• WHITEPAPER

  Forum Sentry ZTA PEP

  DOWNLOAD

  Forum Sentry Cyber Secure PEP

Achieving Zero Trust Architecture (ZTA) using Cyber-Secure Policy Enforcement Points (PEPs)

The National Institute for Standards and Technology has issued a special publication NIST SP 800-207 defining the architecture and concepts for deploying successful ZTA.

“Zero Trust Architecture is an end-to-end approach to network/data security that encompasses identity, credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure. Zero trust is an architectural approach that is focused on data protection.

…

In Figure 1, a user or machine needs access to an enterprise resource. Access is granted through a 365 Policy Decision Point (PDP) and corresponding Policy Enforcement Point (PEP).

…”

Risks of using insecure PEPs

While Policy Enforcement Points may claim that they provide access control, there are significant risks involved in deploying non cyber-hardened PEPs.  This is because in a Zero Trust Architecture, the PEP itself is a critical decision point, and becomes by nature of the architecture itself, the target of attack.

Issues with non-secure PEPs:

• Open Architecture  Without proper architecture design, open architecture solutions can be hacked or reverse engineered
• Not Hardened  The PEP solution must be hardened against compromise.  This includes a locked down, secure OS, self-health integrity checks, and inability to gain root or shell access.
• Agent Based   PEP agents are software shims that are not designed to be cyber-hardened and thus are susceptible to compromise by attacks directly on the PEP solution, or on the underlying code hosting the agent.
• Developer Centric  Agent and Adapter based PEPs rely on developer-centric security where repeatable security is difficult and case-by-case integrations increase risk.
• Limited Protocols Limits in the underlying technology of PEPs also limit the ability to include legacy systems in the ZTA architecture model, thus causing exceptions and other constraints to increase risk.

Forum Sentry Cyber-Secure PEP

Forum Sentry has achieved FIPS 140-2 Level II, Common Criteria EAL NDPP, and DoD PKI certification.  The product architecture is designed with tamper-proof self-health checks and Known Algorithm Test (KAT) validations to detect and prevent compromise.   Forum Sentry provides integrated PKI, IDP, DLP, AV, and deep context data analysis engines that combine with the built-in identity, access control, authentication and authorization capability for dynamic and secure PEP enforcement.   Furthermore, Forum Sentry captures transaction information bi-directionally into unique session identifiers for contextual logging, auditing, and real-time monitoring.   Forum Sentry provides integration with AI machine learning for advanced predictive analytics of PEP message flows.