What is TeSA?
Technology-enabled Shared Accommodation (TeSA) is a suite of services that allows staff from multiple organisations who work out of shared accommodation to access and share common resources at that physical site.
Cogito Group’s TeSA services provide a consistent user experience: staff appear to be working from their own organisation’s resources, even though those resources are securely shared with other organisations in the same building. TeSA can also be configured to give approved visitors access to their own organisation’s network services while they are in the building, rather than confining them to limited or dedicated guest services. This is particularly useful for a visitor who belongs to a tenant organisation but is not based in that building, or who belongs to a partner organisation visiting the building.
TeSA Solution Overview
The Cogito Group TeSA solution allows organisations within a multi-tenanted building to share resources whilst retaining control of their own data.
The TeSA solution is extensible and scalable, and has been designed so that further shared capabilities can be added later. The Cogito Group TeSA solution comprises two parts:
1. The Shared Accommodation federated Directory (SAfD)
2. The Jellyfish Network Access Engine (JF NAE)
Components of TeSA
Jellyfish Network Access Engine (JF NAE)
Cogito Group’s TeSA solution enables the secure sharing of networks between tenants through the JF NAE. The JF NAE provides 802.1X authentication in two ways: natively, for devices that authenticate with certificates, and by proxying RADIUS requests to the subscribing organisation’s own RADIUS servers. In both cases the JF NAE checks the connecting user or device against the SAfD, so only identities that a tenant has published there are admitted. This process is shown in Figure 1 – TeSA Overview below.
Members of multiple tenant organisations can connect to the building’s 802.1X-capable Wi-Fi or wired access ports and reach their own organisation’s private network. Although staff from different organisations connect through the same physical network, each organisation’s private home network remains inaccessible to anyone outside that organisation, so users reach their private resources from the shared network without guests or other tenants’ staff being able to reach those resources as well.
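The per-connection decision described above, written out as an added example. This is illustrative code, not Cogito Group’s or the JF NAE’s own implementation: the realm names, RADIUS hosts, VLAN tags, CA names and the published SAfD entries are all assumptions chosen to show the three outcomes (native certificate authentication, proxy to the tenant’s RADIUS server, reject) and the checks a practitioner would want between them.

```python
"""Constructed example (not Cogito Group code): the per-connection decision an
802.1X access engine in the JF NAE role could make.  Realm names, RADIUS hosts,
VLAN tags, CA names and the published SAfD entries are illustrative assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TenantHome:
    radius_server: str   # assumed tenant RADIUS server that proxied requests go to
    vlan: int            # assumed tenant network the authenticated session is placed on
    trusted_ca: str      # assumed issuer accepted for native certificate (EAP-TLS) auth


# Assumed tenant configuration, keyed by the realm part of a "user@realm" identity.
TENANTS = {
    "tenant-a.example": TenantHome("radius.tenant-a.example", 110, "Tenant A Device CA"),
    "tenant-b.example": TenantHome("radius.tenant-b.example", 120, "Tenant B Device CA"),
}

# Assumed read-only view of the identities each tenant chose to publish to the SAfD.
SAFD_PUBLISHED = {
    ("tenant-a.example", "alice"),
    ("tenant-a.example", "laptop-0042"),
    ("tenant-b.example", "bob"),
}


@dataclass(frozen=True)
class Decision:
    action: str                  # "native", "proxy" or "reject"
    vlan: Optional[int] = None
    target: Optional[str] = None
    reason: str = ""


def parse_nai(identity: str) -> Tuple[str, str]:
    """Split a user@realm identity; the realm is case-insensitive, the user part is not."""
    if identity.count("@") != 1:
        raise ValueError("expected exactly one '@'")
    user, realm = identity.split("@")
    if not user or not realm:
        raise ValueError("empty user or realm")
    return user, realm.lower()


def decide(identity: str, cert_issuer: Optional[str] = None) -> Decision:
    """Route one connection attempt.

    identity    -- the outer identity (or, for EAP-TLS, the identity carried in the
                   client certificate); presence in the SAfD is required either way
    cert_issuer -- issuer of the presented client certificate, or None for
                   credential types that must be proxied to the tenant
    """
    try:
        user, realm = parse_nai(identity)
    except ValueError as exc:
        return Decision("reject", reason=f"malformed identity: {exc}")

    tenant = TENANTS.get(realm)
    if tenant is None:
        # No default home server: an unknown realm is rejected, never proxied "somewhere".
        return Decision("reject", reason=f"unknown realm {realm}")

    if (realm, user) not in SAFD_PUBLISHED:
        # The tenant has not published this identity, so the shared network does not
        # admit it even though the realm itself is known.
        return Decision("reject", reason=f"{user}@{realm} not published to SAfD")

    if cert_issuer is not None:
        # Native path: the engine terminates EAP-TLS itself but only trusts the CA
        # configured for this tenant, so a tenant B certificate cannot claim a tenant A realm.
        if cert_issuer != tenant.trusted_ca:
            return Decision("reject", reason="certificate issuer not trusted for this realm")
        return Decision("native", vlan=tenant.vlan, reason="EAP-TLS terminated locally")

    # Proxy path: the tenant's own RADIUS server verifies the credential.
    return Decision("proxy", vlan=tenant.vlan, target=tenant.radius_server,
                    reason="credential verification delegated to tenant RADIUS")
```

The order of the checks is the point: realm lookup first (so nothing is proxied to an unconfigured destination), SAfD publication second (so a tenant that withdraws a user from the directory cuts off their building access without touching its own RADIUS server), and certificate-issuer binding last (so trust in one tenant’s CA cannot be used to land a device on another tenant’s network).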
Shared Accommodation federated Directory (SAfD)
The sharing of resources within the TeSA system is facilitated through the SAfD. The SAfD is a single, centralised, federated identity store that holds the users published by subscribing organisations and can provision identities from many different identity providers. It provides federated Single Sign-On (SSO), lets each subscribing organisation control what information it shares with the directory, and provides reporting and management through Jellyfish.
Tenant organisations choose which users and devices they publish to the SAfD. The trust relationship is one-way: the SAfD consumes identity information from each tenant’s directory, but each tenant retains full control over its data and its home directory remains the single source of truth for identity information within that organisation. Access to the SAfD and the NAE is facilitated through Cogito Group’s Identity Brokerage solution.
Identity Brokerage
Cogito Group’s Identity Brokerage solution:
- Allows for a shared network and services structure.
- Allows users to utilise their existing credentials for authentication to shared services.
- Enables the sharing of resources (such as Wi-Fi) between organisations without the need to duplicate or share accounts.
- Provides a single interface for services to authenticate users and devices.
- Is a single trust point.
Each organisation establishes a single connection to the broker through which third-party credentials can be authenticated, rather than a pairwise web of connections between every organisation. Each organisation therefore integrates with the identity broker once in order to accept many types of credentials, with rules governing what each credential may access. Cogito Group’s Jellyfish service monitoring is also applied at this point to detect anomalous, unusual or excessive credential use.
Tenant organisations may also use the TeSA service to provision identities for external parties such as guests, or for temporary services. These can be provisioned and de-provisioned through the Jellyfish interface.
Building Usage Statistics
TeSA’s reporting system can provide statistics and insights on how space in a shared building is used that are difficult to obtain by other means. Because TeSA tracks the presence and movement of people’s devices within the building, it can generate live reports that members of tenant organisations can use to see which zones are in high demand and where desks are free, without spending time searching the office floor. TeSA reporting can also show the availability and utilisation of meeting rooms and track the flow of people over a set period.
Shared Visitor Management System
When guests or members of a tenant organisation cannot find a desk in a large building, time and money are wasted. TeSA compares the number of devices present in an area with the number of desks in that area to estimate how many desks are free, and presents the result to the building’s visitor management system or to a member’s mobile device as a traffic light: floors that are full (red), nearly full (amber) or have space available (green). People entering the building can then go straight to an empty desk and start work.
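The device-count versus desk-count comparison above, as an added worked example. It is not Cogito Group code: the zone names, desk counts, colour thresholds and the presence observations are all constructed here. It also covers two cases the paragraph does not spell out: the same device being observed more than once in a zone (re-association to another access point), and a zone with no desks at all.

```python
"""Constructed example (not Cogito Group code): turning device presence per zone
into the red/amber/green status described in the text.  Zone names, desk counts,
thresholds and the observation records are assumptions for illustration."""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Assumed desk capacity per zone.  "Store" has no desks at all.
DESKS = {"L3-North": 40, "L3-South": 30, "L4": 60, "Store": 0}

# Constructed presence observations as (zone, device identifier).  Device ...:01 is
# seen twice in L3-North (once with different letter case), so naive counting
# would overstate occupancy there.
OBSERVATIONS = (
    [("L3-North", f"aa:bb:cc:00:00:{i:02x}") for i in range(1, 39)]   # 38 distinct devices
    + [("L3-North", "AA:BB:CC:00:00:01")]                              # duplicate of device 01
    + [("L3-South", f"aa:bb:cc:00:01:{i:02x}") for i in range(1, 23)]  # 22 devices
    + [("L4", f"aa:bb:cc:00:02:{i:02x}") for i in range(1, 11)]        # 10 devices
)


def occupancy(observations: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Distinct devices per zone; identifiers are normalised so case differences
    do not double-count the same device."""
    seen = defaultdict(set)
    for zone, device in observations:
        seen[zone].add(device.lower())
    return {zone: len(devices) for zone, devices in seen.items()}


def traffic_light(devices: int, desks: int, amber_at: float = 0.7, red_at: float = 0.9) -> str:
    """Classify one zone.  The thresholds are assumed fractions of desk capacity."""
    if desks <= 0:
        return "red"          # nowhere to sit, however few devices are present
    ratio = devices / desks
    if ratio >= red_at:
        return "red"
    if ratio >= amber_at:
        return "amber"
    return "green"


def floor_status(observations: Iterable[Tuple[str, str]], desk_map: Dict[str, int]) -> Dict[str, str]:
    """Traffic light for every zone in the desk map, including zones where no device was seen."""
    counts = occupancy(observations)
    return {zone: traffic_light(counts.get(zone, 0), desks) for zone, desks in desk_map.items()}
```

Iterating over the desk map rather than over the observations matters: a zone that nobody is sitting in produces no observations, and it must still come out green rather than disappearing from the display.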
Shared Print/ Locker Management
The SAfD service provides user authentication for common facilities within the building such as shared printing and locker systems. When a user logs on to a common facility, the SAfD passes the authentication request to that user’s own organisation’s directory. Once the home directory has authenticated the user, the SAfD completes the authentication and grants the user access to the service.
The SAfD service thus ensures that each tenant organisation in the shared accommodation keeps ownership of authentication for its own users, while providing the means to manage shared use of the services.
Shared access to facilities such as printers and lockers reduces the number of parallel systems running in the same building, saving money and reducing complexity, while each tenant organisation’s information remains independent and secure.
Shared PACS/EACS
Physical Access Control Systems (PACS), also known as Electronic Access Control Systems (EACS), integrate hardware (e.g. card readers, access cards, door locks) and software (e.g. access control server, identity database, policy data) to give an organisation control over who may enter physical facilities at a building’s entry points.
Tenant organisations sharing a single PACS avoids the complexity of having several access control systems managing the same access point. The PACS can be configured to provision access selectively, so each tenant organisation chooses who can go where, allowing shared common areas and privately controlled areas to coexist within a single building.
Shared Booking Management System
Maintaining a single, common booking management system for all organisations in the accommodation, rather than several running concurrently, keeps that system the single source of truth for meeting room bookings, so double bookings do not happen and work flows more smoothly. Through Jellyfish, a building’s tenants can eliminate double bookings and make policy enforcement decisions, such as freeing up a booked meeting room if no one has swiped into it within 15 minutes of the scheduled start.
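The release rule just described, as an added example that evaluates booking records against PACS swipe events. This is not Cogito Group or Jellyfish code: the record shapes, room names, times and badge identifiers are constructed here; the 15-minute grace period is the figure the text uses, kept as a parameter. The example also settles the edge cases the one-sentence rule leaves open: an early arrival counts as attendance, a swipe after the grace window does not, and a booking is never released while its window is still open or after it has already ended.

```python
"""Constructed example (not Cogito Group code): the meeting-room release rule
from the text, evaluated against booking records and PACS swipe events.
Record shapes, room names, times and badges are assumptions; the 15-minute
grace period is the value the text gives."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List


@dataclass(frozen=True)
class Booking:
    room: str
    start: datetime
    end: datetime
    organiser: str


@dataclass(frozen=True)
class Swipe:
    room: str
    at: datetime
    badge: str


def rooms_to_release(bookings: Iterable[Booking], swipes: Iterable[Swipe], now: datetime,
                     grace: timedelta = timedelta(minutes=15)) -> List[Booking]:
    """Bookings that should be freed at `now`.

    A booking is released only once its grace window has closed (now is past
    start + grace) and no swipe into its room occurred between start - grace and
    start + grace.  Early arrivals therefore count, a swipe after the window does
    not, and bookings that have already ended are ignored.
    """
    swipes = list(swipes)
    released: List[Booking] = []
    for b in bookings:
        deadline = b.start + grace
        if now <= deadline or now >= b.end:
            continue  # window still open, or nothing left to release
        attended = any(
            s.room == b.room and (b.start - grace) <= s.at <= deadline for s in swipes
        )
        if not attended:
            released.append(b)
    return released


# Constructed data for one morning; T is the 09:00 slot start.
T = datetime(2024, 3, 4, 9, 0)
BOOKINGS = [
    Booking("Room A", T, T + timedelta(hours=1), "alice"),                          # arrived early
    Booking("Room B", T, T + timedelta(hours=1), "bob"),                            # no-show
    Booking("Room C", T + timedelta(minutes=30), T + timedelta(hours=1), "carol"),  # not yet started
    Booking("Room D", T, T + timedelta(minutes=10), "dave"),                        # already over
    Booking("Room E", T, T + timedelta(hours=1), "erin"),                           # arrived too late
]
SWIPES = [
    Swipe("Room A", T - timedelta(minutes=5), "badge-alice"),   # 08:55, inside the window
    Swipe("Room Z", T + timedelta(minutes=5), "badge-bob"),     # bob swiped into the wrong room
    Swipe("Room E", T + timedelta(minutes=20), "badge-erin"),   # 09:20, after the window closed
]


def minutes_after(n: int) -> datetime:
    """Helper for evaluating the rule at T plus n minutes."""
    return T + timedelta(minutes=n)


def released_rooms(now: datetime) -> List[str]:
    """Room names the constructed data says should be freed at `now`."""
    return [b.room for b in rooms_to_release(BOOKINGS, SWIPES, now)]


if __name__ == "__main__":
    print(released_rooms(minutes_after(16)))
```

Run at 09:16 the constructed data frees Room B (no swipe at all) and Room E (the only swipe came after the window), keeps Room A, and leaves Room C and Room D untouched because one has not reached its deadline and the other has already ended. Run at exactly 09:15 nothing is freed, since the window is treated as inclusive of its last minute.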
Our experience
Cogito Group has successfully deployed TeSA systems for multiple government agencies, solving the complex problems of large-scale organisational integration. To do this, Cogito Group implemented the Jellyfish NAE and the SAfD. These projects have allowed several government organisations to share accommodation and services without having to be in the same security domain. They now share Wi-Fi, printing, visitor management systems, meeting room booking systems, secure locker systems and more in a secure and efficient manner.