Invotra has launched their own extranet functionality, called ‘Invotra Portal’. It’s a product option to add to your existing Invotra intranet, and it allows you to give intranet access to those important key stakeholders and third-party users who contribute to the successful running of your business.
Collaboration within your workforce is key, it’s important to keep everyone engaged within the business. That’s what an intranet is for right? It’s a private space within the organisation where staff can report on news and events, share and create resources and communicate internally to get stuff done. It’s ultimately allowing you to build a creative, efficient and collaborative culture.
Our portal is an extension to Invotra, it allows those important, authorised external users to connect to your intranet and create, exchange and contribute key information in a secure way.
Note I’ve highlighted the word ‘authorised’; security is the core of Portal. There are two important security aspects that Invotra does to provide a secure product. Authorisation and Authentication.
Managing external users
Webmasters have control over managing external users and what they can have access to. A little bit of context for those readers who may not know Invotra too well yet, a ‘Webmaster’ has the largest amount of permissions within Invotra. Webmasters can utilise almost all of the functionality on the site including creating/deleting users – they control the workflow of all content and they are generally the web-master!
Webmasters can give access to a user outside of the organisation by assigning the authorised user the ‘External role’. External users are limited to this role only. ‘Least privilege’ is a core security best practice, this is ultimately preventing accidental privilege escalation.
We know that external users are given their own role, but they also have their own set of permissions. During our requirements phase, our product team identified the different types of users that would use the portal functionality, both currently and potentially in the future. It was also vital to know what we wanted these users to be able to achieve.
An external user needs to engage with content, interact with other users and at the end of the day, get their job done in the most efficient way.
External users will be redirected to a homepage specifically designed for them. This homepage can look different and feature different content to other user types.
Content restriction is an essential part of Portal. Site section managers can control who has access within their section, they can add the members individually or they can add a whole team. This will give members visibility of the content within that section. Anyone who is not a member will be restricted and given an ‘Access Denied’ error message when trying to view this section and its content.
How do external users authenticate securely?
We use an AWS service called ‘Cognito’. Cognito provides authorisation, authentication, and helps with your user management. We would set this up for your instance. Users can then authenticate by either username/password, or, alternatively we can set up SSO (Single Sign-On) for you.
A little side note from me personally. Users are an organisation’s greatest asset, but they can also be a great weakness. Training users in creating secure passwords is key if you go down the username/password route for authentication.
Cognito will only allow authenticated traffic to get through to the application. It is the first point of entry and will not allow anonymous traffic to pass through. It has many positive benefits when it comes to security and minimising vulnerabilities.
You can define roles and map them to whatever you need so that your application can access only the resources that are needed for the user trying to authenticate.
MFA (Multi-Factor authentication) is also available with Cognito; when a user attempts to sign in, it will ask for multiple pieces of evidence to prove it’s the correct user before granting access. For example, a password and a code from an authenticator app, such as Google Authenticator. Cognito also uses common identity management standards like SAML 2.0.
Invotra is ISO 27001:2013 compliant and so is Amazon Cognito. They have various other accreditations which will likely meet your security and compliance requirements.
Do you want to know more about Portal functionality? Talk to us. Alternatively, if you would like to read more about Cognito, or if you would like a more in-depth, technical explanation, head over to AWS.