The core module for Data Access Control sits between the application and the databases. It remains part of the application, but is transparently encapsulated from it via standard interfaces, so that security aspects and the actual business functions are completely separated.
The Control Kernel intervenes in the process in real time and "controls" access efficiently, without noticeably compromising overall system performance. Via the minimally invasive Integrator, the complete available context (ID, role, tenant, member, location, etc.) is taken over. Unauthorized or restricted access and operations are thus prevented in real time, or adapted in accordance with the rules.
The Configurator combines authenticated identities and roles with the company's applicable rules and specifications for the individual database tables and fields. Security strategies and data access policies defined by (top) business management can thus be implemented in the IT solution in a uniquely direct way. The defined rules are made available to the kernel for real-time control (enforcement).
Reporting & Monitoring allow any kind of analysis of all movements. The full context of the user is transparent and available for logging, as opposed to the usual "technical users" (shared application accounts). Nothing escapes the attention of the Control Kernel; the available inventory of log files and analysis options is correspondingly broad and deep.
We take over the authenticated identities and roles from the existing systems.
From the database we extract the structure of all the information which is available to the application and its users.
In the configurator we assign the corresponding access rights for all operations (create, read, update, delete) to the user and/or their role. If required, this is possible right down to the field level of the individual tables.
Content-based conditions can be applied at the same granularity, which makes the control mechanism potentially very powerful. For example, an administrator may only be permitted to approve payments of up to CHF 20'000.
Security specialists, auditors and other business users have view access via the configurator, and on-demand access to the set of rules, its development and all changes to it.
Changes to identities/roles or rules can be implemented quickly and without code adaptations; these changes remain traceable at any time.
The detailed and comprehensive log-information can be used for a multitude of analyses, alerts, BI-queries and DWH-applications.
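The following is an added illustration of the procedure described above (taking over identities and roles, extracting the table structure, assigning CRUD rights per role down to field level, attaching content conditions, and logging every decision with the full user context). It is not the product's own code; the `Context`, `Rule` and `ControlKernel` names, the `payments` table, and the sample users and rows are all constructed for the example. It generalizes the CHF 20'000 case slightly: a read that touches both permitted and non-permitted fields is adapted (only permitted columns pass), while a write that touches any non-permitted field is refused, and a row belonging to another tenant is always refused.

```python
from dataclasses import dataclass, asdict
from typing import Callable, Optional
import json


@dataclass(frozen=True)
class Context:
    """Authenticated context taken over from the existing IAM/application (constructed)."""
    user_id: str
    role: str
    tenant: str
    location: str


@dataclass(frozen=True)
class Rule:
    """One configurator entry: which role may perform which operation on which
    table/fields, optionally only when a content condition on the affected row holds."""
    name: str
    table: str
    operation: str                                       # create | read | update | delete
    roles: frozenset
    fields: Optional[frozenset] = None                   # None -> every field of the table
    condition: Optional[Callable[[Context, dict], bool]] = None


# Structure "extracted from the database": table -> fields (constructed sample)
SCHEMA = {
    "payments": frozenset({"id", "tenant", "amount", "iban", "status"}),
}

# Rule set as a configurator would hand it to the kernel (constructed sample)
RULES = [
    Rule("clerk-reads-payments", "payments", "read", frozenset({"clerk"}),
         fields=frozenset({"id", "tenant", "amount", "status"})),      # no IBAN for clerks
    Rule("admin-reads-payments", "payments", "read", frozenset({"administrator"})),
    Rule("admin-approves-small-payments", "payments", "update", frozenset({"administrator"}),
         fields=frozenset({"status"}),
         condition=lambda ctx, row: row.get("amount", 0) <= 20_000),   # the CHF 20'000 limit
]


class ControlKernel:
    """Real-time enforcement point between application and database (hypothetical)."""

    def __init__(self, rules, schema):
        self.rules = list(rules)
        self.schema = schema
        self.audit = []          # every decision, carrying the full user context

    def decide(self, ctx, operation, table, fields=None, row=None):
        """Return (decision, allowed_fields); decision is allow | restrict | deny."""
        row = row or {}
        all_fields = self.schema[table]
        requested = frozenset(fields) if fields else all_fields
        unknown = requested - all_fields
        matched, permitted = [], set()
        # A row of another tenant never matches any rule, whatever the role.
        if not unknown and ("tenant" not in row or row["tenant"] == ctx.tenant):
            for r in self.rules:
                if r.table != table or r.operation != operation or ctx.role not in r.roles:
                    continue
                if r.condition is not None and not r.condition(ctx, row):
                    continue
                matched.append(r.name)
                permitted |= (r.fields if r.fields is not None else all_fields)
        allowed = requested & permitted
        blocked = requested - permitted
        if unknown or not allowed:
            decision = "deny"
        elif not blocked:
            decision = "allow"
        elif operation == "read":
            decision = "restrict"    # read is adapted: only permitted columns are returned
        else:
            decision = "deny"        # a partial write is never adapted, only refused
        self.audit.append({**asdict(ctx), "operation": operation, "table": table,
                           "requested": sorted(requested), "allowed": sorted(allowed),
                           "matched_rules": matched, "decision": decision})
        return decision, allowed


def demo():
    """Run a handful of constructed requests through the kernel and return results + audit log."""
    kernel = ControlKernel(RULES, SCHEMA)
    admin = Context("u-17", "administrator", "acme", "ZRH")
    clerk = Context("u-42", "clerk", "acme", "BSL")
    small = {"id": 1, "tenant": "acme", "amount": 15_000}
    large = {"id": 2, "tenant": "acme", "amount": 25_000}
    results = {
        "admin_small_approval": kernel.decide(admin, "update", "payments", ["status"], small),
        "admin_large_approval": kernel.decide(admin, "update", "payments", ["status"], large),
        "clerk_read_iban": kernel.decide(clerk, "read", "payments", ["id", "amount", "iban"], small),
        "clerk_delete": kernel.decide(clerk, "delete", "payments", None, small),
        "admin_other_tenant": kernel.decide(admin, "read", "payments", ["id"],
                                            {"id": 3, "tenant": "globex"}),
    }
    return results, kernel.audit


if __name__ == "__main__":
    results, audit = demo()
    for name, (decision, allowed) in results.items():
        print(f"{name:22s} -> {decision:8s} {sorted(allowed)}")
    for entry in audit:             # each line names the real user, not a technical user
        print(json.dumps(entry))
```

Each audit entry carries user ID, role, tenant and location alongside the table, the requested and permitted fields and the rule names that fired, which is what makes the log useful for the alerts, BI queries and DWH analyses mentioned above, as opposed to a log that only ever shows the application's shared database account.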
The configurator, on the "input side", can be integrated with existing Identity & Access Management (IAM) solutions.
Furthermore, the monitoring and reporting can be transferred to proven DWH/BI solutions such as SIEM suites (Security Incident & Event Management).