Below we present a graphical overview of the solution that illustrates how Active Directory (Entra ID), Identity Stack and MitID Erhverv are connected and how these components interact within the system.
Active Directory (Entra ID)
On the left-hand side, each organization's directory (an Entra ID tenant, formerly Azure AD, which this page refers to as the organization's Active Directory) is onboarded as a tenant within the Identity Stack solution. The connection is established through an Entra ID Enterprise Application: an administrator in the organization's tenant consents to the Identity Stack application, which grants it read-only permissions to the directory. With this access, Identity Stack monitors the directory and reacts to changes. For instance, when a user is added to or removed from a group, Identity Stack responds accordingly: the user is invited to acquire a MitID Erhverv business identity or, conversely, has an existing MitID Erhverv business identity revoked. Since the Enterprise Application is Identity Stack's only foothold in the tenant, the permissions listed on it after consent are what an organization should review to confirm that they are indeed limited to reading.
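As an added illustration of the group-driven lifecycle described above (example code written for this page, not Identity Stack's own implementation), the following Python turns one page of Microsoft Graph group-change data into invite and revoke actions. The input is a constructed payload modelled on the `members@delta` annotation returned by `GET /groups/delta?$select=members`; the object ids are placeholders, and the integration's own record of who already holds a business identity is represented by a plain set.

```python
import json

# Constructed sample, modelled on one entry of a Microsoft Graph
# GET /groups/delta?$select=members response. Object ids are placeholders,
# not real directory ids. A member removed since the previous delta carries
# an "@removed" annotation; other members are additions or unchanged.
SAMPLE_GROUP_DELTA = json.loads("""
{
  "id": "group-mitid-erhverv-users",
  "members@delta": [
    {"@odata.type": "#microsoft.graph.user",  "id": "user-alice"},
    {"@odata.type": "#microsoft.graph.user",  "id": "user-bob",
     "@removed": {"reason": "deleted"}},
    {"@odata.type": "#microsoft.graph.group", "id": "group-nested-team"},
    {"@odata.type": "#microsoft.graph.user",  "id": "user-carol"}
  ]
}
""")


def plan_actions(members_delta, provisioned):
    """Derive MitID Erhverv lifecycle actions from one group's members@delta list.

    provisioned is the integration's own record: the set of directory user ids
    that currently hold a business identity issued through it. Returns a list of
    (action, user_id) tuples and the updated record. The function is idempotent:
    replaying the same delta page against the updated record yields no actions.
    """
    actions = []
    state = set(provisioned)
    for member in members_delta:
        # Nested groups, devices and service principals can appear among members
        # but cannot hold a business identity. Delta does not expand nested groups
        # transitively, so only direct user members are acted on here.
        if member.get("@odata.type") != "#microsoft.graph.user":
            continue
        user_id = member["id"]
        if "@removed" in member:
            # Removed from the group (or deleted from the directory): revoke, but
            # only if this integration actually issued an identity for the user.
            if user_id in state:
                actions.append(("revoke", user_id))
                state.discard(user_id)
        elif user_id not in state:
            # Present in the group and not yet provisioned: invite.
            actions.append(("invite", user_id))
            state.add(user_id)
    return actions, state


if __name__ == "__main__":
    # alice already has an identity; bob has one but was just removed; carol is new.
    already_provisioned = {"user-alice", "user-bob"}
    actions, record = plan_actions(SAMPLE_GROUP_DELTA["members@delta"], already_provisioned)
    for action, user_id in actions:
        print(f"{action:7} {user_id}")
    # Replaying the same page against the updated record must be a no-op.
    again, _ = plan_actions(SAMPLE_GROUP_DELTA["members@delta"], record)
    assert again == []
```

In a real run the `members@delta` list comes from the Graph response and the returned `deltaLink` is persisted between polls; the resulting invite and revoke actions are then carried out against MitID Erhverv using the organization's system certificate. Keeping the integration's own record of issued identities, rather than trusting group membership alone, is what makes revocation safe: a user who was never provisioned by the integration is never revoked by it.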
On the right-hand side are connections to one or more MitID Erhverv organizations. This is especially useful for conglomerates comprising multiple legal entities, such as holding companies, operating companies, investment vehicles and partners: all of their business identities across the various subsidiaries can be managed from one directory. Each connection is established with a system certificate issued by MitID Erhverv to that organization. Once uploaded to the Identity Stack solution, the certificate lets Identity Stack act on the organization's behalf in MitID Erhverv, creating and removing business identities. Because the certificate authorises actions in the organization's name, it is a high-value credential: its private key needs the same protection as any other administrative credential, and the certificate must be renewed before it expires so that provisioning and revocation do not silently stop.
Identity Stack is built on the principle of security by design. Administrative rights within the organization are scoped and time-limited, and are available only to trusted employees through Privileged Identity Management (PIM), so there is no standing administrative access. All data is encrypted both in transit and at rest. To protect user privacy, all personally identifiable information is pseudonymised: the stored data cannot be attributed to a specific individual without additional information that is held separately. Note that pseudonymised data still counts as personal data under the GDPR, so the other data protection measures continue to apply to it. Following the principle of least privilege, Identity Stack requests only the permissions it needs to carry out its tasks; in particular, it requires only read access to the directory and no write access.
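The read-only claim above is something an organization can verify on its own side of the integration. As an added example (not Identity Stack code; the page does not name the specific permissions it is granted), the following Python resolves an Enterprise Application's application permissions to their names and flags anything that is not read-only. The two inputs are constructed payloads modelled on `GET /servicePrincipals/{id}/appRoleAssignments` and on the `appRoles` list of the Microsoft Graph service principal (appId `00000003-0000-0000-c000-000000000000`); the role ids are placeholders, not Graph's real appRole GUIDs.

```python
import json

# Constructed sample, modelled on the shapes Microsoft Graph returns for
# GET /servicePrincipals/{id}/appRoleAssignments (what the Enterprise Application
# has been granted) and for the appRoles of the Microsoft Graph service principal
# (which maps an appRoleId to a permission name). The ids are placeholders, not
# Graph's real appRole GUIDs; role-0003 and role-9999 are deliberately included
# as the kind of findings a reviewer should catch.
GRAPH_APP_ROLES = json.loads("""
[
  {"id": "role-0001", "value": "User.Read.All",           "allowedMemberTypes": ["Application"]},
  {"id": "role-0002", "value": "Group.Read.All",          "allowedMemberTypes": ["Application"]},
  {"id": "role-0003", "value": "Directory.ReadWrite.All", "allowedMemberTypes": ["Application"]},
  {"id": "role-0004", "value": "Mail.Send",               "allowedMemberTypes": ["Application"]}
]
""")

APP_ROLE_ASSIGNMENTS = json.loads("""
[
  {"appRoleId": "role-0001", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "role-0002", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "role-0003", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "role-9999", "resourceDisplayName": "Microsoft Graph"}
]
""")


def is_read_only(permission):
    """True for Graph permission names whose action segment is Read
    (User.Read.All, Group.Read.All, User.Read); False for ReadWrite, Send,
    AccessAsUser and anything else, including names without an action segment."""
    parts = permission.split(".")
    return len(parts) >= 2 and parts[1] == "Read"


def audit_app_permissions(assignments, resource_app_roles):
    """Resolve each app role assignment to its permission name and report
    anything that is not read-only. Returns (granted_names, findings)."""
    names_by_id = {role["id"]: role["value"] for role in resource_app_roles}
    granted, findings = [], []
    for assignment in assignments:
        name = names_by_id.get(assignment["appRoleId"])
        if name is None:
            # An id that does not resolve against the resource's current appRoles
            # deserves attention rather than silence.
            findings.append(
                f"unresolved appRoleId {assignment['appRoleId']} "
                f"on {assignment.get('resourceDisplayName')}"
            )
            continue
        granted.append(name)
        if not is_read_only(name):
            findings.append(f"write-capable permission {name}")
    return sorted(granted), findings


if __name__ == "__main__":
    granted, findings = audit_app_permissions(APP_ROLE_ASSIGNMENTS, GRAPH_APP_ROLES)
    print("granted:", ", ".join(granted))
    for finding in findings:
        print("FINDING:", finding)
```

The same data is visible in the Entra admin center under the Enterprise Application's Permissions blade. Application permissions (app role assignments) are what a service like this uses to read the directory unattended; delegated grants, which live in `oauth2PermissionGrants` as a space-separated scope string, are a separate list and should be reviewed with the same rule.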
Furthermore, all entities within the system use passwordless authentication, which removes the risks tied to password-based credentials, such as phishing and credential reuse. Identity Stack is designed to support the Danish National Standard for Identity Assurance Levels (NSIS), which requires an annual external audit of the solution. The signing keys are stored in a Hardware Security Module (HSM) certified to FIPS 140-2 Level 3 and to Common Criteria EAL4+, the level referenced under eIDAS for such devices, so that private keys are generated and used only inside tamper-resistant hardware.