All applications that process business transactions or business information require some kind of access control. It grants authorised users access to the information and issues them the relevant authorisations. It should not be possible for every member of an organisation to make payments or to read confidential information.
Access control is closely linked to the objectives of the individual application and is therefore designed together with it. Only the application designer knows which operations or resources are critical and which users they are reserved for.
How is access control implemented?
There are many access control paradigms (MAC, DAC), but the best known is RBAC (Role Based Access Control), introduced by D.F. Ferraiolo and D.R. Kuhn in 1992. Here is an overview of the different concepts.
Under RBAC, the access rights of an application are divided into logical groups (application roles). These roles are then assigned to the groups of the respective users.
The application designer decides which application privileges these roles receive. This is the basis of what the sector calls the “Application Security Model”.
In earlier client-server applications, the entire security model was implemented within the application itself, backed by a database. The database listed the users in one table; another table defined the groups as simple lists of users. Groups often had the same names as the roles, and the two terms were frequently confused with each other.
Identity and Access Management systems (IAMs) were then established which managed user groups directly. They also assigned the application roles to the user groups, while the “privileges” remained listed in the application.
This simple concept is widespread, and many organisations use it today: the application designer defines the roles, the IAM system maintains the membership of the group with the same name, and the application itself takes care of everything else.
Access control – adapting to today’s digital requirements
Nowadays, however, this system causes various problems, above all in the management of the groups. What works for a few hundred employees becomes problematic for millions of users on the Internet. Furthermore, it is based on user lists, which means the application needs access to the database that stores them. This becomes an obstacle when the users belong to a particular company but the application is hosted by an external service provider.
These and other aspects motivated us to find a solution. After two years of development we are proud to present: SecuRole®.
SecuRole® represents application roles through digital tokens instead of group membership. This allows the assignments to scale, and we digitally sign each token to protect the assignment against tampering. A token can carry a large amount of information: in addition to the role name, it stores a validity date, an extra field available to the application, and other information useful for auditing. And last, but not least: a token can be embedded in an SSO token, which is sent over a secure channel during the user session to the application and the service provider. This means we are “cloud ready”.
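The token-based assignment described above, as an added illustration that is not SecuRole's own format or code: the issuer (IAM) signs each role assignment carrying a role name, validity date and an extra field, and the application checks signature and validity instead of consulting a group list. The key, claim names and sample values are constructed for the demo.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timezone

# Constructed demo key; a real issuer would sign with a private key and hand the
# application only the public key, so the application cannot mint tokens itself.
DEMO_SIGNING_KEY = b"demo-key-not-for-production"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_role_token(key, user, role, valid_until, extra=""):
    """IAM side: sign one role assignment so it can travel with the user's session."""
    payload = {"sub": user, "role": role, "exp": valid_until, "ext": extra}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def verify_role_token(key, token, now):
    """Application side: accept the role only if signature and validity hold.
    Returns the payload, or None on any failure; no user or group table is consulted."""
    body, _, sig = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # payload altered, or token not from the trusted issuer
    payload = json.loads(_unb64(body))
    if datetime.fromisoformat(payload["exp"]) <= now:
        return None  # assignment has expired
    return payload

def has_role(key, tokens, role, now):
    """Authorisation check: any valid token carrying the role grants it."""
    return any(p is not None and p["role"] == role
               for p in (verify_role_token(key, t, now) for t in tokens))

def demo():
    """Constructed walk-through: a valid, an expired and an altered token."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    k, role = DEMO_SIGNING_KEY, "payments.approve"
    good = issue_role_token(k, "alice", role, "2025-12-31T00:00:00+00:00", "cost-centre 42")
    expired = issue_role_token(k, "alice", role, "2024-12-31T00:00:00+00:00")
    body, sig = good.split(".")
    altered = _b64(_unb64(body).replace(b"approve", b"admin")) + "." + sig
    return {"good": has_role(k, [good], role, now),
            "expired": has_role(k, [expired], role, now),
            "altered": has_role(k, [altered], "payments.admin", now),
            "other_role": has_role(k, [good], "reports.read", now)}
```

Only the signed, unexpired token for the requested role is accepted; the altered one fails the signature check even though its payload still parses.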
Innovative access control – future-proof and up-to-date
Looking to update the access control for your applications? While reducing your implementation costs at the same time? And making yourself cloud-compatible? Or maybe you’re looking for simple access rights management solutions that can keep up with today’s compliance and security requirements? Then contact us now!
Syntlogo provides first-class advice – and an efficient and innovative access control solution. We implement this quickly and simply in your existing environments. It meets all requirements and is in full compliance with the new General Data Protection Regulation. Simple, secure and compliant!