Raiffeisen Bank International achieves secure delivery of standardised banking applications to its 12 network banks

Alongside growing regulatory requirements and a fragmented IT landscape across Central and Eastern Europe, an Austrian bank provider, Raiffeisen Bank International, needed an agile, comprehensive solution that prioritised security and usability for its user base of 17 million customers.

Based in Vienna, Raiffeisen Bank International (RBI) is one of the continent’s leading banking groups with 12 network banks (NWB) in Central and Eastern Europe. When the NWBs were founded or acquired starting in the early 1990s, a number of important decisions had to be made – including whether the responsibility for the IT infrastructures should remain at national level or be centralised.

Since integrating the heterogeneous landscapes would have come at high costs, the management chose the first option – and continued this model very successfully for three decades.

But in today’s digital world, the downsides of multiple national IT solutions are becoming increasingly apparent: group-wide innovation projects require a high degree of agility, which is often difficult to ensure in a decentralised organisation, and the lack of standardisation across the group also shows on the cost side, because attractive savings potential cannot be tapped.

The challenge

To pave the way for the future, RBI is currently focusing on a sustainable digitisation, standardisation and consolidation of its IT. “Our strategic goal is to develop standardised banking applications for our network banks and to provide them as centralised omnichannel services,” said Yaron Zehavi, Senior Enterprise Architect, Identity Architect & CIAM Product Owner, Raiffeisen Bank International.

“We have implemented the required standardised APIs and event streaming solutions. But what was missing for a long time was an end-to-end Identity and Access Management (IAM) solution that would allow customers to securely authenticate and authorise themselves on the centrally deployed applications. Without such a solution, each service had to negotiate IAM processes separately with the NWBs – leading to problematic identity silos and complex integration projects,” added Zehavi.

The solution

Ping Identity, implemented with iC Consult

The search for a suitable, company-wide customer IAM was anything but easy. The main challenge was to unify the fragmented IT landscape of the 12 NWBs, with their multiple IdP solutions (from OpenAM to GAAS to Azure AD) and their colourful mix of on-prem and cloud topologies, in a single, comprehensive solution. This solution had to meet the strict regulatory requirements of the European banking industry, offer the security and usability expected by customers, and be capable of scaling to serve the entire user base of 17 million customers. The list of requirements with which Zehavi entered the market evaluation was therefore extensive and detailed:

  • The new enterprise-wide IAM solution needed to meet the highest security standards and all European banking regulatory requirements, including Single Sign-On with Multi-Factor Authentication.
  • One of the main goals of the project was to make the integration of new, centrally deployed banking applications as easy as possible for the NWBs. To achieve this, the new solution had to be fully compatible with the diverse infrastructures of the network banks.
  • The solution had to provide outstanding resilience, stability and performance with virtually unlimited scalability – given that any downtime of the IAM infrastructure would also lead to downtimes of all RBI services in all countries.
  • Authorisation should be based on secure, unified access tokens in a standardised format to simplify the validation of tokens at the API level across the group.
  • And finally, on a technical level: the centralised IAM should be designed for agile development environments and support contemporary CI/CD processes, so that new functionality can be continuously tested and validated.

This detailed list of requirements was not the only challenge – the schedule for the ambitious integration project was also tight. Zehavi recalls: “The kick-off for the Customer IAM project happened in May 2021, and our goal was to go live with the new solution four months later.

“Therefore, we developed a pragmatic and agile roadmap: We decided to focus on the critical login security – including authentication, identities and authorisation – in the first step, and then gradually incorporate more complex authorisation metadata. In the third phase we will integrate the authorisation handling for banking transactions.”

Ping scores with strong federation features

After numerous discussions and a comprehensive analysis of the market, RBI decided to implement the new customer IAM solution based on Ping Identity’s products. The cloud-based and resilient combination of PingFederate and PingDirectory addressed all customer requirements and supported sophisticated solutions for secure login and privilege management.

During this early phase of the project, the RBI team made another important strategic move: looking at the depth and complexity of the integration, they onboarded iC Consult, an external consulting team that would support the internal identity experts with ideas and impulses down the road.

Integration of 60,000 users in two NWBs

The roll-out started in mid-2021 with the implementation of the new IAM architecture and the connection of the first two NWBs. To meet RBI’s strong security and compliance requirements, the project team implemented a resilient, scalable and highly available multi-cloud architecture and closely followed best practices for secure OAuth 2.0 and OpenID Connect deployments. AWS Elastic Load Balancing (ELB) and Web Application Firewall (WAF) functionality ensure stable and secure operations, and Prometheus monitoring provides visibility into the environment.
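The requirement above for unified, standard-format access tokens that every API in the group can validate the same way is what a resource server has to get right. The following is an added example, not RBI's, iC Consult's or Ping Identity's code, of the checks an API should perform on a JWT access token before trusting any claim in it: algorithm pinning, signature verification, and issuer, audience, time-window and scope checks. The issuer URL, audience name, key and the use of HS256 (standing in for the asymmetric RS256/ES256 an IdP such as PingFederate would use, because HMAC keeps the example stdlib-only) are all assumptions; requiring the RFC 9068 `at+jwt` type header is a choice made here, not something the page states about RBI's tokens.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo configuration: the real NWB issuer, audience and keys are not public.
EXPECTED_ISSUER = "https://idp.demo-nwb.example"   # hypothetical NWB issuer URL
EXPECTED_AUDIENCE = "accounts-api"                  # hypothetical API resource identifier
ALLOWED_ALGS = {"HS256"}   # pin the algorithms you actually issue; "none" must never be accepted
LEEWAY_SECONDS = 30        # tolerance for clock skew between IdP and API
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_NOW = 1_700_000_000   # fixed "current time" so the example is deterministic


class TokenError(Exception):
    """Raised with a reason when an access token must be rejected."""


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims, key, header=None):
    """Mint a demo JWT access token (HS256 stands in for the RS256/ES256 an IdP would use)."""
    header = header or {"alg": "HS256", "typ": "at+jwt"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def validate_access_token(token, key, now=None, required_scope=None):
    """Validate a JWT access token at the API. Returns the claims or raises TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except (binascii.Error, ValueError):
        raise TokenError("undecodable header or signature")
    # 1. Algorithm pinning. The header is attacker-controlled until the signature is verified,
    #    so it is consulted only to confirm it names an algorithm this API expects.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError("algorithm %r not allowed" % header.get("alg"))
    if header.get("typ") != "at+jwt":
        raise TokenError("not an access token (typ != at+jwt)")
    # 2. Signature check before any claim is trusted (constant-time comparison).
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("signature mismatch")
    try:
        claims = json.loads(_b64url_decode(p_b64))
    except (binascii.Error, ValueError):
        raise TokenError("undecodable payload")
    # 3. Claim checks: who issued it, who it is for, when it is valid, what it allows.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise TokenError("token not intended for this API")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + LEEWAY_SECONDS:
        raise TokenError("token expired or missing exp")
    if now + LEEWAY_SECONDS < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    if required_scope and required_scope not in claims.get("scope", "").split():
        raise TokenError("missing scope %r" % required_scope)
    return claims


def verdict(token, key, now=None, required_scope=None):
    """'ok' or the rejection reason: the string an API gateway would log."""
    try:
        validate_access_token(token, key, now, required_scope)
        return "ok"
    except TokenError as e:
        return str(e)


if __name__ == "__main__":
    good = sign_hs256({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "cust-1001",
                       "iat": DEMO_NOW - 60, "nbf": DEMO_NOW - 60, "exp": DEMO_NOW + 300,
                       "scope": "accounts:read", "client_id": "mobile-app"}, DEMO_KEY)
    print(verdict(good, DEMO_KEY, DEMO_NOW, "accounts:read"))
    # Forged token: header says alg=none, no usable signature. Rejected at step 1, never parsed further.
    forged = sign_hs256({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "admin",
                         "exp": DEMO_NOW + 300}, b"x", header={"alg": "none", "typ": "at+jwt"})
    print(verdict(forged, DEMO_KEY, DEMO_NOW))
```

The order matters: the algorithm allowlist and signature check come before any claim is read, so a tampered payload or an `alg: none` header never reaches the issuer and audience logic. A production validator would fetch the issuer's JWKS, select the key by `kid`, and cache it with a bounded refresh interval; the claim checks are the same.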

Security without compromises 

“As a financial institution, security is a top priority for us. Therefore, we follow all current best practices for AWS Cloud Deployment when integrating and operating the architecture – and we can also leverage Ping Identity‘s cookbooks as a valuable source of information,” said Zehavi. “In addition, we test the infrastructure once a day, after each deployment, and perform a pen test once a year. As a member of OpenID, we also consistently keep up to date with new drafts and developments.”

After the deployment is before the deployment 

To ensure a smooth and safe implementation of new apps, updates and modifications, the project team set up a sophisticated testing environment in which every change is rigorously tested before deployment. The test stack, a demo NWB IdP with a demo client, includes over 150 test scenarios covering client-side and IdP-side errors and edge cases, enabling RBI to probe the robustness of the environment proactively rather than after an incident.

New functionality is provisioned according to the agile principles of Continuous Delivery. “We don’t want to try the patience of our customers with manual updates, and we don’t want to commit our own team to unnecessary night shifts, so new releases are automatically tested, verified and rolled out during running operations,” said Henrik Kroll, IAM Consultant at iC Consult. “The process works so well that RBI can serve three million customers without quality issues while the PingFederate and PingDirectory pods are being re-uploaded. That’s really impressive and creates a whole new level of freedom when planning deployments.”

Leading the way into the future

The Ping solution went live in late 2021. Since then, the first two banking applications have been integrated. The federated architecture proved to be extremely intuitive and flexible from day one, and quickly established itself as the group-wide de facto standard for customer identity. The solution has also been well received by customers, who particularly appreciate the improved user experience, which lets them use RBI’s digital services comfortably and at any time, without new credentials, via the familiar interface and in their respective local language.

The results

With the implementation of Ping Identity, RBI successfully set the foundation for the secure and efficient delivery of standardised banking applications to its 12 network banks – independent of the identity technologies they use, and at a mere fraction of the cost that would have been incurred in developing custom integrations. 

Not surprisingly, the preliminary analysis of Zehavi is positive: “We are really proud whenever a new NWB or a new banking application goes live and the first customers access it. With Ping Identity’s solutions and iC Consult as our partner, we have laid a robust foundation for our future identity strategy – and we are very much looking forward to successfully finalising this ambitious and high-profile modernisation project together.”

We dive further into the project with Yaron Zehavi, Senior Enterprise Architect, Identity Architect & CIAM Product Owner, Raiffeisen Bank International, to explore the successful partnership.

Yaron Zehavi, Senior Enterprise Architect, Identity Architect & CIAM Product Owner, Raiffeisen Bank International

Reflecting on the implementation in 2021, how has the comprehensive solution improved RBI’s services?

The search for a suitable, customer group-wide IAM solution wasn’t easy as we needed a highly scalable solution that would be compliant and effective across 12 countries and operational in a short space of time.

Our project team, working closely with Ping Identity and iC Consult, was able to implement a resilient, scalable and highly available multi-AZ cloud architecture that went live in four months. With robust foundations of an identity strategy laid down in 2021, we have since integrated a number of banking applications. The solution has not only been well-received by customers who appreciate the improved customer experience, but the federated architecture has quickly established itself as the group-wide de facto standard for customer identity.

Alongside this, as part of the Ping Identity integration we have also benefitted from the consolidation of our heterogeneous IDP landscape, consistent implementation of industry standards for easy integration and compliance with the highest security and regulatory standards.

How did agility come into play when expanding services across 12 network banks?

Group-wide innovation projects always require a high degree of agility. It is, however, often difficult to ensure agility in a decentralised organisation lacking standardisation across groups. While focusing on the sustainable digitisation, standardisation and consolidation of our own IT, we also needed to ensure the solution deployed was compatible with the diverse infrastructure of network banks, hence why agility was key.

The centralised IAM based on Ping products designed for agile development environments supports contemporary CI/CD processes to be able to perform continuous testing and validation of new functionalities. In addition, by closely following emerging OAuth ecosystem standards we were able to innovate while ensuring interoperability and support despite our diversified IAM technology stack across our network of subsidiaries. I cannot imagine how difficult it would have been if we’d gone off-standard towards custom solutions.

How do the regulatory requirements of the European banking industry influence security measures across the sector?

As with any organisation in the banking industry, regulatory frameworks guide us and set the level of privacy and security standards within which we must operate. At RBI, we view them not only as compliance requirements but also as a safety net. Regulations are a validated checklist that allows us to serve our customers with the safety, privacy and security they expect when they entrust us with their data and financial assets.

Financial service (FS) institutions have an interest in being well-aligned with both regulation and their customers’ interests – everyone aspires to protect customer privacy and prevent malicious attacks. So, when we started looking at an Identity and Access Management (IAM) solution, we had to choose one which met the strict regulatory requirements of the European banking industry. This included PSD2 and RTS.

In addition, we needed to ensure the solution we chose was compliant with EU regulations which aren’t specific to banking but apply to a wide range of industries. This included GDPR that deals with privacy; NIS2 which focuses on cybersecurity; and the upcoming eIDAS 2.0 amendment which will provision EU digital identity wallets. That was no mean feat. After numerous discussions and a comprehensive analysis of the market, we decided to implement Ping Identity’s products.

What benefits do an omnichannel solution provide for the user experience of customers?

True omnichannel solutions provide a seamless experience and enable FS providers to accommodate customer wishes without gaps. It’s something customers have come to expect.

RBI’s strategic goal with implementing Ping Identity’s solution was to develop standardised banking applications for our networks of banks, and to provide them as centralised omnichannel services.

Omnichannel also augments fraud detection. FS organisations can now unify customer activity across channels and detect potential fraud attempts from certain attributes such as the time and location of the login. For example, if a customer is active in Vienna, then an hour later from Tokyo, it’s likely a fraud attempt is happening and should be addressed with a high-risk rating.
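The Vienna-to-Tokyo case above is the classic “impossible travel” detection. The following is an added example, not code from RBI, iC Consult or Ping Identity, showing how a detection engine can run that check over unified login events: group events per customer, sort them by time (logs rarely arrive in order), compute the great-circle distance between consecutive logins, and flag any pair whose implied speed exceeds what a traveller could achieve. The login records, coordinates, user identifiers and the 900 km/h threshold are constructed for the example.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruise speed; an assumed threshold, tune to risk appetite

# Constructed sample login events (the page gives no real data); coordinates are city centres.
# cust-1001 reproduces the Vienna-then-Tokyo case; cust-2002 is a plausible commute, logged out of order.
SAMPLE_LOGINS = [
    {"user": "cust-1001", "ts": "2024-03-01T09:00:00+00:00", "city": "Vienna",     "lat": 48.2082, "lon": 16.3738},
    {"user": "cust-1001", "ts": "2024-03-01T10:00:00+00:00", "city": "Tokyo",      "lat": 35.6762, "lon": 139.6503},
    {"user": "cust-2002", "ts": "2024-03-01T09:30:00+00:00", "city": "Bratislava", "lat": 48.1486, "lon": 17.1077},
    {"user": "cust-2002", "ts": "2024-03-01T09:00:00+00:00", "city": "Vienna",     "lat": 48.2082, "lon": 16.3738},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return a high-risk alert for every consecutive login pair (per user) that exceeds max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))   # ingestion order is not event order
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            if hours == 0:
                # Two logins in the same second from different places: no division, still a finding.
                kmh = math.inf if km > 0 else 0.0
            else:
                kmh = km / hours
            if kmh > max_kmh:
                alerts.append({
                    "user": user, "from": prev["city"], "to": cur["city"],
                    "km": round(km), "hours": round(hours, 2),
                    "kmh": None if math.isinf(kmh) else round(kmh),
                    "risk": "high",
                })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

Geolocation from IP addresses is coarse and VPNs, mobile carrier gateways and shared accounts all produce false positives, so in practice the speed signal raises a risk score that drives a step-up (MFA or a transaction challenge) rather than an outright block; the login with a matching device fingerprint and a recently seen session should also score lower than a new device.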

How did the partnership with iC Consult support the internal identity experts with ideas and impulses? 

We made the strategic move to onboard iC Consult during the early phase of the project to support our internal identity experts. After looking at the depth and complexity of the integration, it was clear an external consulting team was necessary to ensure a smooth onboarding process.

The onboarding of iC Consult was the right move for us at RBI, ensuring skilled architects and engineers were available to create the solution architecture and implement it. We were able to combine the IAM platform with our DevOps solutions and practices, including creation of a sophisticated testing environment enabling us to test any time and validate every change, according to the agile principles of continuous delivery. Also, load tests were implemented to support capacity planning and ensure the service is stable and maintains low latency at high workloads. Furthermore, we validated our continuous deployment capabilities and verified we can deploy updates to PingFederate and PingDirectory pods without shutting down the service, while serving workloads of millions of users concurrently. This means a whole new level of freedom when planning deployments.

Looking ahead, what’s in store for the modernisation project across the network banks in the future?

At RBI, we are looking at several exciting modernisation initiatives. Firstly, we’re exploring how PingFederate – an enterprise federation server that enables user authentication and single sign-on – and PingOne Neo – decentralised identity – combined with Callsign’s banking orchestration engine, could empower our mobile banking apps to offer streamlined security capabilities. This project supports the reuse-centred application modernisation journey we’re currently on.

Even further, we are seeking interoperable capabilities of Strong Customer Authentication, consent, risk responsive customer authentication, delegation by customer of support topics, as well as providing verified data from wallets. All these things will enhance the customer experience.

We are following the progress regarding the EUDI-W (European Digital Identity Wallet). FS organisations, as well as large retailers, will be obligated to accept the EUDI-W as a means of customer identification, equivalent to displaying a physical government issued ID. EUDI-W could facilitate easier digital onboarding of new customers, while providing the highest levels of assurance.

The EUDI-W goes far beyond the existing national eID scheme and is an open platform for storing a selection of relevant financial and professional verifiable credentials that support more efficient and smoother Know Your Client processes.

In addition, our organisation is taking part in a working group of major banks brought together by Ping Identity. This group has the aim of trying to harmonise data schemes to enable verified cross-border banking. For example, if you’ve ever had to open a bank account in another country, how do you prove you have an existing account? Usually, it’s with a PDF document that can be easily forged – it’s not a secure process. If banking credentials are standardised, however, they can be trusted and processed by any bank, anywhere in the world. This will allow customers to be swiftly accepted and respected, with the data they chose to share easily verified while remaining secure.

With Ping Identity’s solutions, we have laid a robust foundation for our future identity strategy – and we are very much looking forward to successfully finalising this ambitious and high-profile modernisation project together.

Intelligent CISO