Knowledge

IAM gives you a head start when integrating third-party services

Ever more organizations are cooperating with other companies: open innovation benefits these partners and their customers. Bringing different ideas together spurs innovation. Combining services offers customers a one-stop-shop. To make this happen, applications from different enterprises need to be linked together and exchange data, sometimes of a sensitive nature. Identity and Access Management (IAM) is key to ensure trust towards the customer and between the different partners. Being able to set up these connections with third-party services swiftly and securely is essential to stay ahead of the competition.

Read on to find out:

  • Why organizations build connections to third-party services
  • What is the role of microservices and APIs
  • Why is IAM important in connecting to third-party services
  • The banking and travel industry were first to start building ecosystems
  • Why PSD2 and Open Banking are driving third-party integration in 2020
  • Why TrustBuilder is the best partner to secure third-party integrations

Why do organizations build connections to third-party services?

Today’s consumers expect impeccable quality, fast service, a smooth user experience and, above all, convenience. A brand that can bring together multiple, customer-centric services will always be favored over specific, ‘boutique’ offerings. Traditional businesses are being ‘Amazonized’ and are now looking for ways to expand their range of products beyond the commodity services of old.

Rather than developing these services themselves, companies continue to concentrate on innovating their own services, and bundling these with third-party applications to complement theirs. Leveraging external input and expertise, they can improve existing products and services and even come up with entirely new business models that meet and exceed customer expectations. For maximum convenience and user experience, all these services need to be offered through one common interface and with easy authentication. End-users should never see the back-office complexity or have to log in again when moving from one service to another.

What is the role of APIs and Microservices in building ecosystems?

APIs (short for Application Programming Interfaces) are sets of routines, protocols and tools that are used to build software applications. In essence, an API specifies how software components should interact. The overall collection of APIs and the way they interact with each other is often referred to with the term ‘microservices’.

Rapid changing ecosystems introduce new challenges: monolithic apps are often so large and complex, with millions of lines of code, preventing organizations from reaching the agility they need. Microservices typically contain a few thousand lines of code. By splitting these large applications into smaller microservices, they become easier to adapt as business requirements change. Rewriting microservices that are linked to just one business process or one transaction, is less complex than making changes to a monolithic application that holds an entire company’s business logic. Microservices are a perfect way to conduct new businesses and generate new revenue streams through an ecosystem.

APIs and microservices form the answer to the challenge that traditional monolithic applications pose.

As companies forge partnerships, they offer customers access to third-party applications through these APIs. This has given rise to an ecosystem of APIs and microservices that should not be exposed to the outside world, unprotected.

Why is IAM important when building an ecosystem?

When applications exchange information, this needs to happen in a secure way: if banks are exchanging customer information with a third party, there need to be rules to define which third party has access to what level of customer information. The ability to control API access is the cornerstone of effective API and microservice security, and key to establishing trust in ecosystems. Customers will not want to leave their personal data in an ecosystem of applications if they cannot trust the companies behind the applications. In the case of a banking customer, the bank becomes the broker of trust for the entire ecosystem.

Identity and Access Management is the centerpiece in protecting an ecosystem. IAM will identify and authenticate users and, based on their access privileges, connect them to the services they have privileges to through SSO. When additional security is required, the IAM engine will use step-up authentication, for instance by requesting extra attributes.

IAM will also hide the complexity for the end-user: moving from one application to another in the banking app should be completely transparent, without asking the user to authenticate for each separate service.

What industries are building ecosystems in 2020?

Any industry can take advantage of building ecosystems. Consumers are looking for ease of use and one partner to fulfill as many services as possible. The travel industry and banking are probably furthest advanced in providing integrations with other partners.

Ecosystems in the travel industry:

When booking a flight directly with an airline, the airline will offer you an extra set of services that you can consider when you travel, for instance luggage insurance, which is still pretty close to the core business of the airline, but also other services such as car rental, hotel bookings or registration for day trips from your destination, concert tickets, etc.

Ecosystems in retail banking:

Through their smartphone app, banks offer their own financial services and insurance products and add extra applications, such as travel tickets, buying petrol, concert tickets, utilities and even links to handyman services. Some banks even open up their applications to non-customers, attracting them with these non-financial services in the hope of making them a customer afterwards. Some banks will even offer price checking so that customers get the best conditions when using this bank account.

To offer a good customer experience, these applications need to be seamlessly integrated, and should work without asking the user for credentials for each different application.

Why PSD2 and Open Banking are driving third-party integration in 2020

The Payment Services Directive (PSD2) and the term ‘Open Banking’ are often used to mean the same thing, but there is a difference. PSD2 is part of European regulations that require banks to open up their data to third parties. Open Banking dictates that the exchange of data must happen in a standardized and secure manner. Both PSD2 and Open Banking are at the basis of the integration that we are currently seeing between banks and non-financial service providers.

Integrating with third parties can be quite lucrative for banks. For one thing, they can start acting as a one-stop shop to their customer. Imagine a family that wants to buy a house and checks out the bank’s app for mortgages. Wouldn’t it be perfect if the bank could not just offer the mortgage and insurances, but also find the best utility provider and a removals firm? And why not connect them right away with all the administrative requirements that come with buying a house such as connecting to a utility company or an internet provider. How’s that for customer experience? Secondly, banks could hypothetically monetize customer data by offering information to airline companies or even electronics web shops. Based on the spending pattern of an account holder, a bank could tell an airline what customers are open to buying upgrades, or electronics web shops about who can afford an 85-inch TV screen.

Eight reasons why TrustBuilder is the best partner to secure third-party integrations

Trust is essential in making an ecosystem work. Identity and Access Management can ensure that the integrations with third parties cannot be compromised. API attacks have long stayed under the radar, but some recent high-profile breaches have made API security more prominent. TrustBuilder is your partner of choice when it comes to combining airtight security with customer experience.

  • While API Gateways take care of basic security, only an IAM system such as TrustBuilder provides adequate security in complex environments with hundreds of APIs.
  • Most API Gateways and IAM systems secure microservices only at the edge, not between the microservices themselves.
  • TrustBuilder Identity Hub addresses security of these APIs on an individual level, authenticating identity and privileges at each hop. Whenever a token is passed on from one microservice to another, the user context defines the user access to different microservices.
  • TrustBuilder acts as a single-entry point, invoking multiple back-end servers. It aggregates the results in attributes that can be customized and returned to the requester along with the appropriate authorization.
  • Contrary to many other IAM systems that only consider users, TrustBuilder provides security for both users and APIs in one single system.
  • Acting as a token exchange, TrustBuilder Identity Hub allows easy integration with multiple third-party applications, thus enabling the ecosystem to be developed.
  • Adding a new provider to the ecosystem is enabled by extending standard policies. Following that integration, the customer and other apps can then interact with the newly added application, including microservices. New microservices can be added easily, benefitting from the existing security mechanism.
  • TrustBuilder Identity Hub hides the complexity for end-users, thus enhancing customer experience. Once a user is authenticated, TrustBuilder captures the user context in order to allow access to those microservices that the user has access privileges to. In the case of a banking app, the user can then log in to all services without having to provide credentials again.

The growth of companies depends not only on their ability to develop competitive products and services. Whom they partner with, how they integrate their respective offerings and how they secure the resulting ecosystem will be the defining criteria to achieve success. To maintain trust, an IAM platform that supports a maximum of standards, authorization methods and identity sources, is key. To react swiftly to market changes and expand the ecosystem faster than the competition, an IAM system that offers plug-and-play connections and a maximum user experience, is a must.