Access – Smooth and easy permission to information

We all need to access systems, either to share information or to reach information that someone else provides. This brings several challenges: partly making the information available at all, but above all making it available only to those who are entitled to access it.

Do you have sufficient protection?

Information is typically made available through systems or services, and providers often have good and purposeful features for presenting and processing information. However, the need for protection varies with different types of information. Sometimes, systems and services have built-in protection that is sufficient, while other times it may be inadequate.

Protection and security for various types of information

Depending on the type of information, the need for protection varies. In some cases, the information may be public, and anyone should have access to it. Does this mean the information doesn't need protection? Of course not. We want everyone to be able to read our company's website, but certainly not alter it. Other information may be highly sensitive and should only be made available to authorized personnel.

Choosing systems and services for secure information sharing

Some systems and services have built-in support to ensure that only the right individuals can access the information. Often, these services only support a specific method, and additional costs arise for the purchase of items like SITHS cards or similar. At times, the service lacks sufficiently strong authentication to be legally used for sensitive information.

Federation: An effective security model for information sharing

More commonly, the system or service relies on users being verified by other means, typically under the control of the information owner (the customer). In practice, this often means that the service provider relies on the customer's authentication service, an arrangement known as federation. There are several advantages to this. The customer can use the same login methods for multiple systems. The customer can set up access to multiple systems via a single login, known as single sign-on. The management of accounts and login methods is in the hands of the customer rather than the provider.

Information security classification

What is needed?

The laws that pertain to your business and the information in question

The specific industry regulations, if they exist

The requirements that your customers place on you

Your own principles regarding the information

Information is often subject to legal requirements such as GDPR and NIS/NIS2, as well as other industry-specific regulations. Even if specific legal requirements are absent, there are often commercial or other needs to protect one's information.
ID North

Why "One Size Fits All" doesn't work

It is important to tailor the level of trust to specific needs. Depending on usage and formal requirements, the level of trust must vary. Information security classification should also be considered, and internal requirements should be established to meet the needs. In summary, it's about balancing security, user experience, and available resources to verify user identity with sufficient security.

The Digitalization Authority has defined three levels of trust

Some trust, such as EduID from Sunet.

High trust, such as BankID and Freja.

Very high trust, such as EFOS and Swedish Pass.

More information is available at "Trust Levels for e-Authentication | Digg."

If there are no specific legal or industry requirements for trust levels, you can determine which type of authentication to use on your own. This can range from passwords to multi-factor solutions such as service cards, mobile apps, various hardware keys like YubiKey, and more.

Choosing an identity credential issuer and its requirements

You need an IdP (identity provider, that is, an identity credential issuer), which can be purchased as a service or set up internally. It must support the necessary login methods and may need to participate in federations such as Skolfederation, SAMBI, and others. Its technical support should include SAML, OpenID Connect, VPN, and proxying to handle various systems and requirements.

Login service/credential issuer (IdP)

How do you proceed?

1. Classify information

2. Purchase an IdP based on your needs

3. Configure the IdP to handle logins per information category in accordance with the classification

We have extensive experience in both public and private sectors. One of the areas we operate in is ensuring that information can be accessed, but only by those who should have access to it.
Contact us

We assist in all steps from planning to installation, configuration, operation, and support of the login service.

Our offices

Stockholm
Vasagatan 23
111 20 Stockholm

Helsinki
Ilmalantori 4,
00240 Helsinki, Finland

Borås
Nils Jakobsonsgatan 5D
504 30 Borås

Gothenburg
Kobbegårdsvägen 7
436 34 Askim

Post address

ID North AB
Vasagatan 23
111 20 Stockholm

E-mail

Say 👋🏼
info@id-north.com

Call us

Sweden
+468-54520044

Finland
+358405703636

Denmark
+4531512484


