In the wake of Signalgate, we’ve had many people ask us how an enterprise-grade deployment of Element ensures that only the right people are in the right conversations.
It’s an interesting insight into just how pervasive the use of consumer messaging apps has become within governments (and workplaces). Based on their experience of WhatsApp or Signal, people simply don’t expect a messaging app to have enterprise-grade guardrails.
Yet when it comes to workplace fileshares, for example, people know the IT department oversees the creation and management of accounts: joiners, movers and leavers get added to or removed from the relevant groups as a matter of course. It would clearly be completely inappropriate to use your personal Google Drive or Dropbox for storing your workplace data, and it’s just as important, if not more so, for your messaging and collaboration apps.
The IT team integrates its file sharing, email system and most other enterprise applications with a central directory service that identifies and authenticates end-users and manages their access. Microsoft Active Directory is the obvious vendor example; LDAP is the usual protocol for querying a directory, while SAML and OIDC are the usual protocols for single sign-on against it. Directory services are a fundamental part of an organisation’s security strategy, underpinning identity and group access management, single sign-on and multi-factor authentication.
The Admin Console within Element Server Suite - our backend solution that governments use to self-host our communications platform - enables the IT department to integrate Element with the organisation’s existing directory system(s) in the same way it would connect any other enterprise application. Indeed, if an IT function asks us “how does Element ensure that only the right people are in the right conversations?”, our answer is “pretty much as you’d imagine: by delegating authentication and group access controls to your existing identity systems.”
Because Element is designed specifically for secure and sovereign communication, end-user management is controlled more tightly than in a typical corporate email system. With email, for example, an employee can easily add an external person to a thread, whether by accident or maliciously, whereas an organisation can configure Element so that unapproved accounts simply cannot be added to a chat room.
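To make the membership rule concrete, the following is an added illustration written for this page; it is not Element’s or Synapse’s code. It models the policy described above as a check applied to a Matrix `m.room.member` event before the event is accepted: the affected user must belong to an approved directory group for that room and must live on a homeserver in the federation allowlist, while removals (leave/ban) are always permitted and third-party (email) invites are refused outright. The `DIRECTORY_GROUPS`, `APPROVED_SERVERS` and `ROOM_REQUIRED_GROUP` tables are constructed stand-ins for an AD/LDAP group lookup, a federation allowlist and per-room policy; in a real deployment the group lookup would query the directory and the check would be wired into the homeserver’s event-validation hook.

```python
"""Policy check for Matrix room membership events (illustrative, not Element code).

Models the rule "unapproved accounts cannot be added to a room": a user may only
be invited to or join a room if they are in the directory group that room
requires and their homeserver is on the federation allowlist.
"""
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for an AD/LDAP group-membership lookup (mxid -> groups).
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "@alice:gov.example": {"ops-chat", "all-staff"},
    "@bob:gov.example": {"all-staff"},
    "@carol:health.example": {"ops-chat"},
}

# Constructed federation allowlist: homeservers this deployment trusts.
APPROVED_SERVERS: Set[str] = {"gov.example", "health.example"}

# Constructed per-room policy: the directory group a room requires.
ROOM_REQUIRED_GROUP: Dict[str, str] = {
    "!ops:gov.example": "ops-chat",
    "!lobby:gov.example": "all-staff",
}


def server_name(mxid: str) -> Optional[str]:
    """Return the server part of a Matrix user ID (@local:server), or None if malformed."""
    if not mxid.startswith("@") or ":" not in mxid:
        return None
    local, _, server = mxid[1:].partition(":")
    if not local or not server:
        return None
    return server


def in_group(mxid: str, group: str) -> bool:
    """Stand-in for a directory query: is this user a member of the group?"""
    return group in DIRECTORY_GROUPS.get(mxid, set())


def check_membership_event(event: dict) -> Tuple[bool, str]:
    """Decide whether an event may enter the room. Returns (allowed, reason).

    `event` mirrors the shape of a Matrix state event: type, room_id, sender,
    state_key (the affected user for m.room.member) and content.membership.
    """
    etype = event.get("type")

    # Email/third-party invites bypass the directory, so refuse them outright.
    if etype == "m.room.third_party_invite":
        return False, "third-party (email) invites are disabled"

    # Anything that is not a membership change is outside this policy.
    if etype != "m.room.member":
        return True, "not a membership event"

    room_id = event.get("room_id", "")
    target = event.get("state_key", "")
    membership = event.get("content", {}).get("membership")

    # Leaving, kicks and bans never add a participant: always allow removals.
    if membership in ("leave", "ban"):
        return True, "removal always allowed"

    # Only invite and join add someone; knock and anything unknown are denied.
    if membership not in ("invite", "join"):
        return False, f"membership {membership!r} is not permitted"

    server = server_name(target)
    if server is None:
        return False, f"malformed user id {target!r}"
    if server not in APPROVED_SERVERS:
        return False, f"server {server} is not in the federation allowlist"

    # Default deny: a room with no configured policy admits nobody new.
    required = ROOM_REQUIRED_GROUP.get(room_id)
    if required is None:
        return False, f"room {room_id} has no policy; default deny"
    if not in_group(target, required):
        return False, f"{target} is not in directory group {required!r}"

    return True, "approved"


def membership_event(room_id: str, sender: str, target: str, membership: str) -> dict:
    """Build a minimal m.room.member event for trying the check."""
    return {
        "type": "m.room.member",
        "room_id": room_id,
        "sender": sender,
        "state_key": target,
        "content": {"membership": membership},
    }


if __name__ == "__main__":
    for ev in (
        membership_event("!ops:gov.example", "@alice:gov.example", "@carol:health.example", "invite"),
        membership_event("!ops:gov.example", "@alice:gov.example", "@bob:gov.example", "invite"),
        membership_event("!lobby:gov.example", "@mallory:attacker.example", "@mallory:attacker.example", "join"),
    ):
        print(ev["state_key"], ev["content"]["membership"], check_membership_event(ev))
```

The two edge cases worth noticing are the default-deny branch for rooms without a configured group (a missing policy must not become an open door) and the unconditional allow for `leave` and `ban`, so that a mis-configured directory can never prevent someone being removed from a conversation.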
A demo showing Element integrated with Microsoft Active Directory, to stop unapproved guests joining a chat room.
The beauty of Element being based on the Matrix open standard is that multiple government departments can federate with each other, each self-hosting its own Matrix-based deployment. In Germany, for example, the Matrix open standard underpins a huge private federation between healthcare providers: completely separate organisations, each preserving its digital sovereignty and using different Matrix-based servers and apps (so there is no vendor lock-in to Element), yet all able to communicate with one another.
In a large private federation of this type, each organisation still uses a directory service such as Microsoft Active Directory to control identification, authentication and access management for its own deployment and end-users. In addition, secure border gateways between deployments can add a further layer of rules-based control over what crosses between them. High-side and low-side environments can be supported through cross-domain gateways, and fully air-gapped, stand-alone deployments are also possible.
In short, Element offers the easy, infectious usability of the best-loved consumer messaging apps, combined with enterprise-grade features and functions.