SeLF allows you to integrate the Self-Sovereign Identity into your infrastructure without modifying your legacy IT-applications, directories or management systems. SSI credential-based access rules (CrBAC) transform the new technology into authentication and authorization objects that can be synchronized and used by conventional technologies like SAML or LDAP.

Read our new whitepaper [German only] on identity & access management using Self-Sovereign Identity!

SOLUTION

Employees are the most valuable assets for companies. Providing convenient and efficient identity and access management can be difficult, especially in large scale organisations with a diverse application landscape and complicated heterogeneous solutions. Yet, implementing easy-to-use, coherent I&A services can free up resources and empower your organisation.

With SeLF, there is no need to worry about legacy solutions, as applications are easily connected using existing standards like SAML and LDAP. Credentials are stored on an employee’s phone or mobile device, authenticated using SeLF and compared with credential definitions residing in the Sovrin network ensuring authenticity through more than 50 internationally distributed nodes.

While this process makes logging in more convenient for employees – once implemented, scanning a QR code is sufficient – it also provides easy and efficient controls around joiner, mover, leaver and segregation of duties (SoD) processes. Using SeLF, privilege revocation can be reliably achieved by simply adding a revocation entry to the ledger.

Technical Details

SeLF is implemented in concerted microservices and Docker container technology.
This modular architecture of SeLF allows replacing individual containers with different software solutions.
It can run on a Kubernetes or OpenShift in the cloud or on-premises.
The core service comes with a fully functional REST API that allows building own interfaces or UIs.
All data is persisted with a modern and fast graph database (like Neo4J).
Out of the box audit trail due to comprehensive log and event aggregation, for instance using Graylog and Elasticsearch.
Integrates with existing infrastructure, e.g. via SAML, LDAP, Active Directory, RACF and OAuth 2.

Functional Details

Individual UI for application owners, credential distributors and end users.
Native implementation of CrBAC (credential-based access control), a SSI-specific interpretation of ABAC (attribute-based access-control).
Credential distributors can assign and revoke credentials (i.e. employment, project assignment or business role) to identities.
Application owners can define credential rules that result in access entitlements.
Enablement of segregation of duties (SoD) and the principle of least privilege.
SeLF helps you to comply with regulatory standards like GDPR, ISO 2700x, 24760 for identity management and MaRISK/BAIT.
SeLF allows access reviewers to review business facts rather than examining cryptic entitlement names.

The Sovrin Network- Making Self-Sovereign Identity a Reality from Sovrin Foundation on Vimeo.

BENEFITS

SeLF benefits your employees as well as your organisation on several layers, from different perspectives.

DECISION MAKERS

Your Goal:
Chasing the company’s strategy and pushing business efficiency.

WHY SeLF?

Bound resources for manual administration of users are being released and costs being reduced.

Seamless documentation of all transactions backs up compliance and regulatory demands.

Technical integration supports cultural and emotional integration into and identification with the organisation.

TECHIES

Your Goal:
Securing the company’s operations and promoting cutting-edge solutions.

WHY SeLF?

Increased efficiency and security through seamless integration into legacy systems.

Ensured data consistency by leveraging a single trustworthy framework.

Promoting innovativeness using leading-edge technology guaranteeing future-readiness.

USERS

Your Goal:
Reduced administrative efforts to focus your capacities on what matters for your work.

WHY SeLF?

Increase your daily work experience by getting rid of account names and passwords.

Get the right access at the right time.

Always have an overview of your access rights using a single app on your mobile phone.

ABOUT

SeLF Fingerprint SeLF is a solution developed by the esatus AG, an information security specialist with a strong focus on Identity & Access (I&A). In alignment with its mission «Enforcing Information Security» and being vendor neutral, esatus AG offers conceptual and implementation support across a wide range of solutions.

SeLF Blockchain Starting out offering services around I&A in the financial sector, today esatus AG supports clients from various industries in their I&A challenges. Navigating the extensive regulations institutions face, esatus AG was able to develop in-depth knowledge. All this experience is now available in the SeLF solution suite.

esatus’ commitment to research and steady curiosity about new technologies naturally led to a strong engagement in blockchain technologies. Sensing the emerging technology’s potential for application in an I&A context, esatus AG has been promoting Self-Sovereign Identities since 2016 referring to it as BYOI (Bring Your Own Identity, see papers below). Creating SeLF was the natural path to follow.

I&A über Blockchain managen

06/2016

I&A per Blockchain

08/2017

Bundesblock: Positionspapier

10/2017

I&A mit der Blockchain

05/2016

TeleTrusT-Positionspapier Blockchain

03/2017

Bring Your Own Identity

06/2017

Blockchain trifft Digital Identity

06/2018

Digitale Identität in der Blockchain

06/2017

ASSOCIATES

The Sovrin Network is an open source project aiming to provide a global public utility for Self-Sovereign Identity, which enables users to personally manage their digital IDs online. As one of the founding Stewards of the Sovrin Foundation, esatus AG is responsible for operating a node maintaining the distributed ledger and uses the Sovrin Network to facilitate the core functionalities of SeLF.

MyData is a human centred approach in personal data management that combines industry need to data with digital human rights. The core idea is that we, you and I, should have an easy way to see where data about us goes, specify who can use it, and alter these decisions over time. CIO Dr. André Kudra signed the MyData Declaration on behalf of esatus AG, demonstrating commitment to the principles of the foundation.

The IT Security Association Germany (TeleTrusT) is a strong competence network for IT security comprising members from industry, administration, consultancy and research as well as national and international partner organizations with similar objectives. esatus AG is holder of the TeleTrusT’s “IT Security made in Germany” seal, certifying that it provides trustworthy IT security solutions.

The Alliance for Cybersecurity was founded in 2012 by the German Federal Office for Information Security and aims at strengthening the German economy’s and society’s resistance against cyber-attacks. esatus AG is a partner in the alliance and offers workshops and trainings for its members and partners.

The International Organization for Standardization (ISO) is an independent, non-governmental international organization with a membership of 164 national standards bodies. esatus AG takes part in the work of the ISO/TC 307 aiming at the “Standardisation of blockchain technologies and distributed ledger technologies.”

Deutsches Institut für Normung (DIN), the German Institute for Standardization, is the German national body of ISO. esatus AG contributed to the DIN SPEC 3103, which is going to specify standards for “Blockchain and distributed ledger technologies in application scenarios for Industry 4.0”.

WALLET APP

CONTACT

Rheinstraße 5 | 63225 Langen | Germany

Dr. André Kudra

CIO

Phone

+49 6103 9029-0

E-Mail

a.kudra@esatus.com

Sebastian Weidenbach, CISSP

CTO

Phone

+49 6103 9029-0

E-Mail

s.weidenbach@esatus.com

Legal Notice

esatus AG - Rheinstraße 5 - 63225 Langen - Germany - Phone +49 6103 90295-0

Executive Board: Juergen Eichhoefer (CEO), Dr. Andre Kudra (CIO) - Supervisory Board Chairwoman: Christine Eichhoefer

Commercial Register: Local Court Offenbach - HRB 43779

VAT No. DE211198537

Person in charge for the content according § paragraph 3 MDStV: Juergen Eichhoefer (address see above)

1. Content: The author reserves the right not to be responsible for the topicality, correctness, completeness or quality of the information provided. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect,will therefore be rejected. All offers are not-binding and without obligation. Parts of the pages or the complete publication including all offers and information might be extended, changed or partly or completely deleted by the author without separate announcement.

2. Referrals and links: The author is not responsible for any contents linked or referred to from his pages - unless he has full knowledge of illegal contents and would be able to prevent the visitors of his site fromviewing those pages. If any damage occurs by the use of information presented there, only the author of the respective pages might be liable, not the one who has linked to these pages. Furthermore the author is not liable for any postings or messages published by users of discussion boards, guestbooks or mailinglists provided on his page.

3. Copyright: The author intended not to use any copyrighted material for the publication or, if not possible, to indicate the copyright of the respective object. The copyright for any material created by the author is reserved. Any duplication or use of objects such as images, diagrams, sounds or texts in other electronic or printed publications is not permitted without the author's agreement.

4. Legal validity of this disclaimer: This disclaimer is to be regarded as part of the internet publication which you were referred from. If sections or individual terms of this statement are not legal or correct, the content or validity of the other parts remain uninfluenced by this fact.

Data privacy statement

Thank you for your interest in SelF, our company and your visit to our website. A use of our website is basically possible without providing personal data. However, special services of our website may require the processing of personal data. If processing of personal data is required, there is either a legal basis for processing or we obtain your consent. In doing so, the regulations of the General Data Protection Regulation and country-specific data protection regulations are observed.

In the course of this data privacy statement, esatus AG would like to inform about the type, scope and purpose of the collected, used and processed personal data and comply with the duty of transparency, in particular by clarifying the rights of persons concerned.

1. Contact details of the responsible person and the data protection officer

Responsible for data processing:

esatus AG
Rheinstraße 5
63225 Langen

Tel.: +49 6103 90295-0
Mail: info@esatus.com
Website: www.esatus.com

Data protection officer:

Tel.: +49 6103 90295-0
Mail: dsb@esatus.com

2. General information about data processing

Regardless of the visit to this website, esatus AG only processes personal data:

To initiate employment relationships and contractual relationships
To carry out contractual or legal obligations
To carry out the electronic communication (e-mailing)
For documentation of the customer and order history
To use photos from events for promotional purposes
For other purposes, which are explicitly indicated on consent declarations

The personal data are processed on the basis of the following legal bases:

On the basis of a declaration of consent (Art. 6 para. 1 lit. a GDPR), e. g. when using photos of events
For initiating or fulfilling contractual relationships (Art. 6 para. 1 lit. b GDPR), e. g. in the execution of consulting services
To fulfill legal obligations (Art. 6 para. 1 lit. c GDPR), e. g. if data is forwarded to appropriate authorities
To be able to respond to incoming requests in order to safeguard legitimate interest and thus to process e-mail addresses (Art. 6 para. 1 lit. f GDPR)
For the decision to establish an employment relationship (§26 BDSG)

Specific data processing operations on this website are defined below. If you are a customer, supplier, partner or other interested party whose data are processed even without visiting this website, please note in particular points 6, 7 and 8 of this privacy policy.

3. Collecting general information

We automatically save information in our logfiles, which your browser transfers during page access. These are:

Browser type / and version
Used operating system
Referer URL (the previously visited website)
IP address of the accessing computer
Time and date of the server request

These data serve the statistical evaluation of the use of our service as well as the fight against abuse (in particular by automated mass access) and are not assignable for us to particular and / or determinable persons (legitimate interest of the data processing according to Art. 6 para.1 lit. f GDPR). A combination of this data with other data and data sources will not be made.

4. Contact via the website

If an affected person contacts esatus AG by e-mail, personal data voluntarily communicated will be automatically saved for the purpose of processing or contacting (legitimate interest in the processing of data according to Art. 6 para.1 lit. f GDPR).

5. Integration of external videos

Our website uses features provided by the Vimeo video portal. This service is provided by Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA. If you visit one of our pages featuring a Vimeo plugin, a connection to the Vimeo servers is established. Here the Vimeo server is informed about which of our pages you have visited. In addition, Vimeo will receive your IP address. This also applies if you are not logged in to Vimeo when you visit our website or do not have a Vimeo account. The information is transmitted to a Vimeo server in the US, where it is stored. If you are logged in to your Vimeo account, Vimeo allows you to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your Vimeo account. For more information on how to handle user data, please refer to the Vimeo Privacy Policy at https://vimeo.com/privacy.

As a suitable guarantee pursuant to Article 46 GDPR, Twitter complies with the data protection provisions of the "Privacy Shield" agreement and is registered with the "Privacy Shield" program of the US Department of Commerce. You can find out more at: https://www.privacyshield.gov

6. Twitter

Our website links to twitter (Twitter, Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA). When you access the link, a connection is established between your browser and the Twitter servers. During this process, data is already transferred to Twitter. If you have a Twitter account, this data can be linked to it. If you do not wish this data to be assigned to your Twitter account, please log out of Twitter before visiting our site. For more information, please visit twitter.com/privacy.

7. Deletion and blocking of personal data

If the purpose of a processing ends or a legally prescribed storage or archiving period expires, the personal data will be deleted or blocked in accordance with the statutory provisions.

8. Rights of persons concerned

All subsequent rights of persons concerned may be claimed at any time, e.g. by request by mail to info@esatus.com. By addressing by e-mail or addressing an employee, the request will be processed and executed without delay.

8.1. Right to confirmation

Concerned persons have the right to ask for confirmation of the processing of personal data concerning them.

8.2. Right to information

Affected persons have the right to request information about their personal data free of charge and to receive a copy of them. In addition to the copy, the following information is provided:

Processing purposes
Categories of personal data
Recipients or categories of recipients in third countries or international organizations
If possible, the planned duration of the storage of personal data and, if this is not possible, the criteria for determining the duration
The existence of further rights of concerned persons, the existence of a right of appeal with a supervisory authority
The existence of automated decision making including profiling
If the personal data were not collected from the concerned person, all available information about the origin of the data

In addition, should the data be transmitted to a third country or an international organization, appropriate guarantees, such as the use of EU standard contractual clauses, will be communicated.

8.3. Right to correction

Concerned persons have the right to request a correction of incorrect personal data and to demand a completion of incomplete data, taking into account the purposes of the processing.

8.4. Right to be deleted or right to be forgotten

Concerned persons have the right to request the deletion of their personal data, which will be deleted immediately upon request, if one of the following reasons applies and processing is not required:

The personal data has been collected for purposes or otherwise processed for which they are no longer necessary
The concerned person revokes their consent to processing and it lacks any other legal basis for processing
The concerned person objects to the processing and there are no high-level legitimate reasons for processing or the concerned person objects to direct mail
The personal data were processed unlawfully
The deletion of the data is required to fulfill a legal obligation
The personal data were collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR

If esatus AG has made personal data of the concerned person public and is required to delete it in accordance with Art. 17 para. 1 GDPR, esatus AG takes appropriate measures, taking into account the available technology and the implementation costs, to inform other data controllers who are responsible for the data processing published personal data, to inform that the concerned person has requested the deletion of any links to such personal data or copies of such personal data from these other data controllers unless the processing is required.

8.5. Right to restriction of processing

Concerned persons have the right to restrict processing if one of the following conditions is met:

The accuracy of the personal data is disputed by the concerned person (for a period that allows an examination by the person in charge)
The processing is unlawful, but the concerned person refuses to delete it and requires a restriction of use
The person in charge no longer needs the data for the purposes of the processing, but the concerned person requires it for asserting or exercising or defending legal claims
The concerned person has objected to the processing and it is not yet clear whether the legitimate reasons of the person responsible or the legitimate interests of the person concerned outweigh

8.6. Right to data portability

Concerned persons have the right to data portability. This right entitles concerned persons to receive their personal data in a structured, common and machine-readable format. The concerned person therefore has the right to transfer this data to another person responsible or to request the transfer from the former person responsible to the new person responsible.

8.7. Right to objection

The concerned person may object to data processing based on a "legitimate interest" (Art. 6 para. 1 lit. f GDPR). As a result, further data processing is prohibited unless it can demonstrate compelling legitimate grounds for processing that outweigh the interests, rights and freedoms of the concerned person, or the processing is for the purpose of enforcing, pursuing or defending legal claims. If esatus AG processes personal data for direct mail, an objection can be filed at any time.

8.8. Automated decisions in individual cases including profiling

As a responsible company we refrain from automatic decision-making or profiling.

8.9. Right of withdrawal

Concerned persons have the right to withdraw consent to processing at any time.

8.10. Right of appeal to the supervisory authority

If you have the impression that the processing of your data violates data protection law or your data protection claims have been violated in any way, you can complain to the Hessian Data Protection Officer.

9. Recipient of personal data

The recipients of personal data on this website, besides esatus AG, is the CJe GmbH (www.cje.de) through the webhosting of this website. It is only about personal data collected that your browser automatically provides (see point 3) and personal data provided in case of contacting the esatus AG via e-mail (see point 4). In order to guarantee data protection compliant transmission, a corresponding order processing contract was concluded. Regarding personal data received by Vimeo or Twitter, please refer to the privacy policies under point 5 and 6.

If you are a customer, partner, supplier or other interested party of esatus AG and you are in contact with us through contractual relationships or other requests, it may happen that processors, such as IT support service providers or cloud providers gain access to personal data from you. In addition, cooperations with third parties to fulfill a contractual relationship may be necessary. A transfer of personal data to a third country outside the EU does not take place.

In addition, if required by law, your personal information may be forwarded to the appropriate authorities.