Last updated on 3 August 2020
Users of oneclick™ and FIDES gain self-determination over their data by means of digital authorization chains.
Classical identity and rights management systems do not sufficiently meet the users’ need for data sovereignty and security. This is why Bundesdruckerei’s innovation laboratory has developed a revolutionary approach with FIDES which anchors individual data sovereignty in the basic technology. At the core of FIDES identity and rights management are linked authorizations, so-called ID chains, which are based on blockchain technology. The idea behind it: With FIDES, the user alone has control over his digital authorizations, such as access to his personal data. Authorizations can be passed on to others or withdrawn again. The central point is the right of self-determination of the individual user to decide at any time and with sovereignty about his data and its transfer.
Meeting high requirements of data protection
With the concept of ID-Chains, FIDES provides a consistently user-friendly answer to increased expectations of data protection and security, which meets the high requirements of the General Data Protection Regulation (GDPR) of the European Union. This stipulates, among other things, the right to be forgotten and the privacy-by-design approach to the processing of personal data. A public blockchain, for example, runs into problems with these demands: information stored in the chain cannot be deleted there and can be viewed by all participants in the blockchain.
Compliant and traceable
With FIDES, every user can only see what he or she has permissions for. Within the system he has no way of finding out what other identities and authorisations are available. The consequence: Everyone sees only what he is allowed to see. Data sovereignty is solely held by those to whom the data belongs in a professional or personal sense. Due to the clear assignment of rights, there is a clear responsibility for each right. The system logs all rights and identities. It also documents every delegation of authorizations and all accesses. This guarantees the integrity of the user data, transparency and security against manipulation. A user can track what happens to his rights at any time. Particularly during audits, controllers can always trace who has accessed which data or systems when and with which authorizations and where these authorizations originate. A transaction history in the form of a timeline is regularly saved by the system.
The “Business Chain” for enterprise customers and other organizations
“With oneclick™ we have found a partner to apply FIDES as a business chain in the corporate environment,” says Dr. Manfred Paeschke, Chief Visionary Officer of Bundesdruckerei.
“In conjunction with the oneclick™ platform, our FIDES concept enables efficient and secure allocation and maintenance of rights for access to all applications, data and other company resources. Thanks to FIDES, a new employee can obtain all important authorizations directly from the team leader or a responsible colleague. FIDES gives those responsible in the organization the design authority and the technical tools to distribute and maintain their respective rights. Each owner of rights as well as each delegating instance in the chain takes responsibility for ensuring that only those identities that actually need authorization are given it. If, for example, a person’s area of responsibility changes, the rights that are no longer needed are immediately withdrawn.”
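The behaviour described in the sections above (a right that is delegated along a chain from its owner, withdrawn again, and logged in a tamper-evident history whose entries let an auditor trace where an authorization originated) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not FIDES or oneclick™ code. The event names, the SHA-256 hash chaining of the log, the rule that revoking a grant also revokes everything delegated from it, and the sample actors are assumptions of the example.

```python
"""Toy delegated-authorization chain with a tamper-evident audit log.
Added illustration, not FIDES code: the event names, the SHA-256 hash
chaining of the log and the cascading revocation rule are assumptions."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Optional

GENESIS = "0" * 64  # previous-hash value of the first log entry


@dataclass
class Grant:
    grant_id: str
    holder: str
    right: str
    issued_by: str
    parent: Optional[str]  # grant the delegator acted under; None for the owner's own right
    active: bool = True


class AuthorizationChain:
    def __init__(self) -> None:
        self.grants: dict[str, Grant] = {}
        self.log: list[dict] = []  # append-only; each entry hashes the one before it

    def _append(self, event: dict) -> None:
        prev = self.log[-1]["hash"] if self.log else GENESIS
        body = dict(event, seq=len(self.log), prev=prev)
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.log.append(body)

    def verify_log(self) -> bool:
        """Recompute every hash; an edited, inserted or deleted entry breaks the chain."""
        prev = GENESIS
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def _holds(self, user: str, right: str) -> Optional[Grant]:
        return next((g for g in self.grants.values()
                     if g.active and g.holder == user and g.right == right), None)

    def root_grant(self, owner: str, right: str) -> str:
        """The data owner's own right: the origin of every later delegation."""
        gid = f"g{len(self.grants) + 1}"
        self.grants[gid] = Grant(gid, owner, right, owner, None)
        self._append({"event": "ROOT", "grant": gid, "holder": owner, "right": right})
        return gid

    def delegate(self, delegator: str, to: str, right: str) -> str:
        """Pass a right on; only someone who currently holds it can do so."""
        src = self._holds(delegator, right)
        if src is None:
            raise PermissionError(f"{delegator} does not hold {right}")
        gid = f"g{len(self.grants) + 1}"
        self.grants[gid] = Grant(gid, to, right, delegator, src.grant_id)
        self._append({"event": "DELEGATE", "grant": gid, "from": delegator,
                      "to": to, "right": right, "parent": src.grant_id})
        return gid

    def revoke(self, actor: str, grant_id: str) -> list[str]:
        """Withdraw a grant (issuer only) and everything delegated from it."""
        if self.grants[grant_id].issued_by != actor:
            raise PermissionError(f"{actor} did not issue {grant_id}")
        revoked, stack = [], [grant_id]
        while stack:
            gid = stack.pop()
            if self.grants[gid].active:
                self.grants[gid].active = False
                revoked.append(gid)
                self._append({"event": "REVOKE", "grant": gid, "by": actor})
            stack.extend(c.grant_id for c in self.grants.values() if c.parent == gid)
        return revoked

    def access(self, user: str, right: str) -> bool:
        """Every access attempt is logged, whether allowed or not."""
        ok = self._holds(user, right) is not None
        self._append({"event": "ACCESS", "user": user, "right": right, "allowed": ok})
        return ok

    def origin(self, grant_id: str) -> list[str]:
        """Walk the parent links back to the owner: where a right came from."""
        trail, gid = [], grant_id
        while gid is not None:
            g = self.grants[gid]
            trail.append(f"{g.holder}<-{g.issued_by}")
            gid = g.parent
        return trail


def demo() -> dict:
    """Constructed scenario: owner -> team lead -> new hire, then revocation and tampering."""
    chain = AuthorizationChain()
    chain.root_grant("owner", "read:hr-files")
    lead = chain.delegate("owner", "team-lead", "read:hr-files")
    hire = chain.delegate("team-lead", "new-hire", "read:hr-files")
    result = {
        "hire_before": chain.access("new-hire", "read:hr-files"),
        "admin": chain.access("admin", "read:hr-files"),  # runs the system, holds no data right
        "trail": chain.origin(hire),
        "revoked": chain.revoke("owner", lead),            # cascades to the new hire's grant
        "hire_after": chain.access("new-hire", "read:hr-files"),
        "log_intact": chain.verify_log(),
    }
    chain.log[1]["to"] = "someone-else"  # rewrite history: change the delegation target
    result["tamper_detected"] = not chain.verify_log()
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two properties worth noting for an audit are in `origin`, which answers “where does this right come from” by following parent links back to the owner, and in `verify_log`, which fails as soon as any earlier entry is altered because every later hash depends on it. The administrator in the scenario can run the system but is refused access to the data because no grant was ever delegated to that identity.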
Security is the top priority at oneclick™
The oneclick™ platform, winner of the renowned eco and Enterprise Workspace Awards, among others, is based on IT security best practices for application provisioning, namely the principles of a Zero Trust Architecture (ZTA).
Each access to dedicated company resources is individually authenticated and the trust status is continuously checked. Unauthorized lateral movement in a company network or within larger and distributed hybrid structures is reliably prevented. oneclick™ bears the Trusted Cloud Label as a trustworthy cloud service. A review conducted by Capgemini on behalf of the Federal Ministry of Economics and Energy confirms that oneclick™ meets all requirements in terms of transparency, security, quality and legal conformity. In addition, oneclick is an active member of TeleTrust, the largest competence association for IT security in Germany and Europe.
From “Zero Trust” to “Zero Knowledge”
“With our digital workspaces in the browser, we connect users in a secure way with all company applications and data”, says Dominik Birgelen, CEO of oneclick AG.
“As a central orchestration platform, oneclick™, for example, enables remote access to on-premises environments, automates the provision of cloud infrastructure via interfaces, and authenticates users to assigned SaaS applications. We at oneclick pursue two paradigms: Consumerization of IT and Democratization of Innovation. FIDES supports us in both goals by focusing on the individual user. But we go one step further: through the use of the FIDES pseudonymization service, no personal data is stored recognizably in oneclick™ and our Zero Trust architecture is supplemented by a Zero Knowledge approach. From a visionary point of view, thanks to the integration of FIDES, we are moving beyond the already supported Bring-your-own-Device (BYOD) towards Bring-your-own-Application and even one step further thought towards Bring-your-own-Data. With oneclick™ and FIDES, companies and administrators now have the opportunity to position themselves as absolute leaders in the field of data protection and thus achieve competitive advantages.”
Control over the system but not over user-related data
A company is free to decide where the identity management system of FIDES is operated. It can be operated in Bundesdruckerei’s data center, at oneclick™ or in the company’s own data center. In each scenario, the data is encrypted using Bundesdruckerei’s highly secure algorithms. The solution differs fundamentally from classic identity management systems in which the administrator assigns specific roles and rights to each identity. Particularly in larger organizations, it is often no longer possible to trace which rights a selected person had or has at a certain point in time.
In addition, the administrator often does not learn about changes in personnel or responsibilities in time. In the worst case, employees can access the data of a department even though they left it months ago. While in most existing systems an administrator has all file permissions, with FIDES the rights are assigned to the respective responsibilities. This means that the administrator still has control over the system but no longer over the user-related data.
Simplified operation and simultaneous cleanup of the Active Directory
Managing an enterprise Active Directory can quickly become a complex task for larger and distributed enterprise structures. Now, users are created clearly and easily in FIDES and the Active Directory is managed via a connector. At the same time, the customer’s Active Directory is tidied up, because FIDES immediately recognizes all redundancies and conflicts that have accumulated over time during the setup, for example users assigned to several groups with overlapping rights. FIDES reports such inconsistencies to the administrator so that he can clean up the Active Directory. It is also possible to synchronize with multiple systems, for example by combining an Active Directory and SAP.
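To make the clean-up step concrete, here is an added example (not the FIDES connector) of the kind of check that finds users who are assigned the same right through several groups, users whose groups grant and deny the same right, and memberships in groups that no longer exist in the directory. The export shape (group to rights, user to groups), the allow/deny conflict rule and all group and user names are constructed for this example.

```python
"""Find redundant, conflicting and stale group memberships in a directory export.
Added example, not the FIDES connector: the export shape (group -> rights,
user -> groups) and the allow/deny conflict rule are assumptions."""
from collections import defaultdict

# Constructed sample export. A right is (effect, "resource:permission").
GROUP_RIGHTS = {
    "HR-Staff":    {("allow", "hr-share:read"), ("allow", "hr-share:write")},
    "HR-Readers":  {("allow", "hr-share:read")},
    "Finance":     {("allow", "ledger:read"), ("deny", "hr-share:write")},
    "Contractors": {("deny", "ledger:read")},
}
USER_GROUPS = {
    "alice": ["HR-Staff", "HR-Readers"],      # read right granted twice
    "bob":   ["HR-Staff", "Finance"],         # allow and deny on hr-share:write
    "carol": ["Finance", "Contractors"],      # allow and deny on ledger:read
    "dave":  ["HR-Readers", "Interns-2017"],  # member of a group that no longer exists
    "erin":  ["HR-Readers"],                  # clean
}


def analyze(group_rights: dict, user_groups: dict) -> dict:
    """Per user: rights granted by more than one group, allow/deny clashes,
    and memberships in groups unknown to the directory. Clean users are omitted."""
    report = {}
    for user, groups in user_groups.items():
        sources = defaultdict(set)  # (effect, right) -> groups that carry it
        unknown = []
        for g in groups:
            if g not in group_rights:
                unknown.append(g)
                continue
            for entry in group_rights[g]:
                sources[entry].add(g)
        redundant = {right: sorted(gs) for (eff, right), gs in sources.items()
                     if eff == "allow" and len(gs) > 1}
        allowed = {r for eff, r in sources if eff == "allow"}
        denied = {r for eff, r in sources if eff == "deny"}
        conflicts = sorted(allowed & denied)
        if redundant or conflicts or unknown:
            report[user] = {"redundant": redundant, "conflicts": conflicts,
                            "unknown_groups": unknown}
    return report


if __name__ == "__main__":
    for user, findings in analyze(GROUP_RIGHTS, USER_GROUPS).items():
        print(user, findings)
```

Run against a real export, the same three findings are what an administrator would act on: drop one of the duplicate memberships, decide which side of an allow/deny clash is intended, and remove references to groups that were deleted without cleaning up their members.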
Unique: A secure Unified Workspace for Active Directory management and access to all applications and data
The combination of oneclick™ and FIDES makes it possible for the first time to manage both the administration of the entire Active Directory and the access to applications and data via a uniform interface in the browser. With the FIDES app in the oneclick™ workspace, every user can manage and delegate his Active Directory authorizations. All applications necessary for everyday work can also be opened and operated directly via the oneclick™ Workspace. Data is shared across applications via the so-called Hybrid Drive using state-of-the-art streaming technology without the data leaving the defined storage location. There is no need to install additional client or server services.
Secure authentication and Single Sign-On
In order to work with oneclick™ and the FIDES identity and rights management, users only have to log in to the platform once. The basis for access is a trustworthy identity provider, who creates and confirms identities. The oneclick™ platform and FIDES support the OpenID Connect standard. A rights owner can define different trust levels for certain rights. For example, access to less critical documents may only require the entry of a password, or a second or third factor may be requested for particularly sensitive information.
Easy handling of strong passwords
In order to make strong passwords easy to handle, the partners rely on PASSPOL, a patented, graphical multi-factor authentication, which is a fast, convenient and highly secure alternative to textual passwords, PINs or biometric methods. Personalizable images, which also serve as cryptographic key files, are moved in a specific order on a matrix. This sequence, in combination with the correct images, serves for verification; it is very easy to remember and almost unforgettable. PASSPOL makes use of three proven psychological phenomena: the Pictorial Superiority Effect, the Dual Code Effect and the high memorability of movement patterns.
Bundesdruckerei GmbH is a leading German high-tech security company. Its products and services are “Made in Germany” and are based on the secure identification of persons and institutions. As a federal security company, the company paves the way to a secure digital future. More information can be found at www.bundesdruckerei.de.
- Bundesdruckerei (2018): White paper: From the Almighty Administrator to the Self-determined User. Online: https://www.bundesdruckerei.de/en/whitepaper/download/2835/Whitepaper-Fides.pdf