Smooth access to information

Only for those who are authorized

If you are reading this, you probably have information you need to share, or you need access to information that someone else provides. Both needs bring challenges. One is to make the information available in the first place; the more important one is to make it available only to those who are entitled to access it.

The first question is often resolved with the help of the system or service that one has decided to use for handling the information. The provider of the system or service generally has good features for presenting and processing the information that the system is designed to handle. However, this text does not focus on that issue.
ID North

Protection and security for various types of information

The second part is about protection and security. Depending on the type of information, the need for protection varies. In some cases, the information may be public, and anyone should have access to it. Does this mean the information doesn't need protection? Of course not. We want everyone to be able to read our company's website, but certainly not alter it. Other information may be highly sensitive and should only be made available to authorized personnel.

Choosing systems and services for secure information sharing

Some systems and services have built-in support to ensure that only the right individuals can access the information. Often, these services only support a specific method, and additional costs arise for the purchase of items like SITHS cards or similar. At times, the service lacks sufficiently strong authentication to be legally used for sensitive information.

Federation: An effective security model for information sharing

More commonly, the system or service relies on user verification being handled elsewhere, typically under the control of the information owner (the customer). In practice, this often means that the service provider relies on the customer's authentication service, an arrangement known as federation. There are several advantages to this. The customer can use the same login methods for multiple systems. The customer can set up access to multiple systems via a single login, known as single sign-on. The management of accounts and login methods is in the hands of the customer rather than the provider.

Information security classification

What is needed?

The laws that pertain to your business and the information in question

The specific industry regulations, if they exist

The requirements that your customers place on you

Your own principles regarding the information

Information is often subject to legal requirements such as GDPR and NIS/NIS2, as well as other industry-specific regulations. Even if specific legal requirements are absent, there are often commercial or other needs to protect one's information.

Why "One Size Fits All" doesn't work

It is important to tailor the level of trust to specific needs. Depending on usage and formal requirements, the level of trust must vary. Information security classification should also be considered, and internal requirements should be established to meet the needs. In summary, it's about balancing security, user experience, and available resources to verify user identity with sufficient security.

The Digitalization Authority has defined three levels of trust:

Some trust, such as EduID from Sunet

High trust, such as BankID and Freja

Very high trust, such as EFOS and Swedish Pass.

More information is available at "Trust Levels for e-Authentication | Digg."

If there are no specific legal or industry requirements for trust levels, you can determine which type of authentication to use on your own. This can range from passwords to multi-factor solutions such as service cards, mobile apps, various hardware keys like YubiKey, and more.

Choosing an identity credential issuer and its requirements

You need an IdP (identity provider, the identity credential issuer), which can be purchased as a service or set up internally. It must support the login methods you need and may have to participate in federations such as Skolfederation, SAMBI, and others. Its technical support should include SAML, OpenID Connect, VPN, and proxying to handle various systems and requirements.

Login service/credential issuer (IdP).

How do you proceed?

1. Classify information

2. Purchase an IdP based on your needs

3. Configure the IdP to handle logins per information category in accordance with the classification
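
The three steps above, sketched as the access decision a service could make once the IdP has vouched for a login. This is an added example, not ID North's code or any product's configuration: the information classes, the method names, the issuer URL and the policy table are constructed, and the assertion is assumed to have had its signature validated already.

```python
from enum import IntEnum

class Trust(IntEnum):      # the three trust levels named on this page, plus "none"
    NONE = 0               # anonymous visitor
    SOME = 1               # e.g. EduID
    HIGH = 2               # e.g. BankID, Freja
    VERY_HIGH = 3          # e.g. EFOS

TRUSTED_IDP = "https://idp.example.org"   # placeholder for the customer's own IdP

# Constructed mapping from the login method the IdP reports to a trust level.
# The method names are placeholders, not real SAML or OpenID Connect identifiers.
METHOD_TRUST = {
    "example:eduid": Trust.SOME,
    "example:bankid": Trust.HIGH,
    "example:efos": Trust.VERY_HIGH,
}

# Step 1 (classification), constructed: (information class, action) -> minimum trust.
POLICY = {
    ("public", "read"): Trust.NONE,       # anyone may read the website...
    ("public", "write"): Trust.HIGH,      # ...but not alter it
    ("internal", "read"): Trust.SOME,
    ("internal", "write"): Trust.HIGH,
    ("sensitive", "read"): Trust.VERY_HIGH,
    ("sensitive", "write"): Trust.VERY_HIGH,
}

def asserted_trust(assertion):
    """Trust level of a login; a missing, foreign or unknown assertion counts as none."""
    if not assertion or assertion.get("issuer") != TRUSTED_IDP:
        return Trust.NONE
    return METHOD_TRUST.get(assertion.get("method"), Trust.NONE)

def decide(info_class, action, assertion=None):
    """Step 3: return ('allow' | 'step_up' | 'deny', required trust level)."""
    required = POLICY.get((info_class, action))
    if required is None:
        return ("deny", None)             # unclassified information fails closed
    if asserted_trust(assertion) >= required:
        return ("allow", required)
    return ("step_up", required)          # send the user back to the IdP for a stronger login
```
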

We have extensive experience in both public and private sectors. One of the areas we operate in is ensuring that information can be accessed, but only by those who should have access to it.
Contact us

We assist in all steps from planning to installation, configuration, operation, and support of the login service.
