30 Jun 2018
Often PSD2 Implementation is focused around API Management. Identity & Access Management (IAM) is much more critical to PSD2 Implementation. Below post justifies importance to handling IAM functionalities in such regulatory program
Two major aspects of the program are -
Identity & Access Management (IAM): Provides a framework for managing & enforcing access controls on digital identity to meet organisation's governance requirements.
API Management (APIM): Help to create, analyse & publish APIs to third parties (developers)
From PSD2 perspective - PSD2 regulation allows 'resource owners' (bank customers) to share their 'resource' (banking data) to 'clients' (third party providers -TPPs) subject to customers' consent. PSD2 regulation keeps customers at the heart of all changes. Identity, Verification, SCA, Access Controls, Security & Consent make PSD2 much more IAM intensive than API Management.
Also bear in mind the breach aspect of GDPR - which may help convince senior stakeholders about importance of identity & its protection.
Lessons from UK's CMA9 Open Banking delivery (13Jan2018)
Some leading banks started the Open Banking Program from API perspective and chose an API Management product to kickstart their implementation. Thinking behind was - "we have customers data, we can expose via APIs". Later on in Jul 2017, OBIE published Security profile. Project team looked within API Management products for solution to solve security profile. That led to teams writing customisation to API-Management product.
Slowly some customisation nuggets started to turn into bigger work with aspects of Identity verification, consent management, access controls, Single-sign-on with legacy bank applications. Lot of these problems could have been better managed by IAM systems.
Anyways, at that point of time there was no time to bring in an IAM system & hence Open Banking programme went to delivery without properly solving IAM needs. That accrued as technical debt & banks are trying to solve that today for PSD2-RTS delivery. No wonder at this point of time, major 3 UK (CMA9) banks are in RFP stage to procure an IAM product.
Why IAM Product in PSD2?
- Identity & governance is better managed by IAM system than a API-Management Software
- It helps to provide SSO experience across enterprise in seamless fashion. API Management software are not meant to provide that
- IAM systems connect to lot of identity-data-sources with simple configurations. API management do't have that capability. It involves writing custom module.
- Different Access methods like - redirect/OAuth, decoupled, embedded, delegated, distributed - can be easily handled by IAM system
- RTS-SCA support is delivered OOB with IAM systems. Leading multi-factor authentication (MFA) providers give integration support to products from Ping Identity & Forgerock. Support in API-Managment is basic & involves custom work
- IAM products react to breaches quickly & are usually better than API-Management in terms of security. IAM vendors keep their product up to date and address any vulnerabilities
- IAM products provide support to lot of identity standards - OAuth, SAML, OpenID, SSO, HOTP, OATH, PKI, FIDO, UMA, etc.
- PSD2 RTS policies can be translated into implementation code & integrated easily into IAM products
- Integrates well with Fraud/Risk engines. Also provides lightweight fraud detection in terms of adaptive/risk based authentication
- Consent Management is an IAM topic and integrates well with IAM products & but requires work to make it work in API-Management
- Replacing vanilla product in IAM/API-Management would be easy. But if built with lot of custom code to API-Management (for eg), then replacing becomes expensive project. Also those custom code come with maintenance overhead.
- 'Separation of concerns (SoC)' design practice allows technical stack to evolve without any vendor lockin
Avoid vendor lockin
We have seen team of developers in tier1 banks adding customisation to API Management to meet the IAM requirements. Such team are not IAM experts in design and implementation of the solution. We would recommend to buy IAM product which may be cost effective solution considering long term. A loosely coupled (plug & play) systems will allow to replace one product with another easily. That kind of design will give the banks an edge when negotiating license pricing of IAM or APIM products.
Are IAM Products expensive?
No. Leading vendors in IAM like Forgerock & Ping Identity price their product based on number of customers. Hence it should be affordable to banks of all sizes.