TrustBuilder helps future-proof European bank
One of our customers, a large European bank, deployed TrustBuilder to add Single Sign-On functionality to an existing security solution, but quickly expanded the use of TrustBuilder Identity Hub to the authentication of all internal users. Currently, the bank runs TrustBuilder to secure connections from external users towards its ecosystem of third-party applications. The bank also counts on TrustBuilder to secure its ecosystem of third-party applications.
As a major European bank, our customer has over 35,000 employees. The bank manages savings and offers loans and insurance services. The bank is a frontrunner in digitizing the banking industry in Europe and was among the first to harness an ecosystem strategy to fend off new fintech and big tech players, and thus safeguard the firm’s future.
TrustBuilder has been working with the bank for a long period already. “We first came into contact with TrustBuilder when we were looking for an SSO solution for our WebSeal/ISAM implementation,” says an IT Architect at the bank. “At the time, TrustBuilder was the only company offering such a solution. This is the first functionality we used from TrustBuilder, but as we progressed, we implemented the full product and started using TrustBuilder for more use cases.”
Currently, the bank uses TrustBuilder for SAML Federated Authentication towards a number of internal applications and external applications that work in Software-as-a-Service (SaaS) mode. Examples of such SaaS-applications are ServiceNow and SuccessFactors, but lesser known SaaS applications are also used.
In all, over 40.000 employees and business partners authenticate their use of applications through TrustBuilder – both people working for the main branch and employees in other countries. “Our internet portal and web applications are all secured by TrustBuilder. Our employees log on using their Active Directory account and, through Single Sign-On, they get access to the other applications they have access rights to.” There are also a number of connectors to local authentication sources, for instance local instances of Active Directory in other countries. TrustBuilder is also used for external workers, for instance the outsourcing company that delivers desktop PCs to employees at the bank. “They also need access to ServiceNow and connect using two factor authentication (2FA) or certificate authorization. We use a one-time password (OTP) solution for 2FA. In fact, for anyone accessing through the internet, we impose 2FA.”
To the end-users, the use of TrustBuilder is completely transparent. The bank wants to make accessing applications and data as easy as possible to its internal users. “Employees use SSO with Kerberos. We connected TrustBuilder to our on-premise Active Directory. Through their browser they access the internet portal. When redirects to applications are set up, authentication happens seamlessly to the users.” Step-up authentication is used for important, business-critical applications when SSO does not suffice. “In that case, TrustBuilder prompts Multi-factor Authentication (MFA),” said the IT Architect. “Authentication is so seamless that users don’t know they are using TrustBuilder.
Ecosystems change the authorization context
Over the past few months, the bank has been expanding its use of TrustBuilder to also cover access to third-party applications that its customers are accessing. Banks are turning into one-stop-shops for their customers, building an ecosystem by also offering third-party applications that have no link to financial services. For instance, clients can order public transport tickets through their bank’s apps. Some banks are allowing non-banking clients to use the bank’s smartphone app to access these services. Banks are doing this to attract new customers. By using the app for non-banking activities, they get acquainted with the bank’s level of service and come to see advantages in becoming a customer. “This is a huge change for our authentication systems,” said the IT Architect. “The entire context changes. Whereas, previously, back-end systems knew that someone who authenticated was also a customer, this is no longer the case. The back-end system always expects a client number, but with non-clients now accessing these applications, we have to reassess how authentication is done and when we need to step up the authentication.”
Context is very important to the back-end systems: a different level of authorization is needed for someone who is merely ordering a bus ticket than for someone who wants to make a money transfer. TrustBuilder’s ability to add Bring Your Own Authentication (BYOA) solutions such as itsme (Belgium) or eHerkenning (Netherlands), allows easy onboarding of these new potential customers. Also, new business logic can be added to an existing environment, so as to easily identify and authenticate new users in an ecosystem. The bank has already implemented TrustBuilder Identity Hub for third-party applications and intends to extend that as the ecosystem grows.
One step ahead
Over the years, the bank has built up considerable TrustBuilder expertise. “TrustBuilder is supported internally, we have a couple of TrustBuilder specialists on our staff for maintenance.” Whenever new use cases come up or the bank has specific questions, the bank turns to TrustBuilder for strategic guidance and assistance in the implementation and for training. “We are quite pleased to see the same people coming back, armed with the accumulated knowledge TrustBuilder has built up of our own business processes.”
The bank is well pleased with the service it is getting from TrustBuilder. “TrustBuilder Identity Hub is a solid product, and it allows us to respect the Service Level Agreements (SLAs) we have with our internal users. Rarely do we have a hiccup.” The bank also commends product development: with every update of the product, the bank sees new functionalities that it is considering for later use. “New versions always contain new specifications and support for the latest authentication protocols. Most of the time these are specs we don’t yet need but know that we will do in the future. When it comes to functionalities, TrustBuilder Identity Hub is always one step ahead of us.”
Build or buy
The bank has identified several use cases where it can take advantage of the qualities of TrustBuilder Identity Hub. “For most of our commercial contacts with customers, we built our own authentication methods,” said the IT Architect. “But going forward, we prefer to buy rather than build. When we see opportunities for new implementations, we will use the tooling we already have in house, TrustBuilder for instance. We used to have a strict separation for authentication systems between internal users and commercial users. But it is clear that we will take advantage of our TrustBuilder know-how for new implementations where we need authorization to get from one application to another, and to standardize with some divisions that have their own authentication methods. In building secure connections with third-party applications, it is a big differentiator that TrustBuilder Identity Hub is fully RFC-compliant (Request for Comments). It definitely makes integration with third parties easier when all applications use the same protocol.”
Challenges
- The bank wanted to offer 40.000 employees access to all enterprise applications through Single Sign-On
- External employees required 2-factor authentication to access the bank’s applications
- The bank was looking for an IAM-solution to build out its ecosystems with third-party applications
Results
- TrustBuilder Identity Hub offers employees transparent access to applications
- The IAM solution imposes step-up authentication when SSO does not suffice
- The bank started using TrustBuilder Identity Hub for employees only, but now extends its use to all new customer applications
