Zero Trust is a strategic initiative and principle that helps organizations prevent data breaches and protect their assets by assuming no entity is trusted. Going beyond the “castle-and-moat” concept which had dominated traditional perimeter security, Zero Trust recognizes that when it comes to security, trust is a vulnerability. Traditional security considered all users trusted once inside a network—including threat actors and malicious insiders.

By eliminating the concept of a “safe” network, Zero Trust requires strict identity verification and moves the decision to authenticate and authorize closer to the resource. The identity of the user/device/service provides key context for the application of access policies. With Zero Trust, access rules are as granular as possible to enforce least privileges required to perform the requested action.

eBook: Thales TCT Solutions for CISA Zero Trust Maturity Model 2.0

Download this eBook to learn how Thales TCT’s authentication, encryption, and key management solutions align to CISA’s Zero Trust Maturity Model and address its foundational pillars of Zero Trust: Identity, Devices, Networks, Applications & Workloads, and Data.

Thales TCT Solutions for Zero Trust

Thales Trusted Cyber Technologies (TCT) is a U.S.-based provider of high-assurance data security solutions for the U.S. government. Thales TCT offers authentication, encryption, and key management solutions that address the foundational pillars of Zero Trust defined by the Cybersecurity and Infrastructure Security Agency (CISA): Identity, Devices, Networks, Applications & Workloads, and Data.

Identities are the cornerstone of a Zero Trust Architecture (ZTA). The CISA Zero Trust Maturity Model defines an identity as an attribute or set of attributes that uniquely describe an agency user or entity, including non-person entities.

The maturity model states that agencies should ensure and enforce user and entity access to the right resources at the right time for the right purpose without granting excessive access. Agencies should integrate identity, credential, and access management solutions where possible throughout their enterprise to enforce strong authentication, grant tailored context-based authorization, and assess identity risk for agency users and entities. Agencies should integrate their identity stores and management systems, where appropriate, to enhance awareness of enterprise identities and their associated responsibilities and authorities.

Multi-Factor Authentication

Thales TCT provides an end-to-end access management and authentication platform that addresses the Identity pillar of the CISA Zero Trust Maturity Model. With Thales’ Identity Platform, agencies get a centralized, risk-based access platform that supports a broad range of strong multi-factor authentication (MFA) methods and risk-based authentication to protect services, applications and environments whether hosted, on-premises or in the cloud.

Offering the broadest range of authentication methods and form factors, Thales TCT allows Federal agencies to address numerous use cases, including authentication, physical access, digital signature, and encryption. Thales’ Identity Platform is an enterprise-wide identity system that supports a broad range of authentication methods, including:

  • PIV cards
  • FIDO2 devices
  • Virtual PKI smart cards
  • PKI smart cards and USB authenticators
  • High-assurance smart cards and tokens designed for U.S. Government networks
  • Two-factor push OTP, in combination with biometric, contextual and risk-based authentication
  • Two-factor OTP hardware authenticators
  • Contextual / adaptive authentication
  • Risk-based authentication

Access Management

Thales TCT’s access management solutions have robust policy engines that allow extremely flexible access policies. Security policies can express very granular, specific rules that reassess users continuously during an open session rather than only at certain events such as authentication time-outs. If the level of risk changes, the access management solution forces the user to re-authenticate or step up to a stronger form of authentication. Policies can be set per application and can apply to network ranges, operating systems, user collections and geolocations. Authentication rules can be as dynamic and as context-specific as needed, adapting to changes in a dynamic cloud environment.
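The paragraph above describes the shape of such a policy engine: rules scoped per application, conditioned on network range, geolocation and device state, re-evaluated on every request rather than only at login, and able to answer "step up" rather than just allow or deny. The Go program below is an added example of that evaluation logic, written for this page; it is not Thales TCT code and does not reflect the product's configuration syntax. The rule names, the 10.0.0.0/8 "office" range, the authentication levels and the session events are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Decision is the outcome of evaluating one request against access policy.
type Decision int

const (
	Allow  Decision = iota
	StepUp          // continue only after a stronger authenticator (PIV, FIDO2) is presented
	Deny
)

func (d Decision) String() string { return [...]string{"allow", "step-up", "deny"}[d] }

// Context is everything the engine knows about the session at the moment of
// evaluation. It is rebuilt and re-evaluated on every request, not only at
// login, so a change in source network or country mid-session changes the result.
type Context struct {
	User          string
	App           string
	SourceIP      net.IP
	Country       string // ISO 3166-1 alpha-2, as reported by geolocation
	OS            string
	AuthLevel     int  // 1 = password or OTP; 2 = phishing-resistant (PIV, FIDO2)
	DeviceManaged bool // device is enrolled in agency management
}

// Rule is one granular policy line, scoped to an application ("*" = all).
type Rule struct {
	Name             string
	App              string
	TrustedNetworks  []*net.IPNet // sources treated as on-network; nil = none
	BlockedCountries []string
	MinAuthOnNet     int // authentication level required from a trusted network
	MinAuthOffNet    int // authentication level required from anywhere else
	RequireManaged   bool
}

type Policy struct{ Rules []Rule }

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func (r Rule) onTrustedNetwork(ip net.IP) bool {
	for _, n := range r.TrustedNetworks {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Evaluate applies every rule scoped to the request's application and returns
// the most restrictive decision: Deny beats StepUp beats Allow.
func (p Policy) Evaluate(c Context) (Decision, string) {
	result, reason := Allow, "no rule restricted the request"
	for _, r := range p.Rules {
		if r.App != "*" && r.App != c.App {
			continue
		}
		for _, cc := range r.BlockedCountries {
			if cc == c.Country {
				return Deny, r.Name + ": source country " + cc + " is blocked"
			}
		}
		if r.RequireManaged && !c.DeviceManaged {
			return Deny, r.Name + ": unmanaged device"
		}
		required := r.MinAuthOffNet
		if r.onTrustedNetwork(c.SourceIP) {
			required = r.MinAuthOnNet
		}
		if c.AuthLevel < required && result == Allow {
			result = StepUp
			reason = fmt.Sprintf("%s: auth level %d below required %d for this context", r.Name, c.AuthLevel, required)
		}
	}
	return result, reason
}

// AgencyPolicy is a constructed sample policy, not a Thales TCT configuration.
// "XX" is a user-assigned ISO code standing in for a blocked country.
func AgencyPolicy() Policy {
	office := []*net.IPNet{mustCIDR("10.0.0.0/8")}
	return Policy{Rules: []Rule{
		{Name: "baseline", App: "*", TrustedNetworks: office, MinAuthOnNet: 1, MinAuthOffNet: 2, BlockedCountries: []string{"XX"}},
		{Name: "hr-portal", App: "hr", TrustedNetworks: office, MinAuthOnNet: 2, MinAuthOffNet: 2, RequireManaged: true},
	}}
}

func main() {
	p := AgencyPolicy()
	// One session whose context changes over time (constructed events).
	session := []Context{
		{User: "alice", App: "mail", SourceIP: net.ParseIP("10.20.3.4"), Country: "US", OS: "Windows", AuthLevel: 1, DeviceManaged: true},
		{User: "alice", App: "mail", SourceIP: net.ParseIP("203.0.113.9"), Country: "US", OS: "Windows", AuthLevel: 1, DeviceManaged: true},
		{User: "alice", App: "mail", SourceIP: net.ParseIP("203.0.113.9"), Country: "US", OS: "Windows", AuthLevel: 2, DeviceManaged: true},
		{User: "alice", App: "hr", SourceIP: net.ParseIP("10.20.3.4"), Country: "US", OS: "Windows", AuthLevel: 2, DeviceManaged: false},
		{User: "alice", App: "mail", SourceIP: net.ParseIP("198.51.100.7"), Country: "XX", OS: "Windows", AuthLevel: 2, DeviceManaged: true},
	}
	for i, c := range session {
		d, why := p.Evaluate(c)
		fmt.Printf("event %d %-4s from %-13s -> %-7s (%s)\n", i+1, c.App, c.SourceIP, d, why)
	}
}
```

The second event shows the mid-session behaviour the paragraph describes: the same user with the same OTP-level session moves off the office network and the answer changes from allow to step-up, and once a phishing-resistant authenticator is presented (event three) access resumes without a new login.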

Non-Person Entity Identity Credentials

Thales TCT’s Luna Credential System (LCS) takes a new approach to multi-factor authentication by maintaining user or non-person entity credentials in a centralized hardware device that is securely accessible by endpoints in a distributed network. It unites the familiarity of certificate-based authentication with the security of a FIPS 140-2 certified hardware security module (HSM). LCS is a multi-purpose, secure credential system suited to environments in which the endpoints cannot use a traditional small form-factor token, such as Robotic Process Automation (RPA); it is integrated with industry-leading RPA platforms such as UiPath and Blue Prism.

The integrity of devices connecting to agency networks—whether agency-owned or bring-your-own device (BYOD)—must be validated. Unauthorized devices must be prevented from accessing agency networks and data.

Hardware Security Modules

Whether the solution involves device attestation, trusted platform modules, secure boot, or similar device integrity technologies, there is always a concept of device identity involved. Thales TCT Luna HSMs are a foundational element of these solutions, generating secure device identities or cryptographically signing identity-related data.

Luna Credential System

Luna Credential System (LCS), described above under Non-Person Entity Identity Credentials, applies to the Devices pillar as well: it keeps user and non-person entity credentials in a centralized, FIPS 140-2 certified HSM that endpoints in a distributed network access securely, so an endpoint that cannot use a traditional small form-factor token (an RPA worker, for example) can still authenticate with certificate-based credentials.

Policy Enforcement & Compliance Monitoring

Imperva Data Security Fabric (DSF), from Thales, provides database vulnerability assessment capabilities that allow organizations to verify that databases are configured securely whether they run on hardware, in virtual environments, in cloud environments or as database-as-a-service. Security checklists such as DISA STIGs and Center for Internet Security (CIS) benchmarks for databases are included as prepackaged scan policies, alongside dozens of Imperva’s own database vulnerability scan policies. Vulnerability assessments can be scheduled to run automatically, and results can be displayed in detailed reports and dashboards or integrated with ticketing systems so findings are tracked to remediation.

CISA suggests that agencies “need to align their network segmentation and protections according to the needs of their application workflows instead of the implicit trust inherent in traditional network segmentation” and cites encryption as a key ZTA function.

Network Encryption

Thales’ high speed encryption (HSE) solutions offer high-assurance encryption through secure, dedicated encryption devices that feature embedded, zero-touch encryption key management and end-to-end, authenticated encryption using standards-based algorithms.

Thales HSEs are available as a virtual appliance or as hardware-based, stand-alone appliances ranging in throughput from 100 Mbps to 100 Gbps. Thales HSEs are suited to environments including:

  • Big Data Applications
  • Data Center Interconnect
  • ‘Mega Data’ Campus Network Environments
  • Cloud Computing Services ‘Backbones’
  • Aggregating High-Speed Network Links
  • Large Scale, MAN and WAN Security

Thales HSE Features:

Certified Security.  Thales HSEs are FIPS 140-2 Level 3 validated and Common Criteria, NATO and DoD Information Network Approved Products List (DoDIN APL) certified. The solutions support standards-based, end-to-end authenticated encryption and client-side key management. Advanced security features include traffic flow security and support for a wide range of elliptic curves (SafeCurves, Brainpool, NIST). VLAN-based encryption provides unique key pairs in hub-and-spoke environments to protect against misconfigured traffic. For high-assurance environments, the encryptors also support nested encryption.

Transport Independent Mode. Thales HSEs are the first network encryptors to offer Transport Independent Mode (TIM): data-in-motion encryption that is network-layer independent (covering OSI Layer 2, Layer 3 and Layer 4) and protocol agnostic.

Fully Interoperable. A single management platform can be used to centrally manage encryptors across single links or distributed networks.

Crypto-Agility. Thales HSE solutions are crypto-agile: they support customizable encryption, including a wide range of elliptic and custom curves, and already integrate Quantum Key Distribution (QKD) and Quantum Random Number Generation (QRNG) capabilities to future-proof data security.

Hardware Security Modules

Thales TCT’s Luna T-Series HSMs protect SSL/TLS sessions, a keystone protocol of data-in-motion security, by generating and storing the private keys in a high-assurance, hardware root of trust. Thales HSMs are also crypto-agile, supporting a wide range of encryption standards and updated regularly so that the hardware deployed today meets the encryption challenges of tomorrow.

CISA recommends that agencies “integrate their protections more closely with their application workflows to ensure the protections have the visibility and understanding needed to provide effective security”.

Access Management Solutions

Thales TCT’s access management solutions protect applications and the data behind them by ensuring the right user has access to the right resource at the right level of trust. Agencies can control access by setting granular policies so authorized individuals can do their jobs efficiently and effectively. Agencies can monitor user access permissions and the risks associated with each login, applying step-up authentication only when the user’s context changes and the level of risk is concerning.

Application Security

Imperva Application Security enables agencies to protect their applications and mitigate risk while preserving an optimal user experience. Imperva deploys an integrated defense-in-depth model that enforces security in layers from the application to the end user; with Imperva Runtime Application Self-Protection (RASP), a lightweight agent is incorporated into the application during the software development cycle.

Imperva provides a Web Application Firewall (WAF), available as an on-premises or virtual appliance (WAF Gateway) or as a cloud service, to defend against the OWASP Top 10 threats including SQL injection, cross-site scripting, illegal resource access, and remote file inclusion. For the cloud service, inspection and enforcement of user traffic occurs across Imperva’s global network of points of presence (PoPs), each of which is also a DDoS scrubbing center. Policies and signatures for the WAF and API Security are kept up to date from live, crowd-sourced intelligence and from security experts at Imperva Research Labs. Imperva API Security provides continuous protection of all APIs, using deep discovery and classification to detect public, private and shadow APIs. It also protects against business logic attacks and other threats in the OWASP API Security Top 10. The easy-to-deploy solution lets security teams implement a positive API security model.

Imperva Attack Analytics, a key part of Imperva Application Security, combats alert fatigue by distilling millions of security alerts into a prioritized set of security insights. It recommends actions to improve your security posture, helping you understand your cyber risk and reduce it.

Imperva Application Security provides DDoS Protection and Advanced Bot Protection to stop attacks before malicious traffic reaches a website. Multiple DDoS protection services are available, with always-on protection for websites, DNS servers, and individual IPs, and always-on or on-demand protection for networks. With near-zero latency and backed by a 3-second service level agreement for network protection, DDoS traffic is mitigated without disruption to legitimate traffic. With Imperva Advanced Bot Protection, fingerprinting and client classification determine whether traffic is coming from a human, a good bot or a bad bot, quickly and accurately and with a very low false positive rate, protecting websites, mobile apps and APIs against all 21 OWASP Automated Threats, including account takeover, web scraping, business logic abuse and fraud.

Client-side protection further helps organizations secure every aspect of their web applications and the safety and privacy of their data. It mitigates the risk of client-side attacks that exfiltrate sensitive data through third-party JavaScript running in the user’s browser, which result in devastating, costly data breaches. By providing clear visibility, actionable insights and simple controls, Imperva lets the security team determine the nature of each client-side service and block any unapproved ones.

Imperva Runtime Application Self-Protection (RASP) is a control named explicitly in NIST SP 800-53 (Rev. 5, SI-7(17)) that protects applications “by default”. Imperva RASP protects any application (custom or off-the-shelf) written in Java, Node.js, .NET, .NET Core or Python, as well as the third-party libraries used in its development, from zero-day vulnerabilities. Imperva RASP is a signatureless solution that works in air-gapped environments, requires no code changes and can be integrated into an organization’s CI/CD pipeline, letting DevSecOps teams “bake in” security to each software release. Imperva RASP follows the application wherever it runs: on premises, on cloud service platforms, in containerized environments and even in serverless environments.

Data Protection & Key Management

CipherTrust Data Security Platform (CDSP) is an integrated suite of data-centric security solutions that unifies data discovery and classification, data protection, and provides unprecedented granular access controls, all with centralized key management. In addition to providing a data-centric security solution as detailed later in this document, CDSP also integrates with agency workloads to provide authentication, access control, and visibility.

Application Data Protection for DevSecOps

CISA also recommends that agencies apply Zero Trust principles to the development and deployment of applications.

CipherTrust Application Data Protection supports the rapidly evolving needs of DevOps and DevSecOps, combining rapid software evolution with security. It offers simple-to-use, powerful software tools for application-level key management and encryption of sensitive data, and is flexible enough to encrypt nearly any type of data passing through an application. Application-layer data protection can provide the highest level of security because it can take place immediately upon data creation or first processing, and the data can remain encrypted regardless of its life-cycle state, whether in transfer, use, backup or copy.

CipherTrust Application Data Protection can be deployed in physical, private or public cloud infrastructure to secure data even when it is migrating from one environment to another, without any modifications to existing encryption or data processing policies.

CipherTrust Application Data Protection is deployed with CipherTrust Manager, which centralizes key and policy management across multiple applications, environments or sites. The combined solution provides granular access controls that separate administrative duties from access to data and encryption keys. For example, a policy can require that no single administrator can make a critical configuration change without additional approval.

Hardware Security Modules

Luna T-Series HSMs secure application development by providing a hardware-protected key for signing software code. Because they can be configured to require multi-party, multi-factor authentication to complete a code-signing request, Luna T-Series HSMs provide high assurance that an application has not been maliciously altered prior to deployment. And as a CNSS-approved HSM, Luna T-Series HSMs can provide hardware protection for LMS code-signing keys in accordance
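Two passages above describe the same control from different angles: the CipherTrust Manager policy under which no single administrator can complete a critical change without additional approval, and the Luna HSM configuration under which a code-signing request completes only after multi-party authentication. The Go program below is an added example of that M-of-N quorum pattern applied to code signing; it is not Thales TCT or CipherTrust code and does not model an HSM's real interface. It uses Ed25519 from the Go standard library in place of an HSM-resident key (and in place of the LMS keys the text mentions), keeps the signing key inside a service struct that only exposes a Sign method, binds each approval to the artifact digest so approvals cannot be replayed across builds, and counts each registered approver at most once. The approver names, quorum of two out of three, and artifact bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Approval is one reviewer's signature over the artifact digest. Each approver
// holds their own key (in practice on a PIV card or FIDO2 token).
type Approval struct {
	Approver string
	Sig      []byte
}

// SigningService models the HSM-resident code-signing key: the private key
// never leaves this struct, and Sign refuses to run unless a quorum of
// distinct, registered approvers has signed the same digest.
type SigningService struct {
	priv      ed25519.PrivateKey
	Pub       ed25519.PublicKey
	approvers map[string]ed25519.PublicKey
	quorum    int
}

func NewSigningService(quorum int, approvers map[string]ed25519.PublicKey) (*SigningService, error) {
	if quorum < 1 || quorum > len(approvers) {
		return nil, errors.New("quorum must be between 1 and the number of approvers")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningService{priv: priv, Pub: pub, approvers: approvers, quorum: quorum}, nil
}

// approvalMessage binds each approval to the exact artifact digest, so an
// approval given for one build cannot be replayed to release another.
func approvalMessage(digest []byte) []byte {
	return append([]byte("code-signing-approval:"), digest...)
}

// Sign enforces the M-of-N policy and only then signs the artifact digest.
func (s *SigningService) Sign(artifact []byte, approvals []Approval) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	msg := approvalMessage(digest[:])
	seen := map[string]bool{}
	for _, a := range approvals {
		pub, ok := s.approvers[a.Approver]
		if !ok || seen[a.Approver] {
			continue // unknown approver, or the same approver submitted twice
		}
		if ed25519.Verify(pub, msg, a.Sig) {
			seen[a.Approver] = true
		}
	}
	if len(seen) < s.quorum {
		return nil, fmt.Errorf("quorum not met: %d valid approvals, need %d", len(seen), s.quorum)
	}
	return ed25519.Sign(s.priv, digest[:]), nil
}

// VerifyArtifact is what the deployment pipeline runs: it recomputes the
// digest and checks the signature against the service's public key only.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// Approve is the approver-side step: sign the digest of the build you reviewed.
func Approve(name string, priv ed25519.PrivateKey, artifact []byte) Approval {
	digest := sha256.Sum256(artifact)
	return Approval{Approver: name, Sig: ed25519.Sign(priv, approvalMessage(digest[:]))}
}

func main() {
	// Constructed demo: three approvers, any two must approve a release.
	privs := map[string]ed25519.PrivateKey{}
	pubs := map[string]ed25519.PublicKey{}
	for _, n := range []string{"alice", "bob", "carol"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		privs[n], pubs[n] = priv, pub
	}
	svc, _ := NewSigningService(2, pubs)

	release := []byte("release-1.4.2.tar.gz contents (constructed)")
	if _, err := svc.Sign(release, []Approval{Approve("alice", privs["alice"], release)}); err != nil {
		fmt.Println("one approval:", err)
	}
	sig, err := svc.Sign(release, []Approval{Approve("alice", privs["alice"], release), Approve("bob", privs["bob"], release)})
	fmt.Println("two approvals: err =", err, "signature =", hex.EncodeToString(sig)[:16]+"...")
	fmt.Println("verify release:", VerifyArtifact(svc.Pub, release, sig))
	fmt.Println("verify tampered:", VerifyArtifact(svc.Pub, append(release, '!'), sig))
}
```

The verification side deliberately knows nothing about approvers: a deployment pipeline checks one signature from the signing key, and the quorum is enforced where the key lives, which is the property an HSM-held key with multi-party authorization gives you.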

Taking a data-centric approach to security is not only a core component of ZTA, it is also critical for any cybersecurity infrastructure.  CISA recommends that “agencies should begin to identify, categorize, and inventory data assets”.  Next, agencies should deploy security solutions to protect the data itself.

Data Discovery & Classification

Data Discovery & Classification (DDC) automatically discovers all data stores in your data estate, from structured to semi-structured to unstructured, across on-premises, hybrid, cloud, and multicloud environments. Automated discovery and classification is the only reliable way to routinely and consistently discover and classify new or modified data stores as your data estate grows, eliminating error-prone and costly manual procedures in the process. DDC can programmatically identify and classify sensitive data across your data estate, pinpointing its location and assigning each asset a risk-based priority that helps organizations plan their risk mitigation programs, systems, and policies.

Data-at-Rest Encryption

The CipherTrust Data Security Platform (CDSP), introduced above, provides the following data-at-rest protections, all with centralized key management through CipherTrust Manager.

CipherTrust Transparent Encryption delivers data-at-rest encryption, privileged user access controls and detailed data access audit logging. Agents protect data in files, volumes and databases on Windows, AIX and Linux operating systems across physical and virtual servers in cloud and big data environments. Security intelligence logs and reports streamline compliance reporting and speed up threat detection through leading security information and event management (SIEM) systems.

CipherTrust Application Data Protection delivers cryptographic functions such as key management, signing, hashing and encryption through APIs, so that developers can secure data at the application server or big data node. The solution comes with supported sample code so that developers can move quickly to securing the data their applications process. CipherTrust Application Data Protection accelerates development of customized data security solutions while removing the complexity of key management from developer responsibility and control. In addition, it enforces strong separation of duties through key management policies that are managed only by security operations.
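The Application Data Protection passages above (here and under Application Data Protection for DevSecOps) make three claims about application-layer encryption: the application calls an encrypt/decrypt API and never handles key material, keys and their use policies live in a central manager that enforces which identity may use which key, and data encrypted at creation stays protected through copies, backups and migrations. The Go program below is an added example showing the mechanics behind those claims; it is not CipherTrust code and its API does not match CipherTrust Manager's. The in-memory KeyManager stands in for the central key manager, AES-256-GCM is the cipher, the field name is bound into the ciphertext as associated data, each ciphertext records the key name and version so it still decrypts after a rotation, and the "benefits-app" and "dba" identities and sample SSN are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// keyVersion is one version of a named key; old versions are kept so data
// encrypted before a rotation still decrypts.
type keyVersion struct {
	version int
	aead    cipher.AEAD
}

// KeyManager stands in for a central key manager: it owns the key material,
// enforces which application identities may use which key, and records use.
// Application code never sees raw key bytes, only the encrypt/decrypt API.
type KeyManager struct {
	keys   map[string][]keyVersion    // key name -> versions, index = version-1
	access map[string]map[string]bool // key name -> identities allowed to use it
	Audit  []string
}

func NewKeyManager() *KeyManager {
	return &KeyManager{keys: map[string][]keyVersion{}, access: map[string]map[string]bool{}}
}

// CreateKey provisions a 256-bit AES key and the identities allowed to use it.
func (m *KeyManager) CreateKey(name string, allowed ...string) error {
	if _, exists := m.keys[name]; exists {
		return errors.New("key exists: " + name)
	}
	m.access[name] = map[string]bool{}
	for _, id := range allowed {
		m.access[name][id] = true
	}
	return m.Rotate(name)
}

// Rotate adds a new version; new encryptions use it, older versions stay decrypt-only.
func (m *KeyManager) Rotate(name string) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	m.keys[name] = append(m.keys[name], keyVersion{version: len(m.keys[name]) + 1, aead: aead})
	return nil
}

// authorize is the policy check every operation passes through; it also audits.
func (m *KeyManager) authorize(identity, name, op string) error {
	m.Audit = append(m.Audit, fmt.Sprintf("%s %s key=%s", identity, op, name))
	if !m.access[name][identity] {
		return fmt.Errorf("%s is not permitted to %s with key %s", identity, op, name)
	}
	return nil
}

// Encrypt protects one field value. The field name is bound in as associated
// data so a ciphertext moved to a different column fails to decrypt, and the
// output carries key name and version so the right key is found after rotation.
func (m *KeyManager) Encrypt(identity, name, field string, plaintext []byte) (string, error) {
	if err := m.authorize(identity, name, "encrypt"); err != nil {
		return "", err
	}
	versions := m.keys[name]
	kv := versions[len(versions)-1]
	nonce := make([]byte, kv.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := kv.aead.Seal(nil, nonce, plaintext, []byte(field))
	return fmt.Sprintf("%s:v%d:%s:%s", name, kv.version,
		base64.RawStdEncoding.EncodeToString(nonce), base64.RawStdEncoding.EncodeToString(ct)), nil
}

// Decrypt reverses Encrypt, selecting the key version named in the token.
func (m *KeyManager) Decrypt(identity, field, token string) ([]byte, error) {
	parts := strings.Split(token, ":")
	if len(parts) != 4 {
		return nil, errors.New("malformed ciphertext token")
	}
	name := parts[0]
	if err := m.authorize(identity, name, "decrypt"); err != nil {
		return nil, err
	}
	var v int
	if _, err := fmt.Sscanf(parts[1], "v%d", &v); err != nil || v < 1 || v > len(m.keys[name]) {
		return nil, errors.New("unknown key version")
	}
	nonce, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	ct, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil {
		return nil, err
	}
	return m.keys[name][v-1].aead.Open(nil, nonce, ct, []byte(field))
}

func main() {
	km := NewKeyManager()
	km.CreateKey("benefits-ssn", "benefits-app") // the application identity only; the DBA role is not listed
	tok, _ := km.Encrypt("benefits-app", "benefits-ssn", "ssn", []byte("123-45-6789")) // constructed value
	fmt.Println("stored:", tok)
	km.Rotate("benefits-ssn")
	pt, err := km.Decrypt("benefits-app", "ssn", tok)
	fmt.Printf("after rotation: %s (err=%v)\n", pt, err)
	_, err = km.Decrypt("dba", "ssn", tok)
	fmt.Println("dba decrypt:", err)
	_, err = km.Decrypt("benefits-app", "phone", tok)
	fmt.Println("wrong field:", err)
}
```

The separation of duties the passage describes falls out of the structure: the database administrator can read the stored token but holds no identity the key policy admits, so the ciphertext is opaque to them, while the key owner can rotate without touching application code or re-encrypting existing rows.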

CipherTrust Tokenization is offered in both vaulted and vaultless forms and can help reduce the cost and complexity of complying with data security mandates such as PCI DSS. Tokenization replaces sensitive data with a representative token, so that the sensitive data is kept separate and secure from the database and from unauthorized users and systems. The vaultless offering includes policy-based dynamic data masking. Both offerings make it easy to add tokenization to applications.

CipherTrust Database Protection solutions integrate data encryption for sensitive fields in databases with secure, centralized key management and without the need to alter database applications. CipherTrust Database Protection solutions support Oracle, Microsoft SQL Server, IBM DB2 and Teradata databases.

CipherTrust Manager is the central management point for the platform. It is an industry-leading enterprise key management solution that enables organizations to centrally manage encryption keys, provide granular access controls and configure security policies. CipherTrust Manager manages key lifecycle tasks including generation, rotation, destruction, import and export, provides role based access control to keys and policies, supports robust auditing and reporting, and offers development- and management-friendly REST APIs.

Luna T-Series HSMs are the choice for government agencies when storing, protecting and managing cryptographic keys used to secure sensitive data and critical applications. Meeting government mandates for U.S. Supply Chain, the high-assurance, tamper-resistant Luna T-Series HSMs are designed, developed, manufactured, sold, and supported in the United States. Luna T-Series models offer secure storage of your cryptographic information in a controlled and highly secure environment. All Luna T-Series models can be initialized by the customer to protect proprietary information by using either multifactor (PED) authentication or password authentication.

Data Activity Monitoring

Imperva Data Security Fabric (DSF) provides continuous monitoring to capture and analyze all data store activity from both application and privileged user accounts, providing detailed audit trails that show the who, what, when and from where of each access, its effect (query, modification, deletion), and whether the access was appropriate. It unifies auditing across diverse on-premises platforms, providing oversight for relational databases, NoSQL databases, mainframes, big data platforms, and data warehouses. It also supports databases hosted in Microsoft Azure and Amazon Web Services (AWS), including PaaS offerings such as Azure SQL and Amazon Relational Database Service (RDS). Detailed data activity is captured automatically, which makes it easier to fulfill compliance requirements and provides the detailed insight needed to take immediate action.

Risk Analytics & Insights

Imperva Data Risk Analytics (DRA) and Insights uses automation and machine learning to detect unusual or potentially improper data access and risky behavior among the billions of data access activities that occur daily within an organization’s data stores (structured, semi-structured and unstructured). It automatically learns the normal behavior of users: what they typically access and how they use that data. DRA then produces actionable insights, in detailed narrative form, about potentially dangerous data access that can be investigated immediately and passed into a SOAR workflow system for incident response.

The cross-cutting capabilities of Visibility and Analytics, Automation and Orchestration, and Governance can be applied across all five Zero Trust pillars. CISA defines Visibility and Analytics as support for comprehensive visibility that informs policy decisions and facilitates response activities. Automation and Orchestration capabilities then leverage these insights to support robust and streamlined operations to handle security incidents and respond to events as they arise. And, Governance enables agencies to manage and monitor their regulatory, legal, environmental, federal, and operational requirements in support of risk-based decision making. Governance capabilities also ensure the right people, process, and technology are in place to support mission, risk, and compliance objectives.

Data Visibility & Analytics

Imperva Data Security Fabric (DSF) and Data Risk Analytics (DRA) provide anomaly-based User and Entity Behavior Analytics (UEBA) to detect unusual data access. From the data access audit records, DSF and DRA automatically generate actionable insights that allow security practitioners to take immediate remedial action.
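The Data Activity Monitoring, Risk Analytics and Data Visibility passages above describe a pipeline: audit records of who touched which table, when, from where and with what effect; a learned per-user baseline of normal access; and narrative, prioritized insights when new activity departs from that baseline. The Go program below is an added example of the simplest form of that anomaly logic, written for this page; it is not Imperva code and is far cruder than the machine learning the product applies. The audit events, user names, host names and table names are constructed, as is the scoring (a new table, new source host, unusual hour, row count far above the user's previous maximum, and destructive or export operations each add weight so that several weak signals on one event outrank any single deviation).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessEvent is one audited data-store operation as a monitoring agent would
// capture it: who, what, when, from where, and the effect (operation, rows).
type AccessEvent struct {
	At     time.Time
	User   string
	Source string
	Op     string // SELECT, UPDATE, DELETE, EXPORT
	Table  string
	Rows   int
}

// userProfile is the learned "normal" for one account over the baseline window.
type userProfile struct {
	tables  map[string]bool
	sources map[string]bool
	hours   map[int]bool // hours of day seen in the baseline
	maxRows int
}

// Baseline learns per-user profiles from a window of historical events.
func Baseline(events []AccessEvent) map[string]*userProfile {
	profiles := map[string]*userProfile{}
	for _, e := range events {
		p := profiles[e.User]
		if p == nil {
			p = &userProfile{tables: map[string]bool{}, sources: map[string]bool{}, hours: map[int]bool{}}
			profiles[e.User] = p
		}
		p.tables[e.Table] = true
		p.sources[e.Source] = true
		p.hours[e.At.Hour()] = true
		if e.Rows > p.maxRows {
			p.maxRows = e.Rows
		}
	}
	return profiles
}

// Insight is a narrative finding with a severity score for triage.
type Insight struct {
	Severity int
	Text     string
}

// Detect scores each new event against the learned profile for its user and
// returns insights ordered most severe first. Events that match the profile
// on every axis produce nothing, which is what keeps alert volume down.
func Detect(profiles map[string]*userProfile, events []AccessEvent) []Insight {
	var out []Insight
	for _, e := range events {
		when := e.At.Format("Jan 2 15:04")
		p, known := profiles[e.User]
		if !known {
			out = append(out, Insight{3, fmt.Sprintf("%s: %s has no access history yet touched %s", when, e.User, e.Table)})
			continue
		}
		var reasons []string
		score := 0
		if !p.tables[e.Table] {
			reasons = append(reasons, "first access to "+e.Table)
			score += 2
		}
		if !p.sources[e.Source] {
			reasons = append(reasons, "new source host "+e.Source)
			score += 1
		}
		if !p.hours[e.At.Hour()] {
			reasons = append(reasons, fmt.Sprintf("outside usual hours (%02d:00)", e.At.Hour()))
			score += 1
		}
		if p.maxRows > 0 && e.Rows > 10*p.maxRows {
			reasons = append(reasons, fmt.Sprintf("%d rows, %dx the user's previous maximum", e.Rows, e.Rows/p.maxRows))
			score += 3
		}
		if e.Op == "DELETE" || e.Op == "EXPORT" {
			score += 1 // destructive or exfiltration-shaped operations weigh more
		}
		if len(reasons) > 0 {
			out = append(out, Insight{score, fmt.Sprintf("%s: %s %s %s via %s: %s",
				when, e.User, e.Op, e.Table, e.Source, strings.Join(reasons, "; "))})
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Severity > out[j].Severity })
	return out
}

func ts(day, hour, min int) time.Time { return time.Date(2024, time.March, day, hour, min, 0, 0, time.UTC) }

// SampleBaseline and SampleNew are constructed audit records, not real data:
// an analyst who reads the orders table during business hours and a DBA who
// checks session statistics once a day.
func SampleBaseline() []AccessEvent {
	var ev []AccessEvent
	for day := 1; day <= 5; day++ {
		for _, h := range []int{9, 10, 11, 14, 16} {
			ev = append(ev, AccessEvent{ts(day, h, 0), "jdoe", "app-srv-1", "SELECT", "orders", 150 + day*10})
		}
		ev = append(ev, AccessEvent{ts(day, 10, 30), "dba1", "dba-jump", "SELECT", "pg_stat_activity", 40})
	}
	return ev
}

func SampleNew() []AccessEvent {
	return []AccessEvent{
		{ts(8, 10, 5), "jdoe", "app-srv-1", "SELECT", "orders", 180},           // matches the profile: no insight
		{ts(8, 2, 13), "jdoe", "laptop-77", "SELECT", "employees_ssn", 52000},  // anomalous on every axis
		{ts(8, 11, 0), "dba1", "dba-jump", "DELETE", "audit_log", 300},         // new table, destructive
		{ts(8, 12, 0), "svc_report", "app-srv-2", "EXPORT", "customers", 5000}, // never-seen account
	}
}

func main() {
	for _, in := range Detect(Baseline(SampleBaseline()), SampleNew()) {
		fmt.Printf("[sev %d] %s\n", in.Severity, in.Text)
	}
}
```

Feeding the output into a ticketing or SOAR system, as the Automation & Orchestration passage describes, is then a matter of emitting each Insight as an event rather than printing it.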

Automation & Orchestration Capability

Imperva Data Security Fabric (DSF) integrates with third-party systems, such as ticketing systems and security information and event management (SIEM) platforms, so that security teams can automate and effectively manage the handling of suspicious data access events.
