A Global Bank's Identity Modernization Journey

When any large enterprise undergoes technological change, the business case and benefits must be crystal clear. Our client, one of the largest global banks, understood this when deciding to modernize their existing legacy WAM. Their first-generation solution had been operating for almost 20 years, was experiencing problems handling the bank’s increasing cloud workloads, and was in such a delicate state after years of customization that any wholesale changes carried too much risk to implement. The system clearly had reached its limits. 

They knew that to successfully modernize, the bank would need to upgrade their legacy WAM system with an IAM solution that could meet their scalability, performance and reliability requirements, allowing them to further their goals of supporting modern apps, devices and APIs, improving workplace productivity, and achieving new business initiatives.

Business Drivers for a Modern IAM Infrastructure

“How can I be successful if I’m dependent upon these developers

that may need a lot of hand-holding? How can I accomplish this without

having just massive operational stability and risk for my scale?"

These are the questions our client was facing as the bank began evaluating vendors to upgrade his legacy WAM. A successful deployment would be possible only if developers could onboard their applications easily. Also, any replacement would have to scale and meet the requirements of the bank’s massive environments and range of use cases—workforce, partner, customer—where thousands of transactions per second occur. 

Along with the need for a painless migration from the legacy WAM, other business drivers for the new solution included:

• Support for Modern Protocols. Such as OAuth 2.0, SCIM, FIDO2, and OpenID Connect, can facilitate seamless integration with the bank’s increasing initiatives around mobile and cloud while also allowing them to break free from cumbersome and expensive proprietary technology.
• Session Management. A session revocation service and a foundation for continuous authentication that can detect and respond intelligently throughout the life cycle of a session would enable greater security and response capabilities.
• Simple Application Onboarding. A developer-friendly service would support various preferences, minimize impact to code, and enable a growing number of apps onboarding as API clients.
• Automation. Augmenting their private cloud and implementing self-service developer features would free up resources on the identity team.

For the new identity and access management system, the client wanted a best-of-breed technology that could handle the size of enterprise workloads and also the various preferences of their developers. They went with Ping Identity because “they have the single best access management product on the market,” and PingAccess was the chosen solution for their needs. PingAccess is a centralized access security solution with a comprehensive policy engine and can be deployed anywhere. It provides secure access to applications and APIs down to the URL level, and ensures that only authorized users access the resources they need. 

The client also knew they needed a partner for the migration and selected KPMG to “accelerate my transition [and] help me operate my modern platform in a modern way.”

The Three-step Identity Migration Process

Given the limited amount of resources on his staff, the client understood that finding internal champions on other teams and delegating responsibility was crucial. They enlisted stakeholders with governance responsibilities and people in charge of patching and vulnerability management. Recognizing that most people were not authentication experts, the client leader also made sure to provide them with a communication plan that emphasized simplicity.

With the champions in place, the migration was rolled out in three phases:

1. Easy Wins. The client identified the motivated early adopters. These developers were frustrated by the legacy protocols and wanted modern options, so they did not need much convincing.
2. Stop the Bleeding. The team stopped onboarding new applications on the legacy platform, and then later enacted a change freeze—effectively ending support.
3. Actual Migration. The client then approached each business to create a migration plan with developers and owners. Rather than being issued a directive, this gave them flexibility and allowed them to assume ownership of the project.

A key aspect of the migration was the creation of an internal website, which provided updates of progress made by application and business unit. The website displayed real-time data from both legacy and PingAccess with full transparency, whereas previous information-sharing methods of using spreadsheets had failed. The initiative created business unit accountability and friendly competition to keep the project momentum going.

Strategic Benefits to WAM Modernization

There were obvious wins of migrating to PingAccess: Easier onboarding of applications through automation. No more one-off custom code changes to accommodate an application (as had been done many times in the past with the legacy WAM). Support for modern protocols and APIs, which meant faster application service delivery and happier developers.

However, the team brought other strategic benefits to life during the WAM modernization. They built a reporting layer on top of PingAccess to show developers usage of their applications, thereby adding incentives for them to migrate. In addition, the modernization project was a springboard to increase the number of applications using passwordless authentication, which reduced risk across various areas of the bank.

By adding value where they could, the IAM team at the bank was able to keep the migration momentum going. While the project was still in progress, the client said, “it could not be easier to onboard [applications] with PingAccess.” Still, they emphasized that “this technology piece really wasn’t the hardest part. The hardest part was this coordination and this communication aspect and really getting these application teams lined up to move. This truly was the hardest part and is the hardest part.”