Call: Security, Network and Authentication & API Management
Contractor: Interpol, Lyon
2 stages: 1) application + NDA, 2) restricted tender
CONTEXT: To enhance global police cooperation, INTERPOL provides Web Services / Application Programming Interfaces (APIs) to member countries and partners, through “INTERPOL Secure Cloud” and other channels. As threats and attacks constantly evolve, the highest level of security must be maintained for these services. Besides, INTERPOL's API offering is increasing year on year, and the need for analytics, monitoring and tool harmonization is becoming crucial in order to provide an even better quality of service. INTERPOL is therefore launching an open call for tender to select a new solution designed to securely publish WS/APIs together with a comprehensive API Management toolset.
The goal of this call for tender is to give INTERPOL the ability to expose APIs and Web Applications to different user communities with different security levels, and to provide INTERPOL with a state-of-the-art toolset for Security, Network & Authentication and API Management.
PURPOSE OF THE OPEN CALL FOR TENDERS: The Organization is issuing the present open call for tenders with a view to the conclusion and execution of a contract (or contracts), the objective of which is Security, Network and Authentication, and API Management.
This open call for tenders is divided into the following two lots:
Lot 1 – Security, Network and Authentication (estimated starting date: end Q1-2022 to Q2-2022)
INTERPOL needs to securely expose its services on two different environments:
• For Restricted Internet Clients:
Restricted Internet is considered an Unsecure Network with Identified Clients. Communications need to be encrypted “edge-to-edge”, and strong authentication is required before the HTTPS traffic can be offloaded and forwarded.
In addition to the strong authentication, a second level of user authentication is handled by the Applications or Web Services Providers.
• For Extranet Clients:
Extranet is considered a Secure Network with Identified Clients. Communications need to be encrypted “edge-to-edge” without authentication. This means the HTTPS traffic can be offloaded and forwarded without strong authentication.
The authentication is done at a second level and is handled by the Applications or Web Services Providers.
In both environments listed above, requests to the Applications or APIs must be inspected before being forwarded, to make sure they are clear of security threats.
An attack of any kind on one environment must not impact the other environment.
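As an added illustration, not part of the tender text or of any INTERPOL configuration, the following nginx fragment shows how the two edge policies described above differ: the Restricted Internet listener refuses the TLS handshake unless the client presents a certificate issued by a known CA (strong authentication before any offload or forwarding), while the Extranet listener terminates TLS without client authentication. Both re-encrypt towards the backend so the hop is encrypted edge-to-edge, both run request inspection before forwarding, and the verified identity is handed to the application for its own second-level user authentication. The addresses, hostnames, file paths, rate limits, and the choice of nginx with the ModSecurity connector are all assumptions for the example.

```nginx
# Added illustrative configuration, not part of the tender document.
# Two listeners on separate addresses (assumed: 203.0.113.10 for Restricted
# Internet, 10.0.0.10 for Extranet); all paths and hostnames are placeholders.

# TLS hardening shared by both edges
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

# Per-client rate limiting: keyed on the client certificate subject for the
# restricted edge and on the source address for the extranet edge.
limit_req_zone $ssl_client_s_dn zone=restricted:10m rate=20r/s;
limit_req_zone $binary_remote_addr zone=extranet:10m rate=50r/s;

upstream restricted_backend { server 10.10.1.20:8443; }
upstream extranet_backend   { server 10.10.2.20:8443; }

# Restricted Internet: identified clients on an untrusted network.
server {
    listen 203.0.113.10:443 ssl;
    server_name api-restricted.example.invalid;

    ssl_certificate     /etc/nginx/tls/restricted.crt;
    ssl_certificate_key /etc/nginx/tls/restricted.key;

    # Strong (first-level) authentication: the handshake fails unless the
    # client presents a certificate chained to the issuing CA, so nothing from
    # an unauthenticated client is ever offloaded or forwarded.
    ssl_verify_client on;
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_depth 2;

    limit_req zone=restricted burst=40 nodelay;

    # Request inspection before forwarding (requires the ModSecurity-nginx
    # connector; the rule set path is a placeholder).
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    location / {
        # Re-encrypt towards the backend so the hop stays encrypted after
        # offload, and verify the backend's certificate against the internal CA.
        proxy_pass https://restricted_backend;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_server_name on;
        proxy_ssl_name backend-restricted.internal.invalid;

        # Pass the verified identity on; the application performs the
        # second-level user authentication itself.
        proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
        proxy_set_header X-Client-Cert-Verify $ssl_client_verify;
    }
}

# Extranet: identified clients on a trusted network, TLS without client auth.
server {
    listen 10.0.0.10:443 ssl;
    server_name api-extranet.example.invalid;

    ssl_certificate     /etc/nginx/tls/extranet.crt;
    ssl_certificate_key /etc/nginx/tls/extranet.key;

    # No client certificate is required; authentication is handled entirely
    # by the application or web service provider.
    ssl_verify_client off;

    limit_req zone=extranet burst=100 nodelay;

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    location / {
        proxy_pass https://extranet_backend;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_server_name on;
        proxy_ssl_name backend-extranet.internal.invalid;
    }
}
```

Separate listen addresses, rate-limit zones and upstreams keep the two edges apart inside one process, which is enough to show the policy difference; the tender's requirement that an attack on one environment must not affect the other would in practice argue for separate gateway instances on separate network segments, so that resource exhaustion or a compromise of the internet-facing edge cannot reach the extranet edge.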
Lot 2 – API Management (estimated starting date: end Q4-2021 to Q1-2022)
• API Gateway
A server that acts as a front-end for all APIs, receives API requests, enforces throttling and security policies, guarantees authorization and security, passes requests to the back-end service and then passes the response back to the requester.
An API gateway often includes a transformation engine to orchestrate and modify the requests and responses on the fly. A gateway can also provide functionality such as collecting analytics data and providing caching. The gateway can provide functionality to support authentication, authorization, security, audit and regulatory compliance.
• API Design / Publishing tools
A collection of tools used to design APIs using OpenAPI, publish and deploy them, and record documentation, security policies, descriptions, usage limits, runtime capabilities and other relevant information. They may also support testing and debugging API execution, including security testing and automated generation of tests and test suites, deploying APIs into production, staging and integration/quality environments, and coordinating the overall API lifecycle.
• API store/Developer portal
A store or catalogue where APIs can be exposed to internal and/or external stakeholders. This portal then serves as a marketplace for APIs, where users can subscribe to APIs, obtain support from users and the community, and so on. It is a single convenient source of information and functionality, including documentation, tutorials, sample code, software development kits, an interactive API console and sandbox to trial APIs, and management of subscription keys such as OAuth2 Client ID and Client Secret.
• API Reporting and analytics
Functionality to monitor API usage, load, transaction logs, historical data and other metrics that give a better picture of the status and the success of the APIs available.
Reporting and analytics functionality can be used by the API provider to optimize the API offering within an organization’s overall continuous improvement process and for defining software Service-Level Agreements for APIs.
Functionality to support charging for access to commercial APIs. This functionality can include support for setting up pricing rules, based on usage, load and functionality, issuing invoices and collecting payments including multiple types of credit card payments.
The Candidates may submit an application for one or for both lots and must clearly specify for which lot(s) they are submitting the application.
The Candidates must submit the offer for all the items per Lot.