ENISA Indispensable baseline security requirements for the procurement of secure ICT products and services

MidPoint is a leading identity governance and administration (IGA) platform. As such, midPoint is a foundation stone for cybersecurity practices in almost every organization. Therefore, midPoint supports cybersecurity mechanisms of other applications, systems and services.

Naturally, midPoint itself is designed with security in mind since the very beginning. MidPoint architecture divides the system to subsystems and components with clearly defined responsibilities. The architecture is reflected in midPoint source code.

Following features demonstrate adherence to security by design principle:

While midPoint is a comprehensive and very flexible platform, individual features can be activated or deactivated using authorization mechanism, thus reducing the functionality to necessary minimum.

MidPoint does not contain any malware, spyware, hidden functionalities, un-documented backdoors or any other unapproved or unwanted functionalities such as non-authorised data forwarding.

Least privilege principle is at the very core of midPoint, both internally as an application and externally, as an identity governance and administration (IGA) platform.

Authorization mechanism can be used to control access to data and functionality on a very fine-grained level, which allows to grant users access to the very minimal set of data and functionalities. Authorization statements are naturally integrated with role-based access control (RBAC) framework, allowing design of roles that perfectly match responsibilities of every user. Authorization framework, together with RBAC is used to support delegated administration scenarios. Dynamic, policy-based RBAC is used to automatically assign and unassign roles based on the organizational assignment of the user, user attributes, responsibilities and other characteristics, automatically reducing user privileges when not needed.

Access certification mechanism can be used to systematically review user privileges, reducing them as necessary.

MidPoint administration user interface can be used to manage user accounts, as well as roles and privileges. This functionality is also provided by RESTful application programming interface (API). The functionality also includes management of technical and service accounts. MidPoint provides password management features with support for password policies.

Flexible authentication mechanism can be used to set up complex authentication schemes for access to midPoint, including multi-factor authentication. As the name suggests, authentication schemes can be flexibly adjusted for various scenarios to fit specific needs of each individual organization.

Privileges of every individual user can be controlled using authorization mechanism, which includes service accounts. As long as service accounts are not explicitly authorized to access user interface, they will not be allowed interactive log-on.

Authorization mechanism is used to control access to data stored in midPoint repository on a very fine-grained level. Authorizations are enforced independently on several levels, bound to midPoint architecture and component structure.

Passwords are stored in midPoint in hashed or encrypted forms only. Unique cryptographic key is generated for every deployment at the first start of the system, stored in local Java key store. Standard cryptographic libraries and algorithms of Java platform are used for cryptographic operations.

MidPoint is distributed from Evolveum web site, protected by standard HTTPS mechanism, providing transfer protection as well as assurance of origin.

MidPoint distribution files are signed using standard Java platform method (JAR signing). Authenticity of the files is checked at the start of the system.

Moreover, complete source code of midPoint is publicly available, published on reputable platform (github), which can be used for independent checks of the code, as well as build artifacts.

Complete documentation of midPoint is publicly accessible on docs.evolveum.com, Evolveum documentation site. This includes installation documentation, reference documentation, architectural documentation, developer documentation, even a publicly accessible book about use of midPoint.

The documentation is updated for each release of midPoint. Source code of midPoint documentation is available too, providing access to full documentation change history.

Moreover, complete source code of midPoint is publicly available under an open source license, allowing unlimited access to knowledge about internal workings of midPoint.

Security of midPoint code is regularly monitored, including monitoring of security and vulnerability of midPoint dependencies (libraries and components used by midPoint). This process is partially automated. Regular upgrade and update of dependencies is a native part of midPoint development process. MidPoint has well-established development and support mechanism, including public roadmap and predictable schedule of releases with matching support programs. Security advisories are published whenever security issue is discovered. New maintenance version of midPoint is released when necessary.

Dedicated security guide is publicly available, describing security properties of midPoint. MidPoint was subject of several penetration tests and security scans, results of which were incorporated into midPoint development. MidPoint was part of European Union Free and Open Source Software Auditing (EU-FOSSA2) project.

MidPoint has well-established development and support mechanism, including public roadmap and predictable schedule of releases with matching support programs. Support lifetime of each release is clearly stated for each release. Maintenance versions are released as necessary, especially as a reaction to security issues. Fixes for security issues are prioritized, and are immediately made available for all midPoint users regardless of their support program. Responsible disclosure practices are documented in midPoint security guide.

MidPoint is developed completely in European Union. MidPoint development, distribution, support and all related activities are completely guided by EU law.

MidPoint is an on-premise software product. All data stored in midPoint are maintained within the system, unless midPoint is explicitly configured by the operator to do otherwise. MidPoint is not collecting or forwarding any data, except those channels that are explicitly configured by operator.