Increased exposure to the Internet with the advent of Cloud services accessible to all, the broadening of application access to persons outside the company (partners and customers for example), the deployment of modern application architectures based on APIs and microservices, the digitalization of banking services and the new DSP2 directives... all challenges to the security of logical accesses.
Improved user experience and security
User experience and security are often antagonistic: improving one usually comes at the expense of the other. However, modern Access Management solutions have several features that improve both at the same time:
- Single Sign-On (SSO):
one authentication to access all applications: this is the promise of SSO. It can be implemented in several ways (e-SSO, Web SSO, identity federation with SAML2, OpenID Connect, WS-*, etc.), and these approaches can be combined to meet different needs. By reducing the number of passwords, an SSO deployment strengthens access security while improving the user experience.
- Identity federation:
besides being a building block of SSO, identity federation is also used to control authentication and access to the company's SaaS services (OAuth). Authentication to these services is delegated to the Access Management solution, which guarantees that the security rules required to authorize access to the requested service are applied.
- Self-service passwords:
users who have lost or forgotten their password can recover it without time-consuming assistance from the support team. This feature also allows a password policy to be enforced, reinforcing access security.
- Password-free authentication:
provides users with stronger authentication methods (certificates, biometrics, etc.) that offer a better level of security while making the user experience smoother.
- Multi-factor authentication:
reinforces security during authentication by requiring a second factor (OTP by SMS, push notification to a mobile application, FIDO2 key, etc.), thereby guaranteeing the validity of the authentication provided by the user.
- Adaptive authentication:
defines a risk-based access strategy that requires a more or less reinforced level of authentication from the user (second factor, certificate, etc.) depending on the estimated risk of the requested access. This risk can be derived from metrics such as the network origin of the request, its geographical origin, the type of device used for access, the criticality of the resource accessed, and the time and date of the request.
Secure access to micro-services and API back-ends
Modern application architectures rely heavily on APIs and microservices. These endpoints, which expose critical data, must be secured.
The deployment of an authorization server enables these endpoints to be secured using the Identity Federation protocol OpenID Connect (OIDC) and/or the authorization protocol OAuth2.
The integration of the authorization server can be done at the level of an API portal and/or directly at the endpoint level.
The use of standard protocols guarantees the compatibility of the solution with the development frameworks and products available on the market.
Compliance with DSP2 Directive
Under the impetus of the DSP2 directive, the security and interoperability of online banking services are undergoing major change: SMS OTPs are no longer considered sufficiently secure for this type of operation.
The validation of a transaction is subject to several requirements: complete presentation of the information related to the transaction, explicit consent given by the user, and strong authentication of the user.
In addition, the use of banking data by an online service (merchant site, account aggregator, etc.) is subject to the consent the user gives to their bank. Management of these consents (collection, consultation, revocation, etc.) must be provided by the bank to its customers.
Finally, it goes without saying that access to exposed banking services for partner sites must be strongly controlled to guarantee the security of exposed banking data.
Through standard protocols (OpenID Connect and OAuth2), multi-factor authentication and consent management features, Access Management solutions address all of these issues.
Zero Trust Strategy
Nomadism and teleworking, increasingly frequent in the corporate world, the widespread use of Cloud services, and the broadening of access to certain resources to partners (B2B, B2C, facilities managers, etc.) are undermining system security. In such a context, access is never totally trustworthy. A "Zero Trust" strategy ensures that, whatever the context in which the user attempts to access a resource, the validity of this request has been verified through an adapted and reliable authentication process.
Access Management at Synetis
- Over 30 Consultants dedicated to Access Management with an average experience of more than 5 years in cybersecurity.
- Over 6 active partnerships with major market players (Ilex International, InWebo, Okta, Ping Identity, Wallix / Trustelem, Yubico) and real expertise with other software vendors such as ForgeRock, Microsoft, OneLogin, etc.
- Over 20 software vendor certifications acquired
- Over 65 projects in progress (as of August 1, 2020), including over 40 new projects in 2020, of all sizes (from 10 days to more than 250 days) and of all types (scoping, audit, integration, TPM, CDS), with a contractual commitment to results (fixed price) or to means (management).