Kestra’s Digital Transformation: Raising the Bar for Wealth Management
Kestra Holdings has always been committed to completely redefining the future of wealth management through first-class service, cutting-edge technology, and a wide range of back-office support. In serving its clients and partners, the company therefore relies on a contemporary digital platform, through which internal and external users can currently access around 50 business applications and extensive resources.
However, granting secure access to these tools has not always been easy within Kestra’s complex infrastructure, reports Kyle Weckman, Chief Information Security Officer at Kestra Holdings: “Kestra has grown rapidly in recent years – partly organically, and partly through acquisitions. Our holding company now includes six dedicated subsidiaries, and for a long time, each managed its own identity and access rights. In addition, until the formation of the Holdings Co., the many thousands of financial professionals we work with were also using heterogeneous, and sometimes outdated, solutions. There was a lack of architectural standards, consistent processes, and the automation needed to scale – so we called in the experts at iC Consult to tackle the issue of identity from scratch and put it on a robust and future-proof foundation.”
IAM Project Challenge
Okta Scores with High Interoperability
The primary goal of the project was to develop an enterprise-wide strategy for Identity and Access Management, define clear standards for connecting employees, external consultants, and customers, and replace the existing legacy systems with a contemporary, secure, and easy-to-use enterprise IAM solution.
The project team evaluated the market and ultimately chose the IAM platform vendor Okta: “We liked Okta’s secure and resilient platform right away,” said Kyle Weckman. “But the deciding factor was ultimately the fact that the company is a vendor-agnostic identity provider, which means it can be combined with other solutions in an extremely flexible way. In our heterogeneous and dynamic landscape, that is exactly the flexibility we need.”
Consolidate Systems and Implement Authentication Best Practices for Success
Cross-Identities Become a Pain Point
The project team implemented Okta’s workforce and customer platforms as an enterprise authentication and authorization solution for employees, consultants, and customers – and consolidated the subsidiaries’ existing legacy systems into one overall solution. However, the clear division of roles was not always enforceable in practice: many Kestra Holdings users hold multiple roles – such as customers who are also consultants, or freelance consultants who are acquired and brought in as employees. “Handling these cross-identities proved to be extremely complex,” agrees Kyle Weckman. “In the course of the project, we therefore decided, together with the experts at iC Consult, to implement a SailPoint solution as a dedicated orchestration platform in addition to Okta. This helped us reliably manage identities and access rights across all roles.”
Key Highlights of the IAM Solution:
- Strong Multi-Factor Authentication (MFA) for employees: Okta supports strong adaptive MFA, where users can log in with different factors depending on the context and level of risk – for example, via password, fingerprint, Magic Link or One-Time-Password. This is not only secure but also convenient – and sustainably relieves the help desk.
- Workforce portal with Single Sign-on (SSO): As part of the project, Kestra Holdings integrated a new application portal, where employees and consultants, after logging in once, can access more than 40 business applications at any time. Dedicated application portals were also set up for Kestra’s customers.
- Automation of account lifecycle: Okta largely automates the onboarding and offboarding of employees, including the assignment of granular access rights. This allows Kestra Holdings to ensure that new colleagues have immediate access to all the applications and resources they need from day one – without the need for IT team intervention.
- Improved user experience for customers and employees: Flexible, in many cases passwordless, authentication options and convenient Single Sign-on ensure a high-quality experience for customers and employees at all times.
- Reliable compliance with regulatory requirements: As a Wealth Management firm, Kestra Holdings operates in a heavily regulated market and must ensure compliance with national and international requirements – such as SEC and FINRA guidelines. Specifically, these stipulate the mandatory use of MFA technology – a requirement that Kestra Holdings meets throughout with Okta.
Paving the Way for Next-Generation IAM
White-Glove Service for Optimal Acceptance
“Even though we knew about the many benefits of the new identity platform, it was clear to us that the success of the IAM rollout would stand or fall with acceptance on the part of customers and employees – and that is difficult to predict with thousands of users, many of whom have no experience with modern IAM solutions,” explains Kyle Weckman. “So, together with iC Consult, we decided to take an unusual step: Our IT team developed a new white-glove service specifically for this project – basically an all-round carefree VIP support service for users, where we handled all requests personally, offered extensive help and made sure to involve all users from day one. This worked wonders – over 90 percent of our 5,000 consultants adapted the solution before the official launch.”
Proactive Stakeholder Onboarding
Flanking the white-glove program, the project team also made sure to solicit boardroom support across all subsidiaries: All CIOs and stakeholders were regularly updated on the benefits of the new platform and the future potential of the solution and informed of milestones achieved. In this way, the project had full support across the board right from the start – and it even managed to exceed the high expectations since the solution went live: “I have to say I think Okta is now one of my favorite apps, given the ease it enables logging into our disparate apps with different usernames”, says Stephen Langlois, President at Kestra Financial.
Next Milestone: New Next Generation Platform
This high level of acceptance is of central importance. The new IAM platform and experience is not only intended to alleviate identity pain points in the short term but also represents an important long-term milestone: “We plan to migrate our applications and services to a completely redesigned, much more powerful next-generation platform over the next year – and the new IAM solution is the cornerstone of this new platform,” explains Kyle Weckman.
Identity-as-a-Service Is the Future
In the medium term, however, the new IAM platform offers Kestra Holdings even more ambitious potential, according to Kyle Weckman: “I could well imagine that in a few years’ time we will be offering IaaS services based on Okta for all 1,100 branch offices. From our point of view, that would be a truly groundbreaking model for further strengthening collaboration with our partners – and with a solution like that, we would establish a whole new standard in the industry.”