Access Management

Controlling access to systems, applications and information plays a major role in the security of our digital services and life. Because of the large amount of people and things that need access and the ever increasing access gain, control of this access becomes more important.

Looking for a new solution? Transition from your existing environment to a new technology stack? The structure of your AM management organisation? Please contact one of the Red5 account managers.

Red5 Access Control includes controlling access to systems, processes and information. The access control is based on one of more authorisation models.

The following authorisation models are often applied:

Risk-based authentication makes authentication a multi-factor affair. Authentication proves that users are who they say they are. Three traditional factors are identified: what you know, what you have, and what you are. But nowadays new technology and information services can add context factors making it possible to derive location, behaviour and risk.

The interpretation of precisely what authentication is has become a relevant question given that the definition is no longer explicit. Therefore the value of each factor must also be measured. It all comes together now in an often static policy that is no longer tenable. The answer is found in risk-based authentication.

Hence it is a non-static authentication system which looks at the profile of the agent requesting access to the system to determine the risk profile associated with that transaction. This risk profile is then used to determine the complexity of the challenge. Consequently, higher risk profiles lead to stronger challenges, whereas a static username/password may suffice for lower-risk profiles. The application is allowed to challenge the user for additional credentials only when the risk level is appropriate.

A ‘means of strong authentication’ is usually reverted to when access is needed to information where great risk is involved. But the static checking between username and password or a strong means of authentication is no longer sufficient.

Enforcing the correct authentication depends on many characteristics such as where the user is located, what device is being used and what information the person wants to use. This involves the extent to which these characteristics or a combination of the characteristics are trustworthy, namely, to what extent is it ‘normal’ or ‘suspect’ behaviour. What risks arise when we give a user with these characteristics access to information?

With risk-based authentication, these characteristics are identified and weighed. Intelligent algorithms determine the minimum required means of authentication before a user with such characteristics receives access to the desired information. This may be determined beforehand, but it is also possible during a transaction using a so-called ‘step up’ or re-authentication.

Red5 has extensive experience in access control, design and configuration. If you want to more about this topic, feel free to contact us. We will be happy to share our vision and experiences.

Attribute Based Access Control (ABAC) is a logical access control method, based on the applicant’s attributes, information, action and context of the application.

Attribute-based access control (ABAC) is an authorisation model that evaluates attributes (or characteristics), rather than roles, to determine access. The purpose of ABAC is to protect objects such as data, network devices, and IT resources from unauthorised users and actions—those that don’t have “approved” characteristics as defined by an organisation’s security policies.

ABAC as a form of logical access control became prominent in the past decade, having evolved from simple access control lists and role-based access control (RBAC). As part of an initiative to help federal organisations improve their access control architectures, the Federal Chief Information Officers Council endorsed ABAC in 2011. They recommended ABAC as the model to adopt for organisations to safely share information.