Globeteam

NSIS

Peter Langvad - Globeteam

Feel free to contact me if you want to hear more

Compliance

NSIS solutions for the private and public sectors, including finance, insurance, state and municipality

In 2022, NemID will be replaced by MitID, and employee signatures (MOCES) will be replaced by corporate identities. At the same time, the Agency for Digitisation will introduce several new requirements for the authentication of IT users, which are described in the so-called National standard for identity assurance levels (NSIS). This means that you will have to assess how your existing solutions for access and user management are to be adapted to the new public infrastructure.  

Globeteam offers modular NSIS solutions, meaning the solution we provide can be tailored to meet your specific needs, whether that is on premise or in the cloud. You can start small and choose a basic IdP solution that solves some of the challenges related to NSIS, then expand upon it later if your needs change. Or you can choose an extended solution that digitalises all processes in relation to NSIS and provides full compliance with the standard. We can also help you with the larger compliance work involved with the solution. 

NSIS sets out several requirements for you as an organisation if you either use or offer digital self-service solutions for corporate users. The same requirements will be valid for self-service solutions for citizens, when they change from NemID to MitID in late 2021 or in the beginning of 2022. 

Therefore, first and foremost, you need an overview of what is required of you in order to comply with the standard and how best to approach the task. 

But what is NSIS exactly?

NSIS is the Danish version of the EU eIDAS regulation, the purpose of which is to create a common framework of trust in digital identities, and it affects all public systems within digital identity services. Among other areas, it affects health, tax services, courts, finance and insurance sectors and citizen services, and therefore it affects all those people who must access systems in those areas. The standard also requires that identities and users of applications in the future should be identified with one of three security levels: low, substantial or high. This is done by establishing a local IdP for authentication, among other things.

Why use a local IdP or IdM?

Today, you use employee signatures that might be managed locally by you via the so-called “local signature server solution” (LSS). However, employee signatures will no longer be valid, and, therefore, you will have to switch to another method of creating and authenticating your (corporate) users against public IT systems.  

You can choose to administer users directly in the new joint public NemLog-in solution that will also manage corporate identities in the future. This means that everything will be done manually. 

Alternatively, you can use a concept that in NSIS terminology is called “local IdP” (Identity Provider) and/or “local IdM light”.

With NSIS local IdM light, you can synchronise all your user identities with NemLog-in. One of the advantages of this is that you can be certain that all relevant users always have access to creating a profile at NemLog-in and can run their login for the public systems from there. The users will also be deleted when they leave the company. 

With an NSIS local IdP, you assume responsibility for authenticating identities against the public systems, which gives users a number of advantages, for example single sign-on for the public systems based on your existing login solution (typically Microsoft AD or Microsoft Azure AD).

However, establishing a local IdP solution also increases your audit burden significantly, as you will likely have to put together an annual statement of assurance for the Agency for Digitisation, documenting your compliance with relevant NSIS controls within your daily work.  

Therefore, we offer various extra modules for our local IdP solution that make it possible to digitise practically all the processes involved in the assurance.  

Our NSIS solutions: local IdP and more

Globeteam offers a solution model that consists of an IdP basic solution and two expansion modules. Each element of our solution is developed with the aim of achieving the largest possible automation and digitisation of the NSIS requirements. Our solution structure also provides flexibility to match your needs and ensures a high level of user-friendliness for the end-user.  

We can deliver your solution either as software that is installed locally with you or as a Managed Service, where we take care of the operation of the solution and, at the same time, are responsible for the work with and the expenses of developing the required statement of assurance for the majority of the NSIS controls.  

Basic solution: NSIS local IdP

The basic solution can authenticate MitID users for NemLog-in3 and the other public, digital infrastructure based on your own Active Directory (AD) or Azure AD. 

It supports all requirements for an NSIS local IdP and complies with NSIS security levels “low” and “substantial”. This includes multifactor authentication (MFA) with, for example, Microsoft/Google Authenticator, Android and iOS phones, Windows Hello, OS2faktor and most other hardware tokens.

With this solution, you can offer users the advantage of only having one identity to administer, which gives them single sign-on for all your systems and all the joint public systems. At the same time, they are only asked to carry out an MFA login when they go from NSIS level “low” to a system that requires the level “substantial”.

The basic solution works with all operational models, whether you have an on premise or cloud-based infrastructure, and it can be integrated with your current AD FS, Azure AD, Safewhere Identify or another common federation solution. 

It is important to note that your IT infrastructure will not be connected to the IdP solution in any way, either in terms of security or in terms of operation. The solution integrates with your infrastructure via federation standards such as WS-Federation, SAML 2.0, OpenID Connect or similar, and it does not require an exchange of passwords or other security information.

The solution also provides the following advantages:  

Synchronisation module

This module adds automatic user creation to the basic solution and, thereby, removes the last of the manual tasks in connection with creation of NSIS users against NemLog-in.  

User creation is done by automatic synchronisation from your Directory, Azure AD or Safewhere Identify to NemLog-in. 

This module can also be used as an independent solution if you do not want an NSIS local IdP and, thus, only need to automate on-boarding and off-boarding of your users with NemLog-in.

This means functionality corresponding to what in NSIS terminology is called a “local IdM light”. 

Process module

The complete solution digitalises and optimises the processes required under NSIS by enrolling employees and issuing electronic means of identification. 

Users with NemID/MitID can do automatic enrolment themselves and administer their own MFA login in the solution, so that you completely avoid manual work tasks in that context.  

Where there is manual on-boarding for users without NemID/MitID, and identity needs to be proven with passport/driver’s license or witness testimony at enrolment, the majority of case review processes are also automated within this solution. 

The process module also automatically generates a complete compliance and documentation trail for your review.  

Furthermore, there are several possible adaptations and expansions, including coverage of automatic enrolment of employees from other EU countries.  

NSIS advice and audits

Globeteam offers advice about the organisational implementation of NSIS processes, as well as design and implementation of IdP or another NSIS solution. 

To ensure that you get off on the right foot with the legal and technical audit requirements, we have also established a collaboration with a professional IT audit company that can carry out the audit on your side at a good price.  

Why choose Globeteam as your NSIS provider?

You should choose us because we are the most experienced in Denmark when it comes to delivering solutions within this very specialised field, usually referred to as “identity federation”. 

Since 2006, Globeteam has delivered both large and small identity federation solutions within different industries. Many of our simple solutions were based on Microsoft’s identity federation server AD FS (Active Directory Federation Services), for which we have also developed several extra modules over time.  

We also delivered some very large and complex solutions based on the product Safewhere Identify, which excels in being the only identity federation server to contain full support for the Danish standards OIO IDWS, OIOSAML and OIOSAML Local IdP Profile and all the common international identity federation standards, among others.

Therefore, it is, for example, Safewhere Identify that manages the many millions of yearly logins that occur at The Agency for Modernisation of Public Administration, KOMBIT (Support systems and access control for systems and users), and The Danish Environmental Portal.

Public Denmark is finally moving to identity federation in connection with the implementation of eIDAS via the new NemLog-in and MitID in 2021, yet another reason why we are the obvious choice of collaborative partner.