
A way to an open-source IAM solution

As a fast-growing company with an increasing number of employees and of systems they use for everyday work, we faced the same problem you may be facing right now. Several years ago we researched Identity and Access Management solutions that would be financially acceptable, sustainable and free of burdensome licence fees. We quickly found that commercial IDM solutions were outside an acceptable price range and lacked customization options, so we turned our attention to the open-source solutions on the market. We found the products and, as an IT company, took the integration as a challenge. And we did it! We also found that it is something we are good at and that we really love this work. That is how our story in IDM waters started. Since then we have built a strong team with multiple certifications and implemented many solutions, based on our preferred product set, for companies in various sectors around the world.

To fulfil all kinds of demands for identity and access management, we build our solutions on a set of products that covers the customer environments we meet: Windows and Linux; integration interfaces from SOAP to REST; databases from Oracle to PostgreSQL; and directories from plain LDAP to MS Active Directory. We are able to integrate almost any system thanks to the large number of available connectors, and as a contributor we are ready to create a new connector for your specific needs. All this is achieved with open-source products: midPoint by Evolveum, and Keycloak and FreeIPA by Red Hat.

The strongest proof that our IDM solutions fit anybody is the variety of our clients and their very different environments. We built identity and access management based on Keycloak for the biggest non-profit organization in the world, and we participated in Keycloak customization and application integration for one of the largest banks in the country. We implemented an IDM solution based on midPoint for a small university, another midPoint integration for the biggest mobile telecommunication company in the country, and many more.

Midpoint

midPoint by Evolveum is the heart of each of our comprehensive identity management solutions. This open-source IDM engine provides multiple ways to manage identities and to simplify and automate internal processes with strong regard to security. midPoint has evolved into a scalable product suitable for small deployments as well as for environments with millions of identities. In addition, tens of out-of-the-box connectors help decrease integration time and cost. As an Evolveum partner and contributor, we developed and currently support several connectors, and of course we are ready for any new challenge.

FreeIPA

FreeIPA is a Linux alternative to MS Active Directory, whether you run a Linux-based environment or want to save on MS AD licences. It is an integrated identity and security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (Certificate System). To ease maintenance, it provides a web interface as well as command-line administration tools.

Keycloak

Keycloak provides a complete set of authentication and access management features. It is lightweight yet packed with advanced features such as SSO, user federation, identity brokering, social logins and two-factor authentication, and its login pages are fully customizable to your corporate design.


Authentication lets organizations keep their networks secure by permitting only authenticated users or processes to access protected resources. Authentication is the process of determining whether someone or something is, in fact, who or what it claims to be; several authentication factors can be combined to establish a user's identity. Once the presented credentials have been verified, authorization is the next step: it determines which data or services should be available to that user.

Single Sign-On

With a single sign-on authentication scheme, users log in once and then access multiple independent applications or systems without re-authenticating. This works for applications that can integrate via one of the standardized protocols: OpenID Connect, SAML 2.0, OAuth 2.0, or even LDAP. Note that OAuth 2.0 on its own is an authorization framework; OpenID Connect adds the authentication layer on top of it, and an LDAP integration gives applications shared credentials rather than true single sign-on, since each application still prompts for a login. To limit the exposure of a forgotten session, single sign-out terminates all open sessions with a single action.
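The OpenID Connect authorization-code exchange that sits behind a browser SSO login, as an added example (not code from this page, from Keycloak or from midPoint). The provider and client are small in-process stand-ins; the issuer URL, client id and the shared HS256 demo key are assumptions, and a real identity provider signs ID tokens with an asymmetric key (RS256/ES256) published through its JWKS endpoint. The example shows the three checks that make the flow safe: the PKCE verifier must match the challenge the code was issued against, the code can be redeemed only once, and the relying party validates issuer, audience, nonce and expiry before trusting the ID token.

```python
"""OpenID Connect authorization-code flow with PKCE, simulated in-process.
Constructed example: 'Provider' stands in for Keycloak, 'sso_login' for the
relying party. DEMO_KEY is a shared demo secret (assumption); production IdPs
use RS256/ES256 with keys published via JWKS."""
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://sso.example.com/realms/corp"   # assumed issuer URL
CLIENT_ID = "intranet-portal"                     # assumed client id
DEMO_KEY = b"demo-hs256-key-not-for-production"   # constructed secret

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_pkce_pair():
    """code_verifier is random; code_challenge = BASE64URL(SHA256(verifier)) (S256)."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge

def sign_jwt(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class Provider:
    """Stand-in IdP: issues codes bound to a PKCE challenge and redeems each once."""
    def __init__(self):
        self.codes = {}
        self.sessions = set()

    def authorize(self, client_id, code_challenge, nonce, sub):
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, code_challenge, nonce, sub)
        self.sessions.add(sub)          # the IdP session that SSO reuses
        return code

    def token(self, code, code_verifier, client_id, now=None):
        entry = self.codes.pop(code, None)   # single use: a replayed code fails
        if entry is None:
            raise ValueError("unknown or already-redeemed code")
        cid, challenge, nonce, sub = entry
        if cid != client_id:
            raise ValueError("code issued to a different client")
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != challenge:
            raise ValueError("PKCE verification failed")
        now = now or int(time.time())
        claims = {"iss": ISSUER, "aud": client_id, "sub": sub, "nonce": nonce,
                  "iat": now, "exp": now + 300}
        return sign_jwt(claims, DEMO_KEY)

    def logout(self, sub):
        """Single sign-out: drop the IdP session for this subject."""
        self.sessions.discard(sub)

def validate_id_token(token, expected_nonce, now=None):
    """Checks the relying party must perform before trusting an ID token."""
    header, payload, sig = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    now = now or int(time.time())
    if claims["iss"] != ISSUER:
        raise ValueError("wrong issuer")
    if claims["aud"] != CLIENT_ID:
        raise ValueError("token not issued for this client")
    if claims["nonce"] != expected_nonce:
        raise ValueError("nonce mismatch (replayed token?)")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def sso_login(provider, sub="alice"):
    """Round trip: client creates PKCE pair + nonce, IdP issues a code, client redeems it."""
    verifier, challenge = make_pkce_pair()
    nonce = secrets.token_urlsafe(16)
    code = provider.authorize(CLIENT_ID, challenge, nonce, sub)
    id_token = provider.token(code, verifier, CLIENT_ID)
    return validate_id_token(id_token, nonce), code, verifier
```

The nonce and PKCE checks are what distinguish a secure deployment from one that merely "works": without them a stolen authorization code or a captured ID token can be replayed into a session.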

Password Management

Self-service password management lets users reset passwords and recover their accounts when a password for a target system or application is forgotten. Password synchronization ensures that password changes are propagated and committed across all integrated applications and systems. Progressive IGA vendors offer risk-appropriate identity proofing for account recovery after a forgotten password, and multiple authentication factors for initiating password changes. Keep in mind that synchronizing one password everywhere also means that one compromised credential reaches every integrated system, so the recovery and change flows themselves should require a second factor.

Password policies

Password policies can be configured to meet organizational needs in terms of complexity, reuse (password history) and lifespan. To let new users read their initial password easily, ambiguous characters (such as 0/O and 1/l/I) are usually excluded from the policy used for initial password generation; such a password should be marked for change at first login. A global password policy can be configured so that it does not conflict with any target system's password policy. Every user type can also require a different authentication strength depending on the level of granted permissions. With Keycloak it is easy to protect your network with multi-factor authentication or even to delegate authentication to other identity providers such as social networks, Google or Apple.
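The policy mechanics described above (complexity classes, history, lifespan, and an initial-password generator without ambiguous glyphs) as an added example; this is illustrative code, not midPoint's or Keycloak's own policy engine, and the policy values, the ambiguous-character set and the sample history are assumptions chosen for the demonstration.

```python
"""Password policy checks and initial-password generation.
Constructed example; POLICY values and AMBIGUOUS are assumptions."""
import hashlib, secrets, string
from datetime import date, timedelta

# Glyphs that are easy to misread when an initial password is printed
# or read out over the phone (assumed set).
AMBIGUOUS = set("0O1lI|5S2Z8B")

POLICY = {                  # assumed global policy
    "min_length": 12,
    "classes_required": 3,  # of: lower, upper, digit, symbol
    "history": 5,           # recent passwords that may not be reused
    "max_age_days": 180,
}

def _classes(pw: str) -> int:
    return sum(1 for cls in (string.ascii_lowercase, string.ascii_uppercase,
                             string.digits, string.punctuation)
               if any(c in cls for c in pw))

def _hash(pw: str, salt: bytes) -> bytes:
    # History is kept as salted slow hashes, never as plaintext.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def check_new_password(pw, history, policy=POLICY):
    """Returns the list of violations for a proposed password; [] means accepted.
    'history' is a list of (salt, digest) pairs, oldest first."""
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append("too short")
    if _classes(pw) < policy["classes_required"]:
        problems.append("not enough character classes")
    for salt, digest in history[-policy["history"]:]:
        if _hash(pw, salt) == digest:
            problems.append("reused recent password")
            break
    return problems

def password_expired(last_changed: date, today: date, policy=POLICY) -> bool:
    """Lifespan check applied to the password currently in use."""
    return today - last_changed > timedelta(days=policy["max_age_days"])

def generate_initial_password(length=14, policy=POLICY) -> str:
    """Policy-compliant initial password without ambiguous glyphs.
    Generated with the secrets module; must be flagged for change on first login."""
    alphabet = [c for c in string.ascii_letters + string.digits + "#%&*+-=@"
                if c not in AMBIGUOUS]
    while True:   # reject-and-retry keeps the distribution uniform over the alphabet
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if _classes(pw) >= policy["classes_required"]:
            return pw
```

The generator is the only place where the reduced alphabet is used; user-chosen passwords are validated against the full policy, so removing ambiguous characters from initial passwords does not weaken what users may pick later.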

Access Certification

Another essential capability is organization-wide visibility into the state of access rights across the multitude of devices, systems and applications, including cloud-based applications. Access certification allows process and role owners to initiate on-demand or periodic access reviews, attesting that users hold only the access rights necessary to perform their job functions. Certification campaigns make reviews faster and more accurate by highlighting policy violations and permission conflicts in users' entitlements across multiple applications, so that reviewers can revoke them or approve them as documented exceptions. Certification has commonly been driven by resource or hierarchy requirements, but it is increasingly risk-aware and includes micro-certifications triggered by the risk of an identity lifecycle event (for example a department change). Unlike periodic campaigns, such event-based micro-certifications contribute to an organization's continuous Access Governance.

Authorization is the process of controlling which users may access which resources with which permissions. In larger organizations this can end up as thousands of roles and permissions that are very demanding to keep an eye on. midPoint, with its advanced RBAC model, logging and auditing, significantly helps to manage roles, grant and remove them from users, and remain in control.

Role Management

Role management groups access entitlements according to the access patterns that actually occur, so that they can be administered together and administrative effort is reduced. Roles can be defined at several levels, such as people (business roles), groups, resources and applications. Role governance is a critical capability within broader Access Governance and covers role management as part of the global role lifecycle.

Role Governance

Role governance is the capability to control a role's lifecycle from its inception to its decommissioning. In a typical role-based access control (RBAC) setting, role governance monitors and guards the fundamental processes of the role life cycle. midPoint provides various levels of support for governing each of these role lifecycle states:

1. Role Definition – Defining a role based on the business functions and logically grouping the access entitlements based on the approved prototypes

2. Role Approval – The process of seeking chained consent of the business role owners, including related role analysis and tracking of approvals

3. Role Creation – Monitoring and auditing of tasks related to the implementation of approved roles into production

4. Role Assignment – Execution of policy checks to ensure role assignment is compliant with defined rules together with Segregation of Duties

5. Role Modification – Ensuring that modifications applied to existing roles are approved, tracked, compliant with defined rules, and assessed for the risk they introduce (a change to a role silently changes the access of everyone who holds it)

6. Role Reporting – Using reporting capabilities to identify inefficient roles and approval processes and implement improvements to optimize the role catalogue and its use.

Access Request Management

Self-service provides users with an interface to request access to resources such as enterprise systems, web applications and other resources. Access request management offers a complete, user-friendly, shopping-cart-like approach to searching and requesting access from the available resource catalogue within a configurable approval workflow. It supports searching the system's hierarchy models and simplifies requests to clone another user's access. Access cloning is convenient but copies accumulated entitlements, so cloned requests should still pass the same approval and Segregation of Duties checks as any other request.

Segregation of Duties

Segregation of Duties (SoD) refers to the processes and rules for identifying, tracking, reporting and mitigating SoD policy violations, which otherwise create a substantial risk of internal fraud in an organization. These controls are essential to managing role-based authorizations across applications with complex authorization models. Note, however, that IGA controls identify SoD risks at a coarser granularity (roles and entitlements) than the fine-grained, transaction-level controls found inside complex applications such as ERP systems. Critical capabilities offered as part of SoD controls management include cross-system SoD risk analysis, compliant user provisioning, emergency access management, advanced role management, access certification with SoD analysis, transaction monitoring, and auditing and reporting.
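One worked example covers both the role-governance section above (role hierarchy, assignment-time policy checks) and the cross-system SoD analysis described in this paragraph. It is added here as illustration and is not midPoint's implementation; the roles, the target-system entitlements and the two SoD rules are assumptions. midPoint expresses the same ideas with role inducements and policy rules. The point the code makes is that SoD must be evaluated over *effective* entitlements, after expanding the role hierarchy, and that a business role can be non-compliant by construction, which is what the Role Definition and Role Approval steps are meant to catch.

```python
"""Role hierarchy expansion, cross-system SoD analysis and compliant provisioning.
Constructed example; ROLES and SOD_RULES are assumptions for the demonstration."""
from collections import deque

# role -> (entitlements granted on target systems, roles it induces)
ROLES = {
    "employee":        ({("ad", "Domain Users"), ("mail", "mailbox")}, set()),
    "ap-clerk":        ({("erp", "AP_CREATE_INVOICE")}, {"employee"}),
    "ap-approver":     ({("erp", "AP_APPROVE_INVOICE")}, {"employee"}),
    "payments":        ({("bank", "RELEASE_PAYMENT")}, {"employee"}),
    # Business role that bundles approving invoices and releasing payments:
    # defined by someone who forgot the SoD rules below.
    "finance-manager": (set(), {"ap-approver", "payments"}),
}

# A user may not hold both entitlements of a rule, even across different systems.
SOD_RULES = [
    ("create-and-approve", ("erp", "AP_CREATE_INVOICE"), ("erp", "AP_APPROVE_INVOICE")),
    ("approve-and-pay",    ("erp", "AP_APPROVE_INVOICE"), ("bank", "RELEASE_PAYMENT")),
]

def effective_entitlements(assigned, roles=ROLES):
    """Expand directly assigned roles through the hierarchy (BFS, cycle-safe).
    Returns {entitlement: {roles that contributed it}} so a reviewer sees *why*
    a user holds something, which is what a certification campaign displays."""
    seen, queue, result = set(), deque(assigned), {}
    while queue:
        role = queue.popleft()
        if role in seen:
            continue
        seen.add(role)
        ents, induced = roles[role]
        for e in ents:
            result.setdefault(e, set()).add(role)
        queue.extend(induced)
    return result

def sod_violations(assigned, roles=ROLES, rules=SOD_RULES):
    """Cross-system SoD check over effective (not merely direct) entitlements."""
    ents = effective_entitlements(assigned, roles)
    out = []
    for name, a, b in rules:
        if a in ents and b in ents:
            out.append({"rule": name, "via": sorted(ents[a] | ents[b])})
    return out

def check_assignment(current, new_role, roles=ROLES, rules=SOD_RULES):
    """Compliant provisioning (the 'Role Assignment' step): return only the
    violations that assigning new_role would newly introduce for this user."""
    before = {v["rule"] for v in sod_violations(current, roles, rules)}
    after = sod_violations(set(current) | {new_role}, roles, rules)
    return [v for v in after if v["rule"] not in before]

def role_self_violations(role, roles=ROLES, rules=SOD_RULES):
    """Role Definition / Approval check: a role that violates SoD on its own
    should never reach production."""
    return sod_violations({role}, roles, rules)
```

Assigning `finance-manager` to anyone produces an `approve-and-pay` violation, so the rule check belongs at role definition and approval time as well as at assignment time; checking only at assignment would flood the approver with exceptions for a problem that sits in the role catalogue.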

An identity repository is a critical component of IGA/IAM solutions: it provides the mechanism to manage identities, identity attributes, access entitlements, and other identity-related attributes and references that are distributed across enterprise systems.

Access rights and entitlement data from the individual repositories are collected and correlated as part of the access entitlement management process to determine each user's access across the IT systems. The identity repository thus offers a consolidated view of all identity data.

FreeIPA

In a Linux environment FreeIPA, described above, plays the role of the identity repository: its 389 Directory Server holds the accounts and groups, MIT Kerberos provides authentication for other systems, and both a web interface and command-line tools are available for administration.

LDAP

Lightweight Directory Access Protocol (LDAP) is the standard protocol for accessing directory services; widely used open-source servers such as OpenLDAP and 389 Directory Server implement it and are commonly used to store user information. Directories are optimized for fast reads and provide a solid set of services for the corporate environment. An LDAP directory can also serve as an authentication service, either via a simple bind with username and password (which must run over TLS, since a simple bind sends the password in clear text) or via SASL with a secondary service such as Kerberos.

Active Directory

Active Directory is a directory database and a set of services provided by Microsoft. It holds critical information about the organization's network: users, computers, organizational units and the permissions granted to individual users. Active Directory performs authentication and authorization in a Windows domain network. For each user, the directory stores attributes, credentials, organizational assignments and access entitlements, which means that reliable synchronization between the provisioning engine and the directory is critical.

Identity lifecycle management provides the processes and mechanisms for creating, modifying and deleting user identities and the associated account information across target systems and applications. These processes support Joiners, Movers and Leavers (JML) and handle identity-related events either automatically, through the extensive set of available connectors for provisioning and de-provisioning, or through workflows where manual intervention is required. Managing user accounts and access entitlements across many enterprise IT systems, including cloud-based applications, is an increasingly important requirement of this capability.
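A reconciliation pass that turns an authoritative HR feed into Joiner, Mover and Leaver actions against one target system, as an added example (not midPoint's synchronization engine or any connector's code). The HR records, the target accounts, the correlation attribute (`emp_id`) and the outbound attribute mapping are constructed for the demonstration. Two details matter in practice and are shown here: the login is set only on account creation (renaming a login when a surname changes breaks everything that references it), and an account with no owner in HR is flagged for review rather than deleted automatically.

```python
"""Joiner/Mover/Leaver reconciliation between an authoritative source and a target.
Constructed example: HR, TARGET, CREATE_ONLY and the mapping are assumptions."""

# Constructed HR feed (authoritative source); status: active / terminated
HR = [
    {"emp_id": "1001", "given": "Alice", "family": "Novak",   "dept": "finance", "status": "active"},
    {"emp_id": "1002", "given": "Bob",   "family": "Horak",   "dept": "sales",   "status": "active"},
    {"emp_id": "1003", "given": "Carol", "family": "Svoboda", "dept": "it",      "status": "terminated"},
]

# Constructed target-system accounts, keyed by the correlation attribute emp_id.
TARGET = {
    "1002": {"login": "bhorak",     "ou": "finance", "disabled": False},  # mover: dept changed
    "1003": {"login": "csvoboda",   "ou": "it",      "disabled": False},  # leaver still enabled
    "9999": {"login": "svc-backup", "ou": "it",      "disabled": False},  # no owner in HR
}

# Attributes computed once at creation and never overwritten on modify.
CREATE_ONLY = {"login"}

def mapping(rec):
    """Outbound attribute mapping HR record -> desired target account state."""
    return {
        "login": (rec["given"][0] + rec["family"]).lower(),
        "ou": rec["dept"],
        "disabled": False,
    }

def reconcile(hr=HR, target=TARGET):
    """Return the list of provisioning actions needed to bring 'target' in line
    with 'hr'. Actions are tuples: ('create', id, attrs), ('modify', id, delta),
    ('disable', id) for leavers and ('orphan', id) for unmatched accounts."""
    actions, seen = [], set()
    for rec in hr:
        key = rec["emp_id"]
        seen.add(key)
        acct = target.get(key)
        if rec["status"] == "terminated":
            # Leaver: de-provision by disabling; deletion, if ever, is a later step.
            if acct is not None and not acct["disabled"]:
                actions.append(("disable", key))
            continue
        wanted = mapping(rec)
        if acct is None:
            actions.append(("create", key, wanted))                       # joiner
        else:
            delta = {k: v for k, v in wanted.items()
                     if k not in CREATE_ONLY and acct.get(k) != v}
            if delta:
                actions.append(("modify", key, delta))                    # mover
    for key in target:
        if key not in seen:
            # Unmatched account: surface it for human review, never auto-delete.
            actions.append(("orphan", key))
    return actions

def apply(actions, target):
    """Apply the computed actions to an in-memory copy of the target; a real
    connector would perform the equivalent LDAP/REST/SQL operations."""
    state = {k: dict(v) for k, v in target.items()}
    for act in actions:
        if act[0] == "create":
            state[act[1]] = dict(act[2])
        elif act[0] == "modify":
            state[act[1]].update(act[2])
        elif act[0] == "disable":
            state[act[1]]["disabled"] = True
    return state
```

Running `reconcile()` twice, with `apply()` in between, should yield nothing but the `orphan` notice on the second pass; that idempotence is the property to test on any connector before trusting it with scheduled synchronization.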

Policy and Workflow Management

Policy management provides the mechanism for rule-based decision-making on identity lifecycle events such as account termination, role modification, exceptional approval, delegation of access rights, and segregation of duties. Policies are enforced either directly, triggered by lifecycle events, or through the associated workflows. Workflow management is concerned with defining the actions that must be executed to process an event or reach a decision, including orchestrating the tasks involved in the end-to-end decision-making process to meet business requirements. Workflow management allows easy customization for common business scenarios such as approval delegation and escalation.


As verified with our clients, with our set of tools we are able to fulfil any business requirement and integrate into corporate, university or government environments. Tens of ready-to-use midPoint connectors are currently available on Evolveum's pages. Some are built into midPoint, such as LDAP, Active Directory or CSV; others are developed by partners and are free to use. As a contributor of midPoint connectors, we are prepared to create a new connector for systems in your environment that expose different APIs. With such custom connectors, midPoint can integrate the systems labelled Legacy Apps in our scheme.

If your environment is built on Microsoft services and Active Directory is the main user data store, midPoint is ready for that. Outbound communication from midPoint to Active Directory can be established to provision changes originating in source systems. In some cases Active Directory or Office 365 is where users manage their passwords; for that scenario we have developed a Password Agent for MS Active Directory that delivers a changed password to midPoint, which then distributes it to all integrated systems. Everything mentioned above works by analogy if your environment is built on Linux servers, thanks to FreeIPA by Red Hat, a full-featured alternative to MS Active Directory for Linux. Both MS Active Directory and FreeIPA provide the LDAP and Kerberos protocols as authentication mechanisms for other systems.

To enable modern single sign-on within the organization, Keycloak by Red Hat comes in handy. It supports the standardized authentication protocols OIDC, OAuth 2.0 and SAML, so other systems that speak these protocols can integrate seamlessly and give users the advantages of SSO. It also provides a full set of authentication features to boost the security of your organization, such as user federation, identity brokering, social logins and two-factor authentication, and its design is fully customizable. To take security further, all critical systems can be hidden from the outside world with Keycloak as the single exposed point where users manage their accounts and change their passwords; being the only exposed component, Keycloak must then be kept patched, protected with multi-factor authentication and brute-force detection, and monitored. Changed passwords are distributed back to midPoint and on to all integrated systems in the organization.
