Bankdata contacted Curity for a couple of reasons. They wanted to modernize their banking information technology, they also needed to comply with changing regulations, such as PSD2 and GDPR. The company had begun using APIs in their mobile app but could foresee the need for more APIs over time.
All of these requirements drove Bankdata’s need for an Identity Management System (IMS) and an API Management System (AMS) that worked in tandem to solve their current and expected future use cases. Initially, they had procured and deployed a product to serve as the AMS. However, they still needed an IMS that could meet their login and token issuance demands.
Their demands were high due to the need to deliver banking-grade security. These requirements were satisfied by the Curity Identity Server which included the features necessary to deliver this high bar of safety.
In particular, Bankdata was able to leverage the PKCS#11 support to sign JSON Web Tokens (JWT) with keys stored in a Hardware Security Module (HSM). They were also able to use many of the features which the Curity Identity Server supports to comply with the Financial-grade API (FAPI) specification, like certificate-constrained access tokens, mutual TLS for client authentication, and signed request objects.
Additionally, Bankdata took advantage of the Dynamic Client Registration (DCR) capabilities of the product to create a more dynamic environment that required less centralized management. On the point of manageability, Bankdata’s DevOps team utilized the Curity Identity Server’s RESTCONF API and related features to create a Continuous Integration and Continuous Delivery (CI/CD) process that allowed them to manage configuration as code.
The result was an improved, modernized identity infrastructure. This new IMS worked in tandem with Apigee, the commercial API management product they had previously selected. Similarly, they were able to reuse their HSM from their preferred vendor using a standards-based integration.
Very importantly, they also were able to comply with new PSD2 and GDPR regulations in a safe way using a commercial off-the-shelf (COTS) product. This greatly reduced their development, and maintain efforts, helping ensure that the new platform remains modern and adaptive over the long-term.
We’re really pleased to have achieved an infrastructure that not only help us comply with regulation now, but that we can scale and adapt to suit future requirements, and new legal demands as they come, without the need to rip out and replace.
Michael Lind Mortensen - Lead Domain Architect at Bankdata