Managing Identities and App Security Consistently in a Complex IT Environment
ICA Gruppen is a large Swedish retail company that has grown into an organization spanning multiple business areas. With that evolution comes many challenges for managing the IT infrastructure and keeping a consistent view of various business areas.
In a recent webinar, Alexander Salwey of ICA Gruppen joined Travis Spencer and me from Curity, along with application specialist Per-Gustaf Stenberg of Data Ductus. Our discussion focused on how ICA Gruppen built a centralized identity platform enabling their teams to use modern authentication schemes and allow secure access to their APIs. Below, we'll review ICA Gruppen's journey and what they learned along the way.
How It All Started
ICA Gruppen had identified several projects in the organization that required access to employee user accounts. At the time, they had no single interface to access these accounts. Several ad-hoc solutions had been created to access accounts for specific projects, which further complicated things. An internal driver was also the need for multi-factor authentication, which several applications required. ICA Gruppen started to investigate how they could consolidate the data and offer it to their internal services. As a starting point, Curity was invited as consultants to help shed some light on how a service like that could be built.
Curity had already built several centralized identity platforms and introduced the idea of the Neo-Security Platform. This reference architecture defines a set of capabilities needed in a secure identity platform. The capabilities in the reference architecture are described as Security Token Service, Profile Service, and Federation Service, rather than product names. These capabilities are bound together using open standards, enabling the components to be replaceable. This promotes a platform where you can use the best product for each capability, rather than buying a monolith that supplies more than you need without granting flexibility.
Where to Begin
ICA Gruppen liked the Neo Security Architecture concept and decided to go down this route. Other products were evaluated, but the Curity Identity Server was finally chosen to take the role of Authentication Service and Token Service. The product's simplicity and many integrations with authentication methods, user storages, and databases played a big role in the decision.
The idea was to build an Identity Management System around the Curity Identity Server to allow the authentication service to provide central access to the accounts and enable internal applications to integrate using OpenID Connect. This would also allow for easier implementation of multi-factor authentication.
To raise awareness and generate interest for the initial projects within the organization, ICA Gruppen held an internal roadshow where they evangelized the Neo Security platform. Informing the right people what this platform enabled was essential to drive adoption across the organization.
To help accelerate adoption, ICA Gruppen decided to create an Identity and Access Management team. The team was put in charge of running and maintaining the platform and tasked to support the groups wanting to integrate with it. ICA Gruppen didn't possess this technical know-how in-house at the time, so they brought in consultants from product experts Data Ductus. Data Ductus took on the role of the technical owner of the platform. Yet, as Per-Gustaf explained, the number one goal was to gradually give ownership back to ICA Gruppen while they slowly grew the team and gained the knowledge they required.
Requirements and Effects
When the platform was built and the first projects were onboard, the main drivers for the platform came to be:
Business demands like biometric authentication, Single Sign-On, and mobility.
Legislation regulating certain parts of the organization, such as the GDPR, PSD2, and SAMBI.
Higher security demands for new applications.
By already having a centralized platform with products to support these standards, ICA Gruppen was well-positioned to add the features needed to comply with regulatory and business demands. Some were easier than others, but with the standards-based approach in mind, and trying to build features that were usable for many applications, the platform grew even further. The time to market has decreased for ICA Gruppen since the elements are already there for most new integrations. The integration teams now don't have to worry about authentication and access and can focus on their application features.
Be customer-first, without bending the rules: ICA Gruppen treats its platform and integrating teams as customers. It's always essential to meet your customers' needs and demands, but equally important is not complicating the platform. To avoid a worse experience, always have your platform's standards and rules in mind when designing new integrations. Don't rush to implement new requirements exactly — take a step back to consider what would be the most usable approach for your platform overall.
Have open communication channels: It's very important to retain direct communication with developers on channels like Teams or Slack. Still, log formal requests in a ticketing system.
Keep it simple. Improve over time: Aim for speed — allow your customers to get something running quickly and add in features and customizations later.
Spread the knowledge: Depending on your team size, it might be easy to become too dependent on a single person. Do what you can to spread the knowledge in the team, and take in help where you can. Outsourcing some of the service operations could be a way to reduce the burden.
Refer to the architecture: Having a reference architecture to build from, and using only standard protocols, has proved helpful in communicating with customers. Customers can sometimes present requirements that do not adhere to the architecture or standards, and it's useful to have something to refer to in those cases. For ICA Gruppen, it's easy to point to the reference architecture and say, "This is how it is supposed to work". This helps the platform stay generic.
Looking to the future, ICA Gruppen plans to increase the number of applications that integrate with the platform. This will be accomplished by implementing new features and technologies that the Curity Identity Server has adopted during its years of development. It's essential to stay updated on new features to accommodate customer demands and remain modern in an ever-changing environment. For instance, passwordless authentication is in the pipeline for ICA Gruppen. They also foresee that regulations and legislation will continue drawing users to their platform.
ICA Gruppen has been very successful in building its identity platform and advocating its use with its internal teams. A big key for that was, in my opinion, the internal roadshow they did early in the process. It was an excellent choice to get the word out, being loud and clear on what they planned to build and how their development teams could benefit. And, of course, having a clear owner of the platform that manages it as a product, creates roadmaps for it, and helps other teams integrate, is part of the success. This ownership is something we see in many customers that have successfully implemented similar platforms.
So thank you, Alexander, for sharing ICA Gruppen's story, and thanks to Per-Gustaf as well for sharing the insights you collected along the way! If you want to watch the webinar, it's available here.