Depending on the type of information, the need for protection varies. In some cases, the information may be public, and anyone should have access to it. Does this mean the information doesn't need protection? Of course not. We want everyone to be able to read our company's website, but certainly not alter it. Other information may be highly sensitive and should only be made available to authorized personnel.
Some systems and services have built-in support to ensure that only the right individuals can access the information. Often, these services only support a specific method, and additional costs arise for the purchase of items like SITHS cards or similar. At times, the service lacks sufficiently strong authentication to be legally used for sensitive information.
More commonly, the system or service relies on users being verified by other means, typically under the control of the information owner (the customer). In practice, this often means that the service provider relies on the customer's authentication service, an arrangement known as federation. There are several advantages to this. The customer can use the same login methods for multiple systems. The customer can set up access to multiple systems via a single login, known as single sign-on. The management of accounts and login methods is in the hands of the customer rather than the provider.
It is important to tailor the level of trust to specific needs. Depending on usage and formal requirements, the level of trust must vary. Information security classification should also be considered, and internal requirements should be established to meet the needs. In summary, it's about balancing security, user experience, and available resources to verify user identity with sufficient security.
You need an IdP (identity provider), which can be purchased as a service or set up internally. It must support the necessary login methods and may need to participate in federations such as Skolfederation, SAMBI, and others. On the technical side, it should support SAML, OpenID Connect, VPN, and proxying to handle various systems and requirements.
Read the monthly report from Gartner “Identity-First Security Maximizes Cybersecurity Effectiveness” and see why Identity-first security is recognized as the foundational element of an organization’s cyber security strategy.