Auteur/autrice : Thomas Trouvet

  • PBAC : La nouvelle génération du contrôle des accès

    Pourquoi le PBAC s’impose aujourd’hui

    Les organisations modernes doivent sécuriser les accès sans freiner le métier. 

    Les modèles classiques, comme le Role-Based Access Control (RBAC), ont montré leurs limites : multiplication des rôles, exceptions à répétition, gouvernance complexe. 

    Le Policy-Based Access Control (PBAC) répond à ces enjeux. 

    Ce modèle de nouvelle génération prend des décisions d’accès dynamiques, basées sur le contexte plutôt que sur des rôles statiques. 

    Résultat : une sécurité plus flexible, précise et traçable, trois piliers essentiels de tout projet IAM moderne.

    Du rôle à la politique : une révolution naturelle

    Le RBAC a longtemps dominé la gestion des accès.

    Solide dans des environnements stables, il devient rigide dès que les utilisateurs, les applications ou les données évoluent rapidement. 

    L’attribute-Based Acces Control (ABAC) a introduit plus de contexte grâce ayx attributs (département, localisation, fonction).

    Le PBAC va plus loin : il traduit la logique métier en politique combinant attributs, conditions et contexte pour des décisions d’accès en temps réel. 

    Exemple : 

    • RBAC : « Alice a le rôle RH »
    • PBAC :  » Autoriser Alice à consulter les données RH si elle appartient au service RH et si la demande est effectuée pendant des heures de travail. »

    Comment fonctionne le PBAC 

    Les composants essentiels du PBAC

    Le modèle PBAC repose sur quatre points clés, qui structurent la chaîne de décisions d’accès : 

    • PAP – Policy Administration Point : point central où les politiques sont crées, gérées et distribuées. 
    • PDP – Policy Decision Point : moteur de décision, il évalue les politiques et détermine si l’accès est autorisé. 
    • PEP – Policy Enforcement Point : il applique la décision du PDP sur la ressource concernée. 
    • PIP – Policy Information Point : il fournit les attributs et les informations contextuelles nécessaires à la décision

    Ensemble, ces composants forment un système cohérent où chaque requête d’accès est évaluée, validée et tracée en temps réel. 

    PBAC en pratique : l’exemple d’Alice

    Prenons un cas concret : 

    1. Demande : Alice veut accéder aux données des employés
    2. Décision : Le PDP regarde les politiques actives et les attributs d’Alice : 
      1. Politique : « Le groupe RH peut accéder aux données des employés en lecture seule » 
      2. Attribut : « Alice est membre du groupe RH » 
    3. Résultat : Le PDP autorise l’accès en lecture d’Alice et le PEP applique cette décision

    Si Alice quitte le groupe RH, sa prochaine demande sera refusée automatiquement, sans intervention manuelle. 

    Le PBAC assure ainsi un contrôle dynamique et contextuel des autorisations. 

    Les prérequis d’un projet PBAC réussi

    Le PBAC est un modèle puissant, mais il exige une maturité IAM avancée et une gouvernance solide.

    Sa mise en oeuvre repose sur plusieurs clés :

    • Une architecture IAM intégrée : Interconnexion entre IAG, AM et sources de données. 
    • Une modélisation des besoins métier claire : savoir QUI accède à QUOI, et dans QUELLES conditions. 
    • Une gouvernance rigoureuse : politique conçue, testée et documentée comme du code.

    La réussite passe par une approche progressive : commencer petit, tester, ajuster, puis étendre. 

    Quand adopter le PBAC ? 

    Le PBAC s’adresse particulièrement aux organisations qui : 

    • évoluent sous fortes contraintes réglementaires (finances, santé, secteur public) ; 
    • gèrent plusieurs applications, partenaires ou environnements ; 
    • disposent déjà d’une base IAM mature (IAG, AM, PAM). 

    C’est aussi un levier stratégique pour le Zéro Trust, où chaque accès est continuellement vérifié selon le contexte et le niveau de risque. 

    PBAC VS autres modèles 

    Modèle 

    Base 

    Force 

    Limitation 

    Maturité IAM 

    RBAC 

    Rôles 

    Simple à comprendre 

    Rigide, difficile à évoluer 

    Intermédiaire 

    ABAC 

    Attributs 

    Contextuelle 

    Difficile à gouverner 

    Avancé 

    PBAC 

    Politiques 

    Dynamique, évolutif, auditable 

    Complexe à implémenter 

    Expert 

    De nombreuses entreprises adoptent une approche hybride : RBAC pour les accès standards, PBAC pour les autorisations sensibles et à forte granularité. 

    Vers une gouvernance des accès modernes 

    Le PBAC marque une évolution majeure dans la gestion des identités et des accès. 

    Plutôt que de maintenir des milliers de rôles, il permet de centraliser les politiques, d’en améliorer la traçabilité et d’aligner la sécurité sur les besoins métiers. 

    Bien implémenté, le PBAC devient le moteur décisionnel de la gouvernance des accès, garantissant que chaque autorisation est explicable et contextualisée. 

    En résumé, le PBAC illustre parfaitement la philosophie Ariovis : « Security meets Business ». 

  • V25.10

    Ariovis poursuit l’amélioration de son extranet pour offrir une expérience toujours plus fluide et utile à chacun de ses utilisateurs.

     

    Ce mois d’octobre, Ariovis met l’accent sur la clarté et la transmission : un parcours candidat repensé pour plus de lisibilité, une base de connaissance réorganisée pour un accès simplifié aux articles, et une refonte complète de la formation ACIA, pensée pour accompagner les premiers pas dans l’IAM.

    Amélioration

    • Recrutement :  Le process de recrutement a été retravaillé pour rendre la candidature plus fluide et la communication plus claire à chaque étape avec le candidat
    • Académie : Refonte de la formation ACIA
      La formation débutante IAM fait peau neuve : contenus repensés, progression simplifiée, et une meilleure introduction aux fondamentaux de l’IAM.

    • Base de connaissance : 
      La base de connaissance Ariovis évolue !
      L’accès aux articles a été repensé pour plus de clarté et d’efficacité. Une organisation par thématiques, des interfaces allégées et une meilleure lisibilité vous permettent désormais de trouver la bonne information en un coup d’œil.

    Votre équipe Ariovis

  • How to avoid phishing scams without spending money

    Phishing is one of the most widespread cyberattacks. And also one of the most effective: every day, thousands of people click on a fake link, share their login credentials, or download malware… without even realizing it.

    The good news is that it’s entirely possible to protect yourself effectively from phishing, without spending a penny. You just need to be aware of the best practices and apply them daily.

    1. Learn to recognize phishing attempts

    The first line of defense against phishing is you. And it starts with being a little observation.

    Here are some typical signs of a fraudulent message:

    • A strange or misspelled email address
    • An urgent tone: « Your account will be suspended », « Immediate action required »
    • ● A link to click that leads to a suspicious site
    • An unexpected attachment
    • ● Spelling or formatting errors

    Tip: hover your mouse over the link without clicking. You’ll see the real URL. If it doesn’t match the official site, run away.

    2. Always verify the sender… and the context

    Receiving an email from a service you don’t use? An invoice from a company you don’t know? A message from a « friend » with a strange tone?

    In 90% of cases, it’s phishing.

    Ask yourself these simple questions:

    • Was I expecting this message?
    • Is the sender’s address legitimate?
    • Is the message’s tone consistent with the company or the person?

    When in doubt, don’t click on anything. Go directly to the official website concerned, or contact the sender through another channel.

    3. Enable two-factor authentication (MFA)

    Even if you fall into the trap of a fake site, it’s not too late. The best defense to prevent your accounts from being compromised is two-factor authentication.

    For free, you can enable it on:

    • Gmail, Outlook, Yahoo
    • Social networks (Facebook, Instagram, TikTok, etc.)
    • E-commerce or online service sites

    It adds an additional verification: a code by SMS or via an app like Google Authenticator.

    . A hacker who only has your password won’t be able to go further.

    4. Update your devices

    An updated system = fewer exploitable vulnerabilities.

    Whether it’s your computer, phone, or even your browser, remember to:

    • ● Install updates as soon as they’re available
    • ● Use antivirus software (even free)
    • ● Delete applications you no longer use

    Updates often include invisible but essential security patches.

    5. Use filtering DNS against malicious sites

    A lesser-known but very effective trick: change your internet box’s DNS to use a service that automatically blocks phishing sites.

    For example, DNS4EU is a free European solution that you can easily configure at home.

    Ariovis has written clear guides, adapted to each operator:

    With this configuration, even if you accidentally click on a fraudulent link, the site will be automatically blocked.

    In summary: you can act right now

    Protecting yourself from phishing requires neither money nor expertise, just paying a little attention and a few easy settings:

    • Observe suspicious signs
    • Verify senders and URLs
    • Enable two-factor authentication
    • Update your devices
    • Filter malicious sites via your DNS

    To go further: follow Ariovis on Instagram

    Want to learn how to outsmart online traps, recognize fake messages, secure your accounts and educate your loved ones?

    We regularly publish concrete, visual advice on Instagram, accessible to everyone, including the youngest.

    Follow us on: ariovis_officiel

    An account to learn how to better protect yourself, one tip at a time.

  • How Europe Is Building Its Digital Resistance

    Europe is waking up.

    After years of watching the power struggle between American and Asian tech giants, the EU is now trying to regain control over its data, infrastructure, and cybersecurity. This awakening, still fragile, is taking shape through new regulations, sovereign tech initiatives… and a clear ambition: no longer be subject to the rules of Silicon Valley.

    But is this “resistance” credible? Where is it being deployed? And can it truly reverse decades of technological dependence?

    Let’s take a closer look at this ongoing reconquest.

    A deeply rooted American dominance

    Since the early days of the web, the United States has shaped the global internet.

    Google, Apple, Meta, Amazon, Microsoft, the main platforms, everyday tools, cloud services, and even submarine cables are mostly controlled by American firms, often closely tied to intelligence and surveillance interests.

    The consequences?

    • Massive dependency for European businesses and public services
    • Systematic exposure to U.S. extraterritorial laws (like the Cloud Act)
    • A continuous flow of our personal data to servers often located outside the EU

    This imbalance is no longer just economic it’s strategic.

    Europe fights back: a multi-pronged approach

    Faced with this reality, the European Union has chosen not to stand by. In recent years, it has launched a series of concrete initiatives to reclaim digital sovereignty:

    Strong regulations: GDPR, DSA, DMA

    • The GDPR (General Data Protection Regulation), adopted in 2016, laid the foundation for the right to digital privacy.
    • The DSA (Digital Services Act) and DMA (Digital Markets Act) aim to regulate large platforms and rebalance the digital playing field.

    Sovereign technology initiatives

    • GAIA-X: a European cloud designed to host strategic data
    • Chips Act: to bring some semiconductor manufacturing back to Europe
    • EU Digital Identity Wallet: a secure European digital ID

    European-built alternatives: like DNS4EU

    Less publicized but just as strategic, DNS4EU (DNS for Europe) is an initiative to build a sovereign DNS service that aligns with European standards — and remains independent from major U.S. players.

    DNS4EU: A quiet yet powerful symbol

    DNS is the internet’s invisible directory. It’s what enables your device to turn a domain name (like ariovis.fr) into an IP address your browser can understand.

    Today, this process mostly runs through DNS servers owned by Google or Cloudflare.

    DNS4EU offers a European alternative:

    • Hosted within the EU
    • Compliant with GDPR
    • Not commercially exploited
    • Equipped with security filters to block digital threats

    It’s a small technical change but a big political statement: Europe still has the capacity to build its own infrastructure.

    And this change can start right at home, by reconfiguring your router’s DNS settings.

    Taking back control starts at home

    Digital sovereignty isn’t just an institutional issue, it’s also about individual choices.

    Changing your DNS, protecting your data, understanding who collects what and where it’s sent these simple actions are modern-day digital citizenship.

    At Ariovis, we help you make informed choices with step-by-step guides to install DNS4EU based on your internet provider:

    A European shift to watch closely

    Europe doesn’t (yet) have its own Google, Amazon, or mass-market operating systems. But it’s laying the groundwork for an alternative digital model — one that’s more ethical, more controlled, and more transparent.

    DNS4EU, GAIA-X, GDPR… these are building blocks of a new digital sovereignty.

    And for this resistance to become a viable alternative, it must translate into everyday practice. Individuals, businesses, institutions, everyone has a role to play in restoring meaning to the word “independence” in the digital world.

  • How to Protect Your Children Online for Free?

    They play, they watch videos, they click on everything… and sometimes, they stumble upon things they should never have seen.

    Today, protecting your children online isn’t a “nice to have”, it’s essential.

    The good news? You don’t need to spend a single cent to help them navigate more safely.

    Here are 5 practical, easy-to-implement, and completely free solutions to better guide kids through their digital lives.

    1. Use built-in parental controls on your devices

    It’s probably the most underrated option: nearly all modern computers, phones, and tablets already include built-in parental controls.

    On Windows, Android, iOS, macOS… you can:

    • create a child profile
    • set usage time limits
    • block certain websites or apps
    • monitor activity without being intrusive

    For example:

    • On Android, install Google Family Link: it lets you manage everything from your own phone
    • On iPhone/iPad, enable Screen Time to set limits and filter content
    • On Windows, add a child account via Settings > Family

    No need to be tech-savvy: these tools are made for parents, not IT pros.

    2. Install a kid-friendly web browser

    Instead of letting your children use Chrome or Safari freely, install a secure browser designed just for them.

    It’s free, quick to set up, and makes a real difference.

    Trois optioThree trusted options:

    ns fiables :

    • Qwant Junior : French search engine, no ads, no tracking
    • Kiddle : a filtered version of Google made for kids
    • Google SafeSearch : an option to activate in Google Search settings

    This is a great habit to introduce as soon as kids begin browsing independently, even at primary school age.

    3. Filter content directly from your home router

    There’s a simple, free, and powerful way to block inappropriate websites right at the source — without having to configure every device:

    Set up filtering DNS directly on your internet router.

    This allows you to automatically block violent, adult, or malicious content across your entire home network: computers, tablets, consoles, smart TVs…

    And the best part? Anyone can do it, no technical skills required.

    We’ve written step-by-step guides tailored to each router model:

    DNS4EU is a free European DNS service supported by the EU, designed to ensure greater safety, privacy, and performance.

    Changing your DNS is like setting up a global parental control filter for your Wi-Fi — without installing anything.

    4. Really talk with your kids

    Let’s be honest: no tool can replace communication.

    You don’t need to be a cybersecurity expert to pass on the right habits, just start the conversation.

    Simple rules to repeat often:

    • Never share your real name, school, or home address
    • Don’t reply to strangers online
    • Tell your parents right away if something shocking appears on screen

    You can also watch a short video together, or ask an open-ended question like:
    “So… do you know what an online scam looks like?”

    5. Teach good habits… in a fun, simple way

    Cybersecurity doesn’t have to be scary or complicated.
    With the right words and tools, you can start teaching kids how to stay safe online, and make it a shared moment.

    Instead of scolding or silently watching over their shoulder, try:

    • asking questions about real-life situations (“What would you do if someone messaged you in a game?”)
    • discussing safe behaviors together
    • or watching a short illustrated video with them to spark the conversation

    At Ariovis, we believe that awareness comes through education and repetition, not fear.

    That’s why we regularly share practical, age-appropriate tips on Instagram, designed for both kids and parents!

     

    A smart move: follow @ariovis_officiel to get weekly insights on how to make the internet safer for the whole family.

    In summary

    Protecting your children online doesn’t require a big budget or technical skills.

    With a bit of common sense, a few simple settings, and open conversation at home, you can already provide a much safer digital environment.

  • How to Install DNS4EU on an SFR Box: The Complete Guide by Ariovis

    Are you an SFR customer looking to enhance the security and privacy of your internet connection? Configuring your SFR box to use DNS4EU servers is an effective solution. At Ariovis, experts in cybersecurity and access management, we’re here to guide you through a simple tutorial to install DNS4EU on your SFR box.

    Why Use DNS4EU on Your SFR Box ?

    DNS servers play a crucial role by translating domain names into IP addresses. By default, your SFR box uses the operator’s DNS servers, which do not always offer optimal personal data protection.

    DNS4EU, supported by the European Commission, provides a secure and privacy-focused DNS infrastructure across Europe. Switching to DNS4EU allows you to :

    • Protect your personal data
    • Enjoy safer browsing
    • Benefit from a reliable and high-performance DNS service

    Steps to Configure DNS4EU on Your SFR Box

    Follow this step-by-step Ariovis guide to change your DNS settings on an SFR box in just a few minutes.

    1. Log in to Your SFR Box Interface

    • Make sure you’re connected to the SFR network (Wi-Fi or Ethernet).
    • Open your browser and go to:

    http://192.168.1.1

    • Log in using your credentials. By default, the username is usually admin, and the password is written on your box’s label.

    2. Access the DNS Settings

    • In the interface, go to Local Network or Advanced Settings.
    • Look for DNS Servers or DNS Configuration.

    3. Configure DNS4EU servers on your box SFR

    Here are the 5 official DNS4EU addresses you can set on your SFR box for enhanced privacy and network security:

    • 86.54.11.1 (DNS4EU primaire – IPv4)
    • 86.54.11.201 (DNS4EU secondaire – IPv4)
    • 2a13:1001::86:54:11:1 (DNS4EU primaire – IPv6)
    • 2a13:1001::86:54:11:201​ (DNS4EU secondaire – IPv6)

    How to apply the settings:

    1. In your SFR box interface, go to Advanced Settings > Network.
    2. Find the DNS Servers section, and replace the existing values with the five DNS4EU addresses above.
    3. Save your changes and restart your box SFR and connected devices to apply the new DNS settings.

    These five servers (two IPv4 and three IPv6) offer a more secure, reliable, and privacy-respecting browsing experience, fully aligned with European standards.

    Need more help? Check out our full tutorial to guide you through the setup based on your SFR box model (4, 5, or 6).

    4. Save and Restart the Box

    • Save your changes. 
    • To apply the new configuration, restart your SFR box as well as all connected devices.

    How to Verify DNS4EU is Active ?

    To confirm your SFR box is using DNS4EU, perform a simple test:

    If the DNS server shown is one of the DNS4EU addresses (51.81.216.60 or 51.81.216.70), the configuration is successful.

    Ariovis: Your Cybersecurity Partner for a Safer Network

    Changing your DNS is an important first step toward protecting your home network. At Ariovis, we help individuals and businesses with cybersecurity projects, access management (IAM), and network infrastructure security.

    Need personalized guidance? Reach out to us or visit our website at ariovis.fr

    Conclusion

    Installing DNS4EU on an SFR box is a simple and effective way to improve the privacy and security of your internet connection. Follow this Ariovis guide for a quick and reliable setup, and browse with peace of mind using a European DNS service designed to protect your data.

  • How to Install DNS4EU on a Freebox: The Complete Guide by Ariovis

    Are you a Freebox user looking to enhance your online privacy and security? Installing DNS4EU on your Freebox is a smart choice. At Ariovis, experts in cybersecurity and identity access management (IAM), we’ll walk you through how to configure your Freebox to use DNS4EU—a secure, privacy-respecting European DNS alternative.

    Why Choose DNS4EU for Your Freebox?

    DNS servers play a critical role in your browsing experience: they translate domain names (e.g., ariovis.fr) into IP addresses your devices can understand. By default, your Freebox uses Free’s DNS servers, but these don’t always offer optimal privacy.

    DNS4EU is a European DNS service backed by the European Commission, designed to :

    • Protect your personal data,
    • Secure your online browsing,
    • Deliver reliable performance through a robust European infrastructure.

    Switching your Freebox’s DNS to DNS4EU is a simple yet powerful way to boost your everyday cybersecurity.

    How to Set Up DNS4EU on Your Freebox: Step-by-Step

    Here’s the method recommended by Ariovis experts to configure DNS4EU on your Freebox in just a few minutes.

    1. Log In to the Freebox Management Interface

    First, ensure you’re connected to your Freebox network. Open a web browser and go to:

    http://mafreebox.freebox.fr

    Log in using your Freebox password. If you’ve never changed it, it’s displayed on your Freebox Révolution (touchscreen) or written in your contract.

    2. Go to Network and DNS Settings

    Once logged in :

    • Click on Freebox Settings,
    • Then open Port Management and Local Network, or directly DHCP, depending on your Freebox version,
    • Locate the DNS server configuration fields.

    3. Configure DNS4EU servers on your Freebox

    Here are the 5 official DNS4EU addresses you can set on your Freebox for enhanced privacy and network security:

    • 86.54.11.1 (DNS4EU primaire – IPv4)
    • 86.54.11.201 (DNS4EU secondaire – IPv4)
    • 2a13:1001::86:54:11:1 (DNS4EU primaire – IPv6)
    • 2a13:1001::86:54:11:201​ (DNS4EU secondaire – IPv6)

    How to apply the settings:

    1. In your Freebox interface, go to Advanced Settings > Network.
    2. Find the DNS Servers section, and replace the existing values with the five DNS4EU addresses above.
    3. Save your changes and restart your Freebox and connected devices to apply the new DNS settings.

    These five servers (two IPv4 and three IPv6) offer a more secure, reliable, and privacy-respecting browsing experience, fully aligned with European standards.

    Need more help? Check out our full tutorial to guide you through the setup based on your Freebox model (4, 5, or 6).

    4. Save and Restart

    Save your changes. To apply the new settings, restart your Freebox and all connected devices (computers, smartphones, etc.).

    Verify Your DNS4EU Configuration

    To check whether your Freebox is using DNS4EU, you can run a quick test:

    If the DNS server shown matches 51.81.216.60 or 51.81.216.70, you’re all set.

    Ariovis: Your Cybersecurity Partner for Safer Browsing

    Switching your DNS servers is a crucial first step toward improving your home network’s security. At Ariovis, we support individuals and businesses in their cybersecurity efforts, from access management (IAM) to securing IT infrastructure.

    To further protect your digital environment, feel free to contact us or visit ariovis.fr to discover our services and expert advice.

    Conclusion

    Installing DNS4EU on your Freebox is a simple and effective way to boost your online privacy and security. Follow Ariovis’ guide for a smooth setup and enjoy a safer internet experience thanks to a trusted European DNS provider.

    Want to learn more about cybersecurity or get personalized guidance ? 
    Ariovis is here to help.

  • How to connect a python flask application with OpenID Connect and Keycloak ?

    OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. It allows applications to verify the identity of users based on the authentication performed by an external provider. This is especially useful when you want to secure applications without managing your own user credentials. Keycloak is an open-source Identity and Access Management (IAM) solution that makes it easy to set up a robust OpenID Connect provider.

    In this article, we’ll discuss how to connect your own python flask application to any OpenID Connect provider and how to configure your own with Keycloak. You’ll configure a Keycloak server, register an OIDC client, and build a simple Flask application that authenticates users through Keycloak using industry-standard protocols.

    By the end of this guide, you will have:

    • A working Keycloak instance running in Docker
    • A Flask application secured with OpenID Connect
    • A complete login and logout flow
    • A structured and scalable Flask project architecture

    This setup is ideal for developers looking to add authentication to their Python web apps using modern identity standards.

    Prerequisites

    Before you begin, here are the basic prerequisites to use this guide:

    With both tools in hand, we can safely start our project.

    Understanding what is Open ID Connect ?

    If you are already familiar with OpenID Connect, you can pass this section. If you aren’t or want a refresher on the concept, this section will give you a quick overview of how OpenID Connect works, why it’s useful, and what role it plays in securing your application.

    So OpenID Connect is built on the open Oauth2 protocol. It is a globally adopted web standard used by major tech players like Google, Microsoft, and Apple. It enables user identity verification by relying on the identity and authentication services of an external provider.

    This approach eliminates the need for a dedicated user database, simplifying the way you implement authentication and authorization in your apps.

    Fully interoperable, OpenID Connect operates through a RESTful HTTP interface with JSON formatting. Chances are, you already use this standard daily—any time you click a “Sign in with Google” button instead of entering separate credentials, you’re leveraging OpenID Connect.

    Now, if you aren’t familiar with Oauth2 protocol either, here is the detailed flow of information that happens when you use OpenID Connect.

    When you log into the service, you are first redirected to the provider to authenticate with your account. A code or proof of authentication will be given to you in exchange, which you will give to your service. This service can then exchange the code for a token with the provider, which will represent your identity.

    Each time the service will need to get information about your profile, it will ask the provider for the information and give you access to resources accordingly to your identity.

    This is called the authorization code flow of OpenID Connect. By this design, the token is never exposed to the frontend, reducing the possible angle of attacks and identity thefts.

    What is Keycloak ?

    Keycloak is a fully open-source identity and access management solution that provides all-in-one support for authentication and authorization. Designed for flexibility, it enables developers to secure applications with minimal effort, offering features like single sign-on (SSO), social login, and user management out of the box.

    We will use Keycloak to play the role of the Identity Provider in our project. With it, you will be able to create and manage your users, fully customize the authentication flow and link your users to all your projects faster. This solution is also lightweight and scalable thanks to its clustering ability if you plan to implement it on bigger projects.

    All configurations will be done through this admin console, so no specialized skills are required to use it.

    Configure Keycloak

    The first step of this guide is the configuration of Keycloak. For this we will use Docker as this facilitate the installation step.

    To work, Keycloak need to store its data in a database. For this article, we will use Postgres, but you can use any database in the following list:

    To orchestrate all configuration, we will use the following docker-compose.yaml:

    This file is the configuration of your Keycloak and Postgres environment, be sure to change the user and password parameters accordingly to your preferences.

    Run the following command to launch a basic instance of Keycloak on your machine.

    docker-compose up
    

    Once the container is fully started, you can access the admin console at the following address: http://localhost:8080. You can connect to the administration console and should get to this page:

    From this console, you can administrate all your connexion, users, clients, and more…

    First we will create a realm for our app, for this you can click on the list of realms on the top left. We don’t have a current configuration so we will just create an empty one. For this article I will name it demo-openid-connect.

    In Keycloak, a realm is like a container that holds all the users, applications, and settings for a specific project or environment.

    The next step is to configure an OpenID client that Python will use to connect with Keycloak. In you newly created realm, go to client and create a new one.

    You will need to configure the following parameters:

    • client type : OpenID Connect
      You can choose between SAML or OpenID Connect, in this article we will focus on OpenID Connect.
    • client id : 7f3c2e10-8c1a-4c71-89f2-f0bb72e536f4.
      The id of your client, it will be needed later to connect to it. You can choose anything, for this example I chose a random uuid.
    • ame : open-id-client
      The name of your client. This is only use to identify your client on keycloak, you can choose anything.

    • client authentication : toggle to true
      Enable to authorize opined flow on this client.
    • root url : http://localhost:8081
      The root url of you application. For this example we will use a local instance on port 8081.

    • home url : /
      The home of the application, since our application will be at the root url, we will just put ‘/’. If you want to run it under a specific path, you can update this
    • alid redirect urls : *
      For this example, we will allow any url from our domain to act as a redirection from our client. In production, you should change this to a more specific url to restrict your client to your own application only.

    Finally you will need to configure a secret for your client. For this you can go in the credential tab and copy it. It should look like something like this: 961jZtg26dDrLcUacShPyYRvUEAhQEA4.

    This secret is the proof your app will use to authenticate to keycloak. You have to be careful not to share it and save it in an unaccessible place like a secret manager or an environment file.

    You can also configure custom roles for your application if you need to:

    Switch to python

    Our keycloak is now ready for our Python application to use. We will now build our python application. For this we will use Flask, be aware you can use any other http server for this.

    What is Flask ?

    Flask is a minimalist web framework written in Python. It allows you to quickly spin up a web server and expose endpoints for your application. It’s lightweight, simple to use, and well-suited for building REST APIs or small web services.

    Here’s a basic example of a Flask application:

    In this example we launch a web server and create an endpoint at the path /. To run this application, simply save it in a file (for example app.py) and execute it with Python:

    • python -m pip install Flask
    • python app.py

    You can now go on your chosen web navigator to http://localhost/. You should see the text Hello, world!.

    You can now go on your chosen web navigator to http://localhost/. You should see the text Hello, world!.

    The power of Flask is to render html template and inject your own data. We will update our script a little bit to make a basic example, but first we will need to organize our project a little bit.

    If you followed every steps, you should have something like this:

    The recommended structure we will use for a Flask project is the following:

    Description :

    • App : This folder is the root of your project. Everything related to Flask will be placed inside.
    • __init__.py : This file name convention from python allow us to use directory paths directly as path for the python file inside it like it would work with index.html on the web. The one at the root will contain the configuration of your Flask app.
    • routes.py : This file will contains every endpoint in the folder and implement the logic behind. In bigger project you could place the logic in a dedicated services.py file.
    • config.py : This file will contains the configuration of your Flask app and import your environment variables.
    • Extensions : This folder will contain all python script you need in your app that isn’t directly related to Flask like a database connexion for example.
    • Main : This folder contains all main endpoint of our app.
    • Templates : This folder contains all html files that will be used by Flask and need data injection.
    • Static : This folder contains all static data of our project, such as images, css, script, and more.

    To execute our app we will now execute the following command:

    flask –app app run –debug –port=8081

    The content of each file will look like this:

    app/__init__.py

    config.py

    app/main/__init__.py

    app/main/routes.py

    app/template/index.html

    app/base/base.html

    There are a lot of new concept here:

    First Blueprint. In Flask, you can create Blueprint to group your endpoints. Each folder with routes will represent a Blueprint in our project. For now we only need the main one.

    Second Templates, as aboded before you can use template in Flask made from html and Jinja2. To learn more about it, you can check the Flask documentation. In this project we have two html file :

    • base.html : It will contain everything we want to share between our page such as tailwind import in our case.
    • index.html : This will contains the content of the home page of our app.

    To launch your newly created app you can use the following command:

    • flask —app app run —debug

    You can see the result of your application at http://localhost:8081/.

    Know that you are familiar with Flask and project organization, we will start to develop the OIDC connector to Keycloak !

    Implement OIDC with Flask

    We will now implement Open ID Connect in our application. For this we will use the oic python library.

    First we will put our environment variable in our config. For this you will need to add this to your config.py.

    .env

    Replace the appropriate variable with you own data. AUTHORITY represents the base url of your keycloak Open ID server. REDIRECT_URI represents the endpoint we will use in the future for our Open ID Connect flow.

    The identity class

    To easily reuse our identity script that will manage the Open ID logic, we will create a static class.

    Here is the base of our class:

    app/extentions/identity.py

    This class define a OpenID client and configure it with our environment. provider_config and store_registration_info will give the necessary information to our client to fetch all data it need to learn the urls of our keycloak endpoint.

    We will now implement each step of the OIDC flow:

    1. Get login url

    To connect, the user will need to build an url with all informations about the connection request. This url is specific to each connexion and must give to keycloak:

    • The redirection url of the request
    • The authentication method and response type
    • The scopes the user want to access
    • State and Nonce, two random strings to identify the request

    For this we will use the power of the oic that will make this much faster.

    app/extensions/identity.py

    2. Get the authentication token

    The next step of the Open ID Connect flow is to retrieve the token of the user from the provider. For this we will once again make use of the oic library. This time we only need to send the following information to the provider:

    • The code given by the user, proof of his authentication with the provider
    • The redirect_url from which the server retrieved the code

    app/extensions/identity.py

    In this function, we will make a request to the provider with all information given from our client. We must create the Grant and add it ourself to the client for the request to be a successful. This retrieved token will be the proof of identity of our user.

    We now have all we need to start implementing our endpoints and test out our OIDC.

    3. Testing the authentication flow

    For this we will create dedicated routes in a new folder with the two following files

    app/auth/__init__.py

    app/auth/routes.py

    In this code we define two endpoints which will be used by our clients to follow the identification flow. The first one will redirect our client to the provider with the appropriate information. The second one will retrieve the token from the callback of the provider.

    Just before testing our program we need two small update to our app:

    • First we need to add our new blueprint to our app

    app/__init__.py

    Next we need add parameters inside our configuration to use flask session

    config.py

    You will also need to install Flask-Session as dependency. You can use the following command:

    pip install Flask-Session

    When going to http://localhost:8081/auth/login, you should be redirected to your keycloak and see the following:

    To finish our test we will need to add a user inside the keycloak console. Go to the user tab and add one:

    You will also need to set a password from the interface. For this go inside the credentials tab. Return to your app and connect with your user. If everything went fine you should be redirect to your Home page.

    If you try to input different information than the one previously used, you will notice that nothing change. The login flow worked, but we don’t access the user information yet. This will be the final step of our guide. If you are curious, you can open the dev console of your navigator and see that you have a cookie session which was created by our authentication flow. For security purpose, we choose to hide the real access token from the client and only give him a reference to the data. This helps avoiding attacks such as token hijacking with an XSS vulnerability in your app.

    4. Get the user information

    All we need now is to be able to retrieve information about our user when he his connected to our app. For this we can call the user information endpoint of our provider with the do_user_info_request method of our oic client. The code will look like this:

    app/extensions/identity.py

    To use this method, we need to give the token to the request. For this we choose to use a property which will try to get the access_token from the session. Since we only use this class with static method we will need to define a static property.

    app/extensions/identity.py

    Each time we access our access_token, the script will try to get the token from the session or return nothing.

    We can now update our home page to display our user information:

    app/main/routes.py

    app/templates/index.html

    And that’s it! the application finally display our user’s informations correctly. 🥳

    To go further

    While we finished our authentication flow, you may want to add more functionality such as logging out or protecting endpoint with authentication.

    For this we will add the following to our Identity class:

    app/extenstions/identity.py

    This code will use the oic library to end the session on keycloak and will clear the session on the client side. You can now call this function in your code or create a dedicated endpoint like this:

    app/auth/routes.py

    For the second part, the best way to secure any endpoint easily is to write a decorator that will do every check for you:

    app/extensions/identity.py

    You will just need to put this decorator on any route you want to protect and it will be inaccessible to the client if he doesn’t login first. It will also add the user information as an optional parameter from you function on call. This way you will be able to directly retrieve the information of the user without calling the get_user_info function yourself. Example:

    app/auth/routes.py

    If you want to learn more about decorator and how to use them, you can check the following tutorial https://realpython.com/primer-on-python-decorators/.

    By following this tutorial, you’ve successfully configured Keycloak as an OpenID Connect provider and integrated it with a Python Flask application. You created a secure authentication flow, retrieved user information, and added logout functionality. You also learned how to structure a Flask application for scalability and maintainability.

    For production environments, don’t forget to:

    • Secure secrets and sessions properly
    • Enable HTTPS
    • Use strict redirect URI validation
    • Implement token expiration and refresh handling

    With these foundations in place, you’re ready to extend your app with protected APIs, role-based access control, and much more. 🚀

    🔗 link to the code of the article

  • AI-Powered Access Management: The Next Evolution of IAM

    Bridging the Gap Between Security and Business Needs

    In 2025, organizations continue to struggle with authorization management. Technical complexity and miscommunication between IT and business teams often create bottlenecks that slow down enterprise agility. 

    While access policies have always been fundamental to applications, today’s landscape is dramatically different. Generative AI is transforming this space by bridging the divide between business requirements and technical implementation. 

    Generative AI: Transforming IAM Teams

    In 2025, generative AI has opened new possibilities across multiple industries. For IAM teams specifically, it serves as a powerful force multiplier that extends their capabilities and unlocks strategic opportunities. 

    IAM professionals can now escape the endless cycle of technical translations and implementations. Instead, they’re free to focus on what truly matters: crafting innovative security strategies, enhancing identity governance, and aligning security with business goals. 

    This shift creates a compelling opportunity for organizations to turn access management from a necessary burden into a strategic business advantage. 

    From Business Language to Secure Code: Finally Bridging the Gap

    After more than a year of deploying AI solutions for authorization, we’ve identified their main strength: they create bridges between business needs expressed in common language and tailored technical implementation. 

    This advancement solves one of the historical challenges of cybersecurity: communication between different stakeholders. On one side, business teams express functional needs; on the other, IAM experts translate them into operational policies. 

    This augmented collaboration enhances IAM expertise in its strategic dimensions: 

    • Designing access policies aligned with the overall security strategy 
    • Compliance with regulatory and contractual requirements 
    • Optimizing performance and security implementations 
    • Unified governance of access policies 

    AI and Access Control: A Human-Machine Synergy

    To understand the value of this combined approach, let’s take a concrete example: 

    Imagine that within a career management application, access rights must be adapted according to roles and hierarchical relationships. A manager should be able to supervise the objectives of their direct reports, while each employee should have limited rights to their own data. 

    Without AI, this request would require: 

    1. Detailed interpretation by IAM teams 
    2. Numerous and complex technical data sources 
    3. Implementation by developers 
    4. Validation testing 
    5. Successive adjustments in case of misunderstanding 

    Implementing access policies without AI

    With AI tools assisted by IAM experts, this same rule is first automatically translated into a technical access policy, then verified and refined by specialists before deployment. AI accelerates the process and reduces the number of back-and-forth exchanges between teams, but human expertise ensures its relevance and security.

    Implementing access policies with AI 

    ​Tangible Benefits of This Human-Machine Collaboration  

    Since we began supporting our clients through this transformation, we’ve observed tangible benefits for both IAM and business teams: 

    • Enhancing IAM expertise: specialists can focus on high-value tasks rather than repetitive technical translations  
    • Facilitated communication: reducing misunderstandings between business and technical teams 
    • Improved policy quality: rules are more precise and better aligned with actual needs, while remaining secure 
    • Enhanced documentation: security choices are naturally documented, facilitating audits and controls 
    • Increased adaptability: policy modifications can be proposed, validated, and implemented more quickly 

    But the most important benefit is undoubtedly the reconciliation between security imperatives and business needs. AI, under the supervision of IAM experts, allows security to become a facilitator rather than a constraint, ultimately improving operational efficiency. 

    Policy Companion: A Workflow Redesigned in 5 Steps  
     
    ​The market now offers several solutions that integrate generative AI to assist in access policy management. Players like Axiomatics with Policy Companion have adopted these technologies to complement—not replace—human expertise. 

    At Ariovis, we’ve developed a balanced approach to support our clients. We help them select and integrate these tools into their existing ecosystem and train their IAM teams to leverage these technologies effectively without losing control

    How does this synergy work in practice?

    1. Needs expression phase: Business teams formulate their access requirements in natural language 
    2. Initial AI translation: The tool generates a technical version of these policies 
    3. Validation and optimization by IAM experts: Specialists verify, correct, and optimize the generated policies 
    4. Feedback to business for confirmation: AI translates the technical version back into accessible language 
    5. Secure deployment: After final validation, IAM experts deploy the policies in the environment 

    This approach combines the best of both worlds: the efficiency and speed of AI with the rigor and expertise of IAM professionals. 

    Addressing the « Hidden IAM » Challenge 

    This collaborative approach also addresses the growing problem of « Hidden IAM » that we explored in a

    previous article

    ​When authorizations are hard-coded into applications, they escape centralized governance.

    Using AI under the supervision of IAM experts enables:

    • Easier standardization of access policies across the organization
    • Facilitated adoption of centralized authorization solutions
    • Limited development of fragmented authorizations that are difficult to audit

    Our Vision for the Future

    At Ariovis, we’re convinced that generative AI, properly framed by IAM experts, will continue to positively transform identity and access management in the years to come. Our « Security Meets Business » approach finds an ideal balance in this human-machine collaboration.

    We’re transforming how business and security teams interact. Cybersecurity is no longer just a technical hurdle that few understand—it’s becoming a business enabler that everyone can appreciate. While remaining firmly grounded in expert oversight, security becomes more accessible and valuable across all organizational levels.

    Want to Learn More?


    ​Find out how to integrate generative AI into your access management strategy with expert guidance from our IAM team, and stay ahead of the curve.

    Request a demo. 

    Connect with us on LinkedIn

    to follow all of our activities and do not hesitate. to visit our web site

  • Spectre: When Hardware Vulnerabilities Challenge Zero Trust

    At Ariovis, we believe that security should be a value driver, not a constraint.

    In the face of hardware vulnerabilities, traditional security models show clear limitations. In this article, we address a fundamental flaw that continues to threaten systems worldwide: Spectre. This critical hardware vulnerability affects processors at their core, requiring us to fundamentally rethink our security approaches. The Zero Trust model, which aligns perfectly with our « Security meets Business » philosophy, offers a compelling response to these emerging threats that too often remain in the background of security discussions.

    While software security often takes center stage in cybersecurity strategies, hardware security frequently remains the overlooked component of our defenses. However, as we’ll explore, the Zero Trust approach can provide an effective shield, even against vulnerabilities embedded deep within our infrastructure.

    What is the Spectre vulnerability?

    In the cybersecurity landscape, certain vulnerabilities create distinct « before and after » moments.  Discovered in 2018, Spectreis undoubtedly one of these watershed moments. Unlike conventional software flaws, Spectre exploits an architectural feature present in virtually all modern processors: speculative execution.

    To understand Spectre, imagine your processor trying to save time by anticipating and executing instructions before knowing whether they’ll actually be needed. If this prediction proves incorrect, the processor discards the result but leaves traces of these operations in its caches. Spectre allows attackers to exploit these traces to extract sensitive information, such as passwords or cryptographic keys. It’s as if an intruder, rather than forcing your front door, could read your confidential documents by looking through the walls.

    Why is this a serious concern?

    The danger is very real: a simple malicious website can potentially read sensitive data stored in your browser or even the browser’s memory, which might contain passwords stored in plain text by your password manager extension—all without requiring any malware installation.

    This reality fundamentally challenges the isolation principles we’ve long taken for granted in our information systems. In essence, the very foundations of computer security have been shaken.

    What are the concrete risks for your organization?

    The discovery of Spectre highlighted an uncomfortable truth: even the hardware architecture of our systems cannot be considered inherently secure.

    This situation exposes your organization to three major risks :

    1. Sensitive data leakage : Confidential information can be exfiltrated even through supposedly isolated environments
    2. Ineffectiveness of traditional controls : Classic security mechanisms provide insufficient against this threat
    3. Remediation challenges : The impossibility of completely eliminating this flaw increases the complexity of maintaining a robust security posture

    Rather than viewing these challenges solely as threats, our approach transforms them into opportunities for optimization and value creation for your organization.

    How should we address this challenge?

    When a vulnerability as fundamental as Spectre tests our security systems, the Zero Trust model emerges as a particularly relevant architectural response. Its core principle— »Never trust, always verify »—aligns perfectly with the nature of this threat that exploits processors’ internal optimization mechanisms.

    The Zero Trust model, recommended by authoritative organizations like NIST and ANSSIis built on several principles that create complementary layers of protection against Spectre:

    • Continuous authentication: Each access is verified, limiting potential exploitation windows
    • Micro-segmentation: Drastically limiting exposure zones reduces the impact of memory leaks
    • Principle of least privilege: Assigning minimal necessary rights limits what an attacker could obtain
    • Inspection and logging: Constant monitoring facilitates detection of suspicious activities

    This interplay between Spectre and Zero Trust perfectly illustrates the necessary evolution of security approaches. At Ariovis, we observe that this evolution not only enhances protection but also creates value for organizations by optimizing their security processes.

    How does this translate to practical defense?

    When Spectre attempts to exploit hardware architecture flaws, the Zero Trust model provides robust resistance. This defense materializes through four key strategies that, together, significantly neutralize attack vectors:

    1. Keep systems updated with a robust patching strategy

    In response to Spectre, processor manufacturers, operating system vendors, and browser developers have all released patches that mitigate certain aspects of the vulnerability. While these patches are imperfect in isolation, they constitute an essential first line of defense.

    Ariovis, in partnership with Dhala, now offers a comprehensive workstation security solution that includes:

    • Automation of critical updates
    • Monitoring of missing patches
    • Centralized management of update policies

    When patches and Zero Trust principles work together, they create a barrier that, while not eliminating the vulnerability entirely, substantially complicates its exploitation.

    2. Catalog and monitor your data against side-channel attacks

    The nature of Spectre, which exploits side channels to exfiltrate data, directly conflicts with the continuous monitoring principle of the Zero Trust model.

    For effective protection, three essential actions must be implemented :

    • Classify your data according to sensitivity
    • Catalog the location of your critical information
    • Monitor unusual access to this data

    Solutions like Netwrix Auditor, recommended by Ariovis, enable precise tracking of who accesses what data and when. This vigilance creates a significant obstacle for Spectre-type attacks, which typically require multiple access attempts that such systems can detect.

    3. Segment your infrastructure according to ANSSI recommendations

    Micro-segmentation, a fundamental principle of Zero Trust, presents a formidable challenge for Spectre, which seeks to cross boundaries between isolated environments. Following ANSSI’s recommendations on network segmentation, this approach involves:

    • Creating distinct security zones based on data sensitivity
    • Establishing strict controls at boundaries between zones
    • Applying the principle of least privilege to each access request

    Our specialized team helps you design and implement a segmented architecture that multiplies obstacles against Spectre and dramatically reduces the exploitable attack surface.

    4. Plan strategic hardware renewal

    Hardware evolution plays a crucial role in this defense strategy. Processors designed after 2019 incorporate hardware protections against Spectre and its variants, significantly reducing the attack surface at its source.

    Our « Security Meets Business » approach helps you identify critical systems for priority renewal, gradually transforming your infrastructure to make it naturally more resistant to hardware vulnerabilities.

    When Spectre challenges Zero Trust, we witness a fascinating contest between a fundamental vulnerability and a security model designed to trust nothing by default. This situation perfectly illustrates the necessary evolution of cybersecurity approaches when facing threats that question the very foundations of IT architecture.

    We’ve seen how Zero Trust principles offer structured resistance to Spectre’s exploitation mechanisms:

    • Continuous authentication against unauthorized access
    • Micro-segmentation against lateral movement
    • Principle of least privilege against privilege escalation
    • Continuous monitoring against abnormal behaviors

    At Ariovis, we believe this approach not only provides effective defense but also perfectly aligns with our « Security Meets Business » vision. Indeed, a well-implemented Zero Trust architecture delivers benefits beyond protection against vulnerabilities like Spectre:

    • Optimization of information flows within the organization
    • Clarification of responsibilities and access boundaries
    • Strengthened regulatory compliance
    • Facilitated infrastructure evolution

    This is precisely why Ariovis is launching a new offering that integrates safety and cybersecurity with native hardware security features. Against Spectre and future hardware vulnerabilities that will inevitably emerge, Zero Trust represents not just an effective shield but also a catalyst for organizational transformation. 

    Against Spectre and future hardware vulnerabilities that will inevitably emerge, Zero Trust represents not just an effective shield but also a catalyst for organizational transformation.

    Contact us ​to discover how the interaction between hardware threats and Zero Trust architecture can become an opportunity for your company.

    When Security meets Business – Ariovis