OpenPMF™ Zero Trust Access Policy Automation

Maximum security. Minimum effort.

OpenPMF 4.0 offers a comprehensive Zero Trust platform that makes access control effective and manageable through automation and intelligence. It helps manage and enforce fine-grained Zero Trust access control policies across complex IT/OT environments.

What

OpenPMF™ makes Zero Trust policies effective and manageable, restricting information flows only to what is authorized. Its award-winning “security policy automation” allows intuitive policy creation, automatically generating detailed technical rules by analyzing organizational and technical data. OpenPMF supports modern access controls, including Zero Trust Architecture (ZTA), DevSecOps, and Attribute-Based Access Control (ABAC).

  • Policy Management: Create intuitive policies using natural language and graphical editors. These policies are captured in generic terms, reducing the need for frequent updates.

  • Automation: Automatically generates detailed technical rules by analyzing IT/OT/IoT/IIoT/Cloud environments. It integrates data from user/device identities, application configurations, and network traffic patterns.

  • Enforcement: Enforces low-level policies via its infrastructure and integrates with third-party products through customizable exporters.

  • Monitoring & Compliance: Monitors security continuously and generates compliance documentation automatically.

  • Testing & Scalability: Allows policy testing before deployment and scales efficiently with evolving IT landscapes.

Why

  • Cost Savings: Significant maintenance cost reduction due to the automation and efficient management of security policies.

  • Adaptability: Handle complex and evolving IT/OT landscapes in a manageable, robust and scalable way.

  • Zero Trust: Make technical access control manageable in Zero Trust environments

  • Manageable policies: Manage policies in generic, intuitive “umbrella” terms as a single source of truth.

  • Flexible integrations: Use customizable importers to ease policy automation by importing existing context.

  • Automation: Generate low-level technical rules/configurations enforced via our enforcement infrastructure and third-party products.

  • Compliance documentation: automatically generate compliance documentation.

  • Testing: Formally test policies before deployment

  • Monitoring: Monitor access enforcement

How

OpenPMF captures policies in generic terms rather than specific technical rules, reducing the need for frequent updates. For example, in dynamic IoT/IIoT environments, it automatically generates security enforcement rules by analyzing these generic policies alongside changes in applications and their interactions. This method ensures policies remain manageable in large, evolving IT/OT landscapes, leading to significant maintenance cost savings. OpenPMF’s patented technology makes policy management both efficient and adaptable. In its most basic form, OpenPMF’s policy automation steps involve importing, authoring, and generating:

  • 1. Import: Import information about your organization, including systems/applications, networks, data flows, users and alerts. And Import your existing technical policies as a baseline, for example access control configurations.

  • 2. Author: Author security policies that are intuitive, generic, rich and easy customizable. Policies are technology-neutral, allowing for easy application to many technologies

  • 3. Generate: Generate technical enforcement rules & configurations for example for access control automatically. OpenPMF’s own enforcement infrastructure supports many technologies out-of-the-box, and other technologies on demand. OpenPMF comes with its own enforcement infrastructure, which includes local software agents.

OpenPMF’s policy automation workflow

OpenPMF uses your existing information to simplify policy automation. Import information about your networks, applications, systems, and users at the click of a button. Analyze and visualize the information, and select subsets you want to use for policy generation or policy testing.

Import existing security policies into OpenPMF as a basis for the policies you will manage in OpenPMF. For example, import from OASIS XACML compatible systems, or use OpenPMF’s customizable importers to import other existing policies.

Author policies in generic, intuitive, and rich concepts, using terms you choose.

  • Policy editor to author intuitive security policies
  • Most  policy building blocks user-configurable
  • Rapidly customizable/flexible
  • Standards-based (Eclipse EMF)
  • Web browser based, SaaS-ready

Generate enforcement of technical rules & configurations at the click of a button. OpenPMF generates “low-level” technical policy implementation from generic, intuitive expressive “high-level” policies and other – ideally already existing – information sources.

Test Policies Using Formal Methods

Test policies using formal methods. For example, you can test whether certain policies can or cannot occur.

Document compliance & natural language policy

Document compliance & natural language policy in English language text exported at the click of a button.

  • easy to read & understand
  • to make sure the policy is right
  • for audit & compliance

Enforce

Enforce via OpenPMF’s own runtime. Many technologies out-of-the-box

  • Fine-grained Access Control Products (XACML)
  • Development Tools (Eclipse IDE & EMF)
  • Middleware: OSGi, BPMS BPMN SOA, web app servers, DDS, CORBA/CCM, IIOP ObjectWall
  • Network Intrusion Detection Systems
  • Identity Management, Directory Services, PMI & PKI, X.509, LDAP
  • Databases: PostgreSQL (under dev.)
  • Other technologies on demand

Export

Export security configurations into 3rd party products using OpenPMF’s rapidly customizable exporter.

  • Firewalls, IDS/IPS, …
  • XACML, …
  • DLP
  • OS security

Monitor

1) Monitor via OpenPMF’s own runtime. Many technologies out-of-the-box:

  • Fine-grained Access Control (XACML)
  • Development Tools (Eclipse)
  • Middleware: OSGi, BPMS BPMN SOA, web app servers, DDS, CORBA/CCM, IIOP ObjectWall
  • Network Intrusion Detection Systems
  • Identity Management, Directories, PMI & PKI, X.509, LDAP
  • other technologies on demand

2) Import 3rd party alerts: using OpenPMF’s customizable importer

Automatically update & rapidly customize:

  • policies when your IT landscape changes
  • policies & enforcement for your organization

To update, just import any changes to your IT landscape, and simply regenerate the technical policy at the click of a button.

Customize most features of OpenPMF, including policy features, importers, exporters, enforcement.

OpenPMF is based on standards (Eclipse EMF/MOF, OMG QVT etc.)

We generally favor ‘model driven security’ to actually execute and implement digital dynamic access control.

OpenPMF Integrations & Support

OpenPMF is customizable for your particular business and IT landscape. While it comes with its own (optional) policy enforcement features, we currently offer pre-developed 3rd integrations and support for a wide range of technologies right out of the box, and other technologies supported upon request.

  • Application platforms, incl. OT/ICS  (e.g. RTI DDS) & legacy middleware

  • Firewalls rulesets and other network infrastructure

  • Identity systems, PKIs, PMIs, LDAP directory services

  • REST API (documentation)

  • Export into OASIS XACML compatible platforms

  • IDE integration into Eclipse
  • Network traffic collectors (e.g. tcpdump logs)

  • ClientSDK (Java) (documentation)

  • User documentation (excerpt)

OpenPMF Auditor™ for testing 3rd party policies

Can you trust the security policies you manually authored or implemented outside of OpenPMF? OpenPMF can be used to audit such access policies not authored or managed in OpenPMF. Using proven information modeling and formal testing techniques, OpenPMF analyzes information about your technical security policies and your IT environments.

The OpenPMF Auditor standalone workflow involves the following steps:

  • Import Information: Import and consolidate security policy information from many sources, such as networks, systems, applications, identity & access systems etc.

  • Author test requirements: Author your audit/test security policy (Access Control) requirements in generic, intuitive, and rich concepts, using terms you choose.

  • Test security policy requirements: Automatically test your test requirements against the imported information using formal methods

  • Visualize and document results: Intuitively visualize the test results and create documentation.

OpenPMF Auditor benefits:

  • Verify access control policies against static constraints.

  • Helps  develop more robust and secure Zero Trust implementations.

  • Guidance where to focus cybersecurity efforts
  • Consolidated visibility into technical security policies.
  • Helps document cybersecurity for audit & compliance.
  • Rapidly customizable to fit to your particular audit/test requirements and IT landscape.
  • Detect potential errors/vulnerabilities in policies, especially manually authored policies.

  • Reliable Return on Investment and low deployment and maintenance costs.

  • Cost-effective, repeatable testing of your access control policies.

  • Easy to use interface makes it easy to import, author, analyze, test and export.

 

“OpenPMF 4.0 provides comprehensive security policy management.  RTI is looking forward to partnering with ObjectSecurity to improve DDS-based secure systems.“

– Stan Schneider, CEO, RTI, Inc.

“OpenPMF 4.0 is in a league by itself, including the only security policy automation platform with natural language policies… “

– Mike Davis, CISO,ABS & Cyber Evangelist.

 “A real proven product without the hype and snake oil you see too often. OpenPMF Security Policy Automation is here to stay.”

– John Mullen, CEO, Promia, Inc.

“OpenPMF automates policy management, giving you the assurance that your security mechanisms are actually enforcing the policies you specify.”

— Dr. Alan Karp, HP Labs

“Using RTI Connext DDS and ObjectSecurity OpenPMF, you can build secure and complex distributed applications much more easily. You can concentrate on your business, the development of the application itself, and do not need to think about all the little technical details. So we were able to build two innovative systems in a short time frame.”

— Elena Cordiviola, Intecs, ICSI coordinator