The expression “caught between a rock and a hard place” comes to mind when describing two challenges that the IBM® Office of the CIO was struggling with. First, imagine having to provide identity and access authentication services for over half a million IBM employees around the world, with a highly customized, single tenant, on-premises platform. And at the same time, having to provide similar identity and access services for over 26 million global IBM clients with a separate, antiquated first-generation identity as a service (IDaaS) solution.
Now you might begin to understand what the IBM Office of the CIO was up against: two separate identity and access management (IAM) platforms offering different technologies and different levels of maturity, reliability and functionality.
The scale of the challenge can be hard to imagine. IBM’s Assured Identity and Cybersecurity Operations team supported 5,000 applications, more than 600 federated client companies and their workforces, and over 150,000 authorization groups. In one quarter of 2021, IBM authentication services supported 35.7 million logins.
And in today’s competitive environment, the playing field was constantly changing. As Daniel Opoku-Frempong, Director of the Assured Identity and Cybersecurity Operations team, points out, “The IBM CIO organization provides critical identity services for the entire IBM workforce, millions of clients and now Kyndryl, too.”
Transforming IBM’s authentication services would require significant infrastructure modernization and consolidation to efficiently deliver large-scale reliability and security. Opoku-Frempong describes the difficulty: “We needed to orchestrate a foundational change in how we captured, engaged, managed and administered user identity and access across our millions of users around the world. We could no longer defend the poor return on investment and the slow speed to market that haunted every workflow touched by the old solutions.”
Enhanced scalability
Scalable to over 27 million internal and external identities
Enhanced capabilities
Providing passwordless QR or FIDO2 capabilities for over 800,000 authentications since the migration
Ed Klenotiz, Assured Identity Architect, and his colleagues got the ball rolling. “We completed a competitive analysis of the leading vendors to power both business-to-employee and business-to-business identity services,” he says. “Leveraging a standard, cloud-based authentication platform would be a critical first step to modernizing identity services for both IBM employees and our customers, at scale.”
And just as IBM would recommend to its own clients, the Assured Identity and Cybersecurity Operations team captured all their identity and access requirements and compared several solutions from across the market.
After gathering requirements and considering all the options, the Assured Identity and Cybersecurity Operations team chose IBM Security® Verify (SaaS) for their combined millions of internal and external users. The number-one reason? Top of the list was because the APIs enabled a seamless application migration. And number two? They’d be able to customize the user interface to fit their exact requirements without draining their development resources.
By embracing IBM Security Verify as the standard cloud IAM services platform for all B2E and B2B identities, IBM would be poised to deploy more modern identity capabilities with enhanced security, scale and user experience.
“With the new solution, we could expand internal user choice for authentication,” says Opoku-Frempong. “Two-factor authentication (2FA) significantly protects against password compromise but it’s often cumbersome for users. So, we implemented adaptive features of 2FA that used back-end analytics to determine when and where to require additional authentication. The shift to IBM Security Verify 2FA capabilities offered enhanced choice for IBMers to authenticate via passwordless options, such as QR code and FIDO2 for TouchID and Windows Hello. That was a sea change just by itself.”
But there were other pressures. Historically, the IBM CIO team had invested in developing its corporate directory to comply with the International Traffic in Arms Regulations (ITAR) a United States regulatory regime to restrict and control the export of defense and military related technologies. Ripping and replacing the old IAM solution across the globe and all at once was out of the question. The IBM Security Verify engineers had anticipated this requirement. The Security Verify Bridge coupled with the Bridge for Directory Sync enabled the IBM CIO team to apply its legacy investment and the associated processes. And as a secondary benefit, this enabled them to develop a carefully staggered migration plan with minimal impact.
Opoku-Frempong continues: “There were other migration capabilities that made the transition smoother. IBM Security Verify’s enhanced API library enabled self-service application migration by our application owners, minimizing impact to other workloads. Moreover, the enhanced layer of control around privileged API access gives us tighter security control over the environment, further minimizing attack vectors. That’s definitely a win-win for us.”
Opoku-Frempong and his team had quite a lot to celebrate. By adopting IBM Security Verify, they were able to improve the user experience while also tightening the security for those same users and the company’s network, data and applications, at scale. Lee Ann Rodgers, IBMid Program Manager, puts it this way: “The IBM Security Verify capabilities enabled us to provide our customers with extensible features for enhanced security with flexible MFA methods, password management enhancement, user ID lifecycle management and self-care, application management, flexible user notification of changes, and event notification service.”
Plus, there’s a vision for the future now, a promise for more value. As IBM’s identity and access authentication journey continues, the IBM workforce and IBM clients can expect more benefits:
- A transformed user experience without passwords
- Enhanced protection for privileged users across multicloud environments
- Flexible multi-factor authentication (MFA) methods, improved password management, and user ID self-care and lifecycle management
- Integration with devices and mobile device management solutions to support IBM’s zero-trust strategy
- IBM Security Verify microservices architecture for improved solution fault tolerance and scalability
- Multi-site plans for enhanced reliability
- Continued focus on the user and branding experience with strengthened commitment to security and privacy
Gary Schmader, Sr. Manager of Assured Identity, sums it up: “We are relying on our own commercially available solution for a mission-critical need, on a grand scale. With IBM Security Verify, to anyone who interacts with IBM, we can now provide frictionless, secure, state-of-the-art access to information resources … and we’re just getting started.”
IBM is the global leader in hybrid cloud and AI, serving clients in more than 170 countries. More than 3,500 clients use our hybrid cloud platform to accelerate their digital transformation journeys and, in total, more than 30,000 of them have turned to IBM to unlock value from their data—this client list includes nine out of ten of the world's largest banks. With this foundation, we continue to leverage Red Hat® OpenShift® as the leading platform to address our clients’ business needs: a hybrid cloud platform that is open, flexible and secure. Guided by principles of trust, transparency and support for a more inclusive society, IBM also is committed to being a responsible steward of technology and a force for good in the world.
Legal
© Copyright IBM Corporation 2022. IBM Corporation, IBM Security, New Orchard Road, Armonk, NY 10504
Produced in the United States of America, January 2022.
IBM, the IBM logo, ibm.com, and IBM Security are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copyright-trademark.
Red Hat® and OpenShift® are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection, and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated, or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure, and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products, or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY