Security & Operations

Access you can govern. Data you can see.

The moment our large, and most regulated client once called us "the most technological vendor we have" and told us we're easy to work with, we began treating that as an obligation. We started by protecting our own core features; today Portium protects the institution's whole interaction with the internet, with nothing to install.

Apply for free trial

On this page

Data protectionFiles are gated and inspected before they ever leave.
LoggingEvery action logged in a revision-safe audit trail.
ComplianceISO 27001, SOC 2, HIPAA - certified and audited.
SecuritySecurity that goes beyond access, end to end.
Portium's IAMFull identity & access governance, automated.

Not just a proxy - a data-leak protector

Portium doesn't only let the right people in - it watches what goes out. Every file a user uploads from inside the institution is gated and inspected before it can leave, so sensitive data never slips out to the open internet.

Inside the hospital network, a clinician uploads a file on a publisher site; Portium gates and inspects it, finds sensitive information, and forwards the request to the security department for approval before anything leaves the organization.

Files never leave the organization without approval.

1 · Upload

A clinician uploads a file.

A clinician uploads a file.

2 · Scan

"Please wait, we scan."

"Please wait, we scan."

3 · Routed

"Some sensitive information was found. Your request and file were sent to the security department, and we'll update you once it's approved."

"Some sensitive information was found. Your request and file were sent to the security department, and we'll update you once it's approved."

Good to know

What happens to a file that contains sensitive data?

It's held before it ever leaves the institution. Portium routes the upload and the file to your security department for review, and the user is told their request was received and will be approved once it's cleared - nothing leaves the institution until then.

Does scanning slow people down or block normal uploads?

Every action, logged and managed

Every action - across the proxy, identity, authentication and admin layers - is written to the system log with its timestamp, severity, component, module, function, user and IP. When an alert comes in, filter the logs by the source IP and the whole trail is right there. No function is left without a log.

Every action, logged and managed

Good to know

What exactly is recorded in the logs?

Every action across the proxy, identity, authentication and admin layers - each entry carries a timestamp, severity, component, module, function, the user, and the source IP. No function runs without a log.

How do we investigate an alert?

Trusted, audited, compliant

Compliance and certification

Customer trust is our top priority. Our pragmatic, efficient security is built on the technical expertise and professionalism of our teams - so our users can understand our approach while keeping control. The policies we implement are transparent and produce measurable results; they adapt to changing threats and stay consistent between providers. To achieve this, we certify our solutions to the very highest security standards.

ISO 27001

HIPAA

ISO 27001 · HIPAA · SOC 2 Type II - audited by KPMG.

Additional services

Certifications and reports

Customers can request access to our certifications and reports, and may obtain documents relating to our certifications under certain conditions.

On-site audits

We authorise audits carried out by third parties only, for the purpose of certifying all relevant parties. Contact our sales department to access this type of service.

Security that goes beyond access

From the first vendor-assessment meeting to the way we build and run the product - security is the whole engagement, not a single feature.

We come to the table: live security-review meetings, every document and questionnaire your team needs, and vendor-assessment spreadsheets filled in with you - whatever procurement and security need to say yes.

Meetings & institutional agreements

Good to know

Will you join our procurement and security review?

Yes. We come to the table with live security-review meetings and fill in your vendor-assessment questionnaires and spreadsheets with you, so procurement and security get everything they need to approve.

What multi-factor authentication do you support?

How does Portium fit with RA21 and federated single sign-on?

It moves with it. We sign your scholars in through SSO and federate with publishers wherever their platform allows, so access is standards-aligned and beyond IP. Federation still doesn't reach every platform, so our managed in-path layer covers the rest - and, staying in the path, it adds the security layer a sign-in passes by: data-loss prevention on every upload, allow-listed destinations, and full logging of what enters and leaves, all managed for you with your policies in writing.

One platform to govern every identity - automated, managed, compliant

AutomatedJoiners, movers and leavers flow from your HR/SIS - access is never late, never orphaned.
ManagedWe tailor the connectors and role model to your institution, then run it for you.
CompliantISO 27001, SOC 2 Type II and HIPAA; GDPR-aligned and encrypted end to end.

Identity and access is the kind of system that should never be improvised - and it's what Portium already runs for your institution every day. The full lifecycle of every identity is automated: people are onboarded, moved and offboarded straight from your authoritative systems, provisioned into your directories, and signed in through standards-based single sign-on and MFA - so access is never late and never lingers. Roles and attributes hold everyone at least-privilege, certification campaigns prove access stays appropriate, and every action is written to a revision-safe audit trail. It's ready for the regulators (ISO, SOC and local regulations in EU, US and Japan, encrypted end to end - and it's built to your principles: Portium answers to your institution, with no backdoors and your data kept where your policy and region require. And it's easy, because it's managed: we tailor the deployment, the connectors and the role model to your institution in the onboarding agreement, then run it for you. Everything an institution's identity and access platform must do, in one place:

Portium IAM governance: access granted by role (least-privilege), a self-service request approved while a second is blocked for a Segregation-of-Duties toxic combination, a quarterly certification campaign, a revision-safe audit trail filtered by IP and streamed to the SIEM, and the compliance close — ISO 27001, SOC 2 Type II, HIPAA and GDPR. — How it works, end to end

Identity lifecycle

Authoritative HR / SIS sourcesYour HR and Student Information System become the source of truth - Banner, SAP HCM / SuccessFactors and the like drive every change.
Identity lifecycle - Joiner, Mover, LeaverOnboarding, role changes and offboarding are automated from events in your authoritative systems - so accounts are never late and never orphaned.
Automated provisioning & de-provisioningAccounts and entitlements are created, updated and revoked downstream automatically - delta-based, with retry and self-healing when a system is briefly unavailable.
Directory & cloud integrationNative, event-driven provisioning into Active Directory, LDAP, Microsoft Entra ID / Azure and Google Workspace, kept in sync.
Login-name & email generationDeterministic usernames and email addresses per your naming conventions, with collision handling, as accounts are provisioned.

Access & authentication

SSO, MFA & federationStandards-based single sign-on (SAML 2.0, OIDC), multi-factor authentication, and federation - Shibboleth, SURFconext, Entra, Okta, Duo. Portium acts as both identity and service provider.
RBAC & ABAC access modelsGrant access by role and by attribute, layered business → IT → meta roles, for consistent least-privilege across the institution.
Access requests, approvals & SoDSelf-service access requests routed through approval workflows, with Segregation-of-Duties rules that block toxic combinations of entitlements.
Access certification (attestation)Periodic recertification campaigns where managers re-confirm who has access to what - and revoke what's no longer justified.
Role management & role miningDesign, maintain and discover roles from real access patterns, so role-based access stays maintainable at tens of thousands of identities.
Privileged Access ManagementExtra governance for admin accounts - vaulting, just-in-time elevation and session oversight for the highest-value targets.

People & self-service

External & guest identitiesGovern partners, guest researchers, contractors and visitors who have no HR record - sponsored, time-bounded, with automatic expiry.
Self-service & delegated adminPassword reset, profile and access-request portals, plus delegated administration so local teams manage their own scope - and the help desk sheds load.

Audit & monitoring

Revision-safe audit & reportingTamper-evident logs of every identity and access event, retained per policy, with reporting and usage statistics - GDPR-compliant.
SIEM integration & monitoringStream security events to your SIEM, such as Microsoft Sentinel, with health-checks and monitoring endpoints for operations.

Platform & operations

Open APIs & protocolsREST and SCIM for provisioning, SOAP / SPML where legacy systems require it, plus graph and directory APIs - so it connects to your whole stack.
Deploy your wayCloud, on-premises or hybrid, with EEA or on-prem data-residency, multi-zone topology, redundancy and self-healing.
Enterprise security, certifiedEncryption in transit and at rest, WAF and DDoS protection, regular penetration testing - ISO 27001, SOC 2 Type II and HIPAA.
Proven at scaleTens of thousands of identities across distributed sites, without degradation.
Long-term support & SLAsMaintenance, bug-fixing and security patching under defined SLAs - for the life of the system, not just go-live.

Good to know

What is Portium's IAM, exactly?

A complete Identity & Access Management (IAM) and Identity Governance & Administration (IGA) platform. Beyond connecting your users to research resources, it governs identity for the whole institution - lifecycle, provisioning, SSO and MFA, role- and attribute-based access, certification and audit - in one managed system.

Why is Portium the right system to run our identity and access?

Who controls the data, and are there any backdoors?

Is it hard to implement?

On-premises, hybrid or cloud - what do you recommend?

We run Portium as a managed cloud service, and for most institutions that's the right call. Just as RA21 moved access beyond self-hosted IP authentication, the field has moved toward managed services that are kept current, patched and watched for you - rather than an unmanaged system your own team has to nurse. Your policies still govern everything: we put them in writing in the onboarding agreement, keep full transparency over what's shared, and back it with full compliance such as ISO, HIPAA and SOC 2 Type II audited by KPMG. Where data-residency or regulation calls for it, we also offer on-premises or hybrid, with EEA or on-prem data-residency, multi-zone topology and redundancy - chosen with you.

Which identity sources and directories does it connect to?

Show all questions

Talk to us about IAM

Explore Portium for every team

Talk to us about your security requirements

Apply for free trial