To this end, there are many existing rights models: MAC, DAC, GBAC, ABAC, etc.

How do you understand these many different rights models in practical terms and apply them to your business?

The models differ in their degree of complexity and in the response they provide to the specific needs and constraints of an organisation or system. The most recent models incorporate issues of security, scalability and compliance in an increasingly complex technological environment.

In this article, we will follow a chronological logic, identifying how authorisation has evolved over the decades to meet the challenges faced by organisations. We will see that, like information systems, rights model approaches have become increasingly complex and now include more and more parameters for deciding whether to grant or deny access.

Models can be grouped into 3 approaches reflecting their progressive sophistication:

– Classic approach: admin-time

– Modern approach: run-time

– Forward-looking approaches: event-time

We will illustrate each of these approaches with emblematic models, highlighting:

1) The response to an initial need

2) The limitations of the model

We conclude with a chronological summary of the approaches and their models.

Classic authorisation approaches: Admin-time

In the 60s and 70s the development of computer systems, marked by the development of the first multi-user systems (Multics, HP-3000), gave rise to the need to rethink user rights.

Innovative security principles, which are still used today, were defined for these systems such as rings of protection, which aim to protect the integrity of the operating system against deliberate and accidental modifications and initiate a rethink of user access policies to resources.

In the first access rights models to emerge, the management of rights remained summary, defined in hard terms by ‘administrators’: this was admin-time, of which the DAC and MAC (60s-70s) and RBAC (90s) models are particularly noteworthy.

Discretionary Access Control (DAC) and Access Control Lists (ACLs)

As its name suggests, the DAC model – for ‘discretionary access control’ – leaves it up to each resource owner to assign permissions to users. This is the basic rights model found on Unix systems, which can be supplemented by the ACL mechanism, or ‘access control lists’. Often associated with DAC, ACLs specify, for a given resource, the users and their rights over the resource, as illustrated below using the Unix example.

Beyond Unix, file-sharing systems such as OneDrive and social networks, where the user can choose who can view or comment on each publication, are other examples of the use of DACs and ACLs.

In fact, the flexibility and granularity of this model are an advantage for local implementations centred on individuals. On the other hand, they become problematic for ensuring a correct level of resource protection on a large scale in more complex systems.

Mandatory Access Control (MAC)

The MAC model, which stands for Mandatory Access Control, is the opposite of DAC. Rather than leaving the assignment of rights to the ‘discretion’ of individual users, resource by resource, limiting system-wide visibility and encouraging errors and vulnerabilities, rules are predefined by administrators according to different security classifications and strictly enforced by a central authority, generally represented by the operating system itself.

It is particularly prevalent in government, military and industrial environments, because it allows tight control over access to sensitive data. It uses labels that characterise the sensitivity of objects and users, according to the rules of the organisation concerned:

– A resource classification level, for example: ‘Unclassified’, ‘Restricted’, ‘Confidential’, etc.

– A level of user authorisation, linked to the existing resource classification levels.

Below we describe Multics and SELinux, two fundamental examples of MAC implementation.

MAC example 1: Multics and protection rings

Already mentioned above as a precursor of multi-user systems (also known as ‘time-sharing’ systems), the Multics project, released in 1969, was the source of many innovative features, particularly in its memory management and security. It prefigured MAC even before the formulation of models such as Bell-LaPadula (1973) and its first formal definition set out in the Department of Defense’s Orange Book (1983), which established US computer security standards.

It is based on the concept of rings of protection, which Multics created, as shown by its logo (image above), and which form the basis of MLS – Multi-Level Security – systems, widely used in highly confidential contexts. It consists of a set of concentric rings representing levels of sensitivity that increase the closer you get to the centre (ring 0) – and therefore the privileges required for access. Mechanisms known as guards or gatekeepers, located at the interface between two rings, closely control the legitimacy of access in both directions, which they grant or deny.

In reality, these rings are of two types:

– Kernel protection rings are physical rings built into processors and used by the operating system to guarantee its integrity against faults (which cause the machine to crash) or modifications, whether intentional or not.

– User space rings are logical rings implemented by the operating system. This is where MAC comes in. By means of labels, each user and each resource is attached to a ring level. From there, rules define the actions that can or cannot be taken, following the example of the Bell-LaPadula model, which emphasises data confidentiality: ‘No read up’ (a user cannot read access to layers higher than his own), ‘No write down’ (he cannot write to layers lower than his own, to avoid leaks).

The image below summarises the principle of protection rings.

 MAC example 2: SELinux, the Linux kernel security module

Initially developed by the NSA in 2001, SELinux was proposed and added to the Linux kernel security modules (LSM, Linux Security Modules) in 2003, and is natively integrated into RedHat distributions such as Fedora.

This is another well-known example of MAC implementation: it allows administrators to assign a security context label to each resource in order to classify them and define the security policies to be applied by the operating system. Even with privileged rights, an application will see its rights restricted to the domain it needs to function (for example, the folders specified), with SELinux detecting and preventing any non-compliant action.

SELinux therefore provides an additional layer of protection in the event that a user or process manages to bypass traditional access controls.

In practice, MAC policies are rarely sufficient on their own, but are superimposed on existing DAC rules, whose flexibility they compensate for.

Two models based above all on the identity of the user or process, on the basis of which they authorise or deny access: this is known as Identity-Based Access Control (IBAC). These models are still limited to local contexts and have little resistance to scaling up.

Role-based Access Control (RBAC)

Formulated in 1992 by David FERRAIOLO and Richard KUHN, two engineers from the American NIST, the RBAC model – role-based access model – was designed to simplify the management of permissions throughout an organisation while reflecting its structure as closely as possible (hierarchy, responsibilities, departments, etc.).

Instead of granting rights directly to an identity, as with IBAC, a method that can quickly become difficult to maintain, we design business roles and the associated privileges. Users then inherit the rights associated with their role within the company, enabling them to access the various applications and enterprise sharing systems considered necessary for their internal activities.

This initial conceptual framework was completed and standardised in 2004 with the ANSI INCITS 359-2004 standard, which takes into account practical business cases and scenarios. For example, it addresses the need to separate responsibilities (SoD, Segregation of Duty), which is fundamental in financial and banking institutions, as well as the principle of least privilege and the inheritance of permissions.

Progressive and increasingly centralised adoption of RBAC

From the 80s and 90s onwards, databases, which were widely adopted by large companies and likely to contain sensitive information to which access was naturally controlled, were pioneers in the implementation of the RBAC model. They illustrate its implementation at the level of isolated applications, with no repercussions for external applications or systems.

The 2000s saw the launch of Microsoft’s Active Directory, starting with Windows 2000 Server. This centralised directory is designed to manage all the organisation’s resources (people, physical resources, applications). Although it is not strictly speaking an RBAC tool, a comparison can be made. The allocation of access rights is based on security groups – which can be perceived as roles – with permission inheritance mechanisms and the concepts of domains, trees and forests designed to represent the logical structures of the company.

Modern IAM solutions, such as Okta, SailPoint IIQ and Microsoft AzureAD, now support RBAC for heterogeneous environments, including cloud services. They illustrate the gradual centralisation of access rights management, which was initially managed locally within applications, and is now increasingly delegated to IAM solutions covering the widest possible spectrum.

RBAC assigns rights based on a business role, whereas IBAC is linked to an identity. The layer of abstraction created between the subject’s identity and an individual’s role means that it can be extracted from restricted contexts (file systems for DAC, operating systems for MAC) and adapted (at last!) to the access control needs of organisations. However, they all share the characteristic of a rigid definition of rights, based on an identity or a role.

In entities where exchanges are increasingly dynamic and fluctuating, this abstraction through roles alone may prove insufficient. New models have emerged to represent more complex organisations, taking into account additional, evolving attributes to assess access rights to a higher accuracy at a given time: we are moving from admin-time to run-time.

New approaches to authorisation: Run-time

The increasing complexity of information systems, and therefore of access, has led to the run-time approach. This approach meets organisations’ needs for dynamic flexibility and security. Unlike the ‘admin-time’ era, characterised by static permissions, the ‘run-time’ era offers real-time management at the time of the access request, based on various contextual elements. This transition to more flexible and precise authorisation models enables organisations for adapting to change and better protect their resources against today’s threats.

Graph-Based Access Control (GBAC)

The GBAC (Graph-Based Access Control) or GraphBAC model is based on the use of graphs to represent the relationships between users, roles and resources within an organisation. These 3 types of entities (users, roles, resources) and the relationships between them form the core of this model: entities can be represented by the nodes of the graph, and the relationships between them by the edges.

Access authorisations to a resource are determined in real time by queries to this graph database, enabling access decisions to be made based on the connections between entities at the time of the request. Users can thus obtain access to a resource according to their role and their relationships with other users or resources in the organisation.

The GBAC model is suited to the dynamic environments of large organisations, where relationships between entities are constantly evolving. On the other hand, it can be complex to implement, and the projects involved are relatively long, with significant costs. In addition, the gradual addition of new relationships can make the graph increasingly difficult to manage, complicating internal audit or recertification activities, for example.

Attribute-Based Access Control (ABAC)

In the ABAC (Attribute-Based Access Control) access model, the management of access to a resource is based on the dynamic combination of attributes. These attributes relate to the user requesting access (role, group), the resource requested (type of resource) and the context in which the request is made (time of day, type of network). This approach makes it possible to authorise or deny access flexibly and in real time.

The model was formalised in 2014 in the publication by NIST (SP 800-162) which provides detailed information for its implementation.

4 components are essential to the operation of this model: Policy Enforcement Points (PEPs), Policy Decision Points (PDPs), Policy Administration Points (PAPs) and Policy Information Points (PIPs).

After interception by the PEP, the access request is transmitted to the PDP, which is responsible for making decisions by analysing the access policies managed by the PAP and often accessible from an access policy database. The PIP provides the PDP with additional information on the user or resource from different sources, enabling it to make decisions in line with access rules. For contextual information, the information system can be connected to other tools or sources (IDS, logs, sensors) that enable this information to be collected at the time of an access request.

ABAC is a particularly interesting model in environments where access needs are varied and evolving, as it enables fine, granular management of authorisations, particularly in the context of PAM (Privileged Access Management), concerning access and critical resources.

However, this level of detail and flexibility comes with challenges such as the ongoing review of attributes and the maintenance of policies, which require constant attention to ensure they meet the needs of the business. Over time, the increasing number of attributes and conditions can make it difficult to maintain a clear and functional ABAC architecture, especially in environments undergoing constant transformation.

In current ABAC architectures, PEPs are generally designed to work only with PDPs from the same vendor, using proprietary protocols, with no support for compatibility between different vendors.

Standardizing the way these different PEPs and PDPs interact, in order to improve system interoperability and reduce dependence on a single supplier, is the aim of the OpenID AuthZEN working group.

OpenID AuthZEN: towards improved interoperability

AuthZen is a working group initiative launched in 2023 by the OpenID Foundation to standardize the interactions between PEPs and PDPs, in order to improve interoperability between systems from different suppliers.

This initiative responds to current problems where authorization services (PEPs and PDPs) are often designed to work only with solutions from the same vendor, limiting their interoperability.

AuthZen was launched to develop a standardised protocol that would facilitate integration and communication between PEPs and PDPs, reducing dependency on single vendor solutions and improving overall authorisation security.

To make these interactions more flexible and universal, AuthZen relies on existing architectures and technologies (OPA/Rego, XACML, etc.) to improve deployment, scalability and interoperability. The first two stages of this standardisation with Open ID AuthZen are the implementation of a simple ‘Request/Response’ and ‘Permit/Deny’ type protocols and a multiple decision approach in order to group several authorisation requests into a single request and receive several decisions in return.

The AuthZen think tank includes security players such as 3Edges, Axiomatic and others. It is also open to players who want to develop authorisation systems and make architectures more secure and interoperable.

Prospects for the evolution of authorisation: Event-time

A new approach to the evolution of access systems is event-time. It is defined as an implementation of dynamic authorisation where access rights are adjusted in real time in response to immediate events or changes that occur. Unlike static or attribute-based approaches, event-time is characterised by a continuous evaluation of access rights, to ensure that all access remains compliant with the policies in place within the organisation.

For example, when a user’s status changes (promotion, departure, mobility, etc.), the system automatically adjusts or revokes their access rights. This proactive, event-based adjustment approach is common in information systems monitoring and security incident management.

Event-time is based on the following key concepts:

– Listeners: system components that monitor events in time and analyse important changes (mobility, promotions, departures, etc.) from various sources, in particular HR systems.

– Triggers: actions in response to an event identified by a listener, such as the revocation of access rights on the actual day a user leaves.

– Shared Signals: enabling different systems to share information about events in real time.

– Continuous evaluation: constant checking of access rights to ensure that each action or access remains in compliance with policies.

Frameworks and standards play a key role in implementing event-time by providing a structure for implementing the concepts in systems:

The Shared Signals Framework (SSF) is directly linked to the concept of shared signals, which enables systems via an API to share information about events in real time to ensure consistent access management. The continuous evaluation of this information is supported by CAEP (Continuous Access Evaluation Protocol), a protocol for standardising the writing of status changes. RISC (Risk and Incident Sharing and Coordination) is a generic protocol for standardising the transmission and reception of security incidents between these different systems, thereby enhancing the overall responsiveness of an information system.

Event-time is not based on a specific model such as RBAC or ABAC, but can function as a complementary access management layer to these traditional access systems, making them more dynamic and aligned with real-time situations.

The evolution of authorisation models, from traditional approaches to modern, dynamic methods, reflects the ongoing adaptation of IAM and access systems to the growing and changing needs of organisations.

Admin-time approaches laid the foundations for resource security with models such as DAC and MAC. RBAC introduced structured rights management, which is widely adopted in organisations today due to its relatively simple application.

With the advent of the runtime, access decisions became more refined, based on attributes specific to users, resources and context, as with the ABAC and GBAC models. However, these increasingly sophisticated models have led to the emergence of numerous proprietary solutions, limiting the interoperability of authorisation components and creating a dependency on specific technologies. This has led to the emergence of initiatives such as the AuthZen working group, which is working to develop standards.

The event-time approach provides real-time responsiveness, enabling systems to automatically adjust access in response to specific events. CAEP and the Shared Signals Framework facilitate this dynamic by standardising the exchange of information between systems, thereby strengthening security and compliance.

An overview of these different approaches and their associated models is presented in the timeline below, together with a summary table of the different models discussed.

By combining these different approaches, you can implement more secure, flexible and proactive access management, capable of responding to current and future identity-related challenges. These developments also highlight the importance of adopting adaptive and interoperable authorisation solutions to ensure effective protection of resources while meeting the operational requirements of teams.

These developments raise an essential question about the ability of organisations to anticipate these changes and integrate these new access management dynamics.

Whether you are still using admin-time models, exploring runtime options, or considering moving to event-time management, it is crucial to choose a model that meets your specific needs. It is also very important to anticipate the consequences for the management of this model over time (review of rights, measurement of data quality, review of policies, definition of expected reactions, etc.).  

What type of model do you use? 

Don’t hesitate to contact us to find out more and understand how to apply these authorisation models to your organisation’s context!

Cet article Access management: how is authorisation evolving to meet the challenges and needs of organisations? est apparu en premier sur RiskInsight.

So, despite some success stories and the cardinal role of identity in business transformation, IAM remains a disparaged theme in organizations, synonymous with a “necessary evil” rather than a “key issue” for the company.  

How can we restore IAM’s reputation? How can we explain it better, and give it its rightful place in the enterprise? 

The paradox of identity 

An essential driver of transformation programs… 

This situation is paradoxical as identity plays a fundamental role in current transformation programs, presenting three major assets. 

• It is first of all a pillar of cybersecurity by allowing: 
  • Have a homogeneous knowledge of all users, centralizing essential information such as name, manager, title and many other characteristics specific to each; 
  • Guarantee the uniqueness of individuals through the publication of a single repository; 
  • Control and adapt user access throughout their lifecycle; 
  • Be part of a Zero Trust approach by ensuring that only the right people, with the right level of rights and the right level of authentication access to the appropriate resources. 
• It is also an essential business facilitator, particularly for: 
  • Accelerate cloud service adoption and deployment of new applications through automatic account creation and simplified entitlement (often through an IGA – Identity Governance & Administration tool); 
  • Facilitate the controlled opening of the IS to and towards third parties: partners, suppliers or in case of creation of Joint Ventures; 
  • Improve, thanks to CIAM (Customer Identity and Access Management), the customer relationship and regulatory compliance by simplifying the progressive creation of accounts and compliance with privacy regulations such as the GDPR in France. 
• Finally, efficient identity management is a prerequisite for a state-of-the-art user experience, combining comfort and security requirements: 
  • Seamless and seamless access to all its applications and data, regardless of its access context; 
  • Access rights granted automatically and available on the day of arrival; 
  • A single portal to make and follow up your ad-hoc requests. 
  • Pertinent dashboards and targeted review campaigns to meet regulatory requirements without over-soliciting managers and process owners. 

… but a theme unfairly considered 

Despite the significant advantages it represents, the theme of identity is rarely at the centre of companies’ concerns. It is rather perceived as a necessary evil, or even occupies a place of «ugly duckling». Thus, it is common to note the pitfalls when Identity is insufficiently well managed, and even more common to consider as normal and acquired the benefits it produces. 

Beyond the simple constant, it is necessary to understand the reasons that led to this situation of lack of investment, sponsorship, even recognition. 

First explanation of the paradox: the dispersion of expected gains towards different beneficiaries. Indeed, the IAM is, by nature, very transversal in the company. To succeed, it must embrace a wide range of topics and therefore mobilize many stakeholders. If each of them will see gains; none will stand out enough to bear primary responsibility. For example: 

• The identity makes it possible to simplify the customer relationship, subject of major interest for a marketing/ digital manager, but not the compliance manager. 
• The latter will see identity as a significant advantage in meeting the CAC’s access review requirements. 
• The IT department will expect consistent and automatic management of the allocation of accounts and rights, synonymous with financial gains, particularly in terms of licenses, support, etc.  
• As for the CISO, its priority will be to remove access in the event of departure and the application of the principle of “less rights granted or the early detection of “suspicious” behaviour. 

Second explanation: like any transformation, which is transversal, the launch and success of an identity project is conditioned by essential prerequisites. 

The difficulty and effort required to achieve these prerequisites depend on the context of each company; but the prerequisites themselves are relatively constant and can be articulated around 4 axes: 

• Data quality: both for data consumed by IAM (organizations, structures, identity data from HR…) and for data that IAM must make available (application account identifiers, attributes in applications…).
• In-depth knowledge of end-to-end processes: this is essential to anticipate the impact of future changes on users, but above all to be able to change and harmonize ways of doing things, and not to continue with what already exists “because that’s the way it’s always been done”.
• Mastery of the applications to be connected: it is necessary to mobilize both technical knowledge (technologies used, APIs available…) and functional knowledge (user populations, data model, authorization model…).
• Last but not least, the ability to impose a “normative” IAM framework, to find a compromise and to arbitrate both on the target (operational model, functional framework, attributes and management rules, arrival/mobility/departure processes, standardized connection framework for applications…) and on the trajectory and success indicators (priorities, subdivision…). To put it in a nutshell: “It’s not IAM’s job to heal what has been poorly thought out or what has become inadequate over time“. 

Third and last explanation: a complete identity management is based on several complementary technological bricks. With varied origins and somewhat ambiguous names, it is not always easy for a non-expert in the field to understand precisely the contribution of each of these bricks: 

• IGA – Identity Governance & Administration: Identity Governance 
• IAI – Identity Analytics & Intelligence: Data analysis and control 
• PAM – Privileged Access Management: Privileged Account Management 
• AM – Access Management: Authentication and Access Control 
• CIAM – Customer Identity & Access Management: Client identity management 

What’s more, these names have evolved over time, sometimes legitimately to reflect major developments, sometimes more as a result of publishers wishing to differentiate their value proposition. The emergence of new functionalities (real-time detection, consent management, etc.) and the innovations proposed by software publishers are also changing the lexical field of IAM. 

How to give identity its rightful place in the company? 

To overcome this paradox, the usual avenues (high-level sponsors, more resources, evangelization, etc.) are necessary but often insufficient. More structural transformations are needed. 

Unify the strengths of identity under one banner 

IAM topics have emerged in scattered order in companies, and have matured at very different rates. The result is that, all too often, teams remain isolated. 

It is therefore imperative to bring together all identity-related teams and budgets under a single umbrella. And if, as the saying goes, there’s strength in numbers, the aim is not just to be visible, legitimate and have a say in the organization. 

Synergies abound: 

• Make identity a perennial and recurring topic, at the very least at the level of the CIO CoDIR, and in all company evolutions.
• Define a global value proposition, proposing a unified offering that is more legible for business lines and application managers, who will be able to rely on a single point of contact.
• Be part of a long-term strategy to take advantage of software publishers’ roadmaps, create a continuous improvement approach and prepare for future corporate changes: reorganizations, mergers & acquisitions, new ERP…
• Improve the consistency of IAM services and manage with end-to-end service indicators.
• Guarantee a high level of expertise by enhancing team know-how, building loyalty and offering richer development perceptives. 

This far-reaching transformation can appear delicate and a source of risk for companies with less mature IAM systems. This is why it is possible to initiate it gradually, starting from one of the following axes: 

• Bringing together under a single organization the teams working on the various IAM themes: IGA, IAI, AM, PAM and even CIAM.
• Unify the teams in charge of projects and those in charge of “RUN” in order to offer a “product” approach to each identity service, and to be part of a continuous improvement logic.
• Extend IAM teams’ responsibility for data control, so that they can commit to indicators and, ultimately, to the quality of service provided and perceived. 

On this last point, however, IAM teams cannot assume responsibility for the quality of the company’s data and repositories. They must, however, guarantee the quality of the service rendered, by ensuring both the proper operation of IAM services (the “container”) and the quality of the data manipulated (the “content”). IAM teams must therefore be equipped and organized to supervise, control and alert the quality of data received, as well as the use made of it. 

An advantageous unification but which obligates 

This ambition for unification, which puts IAM in the spotlight, de facto obliges the Identity manager to be exemplary in his role and responsibilities: 

• With regard to customers: have a clear service offering, take into account feedback and realities in the field, define and respect a roadmap of evolutions, provide “meaningful” service quality indicators, i.e. those that make sense in the day-to-day life of the business, promote gains and benefits…
• Regarding other stakeholders in the company (HR, Purchasing, Cybersecurity, Regulatory Compliance, Audit and Control…): communicate, materialize and help to appropriate the Identity value proposition on a day-to-day basis and during structural transformations (reorganizations, acquisitions…), find ways to compromise, show the “win-win” character of process and operational model evolutions, share everyone’s roles and responsibilities, illustrate the impacts in the event of breaches… 
• For its teams: have a robust operating model, balance responsibilities between internal employees and external service providers, build a genuine HR ambition for the medium and long term (validation of expertise, talent management, building career paths, enhancing the value of the IAM channel…). 

Conclusion 

The unification of IAM services is a fundamental trend, and within 3 years a large majority of large companies will have converged towards this model, at least partially. 

This movement is not always the result of a desire to reposition identity within the organization on a long-term basis. It is sometimes imposed by teams to compensate for a lack of resources or expertise, or in the hope of keeping costs down; in such cases, it reinforces the feeling of lack of consideration. 

And yet, there are many opportunities to demonstrate the need for an in-depth rethink of IAM ambition, and to give it its rightful place: technical obsolescence of IAM tools, corporate strategy to switch to Cloud solutions, difficulties in accompanying structuring transformations in the organization, new regulatory requirements, or the results of a simple satisfaction survey among users or application managers…  

Do you dare to seize them? 

Cet article ​​How to give identity its rightful place in the company​  est apparu en premier sur RiskInsight.

Regal digital identity brings together all the information essential to formally authenticate an individual or organization in the digital world. This includes personal identification data, electronic certificates and biometric information. This identity is crucial for securing electronic transactions, facilitating access to online public services and protecting citizens’ rights and privacy.

In France, a program was launched in 2018 to create a high-guarantee digital regal identity. At the same time, France is committed to the introduction of a smart ID card with a chip, which will form the basis of this electronic identification. This authentication mode will be integrated into FranceConnect+ created at the end of 2021, an online identification and authentication service of minimum substantial level.

Examples of use cases depending on the target :

Companies

A potential B2E use case could be re-registration and access recovery. The use of regalian digital identity becomes particularly relevant in companies where employee authentication relies exclusively on FIDO passkeys linked to a device, often their phone. If this device is lost, the employee is unable to authenticate. With regalian digital identity, access recovery is simplified. Employees can use their digital identity to restore their access, then get a new phone and re-enroll their FIDO passkeys. In this way, the re-registration and access recovery process is greatly facilitated, guaranteeing enhanced service continuity.

On the CIAM side, banks could use regalian digital identity to verify the identity of customers when opening online accounts or carrying out sensitive transactions, and thus improve the security level of their service and their KYC (know Your Client) process. Currently in France, customers can use FranceConnect to authenticate themselves with banks such as BNP Paribas when opening online accounts, guaranteeing secure and simplified identity verification. Similarly, e-commerce sites could use the regalian digital identity to enable users to authenticate themselves securely when purchasing products, further enhancing security and reducing the risk of fraud.

In the context of the extended enterprise (a form of organization enabling collaboration between a company, its subsidiaries and its partners), the secure enrolment of partners to access the company’s information systems (IS) is crucial. The challenge is to increase the level of confidence in enrolment, while at the same time making it easier.
The use of the European Identity Wallet or other identity wallet could significantly simplify and secure this process. Partner employees could prove their identity to the company they wish to collaborate with, using their identity wallet. Here’s how it could work:

First of all, for the initial registration employees of partner organizations use their identity wallets to register with the main company’s system. Identity is then verified using electronic certificates and other secure information.
Once registration has been validated, these employees can access the main company’s information systems. The identity wallet enables secure authentication in line with corporate security standards. Or secure enrolment in the company’s local authentication systems.
The identity wallet can also be used to manage and modulate access rights according to the specific roles and needs of partner employees, reducing the risk of over-provisioning and increasing security.

If identity information changes (for example, if an employee changes position or responsibility), access can be updated seamlessly via the identity portfolio, without the need for cumbersome administrative processes.
Imagine a construction company working with various subcontractors on different projects. Subcontractors’ employees can use their identity portfolio to authenticate themselves and access project plans and documents hosted on the main company’s IS. This ensures that only authorized and verified employees have access to sensitive information, and that their access can be quickly modified or revoked if necessary.

Citizens

Regalian digital identities offer citizens numerous advantages, notably by simplifying access to various online services and reinforcing the security of digital transactions. In France, for example, insured persons can use their digital identity via the Ameli service to access their personal space. This enables them to consult their reimbursements, book appointments with healthcare professionals and manage other aspects of their medical cover securely online.

Similarly, for tax purposes, French citizens can use their régalienne digital identity via impots.gouv.fr. This feature facilitates online tax declarations, enabling users to fill in their returns, consult their tax notices and track their payments and refunds simply and securely.

Beyond France, other European countries are also implementing digital identity solutions to improve access to public services. Students, for example, will benefit greatly from the regalian digital identity for their administrative procedures. They will be able to use it to enroll in universities, access their transcripts, and manage their student accounts in a secure and simplified way. What’s more, international students will also be able to use this identity to validate their residency status and access various public and academic services without the hassle of paper procedures.

In Spain, regalian digital identity enables citizens to electronically sign official documents via the FirmaDigital.gob.es service. This solution is used for tasks such as signing rental contracts, submitting administrative documents, and other procedures requiring a legal signature. This makes administrative processes more efficient and secure, eliminating the need for physical signatures and reducing the risk of fraud.

The European Identity Wallet (EUDI)

The European Identity Wallet (EUDI Wallet) is a major initiative by the European Commission to provide EU citizens with a secure, interoperable way of managing their digital identity across borders. Designed to offer a convenient and secure solution, EUDI Wallet will enable citizens to store and share their electronic credentials seamlessly, while preserving their privacy and complying with the EU’s strict data protection standards.
This concept emerges against the backdrop of the increasing digitization of European society and the need to reinforce trust in online transactions. With the diversity of electronic identification systems used across the EU, EUDI Wallet aims to harmonize these systems and facilitate access to cross-border digital services, such as public services, commercial transactions and online interactions with businesses.
The EUDI Wallet will therefore function as a secure digital wallet where citizens can store their identification information such as electronic certificates, biometric data and identity documents. They will be able to use this wallet to authenticate themselves online and access a range of digital services across the European Union.
With the EUDI Wallet, citizens will be able to easily access their healthcare data, such as patient summaries and electronic prescriptions, anywhere in the EU, promoting better continuity of care. In addition, Wallet will enable diplomas and professional qualifications to be securely managed and verified, simplifying the recognition of qualifications and promoting worker mobility. Finally, it will facilitate online transactions by ensuring strong, harmonized authentication, thereby boosting confidence in cross-border e-commerce.

In order to carry out these use cases, the European Commission has defined two main scenarios describing very basically the portfolio’s use flows;

To date, the countries of the European Union have agreed on the content to be included in the European wallet, and have agreed on a global standard for the project, with a target implementation date of 2026. What remains to be done is to finalize the standard, draw up precise technical specifications for it, and develop the technical solutions to be implemented in each European country to ensure compatibility with the established standard.

Conclusion

The introduction of the European Identity Wallet (EUDI Wallet) represents a crucial step towards a more integrated and digitized digital Europe, offering numerous benefits to citizens and businesses across the European Union. In France, the adoption of EUDI Wallet will depend on several key factors. Firstly, the establishment of a robust regulatory framework that complies with data protection standards such as the RGPD will be essential to ensure user confidence and the security of their personal data. In addition, public confidence in the security and reliability of EUDI Wallet will play a decisive role in its widespread adoption. Public awareness and education campaigns on the benefits and security measures of EUDI Wallet could help build this confidence.

However, the most important element for EUDI Wallet will be the rate of adoption by private services. The involvement of private companies is crucial, as they provide a large proportion of the services used daily by citizens. Widespread adoption by the banking, healthcare, education and other private services sectors would ensure wider and regular use of the wallet, making its integration more fluid and natural for users.

The technology is still emerging and not yet mature enough to be implemented immediately. However, given the many potential benefits, it is crucial to follow this technology closely and adopt it as soon as possible. This is particularly true for the banking sector and extended enterprise use cases, where EUDI Wallet could bring significant improvements in security, transaction fluidity and operational efficiency.

Nevertheless, by overcoming these obstacles and taking advantage of the opportunities offered by EUDI Wallet, France could play a leading role in building a more secure, innovative and connected digital Europe for years to come.

Cet article The European identity wallet, the digital identity of the state soon to be in our pockets est apparu en premier sur RiskInsight.

What is the extended enterprise?

The extended enterprise is a group of entities and economic players working together on common projects. Companies have always needed to collaborate by sharing resources and exchanging data. To achieve this, the employees of each of these companies need to be able to interact securely with external users.
These external users can be suppliers, subcontractors, B2B customers, subsidiaries (that do not share the same IS), and so on. Collaboration can take many forms and can be time limited.
Because of this diversity of scenarios, it is neither possible nor relevant to define a single answer to every IAM project for the extended enterprise. The strategy to be adopted by any company wishing to address this issue will depend on its own context and specific use cases.
An extended enterprise IAM strategy can be initiated by answering two key questions: how should IAM governance and delegation be handled with the various partners? And, what type of solution on the market best covers these use cases?

What type of governance?

There are 4 main approaches to IAM governance in the extended enterprise. The choice of one of these approaches will depend mainly on two criteria: the level of IAM maturity of the various stakeholders and the sensitivity of the resources accessed.

Which vendor’s solution?

A number of functionalities clearly distinguish CIAM editor solutions (customer scope) from Workforce IAM solutions (employee scope). These two types of solutions are at opposite ends of the spectrum referring to the criteria analyzed in the diagram below.

Extended enterprise (B2B) use cases can be positioned over a wide range of this spectrum for each criterion, depending on the context. It is therefore difficult to respond to them with traditional workplace IAM or CIAM solutions, however more and more software publishers are offering new dedicated modules to meet these new needs.

What new technologies to facilitate implementation?

One of the key factors in the success of an extended enterprise project is the ability to decentralize IAM processes and mechanisms. The technological advances presented in the table below make it possible to rethink traditional approaches to identity and access management from this angle. They offer more flexible solutions, adapted to the diversity of use cases encountered, thus enabling greater decentralization, particularly with less mature partners, thanks to identity wallets and passkeys:

In this quest for solutions adapted to a wide range of use cases, it is imperative to keep abreast of market developments and constantly assess the relevance of proposed solutions to the specific needs of each context.

Cet article Which IAM for the Extended Enterprise? est apparu en premier sur RiskInsight.

Drawing from its experience in the field of digital identity, Wavestone is publishing its first edition of the CIdO Radar in 2024. This radar follows the same methodology as the CISO Radar published by the firm for the past 10 years and offers an in-depth look at the underlying trends driving the digital identity ecosystem.

In this article, we invite you to explore some impactful and structuring topics for the IAM landscape, with two currently trending  subjects (passwordless and CLM) and moving towards the future topics they foreshadow in the emerging section of the radar (respectively predictive anti-fraud and post-quantum cryptography).

Passwordless, a major evolution not so simple to achieve

For decades, the password has been the central authentication factor for users (and often still is). Passwords have then been complemented into multi-factor authentication strategies to compensate for the inherent weaknesses of this authentication method (low complexity, reuse, phishing risks, etc.). New tools have thus been added to the user authentication process: OTP via SMS or email, push notifications, soft and hard tokens, etc. Despite the increased security level provided by the addition of these new authentication factors, the password remains both a weakness if discovered (it remains reusable on an account without MFA where it is enrolled) and a burden for the user’s experience, as they must remember it and securely store it.

All these reasons have led vendors to imagine secure authentication methods not relying on the use of a password. Eliminating the password allows companies to improve the user experience for their employees, enhance authentication security by reducing the attack surface, and benefit from a positive image in the market. The user finds themselves in an environment where they no longer need to remember a multitude of complex passwords and where they are no longer at risk of having their account stolen through phishing attacks. The use of FIDO2 (Fast Identity Online 2) technology is based on asymmetric cryptography which is currently the most widespread alternative to passwords. This technology is driven by the FIDO Alliance (Google, Microsoft, Amazon, Apple, etc.) and, relies on the use of physical security keys locally storing the private key associated with each service. Ultimately, this  allows a user to log into all their accounts without a password, their login, or email address (simply by using the physical key they possess and a second factor such as biometrics).

However, implementing passwordless authentication comes with significant organizational questions for a structure. How to manage account recovery if this account does not rely on a password? If an employee loses their security key, how can access to their account be restored without being able to use the associated private key? This major issue of “credentials recovery” is inseparable from any passwordless policy and assumes that an organization has anticipated each step of it,  such as: purchasing and distributing authentication media, managing their loss/theft/destruction, obsolete media rotation processes, account backup solutions, double enrolment for critical accounts and management of employee departures, etc.

Passwordless authentication is a trending topic and is being deployed in many organizations. For many, the next step involves establishing fraud detection capabilities before they occur (also called “predictive anti-fraud”).

Predictive anti-fraud, how to prevent fraud before it occurs?

Predictive Anti-Fraud corresponds to proactive monitoring of systems aimed at identifying and stopping fraud before it occurs, rather than relying solely on post analysis of malicious activities that have already happened. These surveillance capabilities are particularly relevant for securing online business activities involving money transfers (such as pooling funds, loyalty accounts, online payments, etc.) in sectors like retail or luxury for instance (as they are often less mature on this subject than banks). We are currently witnessing an increase in phishing attacks aimed at stealing customer account data to misuse their contents (loyalty card fraud, for example, is a real concern for players in the retail sector).

Access management solutions are increasingly capable of detecting fraud patterns and halting illicit activities before completion. All these capabilities rely on machine learning (involving a training phase for the tools) and involve three key stages:

• Detection: Systems can detect behaviours deviating from typical user/customer journeys and as well as sequences of suspicious actions. Detection relies on the customer context (browser used, network, cookies, etc.), the dynamic context (IP address, device used, user behaviour, typing speed, strength of authentication performed, etc.), and the business context (type of requested transaction, amounts, modifications of sensitive information, etc.).
• Analysis: Automatic analysis is conducted with the assignment of a confidence score to the current user profile.
• Response: Response rules are defined to best address alert triggers, with automatic responses for obvious or critical situations (e.g., additional authentication factor, session termination), or manual responses for cases requiring human decision-making.

The main challenge of predictive anti-fraud is the correct  calibration of machine learning tools and their adaptation to the specific business context. Placing too much emphasis on security could cause a disproportionate amount of  negative impact on the service: a high number of false positives affecting user experience and an increase in service complexity and slowdowns (captcha, step-up authentication, significant network consumption, longer processing times). The definition of relevant security and detection rules must be accompanied by a model based on machine learning, as specific as possible to the use case. Given the increasing complexity of attacks, the key to an effective predictive anti-fraud strategy lies in the solutions’ ability to detect and correlate weak signals. For example, some vendors are now capable of detecting fraud attempts during false customer service calls by correlating the users’ actions with whether they are on a phone call.

Certificate Lifecycle Management (CLM), a new market for an old issue

Many companies are currently facing an explosion in the number of electronic certificates within their IT systems. These certificates (and associated cryptographic keys) serve various purposes such as machine-to-machine authentication, user authentication, data signing and encryption, websites security, application micro-services, etc. This increase in the number of electronic certificates significantly increases the workload for the teams in charge of their management. The lifecycle of an electronic certificate includes several stages such as:

1. Requesting the certificate from a PKI (Public Key Infrastructure)
2. Receiving the certificate and associated keys
3. Deploying the certificate within its scope (either as a replacement for an expiring certificate or on a new scope)
4. Decommissioning and revoking the old certificate (if applicable)
5. Continuously monitoring the certificate and its future expiration date
6. Reproducing this process for each certificate before its expiration.

Manual management of tens (or even hundreds) of thousands of electronic certificates poses numerous challenges. This type of management is highly resource-intensive, relies on repetitive tasks, and is prone to human errors. It is not uncommon for certificates to slip through the cracks of teams and go unrenewed, or simply remain undeclared within the IT system (shadow IT). For all these reasons, an organization with a large fleet of electronic certificates should consider adopting a CLM solution.

CLM solutions offer many features to facilitate and ensure the reliability of certificate lifecycle management. Some of these features include:

• Certificate discovery tools, allowing a company to have a comprehensive view of its certificate fleet (even for undeclared certificates).
• The use of protocols automating all certificate-related actions (mentioned above).
• Numerous connectors enabling clients to seamlessly integrate these solutions within their IT systems.
• Governance and rights management modules for certificates.
• Alerting capabilities serving as a safety net for teams.

The “Zero Trust” philosophy, often requiring securing communications between services through mutual authentication using electronic certificates (with the increasingly frequent use of microservices architectures, the explosion of non-human accounts, etc.), tends to increase the number of electronic certificates within organizations. Utilizing dedicated certificate lifecycle management tools rather than manual tracking can reduce certificate-related incidents by 90% and decrease incident processing time by 50%, according to Gartner[2].

For more details on CLM solutions, you can read Wavestone’s article dedicated to this subject here.

The implementation of a CLM solution signifies a step forward in securing infrastructures, but more importantly, it can be leveraged towards crypto agility (the ability to quickly replace or update encryption algorithms or protocols to address evolving threats). Crypto agility is a theme that we should expect to encounter more and more frequently in the medium term, largely due to the development of quantum computers.

And what’s next? Technological challenges ahead, such as post-quantum cryptography

While organizations strive to adopt robust IAM strategies, considering current technological threats is no longer sufficient. The impending topic of quantum computing (even if it seems still a few years away from now) is set to disrupt all our encryption practices, necessitating early anticipation of measures to be implemented for the 2030 decade. The use of quantum computers and their famous qubits (which can simultaneously take on values of 0 or 1) already allows for much more efficient cryptographic calculations than traditional computers.

It is important to note that symmetric cryptography is not as much at risk from quantum threats, and increasing the size of encryption keys will allow this encryption mode to resist quite effectively. However, classic RSA and Elliptic Curve asymmetric cryptography is truly threatened: key exchange, authentication, and digital signature which rely on that classic asymmetric cryptography are already at risk for specific use cases. The Shor’s algorithm could enable a quantum computer to break RSA 2048-based encryption in a matter of hours.

Post-quantum cryptography is currently focusing on solutions to adapt encryption to the future capabilities of quantum computers. ‘Store Now, Decrypt Later’ which means that we can decrypt in 10 years what is captured now, even encrypted, or the capability to modify (in 10 years) the author or the content of a digital signature are risks that should already be considered today, especially with the time needed to handle the migration to post-quantum algorithm. In 2022,  NIST published a list of 4 such encryption algorithms, resistant to quantum computers: CRYSTALS-Kyber for general encryption, CRYSTALS-Dilithium, FALCON, and SPHINCS+ for electronic signature. These algorithm should be confirmed during 2024.

The main current recommendation to ensure the transition to post-quantum encryption is to perform hybrid encryption, i.e., to use both classical and post-quantum encryption algorithms to secure communications. While this issue is not yet at the heart of current IAM challenges, it is important to monitor its evolution, especially since some major vendors are already entering the market and introducing a new term: QCaaS (Quantum Computing as a Service).

Cet article 2024 CIdO Radar est apparu en premier sur RiskInsight.