Needed an integrated mobile access control platform, flexible and scalable enough to meet requirements across different business units and technologies
- API Management is the enterprise-wide security policy enforcement point (PEP) for all mobile, web, API, and EDI traffic
- Improved user experience and faster delivery of mobile service offerings
- Simplified security architecture and improved overall security and governance
- Cost savings on software licensing, support, hardware and administration
40,000 employees service more than 20 million individual and corporate customers for this institution, which offers hundreds of mutual funds via 5,000 channel partners. The institution achieved its success with a combination of comprehensive service offerings and personalized customer service at competitive prices. The institution believes in adopting mobile technology not only to deliver the best possible customer self-service experience, but also to keep pace with the latest customer engagement innovations.
Granting device and system access
Only part of the challenge
Nearly half of the institution’s 40,000 employees require mobile access to company resources. Therefore, in addition to issuing BlackBerry smartphones, the institution has embraced bring-your-own-device (BYOD) and supports the iOS and Android platforms. Additionally, the institution builds and supports custom mobile solutions for large channel partners and corporate customers. With such a diverse population of mobile users, and equally diverse back-end resources, the institution needed an integrated mobile-access platform that could meet flexibility and scalability requirements across different business units. Essentially, the institution required unified and seamless access control across web, mobile, API and EDI channels.
Scalable multi-platform and multi-channel support
In order to win new customers and new channel partners, and attract talented employees from the competition, the institution needed to support all major mobile platforms. It also needed to support mobile applications used by large channel partners and corporate customers to access the institution’s services – all of which meant managing new mobile and web APIs. The institution also needed to support web services and secure file transfer solutions used by its partners and customers. To satisfy these requirements, the institution needed a single access control platform that could accommodate all traffic protocols with a single set of security policies and security artifacts.
Legacy access control technology silos
The institution had a number of access control technologies in use, including CA SiteMinder for web-access control, Ping Identity for SAML-based federation, and Cisco ACE XML Gateway for web service security. These technology silos required coordination and custom integrations to work across business units, yet collectively they were still unable to provide reliable mobile access. The institution wanted to extend, simplify, or replace these legacy technologies to improve governance and manageability.
Backward compatibility with existing integrations
The institution had a large number of existing integrations with partner systems and its own back-end systems, which used many different standards, protocols, certificates and security tokens. Therefore, massive conversion across these integrations was not an acceptable solution. The new access control platform had to be backward-compatible with existing integrations to allow for an easier, phased migration.
Benefits of API Management and much more
The institution deployed Axway API Management as its enterprise-wide security policy enforcement point (PEP) for all mobile, web, API, and EDI traffic. As a result, the institution was able to:
- Simplify its security architecture while saving software licensing, software maintenance, hardware and administration costs
- Improve user experience and accelerate delivery of new mobile service offerings
- Improve overall security posture and governance with auditing, monitoring and reporting capabilities
The institution’s new solution included:
- A single PEP for all traffic types, to consolidate and replace hundreds of CA SiteMinder agents
- Integrated PEP for data-security policies, including data redaction, encryption and tokenization policies
- Support for multiple mobile platforms including iOS and Android without modifying or upgrading back-end systems
- An extended CA SiteMinder authentication scheme to handle mobile traffic using device, application, and user identities, along with a Security Token Service supporting existing SAML-based federation and OAuth 2.0
- Comprehensive threat protection against all API attacks such as denial-of-service and injections
With Axway API Management, this financial institution was able to simplify its security architecture, while saving software license, software maintenance, hardware, and administration costs. In addition to hard-dollar savings, the institution also improved the user experience and accelerated delivery of new mobile service offerings. The institution improved its overall security posture and governance with better auditing, monitoring and reporting capabilities.