IAM Integration with White Gloves
Kestra Holdings operates one of the most successful online wealth management platforms in the United States, supporting an ecosystem of over 2,400 independent financial professionals across six subsidiaries, and employing over 700 associates. To securely and conveniently connect employees and their network of financial professionals to the central platform, Kestra Holdings consolidated its Identity and Access Management solution with experts from iC Consult in an end-to-end identity solution from Okta – laying a sustainable foundation for future acquisitions and innovations.
At a glance
Developing an enterprise-wide IAM strategy, defining standards for connecting internal and external users, and replacing the existing legacy systems with a contemporary identity solution.
Products and services:
Identity Solutions from Okta and SailPoint
- Strong Identity Solution with MFA and SSO: Users can log in with different factors depending on the context and level of risk.
- Successful Roll-out: Over 90% of 5,000 consultants adopted the solution before the official launch.
- Involvement of all stakeholders: Regular reports on the solution and the milestones achieved ensure full support from stakeholders.
- Next milestone: The services will be migrated to a redesigned and powerful next-generation platform.
- Identity-as-a-Service is the future: In the medium term, IaaS services could be provided in all offices and for each consultant, to strengthen collaboration with partners.
Kestra Holdings has always been committed to completely redefining the future of wealth management through first-class service, cutting-edge technology, and a wide range of back-office support. In serving its clients and partners, the company therefore relies on a contemporary digital platform, through which internal and external users can currently access around 50 business applications and extensive resources.
However, granting secure access to these tools has not always been easy within Kestra’s complex infrastructure, reports Kyle Weckman, Head of Cybersecurity and Technology Risk at Kestra Holdings: “Kestra has grown rapidly in recent years – partly organically, and partly through acquisitions. Our holding company now includes six dedicated subsidiaries, and for a long time, each managed its own identity and access rights. In addition, until the formation of the Holdings Co., the many thousands of financial professionals we work with were also using heterogeneous, and sometimes outdated, solutions. There was a lack of architectural standards, consistent processes and the automation needed to scale – so we called in the experts at iC Consult to tackle the issue of identity from scratch and put it on a robust and future-proof foundation.”
Okta Scores with High Interoperability
The primary goal of the project was to develop an enterprise-wide strategy for Identity and Access Management, define clear standards for connecting employees, external consultants, and customers, and replace the existing legacy systems with a contemporary, secure, and easy-to-use enterprise IAM solution.
The project team evaluated the market and ultimately chose the IAM platform vendor Okta: “We liked Okta’s secure and resilient platform right away,” said Kyle Weckman. “But the deciding factor was ultimately the fact that the company is a vendor-agnostic identity provider, which means it can be combined with other solutions in an extremely flexible way. In our heterogeneous and dynamic landscape, that is exactly the flexibility we need.”
Cross-Identities Become a Pain Point
The project team implemented Okta’s workforce and customer platforms as an enterprise authentication and authorization solution for employees, consultants, and customers – and consolidated the subsidiaries’ existing legacy systems into one overall solution. However, the clear division of roles was not always enforceable in practice: many Kestra Holdings users hold multiple roles – such as customers who are also consultants, or freelance consultants who are acquired and brought in as employees. “Handling these cross-identities proved to be extremely complex,” agrees Kyle Weckman. “In the course of the project we therefore decided, together with the experts at iC Consult, to implement a SailPoint solution as a dedicated orchestration platform in addition to Okta. This helped us reliably manage identities and access rights across all roles.”
Key Highlights of the IAM Solution:
- Strong Multi-Factor Authentication (MFA) for employees: Okta supports strong adaptive MFA, where users can log in with different factors depending on the context and level of risk – for example, via password, fingerprint, Magic Link or One-Time-Password. This is not only secure but also convenient – and sustainably relieves the help desk.
- Workforce portal with Single Sign-on (SSO): As part of the project, Kestra Holdings integrated a new application portal, where employees and consultants, after logging in once, can access more than 40 business applications at any time. Dedicated application portals were also set up for Kestra’s customers.
- Automation of account lifecycle: Okta largely automates the onboarding and offboarding of employees, including the assignment of granular access rights. This allows Kestra Holdings to ensure that new colleagues have immediate access to all the applications and resources they need from day one – without the need for IT team intervention.
- Improved user experience for customers and employees: Flexible, in many cases passwordless, authentication options and convenient Single Sign-on ensure a high-quality experience for customers and employees at all times.
- Reliable compliance with regulatory requirements: As a Wealth Management firm, Kestra Holdings operates in a heavily regulated market and must ensure compliance with national and international requirements – such as SEC and FINRA guidelines. Specifically, these stipulate the mandatory use of MFA technology – a requirement that Kestra Holdings meets throughout with Okta.
Kyle Weckman, Head of Cybersecurity and Technology Risk at Kestra Holdings:
“Our new architecture allows us to bridge the gap from our legacy systems, with our new cloud-based micro-services platform going live shortly. Users will be able to easily log in with their existing identities and be productive and secure from day one. This has been a pain point and a must-have requirement for our customers.”
White-Glove Service for Optimal Acceptance
“Even though we knew about the many benefits of the new identity platform, it was clear to us that the success of the IAM rollout would stand or fall with acceptance on the part of customers and employees – and that is difficult to predict with thousands of users, many of whom have no experience with modern IAM solutions,” explains Kyle Weckman. “So, together with iC Consult, we decided to take an unusual step: Our IT team developed a new white-glove service specifically for this project – basically an all-round carefree VIP support service for users, where we handled all requests personally, offered extensive help and made sure to involve all users from day one. This worked wonders – over 90 percent of our 5,000 consultants adopted the solution before the official launch.”
Proactive Stakeholder Onboarding
Flanking the white-glove program, the project team also made sure to solicit boardroom support across all subsidiaries: All CIOs and stakeholders were regularly updated on the benefits of the new platform and the future potential of the solution and informed of milestones achieved. In this way, the project had full support across the board right from the start – and it even managed to exceed the high expectations since the solution went live: “I have to say I think Okta is now one of my favorite apps, given the ease it enables logging into our disparate apps with different usernames,” says Stephen Langlois, President at Kestra Financial.
Next Milestone: New Next Generation Platform
This high level of acceptance is of central importance. The new IAM platform and experience is not only intended to alleviate identity pain points in the short term but also represents an important long-term milestone: “We plan to migrate our applications and services to a completely redesigned, much more powerful next-generation platform over the course of the next year – and the new IAM solution is the cornerstone of this new platform,” explains Kyle Weckman.
Identity-as-a-Service Is the Future
In the medium term, however, the new IAM platform offers Kestra Holdings even more ambitious potential, according to Kyle Weckman: “I could well imagine that in a few years’ time we will be offering IaaS services based on Okta for all 1,100 branch offices. From our point of view, that would be a truly groundbreaking model for further strengthening collaboration with our partners – and with a solution like that, we would establish a whole new standard in the industry.”