SKYDEFENDED

Identity & Zero Trust

Identity Hub LaaS (ZT)

Early access
v0.4.1
Zero Trust · Identity Federation · Policy Engine · Claims Transformation · SAML 2.0 · OIDC · Multi-tenant · NIS2 · ENS · ISO 27001

Identity hub where policies transform multiple providers into unified, custom claims (N providers → 1 hub)

The gap we close

Identity Hub is a multi-tenant identity platform (LaaS) that acts as a federation broker between multiple external identity providers and the services of each organization.

Modern environments rely on multiple identity sources such as Azure AD, Okta, Google or enterprise SAML/OIDC providers. This fragmentation creates inconsistencies in claims, roles and access control across applications.

Identity Hub solves this by introducing a unified identity control layer.

Instead of integrating each application with multiple identity providers, Identity Hub centralizes authentication and federation, acting as a broker that abstracts the underlying identity sources.

How it works

Users authenticate through their original identity provider, while Identity Hub:

  • Normalizes identity claims across providers
  • Maps groups and attributes into consistent roles
  • Applies federation and access policies
  • Issues unified tokens to downstream services

Service Providers receive standardized identity tokens and do not need to know which provider authenticated the user.

Federation & Control

Identity Hub enables organizations to define consistent access policies across all identity sources, ensuring:

  • Unified role-based access across applications
  • Centralized control of identity flows
  • Reduced complexity in multi-IdP environments

Outcome

The result is a single identity layer that simplifies federation, enforces consistent access control, and decouples applications from underlying identity providers, enabling a scalable and Zero Trust–aligned identity architecture.

Compliance mapping

ENS — Cat. Media — RD 311/2022

  • op.acc.1 ✅ user identification
  • op.acc.2 ✅ authentication requirements
  • op.acc.3 ✅ separation of duties (tenant/system)
  • op.acc.4 ✅ rights management (RBAC + group source tracking)
  • op.acc.5 ✅ password mechanism (bcrypt + lockout)
  • op.acc.6 ⚠️ 2FA — mandatory for system, optional for tenant (ENS Media requires all)
  • op.acc.7 ⚠️ password management — no expiry/history
  • op.exp.2 ✅ security configuration (Helmet, CSP, HSTS, rate limiting)
  • op.exp.8 ✅ user activity logging (full audit trail)
  • op.exp.9 ❌ incident management register — not implemented
  • op.exp.10 ⚠️ cryptographic key protection — keys in DB, no HSM/KMS
  • op.cont.1 ❌ BIA not documented
  • op.cont.2 ❌ continuity plan — no RTO/RPO defined
  • mp.info.3 ⚠️ encryption at rest — passwords hashed, secrets unencrypted in DB
  • mp.info.4 ✅ digital signature — JWT RS256, SAML RS256 per tenant
  • mp.info.9 ⚠️ retention — configurable by plan, no formal purge policy

Coverage score: 62%
NIS2 — Directive (EU) 2022/2555 — Art. 21

  • Art.21.2.a ❌ risk analysis policies — no formal risk management
  • Art.21.2.b ⚠️ incident management — audit logs exist, no playbook or INCIBE notification process
  • Art.21.2.c ❌ business continuity — no BCP/DRP, no RTO/RPO
  • Art.21.2.d ⚠️ supply chain security — no SBOM, no automated dependency audit in CI/CD
  • Art.21.2.e ⚠️ secure development — no SAST/DAST, no formal code review
  • Art.21.2.f ❌ effectiveness evaluation — no periodic review or internal audit process
  • Art.21.2.g ❌ cyber hygiene training — no documented training program
  • Art.21.2.h ⚠️ cryptography policy — TLS/RS256/bcrypt in use, no formal written policy
  • Art.21.2.i ✅ HR security + access control — full IAM, MFA for operators, role separation
  • Art.21.2.j ⚠️ MFA — mandatory for system operators, optional for tenant users
  • Art.23 ❌ incident notification — no automated detection or INCIBE-CERT notification process

Coverage score: 55%
ISO 27001 — ISO/IEC 27001:2022 — Annex A

  • A.5.16 ✅ identity management — full IAM with roles, permissions, source tracking
  • A.5.17 ✅ authentication information — bcrypt, password policy, MFA
  • A.5.18 ✅ access rights — granular RBAC, tenant/system separation
  • A.5.24 ❌ incident management — no formal process
  • A.5.29 ❌ IS during disruptions — no continuity plan
  • A.8.2 ✅ privileged access rights — operator roles, mandatory MFA
  • A.8.3 ✅ information access restriction — tenant_id isolation, CORS
  • A.8.5 ✅ secure authentication — httpOnly cookies, CSRF, rate limiting, lockout
  • A.8.8 ❌ vulnerability management — no CVE scanning in CI/CD
  • A.8.13 ❌ backup — no automated DB backup documented
  • A.8.15 ✅ logging — full audit trail: actor, IP, UA, action, result, timestamps
  • A.8.20 ✅ network security — TLS, HSTS, CORS, Helmet, Cloudflare
  • A.8.24 ✅ cryptography — TLS 1.2+, RS256, bcrypt v6, HMAC-SHA256
  • A.8.25 ❌ secure SDLC — no SSDLC, no SAST/DAST, no mandatory code review
  • A.8.29 ❌ security testing — no formal pentest plan
  • A.4.4 ❌ ISMS — no formal Information Security Management System established

Coverage score: 57%
GDPR — Regulation (EU) 2016/679 — Data Processor + Controller

  • Art.5(1)(e) ⚠️ storage limitation — configurable retention by plan, no formal data minimization policy documented
  • Art.13/14 ❌ transparency obligations — no in-platform privacy notice for tenant users
  • Art.17 ⚠️ right to erasure — soft delete (INACTIVE) exists, no full data purge + audit log retention conflict
  • Art.20 ❌ data portability — no user data export function implemented
  • Art.25 ⚠️ privacy by design — tenant isolation implemented, no formal DPIA, no privacy-by-default review
  • Art.28 ⚠️ data processor obligations — no formal DPA template for tenants (NCN acts as processor of tenant user PII)
  • Art.32 ✅ security of processing — encryption in transit (TLS), access controls, audit logs, bcrypt, MFA
  • Art.33 ❌ breach notification to supervisory authority (72h) — no detection or notification process
  • Art.34 ❌ notification to data subjects — no process or template
  • Art.35 ❌ DPIA — no Data Protection Impact Assessment conducted (authentication platform = high-risk processing)
  • Art.37 ⚠️ DPO — no Data Protection Officer designated or assessed

Coverage score: 38%
DORA — Regulation (EU) 2022/2554 — ICT Third-Party Provider

  • Art.5 ❌ ICT Risk Management Framework — no formal framework documented
  • Art.8 ⚠️ ICT asset identification and classification — partial (architecture docs exist, no formal asset register)
  • Art.9 ✅ protection and prevention — MFA, encryption in transit, access controls, rate limiting, CSP headers
  • Art.10 ⚠️ detection — audit logs capture events, no real-time alerting engine or anomaly detection
  • Art.11 ❌ response and recovery — no BCP, no DRP, no RTO/RPO defined
  • Art.12 ❌ backup policies — no automated PostgreSQL backup, no tested restore procedure
  • Art.17 ❌ ICT incident classification — no classification framework or severity taxonomy
  • Art.19 ❌ major ICT incident reporting — no process for reporting to financial supervisory authorities
  • Art.24 ❌ advanced digital operational resilience testing (TLPT) — no threat-led penetration testing
  • Art.26 ⚠️ ICT third-party risk management — no formal supplier risk assessment for cloud/hosting providers
  • Art.28 ❌ register of contractual arrangements — no register of ICT third-party dependencies maintained

Coverage score: 28%
SOC 2 — AICPA Trust Services Criteria — Security + Availability + Confidentiality

  • CC6.1 ✅ logical access controls — MFA, RBAC, tenant isolation, httpOnly cookies, CSRF, lockout
  • CC6.2 ✅ authentication and authorization — bcrypt, JWT RS256, per-tenant signing keys, middleware auth
  • CC6.3 ✅ least privilege — role-based permissions, system/tenant separation, no overprivileged accounts
  • CC6.6 ✅ data transmission protection — TLS 1.2+, HSTS preload, CORS restrictive
  • CC6.7 ⚠️ encryption at rest — passwords hashed, OIDC client_secrets and SMTP passwords plaintext in DB
  • CC7.1 ⚠️ system monitoring — audit logs exist, no automated alerting or anomaly detection engine
  • CC7.2 ⚠️ security event evaluation — logs captured, no triage or response process
  • CC7.3 ❌ incident response — no formal IR plan, no playbook, no defined roles
  • CC8.1 ⚠️ change management — git versioning, no formal change approval or rollback process documented
  • CC9.1 ❌ risk assessment — no formal risk identification or treatment process
  • A1.1 ⚠️ availability commitments — K8s with 2 replicas, no SLA defined, no RTO/RPO
  • A1.2 ❌ capacity planning — no autoscaling, no capacity monitoring documented
  • C1.1 ⚠️ confidentiality commitments — tenant isolation enforced in code, no formal data classification policy
  • C1.2 ❌ confidentiality disposal — no documented data destruction procedure for tenant offboarding

Coverage score: 48%
MITRE ATT&CK — Enterprise Matrix v15 — Identity & Credential Access

  • T1078 Valid Accounts ✅ MITIGATED — account lockout (5 attempts/15min), MFA mandatory for operators
  • T1110.001 Password Guessing ✅ MITIGATED — rate limiting (10 req/15min on auth) + progressive lockout
  • T1110.003 Password Spraying ✅ MITIGATED — per-IP rate limiting + account lockout detects distributed attempts
  • T1539 Steal Web Session Cookie ✅ MITIGATED — httpOnly + Secure + SameSite cookies, frontend cannot read token
  • T1550.004 Web Session Cookie hijacking ✅ MITIGATED — CSRF double-submit cookie, SameSite policy
  • T1556.006 Modify MFA ⚠️ PARTIAL — MFA changes require auth, audit log not yet instrumented on MFA config changes
  • T1606.001 Forge SAML Assertions ⚠️ PARTIAL — XML-DSig validation implemented but not centralized (samlAcsController TODO)
  • T1598 Phishing for Information ✅ MITIGATED — open redirect fix (ADR recorded), ALLOWED_HOSTS whitelist
  • T1190 Exploit Public-Facing Application ✅ MITIGATED — CSP nonces, X-Frame-Options, input validation (22 Zod validators)
  • T1212 Exploitation for Credential Access ✅ MITIGATED — Zod validators on all inputs, parameterized DB queries via ORM
  • T1528 Steal Application Access Token ⚠️ PARTIAL — JWT blacklist on logout, no detection of token reuse from new IP/UA
  • T1649 Steal or Forge Authentication Certificates ⚠️ PARTIAL — per-tenant RS256 keys, no key rotation policy or HSM

Coverage score: 68%
Coverage summary chart: ENS 62%, NIS2 55%, ISO 27001 57%, GDPR 38%, DORA 28%, SOC 2 48%, MITRE ATT&CK 68%

Roadmap

  • M1 — Core SSO & Federation (DONE)
  • M2 — RBAC & Audit Trail (DONE)
  • M3 — MFA & Device Posture (Mar 2026, IN PROGRESS)
  • M4 — Plan Enforcement, Security Hardening & Compliance (Apr 2026, PLANNED)
  • M5 — GA Release (May 2026, PLANNED)

Ready to protect yourself with Identity Hub LaaS (ZT)?
