As executive vice president of technology at Financial Engines Inc., Garry Hallee has dealt with more than his...
share of access control challenges.
Palo Alto, Calif.-based Financial Engines provides investment advice and manages retirement portfolios and 401(k) plans for individuals and large corporate clients. It currently manages more than $5 billion in assets for more than 6 million customers. While its representatives work with customers face to face and over the phone, customers increasingly access information and advice on its website.
Keeping those interactions secure is, of course, a top priority for Hallee's staff. In addition to being subject to regulations such as the Gramm-Leach-Bliley Act, "we're coming more and more frequently under [the Sarbanes-Oxley Act], because, while we are not public, we provide services for public companies," said Matthew Todd, the firm's chief information security officer. Furthermore, the company expects to go public in the near future, Hallee said.
The challenge has been to maintain security while making it easy as possible for customers to use Financial Engines' services.
Customers use a typical ID/logon routine to authenticate themselves and gain access to personal information and services on FinancialEngines.com. However, a typical transaction often requires logging onto one or more of the firm's business partners as well.
An individual customer or corporate portfolio manager might check out various mutual funds on a financial service company's site, then go back to FinancialEngines.com for information and advice on which to choose. Logging in and out each time can be cumbersome. Customers become impatient, perhaps irritated, and use the site less often.
Several years ago, Hallee's staff began addressing this issue by setting up a federated identity management system that establishes single sign-on between Financial Engine's Web site and those of trusted business partners.
Federated ID management is a type of ID and access management that targets companies that need to provide Web-based systems access to the employees, or customers, of a large number of business partners. Often included in ID and access management suites, federated ID applications provide single sign-on across multiple companies' networks. Once a customer is authenticated on one partner's network, the information gets passed onto the other partner's access control system, which then looks up the customer's profile and grants appropriate access rights. This allows end users to jump back and forth among trusted partners' Web sites without having to log on each time.
There were no standards back when Financial Engines first began implementing federated ID management, so the firm had to build links with partners on a case-by-case basis, Hallee noted. WIth a small IT staff, he decided to limit the initial deployment to the 15 or 20 major 401(k) providers, an area where single sign-on offered quick returns in customer satisfaction.
"We want to make it as convenient as possible, so we integrate our site with a 401(k) recordkeeper's," Hallee explained. For example, a partner's site might ask the customer, "Want to learn how to make better investment decisions?" and provide a link to FinancialEngines.com.
The project made Financial Engines something of a pioneer -- even now, federated ID management is primarily the province of large enterprises, said Jamie Lewis, CEO of Burton Group Inc. in Midvale, Utah. However, as companies of all sizes move toward a service-oriented, Web-based business model, federated ID is catching on as a means of setting up trusted relationships and managing secured interactions among large groups of partners.
Better late than never
One indication of federated ID management's growing popularity is the recent emergence of industry standards. About a year ago, Liberty Alliance (projectliberty.org), a consortium of vendors, businesses and public sector organizations, officially ratified Security Assertion Markup Language (SAML) 2.0, along with other federated ID mechanisms.
With the help of these standards, and Hewlett-Packard Co.'s OpenView Select Federation platform, Financial Engines is now in the process of extending federated ID management to the dozens of investment and financial firms with which it does business. This is an important step, given that many customers do business with multiple providers, Hallee said: "They might have a 401(k) with Fidelity and an IRA with Schwab," for example.
We're interested in providing a holistic advisory experience, bringing customers into a circle of trust…
Garry Hallee, executive vice president of technology, Financial Engines Inc.
Federated ID management saves customers from having to keep track of multiple IDs and passwords, and thus makes it easier for them to use Financial Engines' Web-based services, Hallee said. "We recommend getting long-term investment advice once a quarter; the average person does it once or twice a year. If they forget the password, it's an excuse not to bother."
Financial Engines chose OpenView Select Federation primarily for its ease of use and quick deployment features, and its ability to link up to a wide variety of federated ID protocols, Hallee indicated.
While some of Financial Engines' partners are adopting SAML 2.0, others are sticking with earlier versions of Liberty Alliance protocols, or previously deployed, proprietary interfaces, Hallee noted. "They're asking: 'Why change?'"
"HP's solution is not only standards based, it works with multiple versions of SAML and various other protocols," Hallee said.
Federation Select's typical setup time is about an hour, according to HP. However, it took Hallee and his team several days to get the platform up and running and properly communicating with Financial Engines' Personal Online Advisor's access control system, he said. They are now in the process of integrating with a major financial services firm's proprietary implementation of Liberty Alliance.
Broad industry adoption of SAML 2.0 would be "a win-win for us, because we would only have to develop and maintain one set of code," Hallee pointed out. Until that happens, however, his team still has to deal with point-to-point interfaces.
"We continue to be quite happy with the HP product and expect a strong ROI" from using it to build a standards-compliant interface, Hallee said. He added that his team could have built a similar platform, but the time to market would have been much longer. Furthermore, in order to interoperate with various partners, "we would probably have had to build multiple versions."
The Federation Select deployment is scheduled for completion by year's end, and will go live first quarter of next year.
Standards-based or not, federated ID management is expected to provide big paybacks for the financial consulting firm. Streamlining connections with financial partners will not only improve customer satisfaction, but it will also potentially bring in more business, Hallee said.
"We're interested in providing a holistic advisory experience, bringing customers into a circle of trust where they can obtain services from all providers without having to sign onto multiple systems," he said. Federated ID management represents a giant step in that direction.
Elisabeth Horwitt is a freelance writer based in Waban, Mass.