GDPR coverage in Soffid

GDPR in Soffid

Soffid IAM (Soffid Identity and Access Management) software suite covers certain parts of the European General Data Protection Regulation (GDPR). This regulation mentions that best practices should be implemented in regard to Information Systems security. Best practices in this topic are covered by ISO 27001. Therefore, this document also presents Soffid’s coverage of the ISO 27001 (Information technology — Security techniques — Information security management systems — Requirements).

Out of a total of 11 Chapters with a total of 99 Articles in the GDPR, Soffid makes a substantial contribution in 3 Chapters and 16 Articles. Regarding ISO 27001, Soffid has nearly full coverage of section A.9 Access control. On top of this, Soffid contributes coverage of controls in sections A.6 (Organisation of information security), A.7 (Human resources security), A.8 (Asset management), A.11 (Physical and environmental security), A.12 (Operations security), A.15 (Supplier relationships) and A.17 (Information security aspects of business continuity management).

Summary of the regulation

New regulation

On April 14, 2016, the European Parliament approved the General Regulation on Data Protection, with direct application in Member States.

Regulation enforcing date

The new legal framework for data protection will apply as of May 25, 2018.

Impact on processes

This regulatory change has a clear and significant impact on organizations, since it imposes new obligations that affect not only traditional compliance but also, to a large extent, their processes and the way privacy risks are analysed.

Main points of impact of the regulation:

1. The territorial scope is all EU states.
2. Data protection principles are expanded and reinforced: purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
3. Recognition of new rights for data subjects: right to data portability; right to be forgotten; right not to be subject to decisions based solely on automated processing (profiling); right to lodge a complaint with the supervisory authority or with the controller.
4. Legal basis for processing: obtaining unambiguous consent; specifying and documenting legitimate interest.
5. New obligations: record of processing activities; notification of security breaches; Data Protection Officer; processes for handling the exercise of data subjects' rights.
6. New paradigm in data protection: accountability; privacy by design and by default; data protection impact assessments.
7. Self-regulation and certification: adherence to codes of conduct; establishment of certification mechanisms, seals and marks.
8. New sanctioning regime: penalties up to 4% of total annual global turnover.

Soffid contribution

Soffid, being a comprehensive access control and identity management solution, provides the following capabilities within the framework of this new regulation:

1. Organization of data by identity, unification and quality of data. A single location for the data, with conservation, integrity and confidentiality of the data.

2. Obtaining data, data portability, right to be forgotten and obtaining consents, through integration with the Soffid business process manager.

3. Management of all the processes and processing operations performed on the data. Audits and reports of every operation carried out on the data, which satisfies the obligation to keep a record of processing activities.

4. Detection and notification of security breaches.

5. Certification process managed by Soffid.

Gartner report: Options for Open Source Identity and Access Management

Gartner published the report "Options for Open Source Identity and Access Management: 2017 Update" on the 8th of March 2017.

In this report, Gartner analyses the technological state of the different open source products, it provides a comparison between them, and issues a series of recommendations for the end users.

General key findings

– Open-source software identity and access management components can provide more flexibility and adaptability than proprietary vendor components and at a lower cost.

– The majority of components come with varying levels of functionality and maturity. The end user needs to carry out extensive research to confirm adequacy of maturity and functionality for their use case.

– Support plans are available for most of their components from primary developers or their supporting partners. In some cases, there are two versions of a product: a free version and a version with more features that is only available in conjunction with a support plan.

Soffid Analysis

“Soffid is a vendor that develops and offers support for a comprehensive IAM solution that was custom-developed for the government of the Balearic Islands in Spain. With the permission of the government, the source code of the product has been released as open source. Soffid IAM consists of a provisioning system, a PAM module that includes a password vault, an ESSO component that uses access server-side credential injection, web SSO and federation functionality based on Shibboleth that supports SAML, OAuth, OpenID Connect and authorization enforcement based on XACML. The software runs on Windows and Linux; the ESSO module is supported on Windows and Ubuntu Linux. It includes a synchronization engine that also supports reconciliation and comes with several connectors, including SAP. Role management and recertification are also supported. The product has recently been extended to include rapid configuration capabilities and integrated with Jasper Reports.

Functionality: (Medium to High). Soffid has one of the most comprehensive lists of IAM features of the products reviewed in this report. It is also the only product set from one vendor that includes ESSO and PAM functionality.”

For more information please read the full report here.

Soffid version 2.0: released!

This is big news, Soffid Version 2.0 is here.

We are pleased to announce that version 2.0 of the Soffid Console and Soffid Sync server have been released.

This version includes a lot of improvements with respect to previous versions, and it is indeed much more than an incremental improvement of the software. It includes new functionality as well as User Experience improvements, together with performance enhancements. The team of engineers at Soffid has been working hard to get this version out there, and now it is time for our clients and our community to take advantage of it. We hope you enjoy it.

Please, find this new version here.

The list of new features included in version 2.0 is:

1) Multi-tenant functionality

Soffid now has multi-tenant functionality. A single Soffid instance can manage more than one tenant, so from one cloud instance Soffid can handle identity and access management for different clients or different companies. This feature will enhance operations for many of our clients.

2) User Experience improvements

This version of Soffid presents several User Experience improvements. For instance, Soffid now offers autocompletion in role and application searches, dynamic filters are now substituting the old static filters, and we have added multiscreen configuration pages for custom object definitions.

3) Great performance improvement

An extra layer of reconciliation intelligence has been added to Soffid to produce an initial grouping of tasks related to the same object before committing changes to the database. This allows faster task completion and a huge increase in performance for bulk processes.

4) SCIM server

Soffid now offers a SCIM server RESTful API service. Full control of actions in Soffid can be exercised through this new RESTful service to enhance integration with other services or third-party applications. Everything follows the SCIM standard.
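As an added illustration of what a SCIM 2.0 integration looks like from the client side (example code, not Soffid's own; the endpoint URL, token and sample response are hypothetical or constructed, while the schema URNs and request shapes come from RFC 7643 and RFC 7644), the following Python builds a User resource, a deactivation PatchOp and a safely escaped filter, and validates a ListResponse:

```python
"""SCIM 2.0 client helpers: build a User, build a deactivation PatchOp,
build an escaped filter and validate a ListResponse.

Added example, not Soffid's own code. BASE_URL, TOKEN and the sample
response are hypothetical or constructed; the schema URNs come from
RFC 7643 and RFC 7644."""
import json
import urllib.parse
import urllib.request

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

BASE_URL = "https://scim.example.invalid/scim/v2"  # hypothetical SCIM endpoint
TOKEN = "REPLACE-WITH-REAL-TOKEN"                   # placeholder, never commit one


def build_user(user_name, given, family, email, active=True):
    """Core User resource (RFC 7643 section 4.1); userName is the only required attribute."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": active,
    }


def build_deactivate_patch():
    """PatchOp (RFC 7644 section 3.5.2) that sets active=false instead of
    deleting: the account stays around for audit and can be re-enabled."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def user_filter(user_name):
    """Filter expression for GET /Users?filter=...; the value is a JSON-style
    string, so backslashes and quotes are escaped before it is embedded."""
    escaped = user_name.replace("\\", "\\\\").replace('"', '\\"')
    return 'userName eq "%s"' % escaped


def users_url(user_name):
    """Full URL with the filter percent-encoded as a query parameter."""
    return BASE_URL + "/Users?" + urllib.parse.urlencode({"filter": user_filter(user_name)})


def build_request(method, path, body=None):
    """urllib Request with bearer auth and the SCIM media type (RFC 7644 section 3.1)."""
    return urllib.request.Request(
        BASE_URL + path,
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={
            "Authorization": "Bearer " + TOKEN,
            "Content-Type": "application/scim+json",
            "Accept": "application/scim+json",
        },
    )


def parse_list_response(raw):
    """Validate a ListResponse envelope (RFC 7644 section 3.4.2) and return its resources."""
    doc = json.loads(raw)
    if LIST_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = doc.get("Resources", [])
    if doc.get("totalResults", 0) < len(resources):
        raise ValueError("totalResults is smaller than the page returned")
    return resources


def inactive_user_names(resources):
    """Names of users whose active flag is false: a quick deprovisioning audit."""
    return sorted(r["userName"] for r in resources if not r.get("active", True))


# Constructed sample response, shaped like a server's answer to GET /Users.
SAMPLE_LIST = json.dumps({
    "schemas": [LIST_SCHEMA],
    "totalResults": 3,
    "startIndex": 1,
    "itemsPerPage": 3,
    "Resources": [
        {"id": "1", "userName": "alice", "active": True},
        {"id": "2", "userName": "bob", "active": False},
        {"id": "3", "userName": "carol"},
    ],
})


if __name__ == "__main__":
    req = build_request("PATCH", "/Users/2", build_deactivate_patch())
    print(req.get_method(), req.full_url, req.data.decode())
    print(users_url('o"brien'))
    print(inactive_user_names(parse_list_response(SAMPLE_LIST)))
```

Two design points worth noting: leavers are deactivated with a PATCH on `active` rather than deleted, so the audit trail and the user's id survive; and any user-supplied value that goes into a filter is escaped and URL-encoded rather than concatenated, so a name containing a quote cannot alter the query.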

5) Custom objects

This version of Soffid introduces Custom Objects as part of the Soffid data model for the first time. With this new type of object, the administrator can define new multidimensional attributes for every user, such as a tablet (with all its identification data) or mobile phones (including their SIM and serial numbers), all encapsulated in the same object. There is also a specific pane to define the characteristics of the custom objects. This gives the tool a great deal of flexibility. We hope our customers enjoy it.

6) Soffid is now enabled to work as Software as a Service

Version 2.0 is cloud ready! For the very first time, Soffid is now ready to be installed fully as Software as a Service. Current and future users of Soffid can now decide if they want to still host the Soffid instance on premise or if they want to migrate to a cloud installation. This will mean a big smoothing out of operations and maintenance costs.

7) TomEE is now the JEE platform (replacing JBoss)

Soffid has migrated from JBoss to TomEE as the current JEE platform. TomEE offers better memory handling, it is faster and it is more reliable.

8) Control measures to avoid accidental mass changes

In this version Soffid has also incorporated a control measure to avoid accidental mass changes in the repository. It prevents mass changes in a given target system from propagating to Soffid's central repository when they are due to a malfunction or an accident on that target system. To this end, a threshold of maximum allowable actions can be defined in Soffid. If this maximum is reached, Soffid marks all such tasks as pending and prompts the administrator for confirmation: an extra control step that prevents a possible operational crisis.
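The threshold described in item 8, combined with the per-object grouping of tasks from item 3, worked through as an added Python example (this is not Soffid's implementation; the Task model, the merge rules, the feeds and the threshold value are hypothetical):

```python
"""Reconciliation guard: coalesce the tasks that touch the same object, then
hold the whole batch for confirmation when it exceeds a change threshold.

Added example, not Soffid's code. The Task model, the threshold value and the
sample task feeds are hypothetical."""
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class Task:
    object_id: str
    action: str                  # "create", "update" or "delete"
    attrs: dict = field(default_factory=dict)


def coalesce(tasks):
    """Merge tasks per object, in arrival order, so one object yields one
    change: later attributes override earlier ones, a delete after a create
    cancels both, and a delete after an update becomes a plain delete."""
    merged = OrderedDict()
    for t in tasks:
        prev = merged.get(t.object_id)
        if prev is None:
            merged[t.object_id] = Task(t.object_id, t.action, dict(t.attrs))
        elif t.action == "delete":
            if prev.action == "create":
                del merged[t.object_id]          # never reached the repository
            else:
                merged[t.object_id] = Task(t.object_id, "delete")
        else:
            action = "create" if prev.action == "create" else t.action
            merged[t.object_id] = Task(t.object_id, action, {**prev.attrs, **t.attrs})
    return list(merged.values())


@dataclass
class Outcome:
    applied: list
    pending: list

    @property
    def needs_confirmation(self):
        return bool(self.pending)


def reconcile(tasks, max_changes, apply):
    """Apply the coalesced batch through apply(task) unless it is larger than
    max_changes, in which case every task is held as pending and nothing is
    written: a target system that suddenly reports all accounts gone must not
    wipe the central repository on its own."""
    batch = coalesce(tasks)
    if len(batch) > max_changes:
        return Outcome(applied=[], pending=batch)
    for t in batch:
        apply(t)
    return Outcome(applied=batch, pending=[])


def confirm(outcome, apply):
    """Administrator confirmation: release the held tasks."""
    for t in outcome.pending:
        apply(t)
    return Outcome(applied=outcome.applied + outcome.pending, pending=[])


# Constructed feeds: a normal trickle, and the same trickle followed by a burst
# of deletes such as a misconfigured connector reading an empty directory.
NORMAL_FEED = [
    Task("u1", "create", {"mail": "u1@example.invalid"}),
    Task("u1", "update", {"title": "analyst"}),
    Task("u2", "update", {"active": False}),
    Task("u3", "create"),
    Task("u3", "delete"),
]
BURST_FEED = NORMAL_FEED + [Task("u%d" % i, "delete") for i in range(100, 150)]

MAX_CHANGES = 10   # hypothetical threshold


def demo(feed, max_changes=MAX_CHANGES):
    """Run reconcile over a feed and return (written object ids, pending object ids)."""
    written = []
    outcome = reconcile(feed, max_changes, written.append)
    return [t.object_id for t in written], [t.object_id for t in outcome.pending]


if __name__ == "__main__":
    print("normal:", demo(NORMAL_FEED))
    print("burst: ", demo(BURST_FEED))
```

The threshold is checked on the coalesced batch rather than on the raw task count, so a noisy connector that reports the same object many times does not trip the guard, while a genuine burst of distinct deletes does; and the guard holds the whole batch, not just the tasks beyond the limit, because the first few deletes of a mass wipe are no more trustworthy than the rest.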

9) Some minor bugs are also fixed within this version

We are always eager to hear what users think of these improvements, and we look forward to more suggestions for future Soffid versions.

We always appreciate your valuable feedback.

Managing Google Apps accounts

Google Apps is one of the most popular service providers for business of any size, but the tools provided by Google to manage user accounts and groups don’t give system administrators the flexibility and capabilities a specialized identity management product can offer.

With Soffid, you can configure Google Apps as one of the identity consumers of your organization. You can decide to give Google accounts to every user in your organization, restrict them to a selected organizational unit or user type, or write a rule that enables or disables access depending on user attributes. In this way, you can integrate mail groups and mail aliases into your whole account life cycle, managing how users join or leave groups. You can tell Soffid to maintain mail groups based on a mix of users, business unit groups and information system entitlements.

Leveraging Soffid, you also get synchronized password management. When a user changes their password, it is immediately pushed to Google Apps.

Furthermore, you can deploy the Soffid Identity Provider. With Soffid IdP, Google will no longer ask users for a password. Instead, Google redirects the authentication request to Soffid IdP, which identifies the user by password, digital certificate or any other enabled mechanism. Google then receives a signed and encrypted authentication token issued by Soffid IdP, letting the user log in.

The most relevant benefits of using Soffid IdP together with the Soffid Google Apps connector are:

  • You don’t need to give Google access to your directory.
  • Users log in on your system first, keeping a live access log on your site.
  • You can easily customize how users are created on Google, using simple expressions.
  • You can use complex rules to decide who can use Google services and who cannot.
  • Every change is audited at the highest level available.
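The attribute rules, login expressions and group rules described above, worked through as an added Python example (it is not Soffid's rule language nor its Google Apps connector; the User record, the rules, the domain and the sample data are all hypothetical and constructed):

```python
"""Attribute-driven provisioning for a cloud mail provider: who gets an
account, how the login is derived, which mail groups they belong to, and
which changes are needed against the provider's current state.

Added example, not Soffid's rule language or its Google Apps connector.
The User record, the rules, DOMAIN and the sample data are hypothetical."""
import re
import unicodedata
from dataclasses import dataclass, field

DOMAIN = "example.invalid"   # hypothetical Google Apps domain


@dataclass
class User:
    user_name: str
    first: str
    last: str
    org_unit: str               # e.g. "/Corp/IT"
    user_type: str              # "employee" or "contractor"
    active: bool = True
    business_units: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)


def entitled(u):
    """Access rule on user attributes: active employees anywhere, and active
    contractors only inside the IT organizational unit."""
    if not u.active:
        return False
    if u.user_type == "employee":
        return True
    return u.user_type == "contractor" and u.org_unit.startswith("/Corp/IT")


def ascii_fold(text):
    """Strip accents so that 'López' becomes 'Lopez'."""
    return "".join(c for c in unicodedata.normalize("NFKD", text)
                   if not unicodedata.combining(c))


def login_for(u):
    """Simple expression deriving the provider login: first.last, lower case,
    ASCII letters, digits and dots only; falls back to the internal user name."""
    base = re.sub(r"[^a-z0-9.]", "", ascii_fold(u.first + "." + u.last).lower())
    return (base.strip(".") or u.user_name.lower()) + "@" + DOMAIN


# Group membership derived from a mix of user type, business units and entitlements.
GROUP_RULES = {
    "all-staff": lambda u: u.user_type == "employee",
    "finance-staff": lambda u: "finance" in u.business_units,
    "erp-users": lambda u: "erp" in u.entitlements,
}


def desired_groups(u):
    if not entitled(u):
        return set()
    return {g for g, rule in GROUP_RULES.items() if rule(u)}


def plan(users, provider_accounts, provider_groups):
    """Diff desired state against the provider's state. provider_accounts is
    {login: active}, provider_groups is {group: set(logins)}. Returns
    (action, login, detail) tuples; accounts are suspended rather than deleted
    so mail and audit history survive a rule change."""
    actions, wanted = [], {}
    for u in users:
        login = login_for(u)
        if entitled(u):
            wanted[login] = desired_groups(u)
            if login not in provider_accounts:
                actions.append(("create", login, u.user_name))
            elif not provider_accounts[login]:
                actions.append(("unsuspend", login, u.user_name))
        elif provider_accounts.get(login):
            actions.append(("suspend", login, u.user_name))
    for group in GROUP_RULES:
        current = provider_groups.get(group, set())
        target = {login for login, groups in wanted.items() if group in groups}
        actions += [("join", login, group) for login in sorted(target - current)]
        actions += [("leave", login, group) for login in sorted(current - target)]
    return actions


# Constructed sample: Ana is a finance employee; Bo is a contractor who has
# just been moved out of IT; Cai is a new employee with an ERP entitlement.
USERS = [
    User("ana", "Ana", "López", "/Corp/Finance", "employee", business_units={"finance"}),
    User("bo", "Bo", "Ng", "/Corp/Ops", "contractor"),
    User("cai", "Cai", "Ren", "/Corp/IT", "employee", entitlements={"erp"}),
]
PROVIDER_ACCOUNTS = {"ana.lopez@" + DOMAIN: True, "bo.ng@" + DOMAIN: True}
PROVIDER_GROUPS = {"all-staff": {"ana.lopez@" + DOMAIN, "bo.ng@" + DOMAIN}}


if __name__ == "__main__":
    for action in plan(USERS, PROVIDER_ACCOUNTS, PROVIDER_GROUPS):
        print(*action)
```

Running it shows the life-cycle effect of a single attribute change: moving Bo out of the IT unit suspends his account and removes him from `all-staff` in the same run, while Cai's new entitlement creates the account and adds the `erp-users` membership; the returned action list is the kind of record that feeds an audit trail.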

To learn more about how to configure it, please visit our wiki.

How to reduce resources devoted to password reset

Password reset is one of the most recurrent tasks in help desk departments. With Soffid you can dramatically reduce the number of call center calls by giving users the tools to self-recover their password.

Soffid allows administrators to enable or disable several recovery methods, including pre-saved questions, email, smart cards, SMS and others. In this post we will see how a user recovers a password with pre-saved questions.

First, the user is encouraged to answer some predefined questions, as well as to fill in new ones. The video below shows how a user is automatically redirected to the password recovery form just after logging into the workstation.

Once the answers have been filled in, the user is able to recover their password from the Windows login screen. See the next video.
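As an added example of how a pre-saved-question recovery store should be built on the server side (this is not Soffid's implementation; the question texts, parameters and thresholds are hypothetical), the following Python normalizes answers before hashing, keeps only salted PBKDF2 hashes, compares them in constant time, checks every enrolled question even after a mismatch, and locks recovery after too many failed attempts:

```python
"""Self-service recovery with pre-saved questions, implemented defensively.

Added example, not Soffid's implementation. Answers are normalized (case,
whitespace, accents), stored only as salted PBKDF2 hashes, compared in
constant time, every enrolled question is checked even after a mismatch so
timing does not reveal which answer was wrong, and the profile locks after
MAX_FAILURES failed attempts. Question texts and parameters are hypothetical."""
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5          # lock recovery, not the account, after this many bad attempts
REQUIRED_CORRECT = 2      # answers that must match out of those enrolled


def normalize(answer):
    """Fold case, accents and whitespace so ' Málaga' and 'malaga' match."""
    folded = "".join(c for c in unicodedata.normalize("NFKD", answer)
                     if not unicodedata.combining(c))
    return " ".join(folded.casefold().split())


def hash_answer(answer, salt=None):
    """Salted PBKDF2-HMAC-SHA256 over the normalized answer; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class RecoveryProfile:
    def __init__(self):
        self.answers = {}      # question -> (salt, digest); plaintext is never kept
        self.failures = 0
        self.locked = False

    def enroll(self, question, answer):
        if len(normalize(answer)) < 3:
            raise ValueError("answer too short to be useful")
        self.answers[question] = hash_answer(answer)

    def verify(self, given):
        """given: {question: answer}. True when at least REQUIRED_CORRECT match."""
        if self.locked or len(self.answers) < REQUIRED_CORRECT:
            return False
        correct = 0
        for question, (salt, digest) in self.answers.items():
            # Always hash and compare, never return early: uniform work per attempt.
            _, candidate = hash_answer(given.get(question, ""), salt)
            if hmac.compare_digest(candidate, digest):
                correct += 1
        if correct >= REQUIRED_CORRECT:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True    # an administrator or another channel must unlock
        return False


def build_sample_profile():
    """Constructed enrolment used by the demo and the tests."""
    profile = RecoveryProfile()
    profile.enroll("first school", "Colegio San José")
    profile.enroll("first pet", "Rex")
    profile.enroll("city of birth", "Málaga")
    return profile


if __name__ == "__main__":
    p = build_sample_profile()
    print(p.verify({"first school": "colegio san jose", "city of birth": "MALAGA"}))  # True
    print(p.verify({"first pet": "fido", "city of birth": "madrid"}))                # False
```

Normalizing before hashing is what keeps the help desk quiet: a user who enrolled "Colegio San José" and later types "colegio san jose" still succeeds, which is the whole point of self-service. The lockout counter protects the recovery channel itself, which is otherwise a weaker path into the account than the password; the post's other methods (email, SMS, smart cards) are the natural second factor to pair with it.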