sentry captures transaction information bi-directionally under unique session identifiers for contextual logging, auditing, and real-time monitoring, and integrates with AI/machine-learning systems for predictive analytics of PEP message flows.
Built-in Forum Sentry PEP Security Features

PEP Cyber Security Protection
  - Content-Aware Threat Prevention
  - Intrusion Detection and Prevention
  - Data Leakage Prevention
  - Integrated Antivirus and BASE64 scanning

PEP Access Control
  - Authentication and Authorization
  - Multi-Context Access Control
  - Role-Based Access Control
  - Attribute-Based Access Control
  - Content-Based Access Control

PEP Accelerated Cryptography
  - SSL/TLS Termination and Initiation
  - Digital Signatures and Encryption
  - Centralized PKI Key Management

PEP Data Conversion
  - Content Encryption and Decryption
  - Transformation
  - Data mapping
  - Protocol conversion

PEP Rate and Size Throttling
  - User-based service level assurance
  - Application throughput
  - DOS protection
  - Monitoring and Alerts

PEP Real-time Monitoring
  - Real-time view of traffic and events
  - Alert Management
  - Analytics