More than the Sum of its Parts: Identity Federation at Raiffeisen Bank International
As one of the leading European banking groups, Raiffeisen Bank International is constantly pushing forward the digitalization of its services – and, in view of strict regulatory requirements, increasingly dependent on strong Identity & Access Management. When the heterogeneous identity landscapes of its twelve subsidiaries were identified as a challenge to innovation, the internal customer IAM experts, together with iC Consult, tackled the development of a group-wide federation architecture based on PingFederate – and laid a solid foundation for future innovations.
At a Glance
Central and Eastern Europe
Developing a suitable, companywide customer IAM that consolidates the heterogeneous identity landscapes of twelve subsidiaries and meets RBI’s strong security and compliance requirements.
Products and Services:
- Consolidation of a heterogeneous IDP landscape into a group-wide solution
- Implementation of a federation platform based on Ping Identity for up to 17 million customers
- Consistent implementation of industry standards for easy integration
- Compliance with highest security standards and all regulatory requirements
- Sustainable reduction of development costs
Based in Vienna, Raiffeisen Bank International (RBI) is one of the continent’s leading banking groups with twelve network banks (NWB) in Central and Eastern Europe. When the NWBs were merged starting in the early 1990s, a number of important decisions had to be made – including whether the responsibility for the IT infrastructures should remain at local level or be centralized. Since integrating the heterogeneous landscapes would have come at high costs, the management chose the first option – and continued this model very successfully for three decades. But in today’s digital world, the downsides of multiple local IT solutions are becoming increasingly apparent: Group-wide innovation projects require a high degree of agility, which is often difficult to ensure in a decentralized organization, and the lack of standardization within the group also has a cost impact, because attractive savings potential cannot be tapped.
To pave the way for the future, RBI is currently focusing on a sustainable digitization, standardization and consolidation of its IT, as Yaron Zehavi, Customer IAM Product Owner at RBI, explains: „Our strategic goal is to develop once standardized omnichannel banking applications and reuse them across our network banks. We had a clear roadmap for standardizing APIs and event streaming solutions. But what was missing for a long time was an end-to-end identity and access management solution that would allow customers to securely authenticate and authorize themselves on the centrally deployed applications. Without such a solution, each service had to negotiate IAM processes separately with the NWBs – leading to problematic identity silos and complex integration projects.“
Ping Identity, implemented with iC Consult
The search for a suitable, company-wide customer IAM federation was anything but easy: The main challenge was to unify the fragmented IT landscape of the twelve NWBs with their multiple IDP solutions – from OpenAM to GAAS to Azure AAD – and their colorful mix of on-prem and cloud topologies in a single, comprehensive solution. This solution had to meet the strict regulatory requirements of the European banking industry, but also offer the security and usability expected by the customers – and be capable of scaling to serve the entire user base of 17 million customers. Therefore, the list of requirements with which Yaron Zehavi entered the market evaluation was quite extensive and detailed:
- The new enterprise-wide IAM solution needed to meet highest security standards and all European banking regulatory requirements, including Single Sign-On with Multifactor Authentication.
- One of the main goals of the project was to make the integration of new, centrally deployed banking applications as easy as possible for the NWBs. To achieve this, the new solution had to be fully compatible with the diverse infrastructures of the network banks.
- The solution had to provide outstanding resilience, stability, and performance with virtually unlimited scalability – given that any downtime of the IAM infrastructure would also lead to downtimes of relying RBI services in all countries.
- Authorization should be based on secure, unified access tokens in a standardized format to simplify the validation of tokens at the API level across the group.
- And finally, on a technical level: The centralized IAM should be designed for agile development environments and support contemporary CI/CD processes in order to be able to perform continuous testing and validation of new functionalities.
This detailed list of requirements was not the only challenge – the schedule for the ambitious integration project was also tight. Yaron Zehavi recalls: „The kick-off for the Customer IAM project happened in May 2021, and our goal was to go live with the new solution four months later. Therefore, we developed a pragmatic and agile roadmap: We decided to focus on the critical login security – including authentication, identities, and authorization – in the first step, and then gradually incorporate more complex authorization metadata. In the third phase we will integrate the authorization handling for banking transactions.“
Ping scores with strong federation features
After numerous discussions and a comprehensive analysis of the market, RBI decided to implement the new customer IAM solution based on Ping Identity’s products. The cloud-based and resilient combination of PingFederate and PingDirectory addressed all customer requirements and supported sophisticated solutions for a secure login and privilege management.
During this early phase of the project, the RBI team made another important strategic move: Looking at the depth and complexity of the integration, they onboarded iC Consult, an external consulting team that would support the internal identity experts with ideas and impulses down the road.
Savings potential of a group-wide identity platform
If RBI had decided to set up a separate identity solution for each NWB, this would have meant the development of 240 integrations (20 banking applications in 12 NWBs). With an estimated 3 person-months of development per integration, this totals 720 person-months, or about 6 million Euros. In addition, this scenario would inevitably have led to significant delays and organizational disruptions – either because of a lack of development resources, or because developers from other departments would have been pulled away for the project. And customers would have been directly affected as well, since an exchange of credentials would have been unavoidable.
In contrast, the development and implementation of a group-wide IAM solution took only 24 person-months. Even if we assume that it will take another 96 person-months to integrate the banking applications and NWBs (3 months each for 12 NWBs and 20 applications), and 96 additional person-months for maintenance and support, the cost of the consolidated solution is just 216 person-months, or 1.6 million euros. That’s less than a third of the cost of the alternative model, with a significant increase in security and convenience.
Integration of 60,000 users in two NWBs
The roll-out started in mid-2021 with the implementation of the new IAM architecture and the connection of the first two NWBs. To meet RBI’s strong security and compliance requirements, the project team implemented a resilient, scalable, and highly available multi-cloud architecture, and closely followed the best practices for a secure OAuth 2.0 and OpenID Connect deployment for IAM. AWS Elastic Load Balancing (ELB) and Web Application Firewall (WAF) functionalities ensure stable and secure operations, and the Prometheus monitoring solution provides seamless visibility into the environment.
Security without compromises
„As a financial institution, security is a top priority for us. Therefore, we follow all current best practices for AWS Cloud Deployment when integrating and operating the architecture – and we can also leverage Ping Identity’s cookbooks as a valuable source of information,“ says Yaron Zehavi. „In addition, we test the infrastructure once a day, after each deployment, and perform a pen test once a year. As a member of OpenID, we also consistently keep up to date with new drafts and developments.“
Continuous testing and validation
To ensure a smooth and safe implementation of new apps, updates and modifications, the project team set up a sophisticated testing environment where every change is rigorously tested before deployment. The test stack – a demo NWB IDP with a demo client – includes over 150 test scenarios with client-side and IDP-side errors and edge cases, enabling RBI to proactively and forensically test the robustness of the environment.
New functionalities are provisioned according to the agile principles of Continuous Delivery. „We don’t want to try the patience of our customers with manual updates, and we don’t want to commit our own team to unnecessary night shifts, so new releases are automatically tested, verified and rolled-out during running operations,“ explains Henrik Kroll, IAM Consultant at iC Consult. „The process works so well that RBI can serve 3 million customers without quality issues while the PingFederate and PingDirectory pods are being re-uploaded. That’s really impressive, and creates a whole new level of freedom when planning deployments.“
Leading the way into the future
The Ping solution went live in late 2021. Since then, the first two banking applications have been integrated. The federated architecture proved to be extremely intuitive and flexible from day one, and quickly established itself as the group-wide de facto standard for customer identity. The solution has also been well received by customers, who particularly appreciate the improved user experience, which enables them to use RBI’s digital services comfortably and at any time – without new credentials, via the familiar interface and in their respective local language.
With the implementation of Ping Identity, RBI successfully set the foundation for the secure and efficient delivery of standardized banking applications to its twelve network banks – independent of the identity technologies they use, and at a mere fraction of the cost that would have been incurred in developing custom integrations.
Not surprisingly, the preliminary analysis of Yaron Zehavi is very positive: „We are really proud whenever a new NWB or a new banking application goes live and the first customers access it. With Ping Identity’s solutions and iC Consult as our partner, we have laid a robust foundation for our future identity strategy – and we are very much looking forward to successfully finalizing this ambitious and high-profile modernization project together.”