19309 Winmeade Dr. Suite 446 Leesburg, VA 20176

ATARC Zero Trust Working Group

Vendor Questionnaire Forum Systems / TIAG Response

• Is your solution/solution set comprehensive, covering all of the defined Zero Trust pillars? If not, which of the Zero Trust pillars does your solution/solution set cover? If there are gaps, do you have established relationships or partnerships with other vendors to fill those gaps?

The Forum Sentry™ API Security Gateway from Forum Systems is a state-of-the-art, rapidly scalable, rules-based security technology that allows Federal organizations to deploy a best-in-class, nimble, agile, and highly performant enterprise Policy Enforcement Point (PEP) solution for a Zero Trust network model. Our approach utilizes an API Security Gateway technology model that unifies information assurance, continual dynamic authentication, and deep-content data analysis to achieve Zero Trust security. This comprehensive approach covers all six of the Zero Trust pillars. Forum Sentry is a uniquely qualified product built as a security-hardened technology from the ground up. It combines authentication, authorization, data security, data privacy, data leakage prevention, intrusion prevention, and full transaction audit logging. Forum Sentry is deployable in hardware or virtual formats (such as hardware appliance, VMware image, Amazon image, Azure image, Docker image, Linux image, Windows image). We deliver Zero Trust by using the Forum Sentry API Security Gateway as the Information Assurance PEP to ensure continual authentication, authorization, and inspection of the devices, applications, and users, so that only those who are allowed access can do so. The technology provides a logical abstraction of the application and performs traffic flow analysis without impacting the existing applications. This approach delivers on the NIST SP 800-207 Zero Trust tenets as indicated in the responses and the diagram below:

#1 - All data sources and computing services are considered resources. Forum Sentry utilizes all source, destination, and message content as resources, as well as utilizing data sources and computing services in the ecosystem of the architecture for dynamic policy enforcement. The Forum Sentry Zero Trust API Security Architecture focuses on key aspects of each session communication, such as where it is coming from (source, geography), what type of system it is (i.e. mobile device, laptop), where it is going (target application or computing service), who it is (person, machine), whether it is allowed to go there (roles, policies), what data it is bringing with it (request information), and what data is coming back (response information). With these criteria in combination with dynamic policy assessment and integration with data sources and computing services, all are considered resources.

#2 - All communication is secured regardless of network location. Network location does not imply trust. Access to individual enterprise resources is granted on a per-session basis. The Forum Sentry API Security Gateway is a transaction-based, session-based, content-inspection PEP intermediary. Forum Sentry inspects the network traffic regardless of network location. Forum Sentry dynamically inspects, enforces policy, and brokers communication on a per-session basis regardless of network location, based on the logical access control rules of the applications, users, APIs, and services involved.

#3 - Trust in the requester is evaluated before the access is granted. Forum Sentry has built-in adaptive access control that uses policy workflow rules to achieve any combination of adaptive enforcement using metadata from transaction properties and dynamic inspection. Detected conditions can then be enforced via real-time access control, future access restrictions, blocking/throttling, and quarantine. These adaptive policies have access to all of the inspected message properties (source, destination, request protocol headers, request message content, response protocol headers, response message content, X.509 attributes, identity attributes from LDAP/AD/SaaS IDP), and these policies can be defined directly on the Sentry system or dynamically leveraged from XACML, databases, or identity repositories. Various levels of trust can be determined for access control, message redaction, dynamic encryption, and other schemes of multi-layer trust policy enforcement.

#4 - Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioral attributes. The Forum Sentry Zero Trust principles are embedded into the technology capabilities, thereby ensuring constant authentication, controlling access, directing inspection, and monitoring real-time information flows. This optimization and consolidation of technology architecture simplifies the footprint and the architecture. Forum Sentry correlates all of these attributes and metrics together (client identity, application, requesting assets), and access can be determined based on the contextual behavior of the transaction sessions.

#5 - The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure that they remain in the most secure state possible. No device is inherently trusted. Mobile Device Management (MDM) solutions provide device-centric authentication and lifecycle controls for app development and usage monitoring. Non-mobile devices are secured through endpoint security technologies. However, MDM and endpoint protections do not provide security of the information exchanged among the devices and the applications/services. Forum Sentry is a Policy Enforcement Point (PEP) that provides this aspect of information assurance and Zero Trust as an inherent architecture component of request and response data integrity and security.

#6 - All resource authentication and authorization are dynamic and strictly enforced before access is allowed. This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually re-evaluating trust in ongoing communication. The Zero Trust principles are embedded into the Forum Sentry technology and inherent in the bi-directional enforcement, authentication, authorization, and auditing. Every request and response is dynamically re-evaluated against the information assurance rules for continuous enforcement.

#7 - The enterprise collects as much information as possible about the current state of network infrastructure and communications and uses it to improve its security posture. Forum Sentry includes agentless bi-directional transaction audit capture. The solution is optimized to capture the request-response metadata necessary for advanced analytics. The solution tracks user, entity, and device metadata and metrics information, with enforcement rules and auditing rules defined to defend and monitor data transaction behavior with user behavior analytics, both as a means of auditing and heuristics and also as machine learning and artificial intelligence predictive analytics. These features enable the enterprise to collect information and improve the security posture of its enforcement rules.

Forum Sentry includes user authentication data along with data inspection which provides the distinctly unique ability to have access to all of the information about a user’s behavior in single architecture checkpoints (the PEPs), which then combines the contextualization of the metrics and properties of each transaction into a comprehensive set of user behavior metrics and formats. This technology allows information to be defined to the level of granularity to track and integrate easily into any machine learning (ML) or artificial intelligence (AI) engine to build real-time heuristic profiles of user behavior patterns for historical analysis and auditing as well as for predictive analytics.

• Describe (in detail) how your solution addressed each of the covered pillars.

Pillar #1 – Users

Fast and easy authentication with Single Sign On (SSO) and Multi-Factor Authentication (MFA). Forum Sentry includes built-in IDAM, SSO, and Federation for modern and legacy identity token variants including PKI, DSIG, WS-Security, WS-Trust, SAML, OAuth, OpenID Connect, AWSv4, and JWT. These integrated features allow seamless, agentless integration with any industry-standard ICAM platform as well as any SaaS-based IdM to provide cyber-secure ICAM Policy Enforcement Points (PEP) anywhere in the network. Additionally, Forum Sentry can aggregate these identity formats to provide MFA and SSO across disparate technologies and Identity Policy Servers for single points of truth.

Pillar #2 – Devices

Zero Trust capability to manage, encrypt, and secure traffic between the mobile device and backend enterprise and cloud systems. The API Security Gateway provides an integrated PKI engine and supports different transport protocols and message formats with encryption capabilities for both coarse-grained and fine-grained encryption, all the way down to individual message nodes. Bi-directional deep content inspection ensures threat mitigation for data leakage and intrusion prevention. Forum Sentry has built-in adapters for mobile, cloud, and on-premise technology communication formats to seamlessly manage, encrypt, and secure traffic across a disparate set of technologies, including mobile, legacy on-premise, and cloud systems.

Evaluation of users and devices against internal baseline metrics and the ability to stop mobile threats with immediate, on-device protection and remediation. Mobile Device Management (MDM) solutions provide device-centric authentication and lifecycle controls for app development and usage monitoring. MDM does not provide security at the information borders where information is exchanged between the mobile devices and the back-end applications. Forum Sentry provides mobile threat protection; universal token authentication; role-based, attribute-based, and content-based access control; request and response threat correlation; information assurance and content validation; and centralized event monitoring and logging. It is not enough to have trusted users and trusted services. MDM solutions, augmented with Forum Sentry PEP capabilities, form the basis of information assurance, presenting a secure ZT architecture and threat mitigation posture. Forum Sentry works seamlessly with any MDM solution to facilitate agile deployments with privacy, trust, and threat-based security enforced as Zero Trust architecture principles.

The ability to defend against mobile threats with immediate, automatic protection that resides on the device itself — no user action is required to install or update a security application. Device-centric mobile security, such as MDM-provisioned security, can only go so far. Threats also target the services and applications that the devices access. Protecting the applications and services that these mobile devices access is a necessary component of Zero Trust, meaning that the devices are never simply trusted to disseminate any data or information requested; instead, every request is continually authenticated and verified.

Pillar #3 – Network

A cyber-secure Policy Enforcement Point (PEP). This is the very definition of Forum Sentry. It is built as a certified-secure PEP. Zero Trust principles are embedded into the fabric of the product, which has a secure internal architecture and built-in mechanisms of self-analysis to ensure the PEP itself is not compromised. The Forum Sentry cyber-secure PEP combines continuous authentication and authorization with data analysis and full bi-directional transaction auditing. Due to these comprehensive features, Forum Sentry facilitates optimization and consolidation of the overall ZT architecture by reducing the technology footprint. Additionally, the Forum Sentry PEP captures information and provides instant formatting in a machine learning metadata format which can be used to build advanced heuristics and predictive analytic models. Because Forum Sentry can correlate all of these attributes and metrics together, transaction behavior can be contextualized and viewed in a central auditing mechanism.

Pillar #4 – Applications

The ability to ensure that only trusted devices, applications, and users can access work applications. Forum Sentry is a rules-driven enforcement product that works as a transparent PEP to abstract the devices and applications while providing the ZTA rules to ensure only trusted devices, applications, and users can communicate. These trust rules can be dynamic, extracted from data sources, based on various types of policy criteria, and are fully extensible. A further advantage is that there is no need for rip-and-replace, as Forum Sentry can integrate with existing infrastructure devices, users, and applications without requiring them to be rewritten or redesigned.

Pillar #5 – Automation

Service Virtualization is a key best practice. Forum Sentry has built-in service virtualization allowing services and applications to be virtualized in a variety of ways, including API creation and abstraction, URL cloaking, WSDL virtualization, XML-to-JSON conversion, protocol conversion, and message transformation. Service virtualization is the core feature of the Sentry capability, as it provides reverse-proxy and forward-proxy capabilities to abstract and virtualize services from direct access.

“Point and Click” policy creation. To strike the necessary balance of flexibility, integration, and security that can be achieved with Forum Sentry, it is necessary to utilize best practice configurations. The solution comes with an extensive library of pre-built policy templates based on over 18 years of real-world security deployments in governments and enterprises worldwide. When implementing Forum Sentry with a new customer, it is a matter of identifying which templates to use and making any necessary minor adjustments. There is no coding or custom software development required. Forum Sentry provides “point and click” secure GUI-based workflow rule creation within the Forum Sentry management console. Additionally, Forum Sentry allows for autonomous script-driven policy creation for automation of rules and dynamic on-demand deployments.

Easily scales to demand. Forum Sentry includes an integrated FIPS 140-2 certified PKI engine, accelerated protocol and message brokering, and authentication and authorization acceleration. Forum Sentry can be vertically or horizontally scaled to support increased demand, and all policies can be easily replicated and shared for simplified scaling. Forum Sentry has been tested and proven in over 18 years of mission-critical, high-scale customer environments with 100% success.

Pillar #6 – Analytics

Agentless bi-directional transaction audit capture. Forum Sentry is optimized to capture the request-response metadata necessary for advanced analytics. The solution tracks user, entity, and device metadata and metrics information, with enforcement rules and auditing rules defined to defend and monitor data transaction behavior together with user behavior analytics. Furthermore, Forum Sentry automatically formats this information with a unique session identification for each transaction and in Machine Learning engine formats.

User behavior analytics. Forum Sentry includes user authentication along with data inspection, which provides the distinctly unique ability to have access to all of the information about a user’s behavior at each PEP. Forum Sentry combines the contextualization of the metrics and properties of each transaction into a simplified set of user behavior metrics and formats. This technology allows information to be defined to the level of granularity to track and integrate easily into any machine learning (ML) or artificial intelligence (AI) engine to build real-time heuristic profiles of user behavior patterns for historical analysis and auditing as well as for predictive analytics.

• Does your solution/solution set allow for non-traditional assets (i.e. IoT devices)? If so, please detail the specifics.

Forum Sentry handles TCP-based communication as a secure PEP. Forum Sentry can support non-traditional assets that fit the TCP communication protocols and application messaging, including IoT communications over HTTP, or over IoT protocols such as AMQP.

• Are there existing, operational implementations of your solution in either government or industry? Can you provide customer references?

Forum Sentry has an established track record of supporting hybrid/multi-cloud commercial deployments that enable context-aware API Security and Single Sign On (SSO) with seamless Identity and Access Management (IdAM) integration. This includes internal and cloud-based applications for internal users, external users, and third-party partners across as many as twenty separate segregated Active Directory domains. Forum Sentry is the underlying data security technology used by much of the banking, energy, telecommunications, and transportation sectors, where it securely processes more than 10 billion transactions per day in mission-critical environments worldwide. Despite the complexity, traffic volume, and sensitivity of these environments, Forum Sentry has maintained a 100% deployment success rate and has never been compromised or allowed a security breach. Examples of Forum Sentry’s success as the underlying technology supporting hybrid/multi-cloud operations include:

• Total Systems Inc. (TSYS), a $10.3B company and one of the world's largest payment processors. TSYS has depended on Forum Sentry for over a decade to provide secure, agile API connections to their worldwide partnership network, where it has secured processing of over 25B transactions through over 650,000 merchant locations. With a new strategic effort to move services to the AWS cloud, TSYS security protocols require that any cloud services be brokered via Forum Sentry Zero Trust security capabilities. For example, Forum Sentry provides authentication security, auditing, and Data Loss Prevention (DLP) when using AWS Simple Notification Service.

• The U.S. Internal Revenue Service (IRS), where it supports data security, identity access control, and SSO for all U.S. corporate, individual, and foreign electronic tax filings. Since 2005, Forum Sentry has securely brokered over $15 trillion in financial transactions. In support of the Foreign Account Tax Compliance Act, Forum Sentry securely brokers traffic from more than 80 nations and over 77,000 financial institutions.

• The Federal Aviation Administration (FAA), where Forum Sentry provides 2-way secure Service-Oriented Architecture and System Wide Information Management (SWIM) standards compliance validation for the real-time weather feeds in the National Airspace System. Volumes up to 12,000 transactions per second are supported.

• The United Kingdom Home Office of Biometrics, where Forum Sentry is deployed both on-premise and in AWS to provide the core gateway and cloud API enablement for the government-wide unified, real-time biometric service for the UK government. In this capacity Forum Sentry provides identification, verification, and digital forensics support for 45,000 users across more than 50 separate organizations and 54 forensic/biometric bureaus. Forum Sentry securely processes more than 20 biometric message formats, integrates over 50 APIs, handles 120 million biometric records, and resolves 85 million identities.

Forum Sentry already has the following security certifications:

• FIPS 140-2 Level II Certified Hardware Chassis
• Evaluation Assurance Level (EAL) 4+ Certified Integrated Hardened Security Module
• DoD Certified PKI Component
• FIPS 140-2 Level II Certified Administration APIs / Certified Policy Storage and Key Management
• National Information Assurance Partnership (NIAP) NDPP v1.1 Certified Hardware and Software

• The government will not transition to a Zero Trust environment by flicking a switch. State how your solution will co-exist with legacy approaches during a transition.

This is one of Forum Sentry’s unique value propositions. There is no need for a costly, high risk, and disruptive rip-and-replace approach as Forum Sentry can integrate with existing infrastructure devices, users, and applications without requiring them to be rewritten or redesigned. Forum Sentry serves as a bridge to modernization by providing PEP capabilities for ZTA, while also providing data and protocol translations that allow legacy technologies to be modernized and allows for staged migration of applications.

• How does your solution detect, identify, and handle failures, suspect activity, possible exploits, etc.?

Forum Sentry has its own self-health checks to protect itself against compromise. All policies have associated Error Template and IDP rule policies that define how to act when various types of failures (i.e. authentication, authorization, integrity, SLA, XML exploits, SQL exploits, malware, etc.) are detected. Actions can include blocking at the protocol level (protocol break), blocking at the application level (application-level error response), throttling, alerting, and quarantine.

• An on-premise end-user device is compromised by an outside party. How does your solution contain the impact of this exploit?

Since Forum Sentry dynamically inspects and enforces rules on every session, a specific device compromise can be mitigated and controlled without impacting other sessions and information exchanges. Thus, business continuity can be maintained while blocking, quarantining, alerting on, and otherwise remediating devices detected to be compromised, or indicated as compromised by other data sources (i.e. databases, PACS systems, LACS systems, LDAP, AD, etc.).

• How does your solution prevent the impact of insider threat?

Forum Sentry combines continuous user authentication and authorization with data inspection, which provides the distinctly unique ability to have access to all of the information about a user’s behavior in single architecture checkpoints, which then combines the contextualization of the metrics and properties of each transaction into a comprehensive set of user behavior metrics and formats. Enforcement of session flows allows insider threat detection to be mitigated and the impact reduced to only the instances of compromised systems, with blocking and quarantine enforcement, while the rest of the architecture can continue to function.

• Using the recent SolarWinds event(s) as a backdrop, how does your solution address supply chain issues?

The SolarWinds attack is a clear example of why not to use open-architecture software technology as an enforcement mechanism within modern architectures. The SolarWinds software update was an open package update that allowed a foreign entity to hack the process and inject malware into the update. Forum Sentry does not have this issue due to its underlying secure product architecture, designed from the ground up to be FIPS 140-2 and NIAP NDPP compliant. Forum Sentry is a closed system: it does not allow administrative access to the operating system, and all updates are signed for integrity validation. Furthermore, Forum Sentry has self-health Known Algorithm Tests (KAT) to ensure the product has not been compromised.

• Describe interoperability with other vendors' solutions.

Forum Sentry is designed as a universal integration product which has been deployed in the most rigorous and complex network environments for over 18 years. It has built-in adapters and engines for interoperability with different PKI, protocol, message, identity, database, and API technologies and much more. The value proposition of Forum Sentry is driven by allowing an organization to avoid a costly and risky “rip-and-replace” approach. Forum Sentry is vendor agnostic and provides open standards and API extensibility to integrate with virtually every component of IP-based technology that exists on the network.

• Most agencies will have a mix of cloud and traditional data center environments. Describe how your solution works in hybrid environments (legacy and cloud).

Leveraging existing identity infrastructure with service-level access control is another key best practice deployed by Forum Sentry. Forum Sentry has built-in adapters for mobile, cloud, and on-premise technology communication formats to seamlessly manage, encrypt, and secure traffic across a disparate set of technologies, including mobile, legacy on-premise, and cloud systems. Forum Sentry can be deployed in various form factors, including hardware and virtual, in on-premise and cloud environments.

• How can agencies leverage existing investments in your solution (cost is one of the main concerns we've been hearing from the working group, so this is an important aspect of the overall solution)?

Forum Sentry can solve many different use cases around identity, authentication, authorization, access control, PKI, auditing, etc. With the versatility to combine many different technologies into one, Sentry provides dramatic cost savings over other vendor technologies. Also, Forum Sentry product licensing is not usage-based or user-based, but rather instance-based. This means that there are no user-specific, device-specific, service-specific, or API-specific costs associated with a Sentry deployment, which provides order-of-magnitude cost savings at full-scale deployment.

• How will the vendor integrate with a trust algorithm? Will this be something that the vendor would like to provide or something they expect agencies to create in house? (This is in reference to NIST 800-207.)

Forum Sentry supports the combination of inputs from multiple sources, as well as the ability to communicate with Forum Sentry over standards-based protocols, message formats, and APIs. Per the NIST 800-207 trust algorithm, Forum Sentry processes the request; processes user identification, attributes, and privilege; dynamically queries applicable system databases for the known status of servers/applications; dynamically queries the resource access requirements; and dynamically queries threat intelligence sources. In summary, Forum Sentry provides all of the capabilities to aggregate the components of the trust algorithm and enables this to be an integral part of the dynamic policy enforcement, as well as able to be audited in full context.
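The input aggregation of the NIST SP 800-207 trust algorithm described in this answer, together with the per-session containment of a device flagged as compromised described in the earlier answer, as an added illustration in Python. This is not Forum Sentry code; the identity repository, asset inventory, threat-intelligence feed, resource requirements, users, devices, addresses and score thresholds are all constructed stand-ins.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed stand-ins for the data sources a PEP/PDP consults on every request.
IDENTITY_REPOSITORY: Dict[str, dict] = {      # stand-in for LDAP/AD/IdP attributes
    "alice": {"roles": {"analyst"}, "mfa": True},
    "bob": {"roles": {"contractor"}, "mfa": False},
}
ASSET_INVENTORY: Dict[str, dict] = {          # stand-in for an MDM/endpoint posture feed
    "laptop-01": {"managed": True, "patched": True},
    "phone-07": {"managed": True, "patched": False},
    "kiosk-99": {"managed": False, "patched": False},
}
# Devices reported compromised by another data source (EDR, MDM, PACS/LACS, ...).
COMPROMISED_ASSETS: Set[str] = {"kiosk-99"}
RESOURCE_REQUIREMENTS: Dict[str, dict] = {    # per-resource access requirements
    "/tax/filings": {"roles": {"analyst"}, "mfa": True, "min_score": 70},
    "/weather/feed": {"roles": {"analyst", "contractor"}, "mfa": False, "min_score": 40},
}
# Threat-intelligence feed keyed by CIDR; constructed, uses the TEST-NET-3 range.
THREAT_INTEL: Dict[str, str] = {"203.0.113.0/24": "known-scanner"}
MAX_BODY_BYTES = 4096


@dataclass
class Request:
    user: str
    device: str
    source_ip: str
    resource: str
    body: str


@dataclass
class Decision:
    allow: bool
    score: int
    reasons: List[str] = field(default_factory=list)


def threat_match(ip: str) -> Optional[str]:
    """Return the threat-intel label for the source address, if any."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in THREAT_INTEL.items():
        if addr in ipaddress.ip_network(cidr):
            return label
    return None


def evaluate(req: Request) -> Decision:
    """Per-request trust evaluation: hard denials first, then a confidence score."""
    reasons: List[str] = []
    identity = IDENTITY_REPOSITORY.get(req.user)
    requirements = RESOURCE_REQUIREMENTS.get(req.resource)
    if identity is None or requirements is None:
        return Decision(False, 0, ["unknown subject or resource"])
    # Containment: a device flagged compromised is blocked on every session it
    # starts, whoever is authenticated on it; other sessions are unaffected.
    if req.device in COMPROMISED_ASSETS:
        return Decision(False, 0, [f"device {req.device} flagged compromised"])
    if not identity["roles"] & requirements["roles"]:
        return Decision(False, 0, ["role not permitted for resource"])
    if requirements["mfa"] and not identity["mfa"]:
        return Decision(False, 0, ["MFA required for resource"])
    # Content inspection: reject oversized bodies and XML entity declarations.
    if len(req.body.encode()) > MAX_BODY_BYTES or "<!ENTITY" in req.body:
        return Decision(False, 0, ["request content failed inspection"])
    # Confidence score combining device posture and source reputation.
    score = 100
    posture = ASSET_INVENTORY.get(req.device, {"managed": False, "patched": False})
    if not posture.get("managed", False):
        score -= 30
        reasons.append("unmanaged device")
    if not posture.get("patched", False):
        score -= 20
        reasons.append("device not patched")
    label = threat_match(req.source_ip)
    if label:
        score -= 40
        reasons.append(f"source matches threat intel: {label}")
    allow = score >= requirements["min_score"]
    if not allow:
        reasons.append(f"score {score} below resource minimum {requirements['min_score']}")
    return Decision(allow, score, reasons)


def audit_record(req: Request, decision: Decision) -> dict:
    """Flat per-transaction record of the kind exported to a SIEM or analytics engine."""
    return {
        "user": req.user, "device": req.device, "source_ip": req.source_ip,
        "resource": req.resource, "allowed": decision.allow,
        "score": decision.score, "reasons": ";".join(decision.reasons),
    }
```

The same request from the same user is re-scored on every call, so a posture change in the asset inventory or a new threat-intel entry takes effect on the next session without any change to the identity data.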

Feature Highlights

Cyber Secure PEP
Agentless policy enforcement point with protocol, message, and identity security built in. Protocol and message security with authentication and access control combined for identity + data analysis and enforcement. FIPS 140-2 Certified PKI, US Department of Defense (DoD) Certified PKI, Common Criteria NIAP NDPP Certified Hardware.

Integrated SSO and MFA
Role-based policy controls with universal support of user credentials and tokens ranging from on-premise to cloud-based. Automatic conversion of identity formats allows multiple-to-one credential normalization.

Agentless Monitoring
Seamless deployment with no footprint on the client or service endpoints. In-line communication flow provides real-time data collection with analysis, alerting, and consolidated reporting. Integrates with SIEM and dashboard systems and Machine Learning and AI engines.

Data Level Policy Controls
Content and application level threat detection and prevention for intrusion detection and data leakage. Data at rest encryption for content-level data security.

ACHIEVING SECURE ZERO TRUST ARCHITECTURE

With the evolution of mobile and cloud computing, traditional information borders no longer reside at network boundaries. Applications, devices, and systems communicate with each other on premise and in the cloud, exposing sensitive information with each of those communications. The traditional “brick and mortar” cybersecurity umbrella approach of network border protection is a proven failed model where breaches are often a result of internal application or system compromise. Thus, the perimeter security hardened shell on the outside does nothing to ensure protection of the internal applications and their communications on the inside.

In September 2019, the National Institute of Standards and Technology (NIST) issued draft Special Publication 800-207 titled “Zero Trust Architecture” (ZTA) to, “...develop a technology-neutral set of terms, definitions, and logical components of network infrastructure using a ZTA strategy.” ZTA is defined as, “a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services. This definition focuses on the crux of the issue, which is to eliminate unauthorized access to data and services, coupled with making the access control enforcement as granular as possible”.

The enabling mechanisms recommended by NIST to implement and maintain a ZTA are a Policy Decision Point (PDP) and a corresponding Policy Enforcement Point (PEP).

THE LEADER IN API SECURITY & ZERO TRUST

FIPS 140-2

DoD PKI

NIAP NDPP

PATENT 7,516,333

HARDWARE | AMAZON AMI | AZURE IMAGE | VMWARE | DOCKER | LINUX | WINDOWS

www.forumsys.com

About Forum Systems

Forum Systems is the global leader in API Security and Zero Trust with an industry-certified and patented product that secures enterprise infrastructure. Forum Systems has built the core architecture of its technology on the foundation of FIPS 140-2 and NDPP requirements.

The Forum Systems technology has been trusted and deployed in the US government for over a decade, protecting the Internal Revenue Service and the FAA weather feeds from NWS and NOAA.

CDM Phase 3 Implementation

The TIAG and Forum Systems teams offer a solution to the Zero Trust cybersecurity challenge with a state-of-the-art, rapidly scalable, rules-based security technology that will allow Federal organizations to deploy a best-in-class, nimble, agile, and highly performant enterprise Policy Enforcement Point (PEP) solution for a Zero Trust network model.

ZERO TRUST CAPABILITY: FORUM SENTRY – COTS PRODUCT SOLUTION
FIPS 140-2 and NDPP certified technology

Securely Enforce and Enable Communications
Forum Sentry provides a comprehensive set of standardized formats and technologies to provide seamless interoperability. Forum Sentry delivers data transformation, data mapping, and data validation, enabling secure PEP enablement with seamless deployment and no coding or environment disruption.

Fast and easy authentication with SSO and MFA
Forum Sentry provides built-in capabilities for modern and legacy identity token formats ranging from username/password and PKI paradigms to modern token formats such as Security Assertion Markup Language (SAML), Open Authentication (OAuth) and JSON Web Token (JWT). SSO session management and token services are part of the built-in technology capabilities, as are step-up authentication mechanisms that provide MFA.

Encrypt On Premise and Cloud Communications
Forum Sentry provides accelerated FIPS 140-2 encryption to ensure complete data privacy for data in motion and at rest.

Ensure Integrity of Data
Forum Sentry provides integrated hashing and Digital Signatures to ensure communications can be signed and verified.

Leverage Machine Learning and AI
Forum Sentry captures contextual metrics and metadata for individual data transactions and provides a metadata AI logging format that provides over 15 transaction properties for machine learning.

TECHNOLOGY THAT TRANSFORMS

About TIAG

The Informatics Applications Group, Inc. (TIAG) is an innovative technology services firm and systems integrator known for driving modernization through unique approaches, synergistic processes, and superior solutions that transform business and advance critical missions. Our people are genuine business and technology experts who provide nimble, entrepreneurial responses to multidimensional problems.
computing environment and provides modern architecture capabilities.

www.tiag.net
