Simplified and secure identity management: the keystone of your zero trust strategy

How to secure the access of an employee working from home who uses a computer not controlled by the company, and who has access to your internal resources?

With working form home employees accessing their applications located inside the company network, the usual protection offered by the company’s internal network (FireWall, VPNVirtual Private Network. VPN is a technology that simulates a local area network between two trusted networks. In practice this allows two elements (workstations, servers, printers, etc.) to communicate with... More) is no longer sufficient.

At the same time, how to secure access to applications for a group of employees whose rights are suddenly modified after a major change in the context (e.g., health crisis)?

These employees must quickly benefit from their new rights and access to applications/resources, but no longer necessarily benefit from their old access. This must be done in an extremely short timeframe, as the context requires a real reactivity.

The challenge of IAM: giving the right access to the right person at the right time

Strict identity and (digital) rights management offers you protection against this diversity of use cases without compromising security. The key is to give the right permissions to the right person at the right time. Nothing more, nothing less.

This is one of the two major challenges of IAM (Identity & Access Management): giving the appropriate permission to the right person at the right time (Identity Management) by managing its life cycle, managing the authentication (Access Management) of this person (recognizing the person who comes to the access portal thanks to his or her credentials, to a multi-factor mechanism such as biometrics or to a federation mechanism).

Gartner positions IAM as the new security perimeter. This perimeter must now be managed at a logical level: at the level of “people” and the “applications” they use, and in a more precise, granular way, both in space and time. The management of identities and associated rights/authorizations is the first link in the zero trust security chain. Before people access your network, which has become much more open with working form home and the rise of the cloud, even before they authenticate, you take control of what the user has access to. You can react calmly in the context of exceptional events: you modify rights in an organized and rigorous manner because you have full control over the perimeter to which the users concerned have access.

This is the strength of an IAM software product or cloud service that allows you to:

– Trace the rights assigned as well as their origin. In other words, you track who assigned a user the right to access a specific application. There is no room for uncertainty.

– Define rights very precisely. You define user groups in a flexible way, considering their grades, their context, their contracts, etc. You use the multiple filters that suit you, define the authorization rules, and provision the rights obtained in the applications.

Thus, a department manager has access to the applications of his department and not to those of another department. In a specific application, the user has access to the applications in his perimeter: a salesperson can have access to the business in his assigned region and not in the other regions.

This is possible because advanced IAM solutions allow you to define the roles of each user, the structure, the context and to determine the rights according to the authorization rules. That’s what we’re going to see now.

The OrBAC model: simplified and secure identity management

Definition of roles

Let’s take the case of the nurse role for example. Let’s consider that all nurses have access to a daily patient visit tracking software. Nurses have this same permission whether they move from the cardiology department to the emergency department: their role does not change, regardless of the organization. This way of assigning rights, based on the RBAC (Role-Based Access Control) model, allows to manage rights independently from the organization. 

Definition of the organization of entities and the associated structures (ORBAC)

In an ORBAC (Organization Based Access Control) model, the structures and organization of the entities will be defined and will be used to calculate rights. 

Thus, the administrator can easily take into account that a cardiology nurse from the HC1 (hospital center) does not necessarily have the same rights as a cardiology nurse from the HC2, even though both hospital centers are part of the same hospital group. 

The administrator can also take into account that a cardiology nurse has a nursing role but also has specific access to cardiology applications. Thus, when she moves to the oncology department, she keeps the rights related to her role (she would keep access to the application that allows her to clock in and out of daily patient visits), loses her rights related to her original department (access to cardiology applications), and gains the rights related to the new structure (access to oncology applications). The strength of a solution based on the OrBAC model is that the administrator does not need to define 2 roles: an oncology nurse and a cardiology nurse, as is necessary when the IAM solution is only based on the RBAC (Role-Based Access Control) model. In Orbac, the administrator defines the nurse role and assigns access rights to the cardiology applications to the cardiology department. Then everyone in the cardiology department has access to cardiology applications. This extreme efficiency allows you to assign rights easily. When you open a new division or a new service (emergency opening of a COVID service), the administrator distributes the rights rigorously without having to recreate a large number of roles, which are a source of errors.

Definition of a context

The notion of context allows us to refine rights according to the circumstances.

If a hospital is undergoing an emergency plan, or if a community is undergoing an emergency, rights are adapted according to the context and do not correspond exactly to those of the usual context. However, thanks to this approach, your rights continue to be rigorously managed. 

Definition of authorization rules 

Once all the previous steps have been completed, the administrator will attach authorization rules to each identity, a role, a structure, an organization. After calculating the rights, a rights model is generated. Thus, a person will be a “simple” nurse at the HC1 and a general nurse at the HC2 of the same Hospital Group.

IAM products based on the OrBac model, such as Systancia Identity, allow for highly agile management of rights and authorizations, allowing you to significantly increase the security level of your information system in a way that is transparent to the end user, who also benefits from a better access experience.

#IAM