USE CASE
Improved Organisational Security
A role-based Identity and Access Management system that aligns with the 'least privilege' concept and is at the heart of a zero-trust architecture.
How Do You Migrate to a Future-Oriented Security Approach?
Traditional organisational security is based on well-defined security perimeters. The full focus is on ensuring good security when it comes to corporate network access, but once access is granted, it is assumed that connected users and devices are trustworthy. Now that remote working is becoming more common and not only staff but also contractors, customers and partners need to have access, a fundamentally different security approach is required.
Identity-Driven Security, With Zero-Trust as the Starting Point
HelloID organises the issuance, management and use of all user accounts and their associated access rights from a single system. This lays the foundation for an identity-based security model in which every user is authenticated for each session and gains access to applications and data solely on a ‘need to know’ basis.
Identity-based and role-based security
- User accounts are assigned and managed based on information from source systems such as the HR system.
- When employment is terminated, accounts are automatically cleaned up. No more risk of data breaches due to ‘forgotten’ accounts.
- Access rights are granted and managed based on an individual’s user role, with all access being strictly on a ‘need to know’ basis.
- Access rights are always up to date. Role changes automatically lead to adjustments in rights.
- Secure request process for additional (non-standard) access rights. With automated approval processes and – preferably – temporary validity.
Flexible access security
- In combination with – for example – Active Directory, we establish a flexible framework for additional authentication and authorisation functions.
- Comprehensive Multi-Factor Authentication (MFA) for additional verification. Various standards, authenticators and tokens are supported.
- Role-based access rights can be refined based on context-driven factors such as time, location, network access and/or device type.
- Support for various user groups. In addition to employees, access can also be granted to, for example, contractors, clients and partners.
Fully auditable solution
- Attempts to access systems and data are centrally logged and can be quickly analysed for the purpose of reporting and audits.
- Reports listing all granted access rights, which can be grouped based on users (or user groups), departments, roles, etc.
- Reports of rights requests, including information regarding applicants and evaluators.
Features
How We Establish a Zero-Trust Ready Identity and Access Management System
7 steps that can each be configured using low-code or no-code solutions
- Source system: Integration of HelloID with source systems such as HR, SIS and/or scheduling systems. This way, changes in the source data are automatically available in HelloID.
- People: Conversion of data about people/roles from source systems to a common representation within HelloID using an ‘identity vault’.
- Business rules: Determining rules that determine which roles are granted which types of accounts and access rights, and under what conditions.
- Target systems: Linking HelloID to on-premises and/or cloud-based applications. This can be executed step by step per application.
- Service processes: Automating processes, including online approval flows and activation in target systems. This can be carried out step by step for each process.
- Access management: Set up access procedures, such as Single Sign-On (SSO) and Multi-Factor Authentication (MFA), in conjunction with — for example — Active Directory.
- Reporting and auditing: Configuring standard and client-specific reports and monitoring functions for analysis and audits.
Frequently Asked Questions
Traditional IT security is likened to a castle: usually there have been heavy investments in network security – the digital walls and moat – but once users and devices have entered the network, they are trusted. Now that people are working remotely and in the cloud more often, such traditional access security is no longer viable or sufficient. IT applications must be accessible at all times, through various networks and devices, and not just to employees but also to contractors, clients and partners. Modern IT security should be based on the principle that we never blindly trust anyone. At the start of every user session, the question is who is requesting access, what their role is and what access rights are necessary. This means that the identity of the user is the focal point, making IAM solutions key in such zero-trust architectures.
The ‘least privilege’ principle means that access rights are granted on a ‘need to know’ basis. This means a person only receives the rights that are necessary to perform their work. These rights are determined based on a person’s role. The so-called Role-Based Access Control is the method we use to ensure alignment with the ‘least privilege’ concept.
HelloID organises the issuance, management and use of all user accounts and associated access rights from one central system. User accounts are automatically created and managed based on source data such as the HR system. When a person’s employment is terminated, their accounts and rights are automatically revoked, thereby significantly reducing the risk of data breaches due to ‘forgotten’ accounts.
HelloID’s MFA offers a high degree of flexibility. It supports various standards, authenticators and tokens, allowing organisations to tailor their MFA solution to their specific needs and risk profile. Additionally, MFA security can be further refined with contextual factors such as time, location, network access and device type, allowing for a layered security approach.
RBAC ensures that there is a clear and definitive link between a person’s role and the rights needed to perform that role effectively. Thanks to RBAC, there is no ambiguity regarding which rights someone does or does not require, which helps prevent mistakes.
RBAC (Role Based Access Control) is a system that determines a user’s access rights based on their role. For instance, an accountant at a healthcare institution gets standard access to the financial system but not to the Electronic Patient Record (EPR). Within HelloID, we implement RBAC with the help of business rules. These are adjustable rules that organisations put in place in order to set up the RBAC framework. These rules are not limited to purely determining which access rights fit which user roles. Business rules can also define the context of access rights in more detail. An employee and their manager may both have access to the same system but perhaps the employee, for example, only has access during working hours while the manager gets 24/7 access. This is specified in a business rule.