Tag Archives: Identity and Access Management

Delighting Customers with an API First Approach at Proximus

Proximus, the largest telecommunications provider in Belgium, has been around since 1930. At present, Proximus provides internet, TV, telephone, and network-based ICT services. Their brand portfolio includes Scarlet, NBRACE, tango, ClearMedia, TeleSign, Davinsi Labs, telindus, BEMOBILE, and bics. Collectively, these brands have presence beyond Europe – in the Middle East, Americas, Africa, and APAC.

APIs Are Great – Again

Proximus has 2,000 to 3,000 applications across the entire organization, integrating internally and externally with partners, competitors, and customers. Most importantly, these integrations have to be managed; not doing so results in endless difficulty and inconvenience. A decade ago, Proximus designed their architecture for managing commodity services such as authentication, authorization, routing, and monitoring. So far, so good.

Change came in the form of agile business transformation. By becoming more agile, they were looking to deliver services faster, of better quality, and at lower cost. Proximus achieved business agility by building functionality-shaped building blocks that are re-usable and loosely coupled. These building blocks are used to provide their digital solutions, all at lower cost and higher quality. Agile transformation has been made possible by WSO2 API Manager, which supports the full spectrum of the API lifecycle, and WSO2 Identity Server, a holistic identity and access management (IAM) solution. Both are open source.

“We had to rethink what we were doing and essentially look at making APIs great again,” says Sean Kelly, an enterprise architect at Proximus. They’ve already worked with APIs, mainly to offer services – but agile transformation means approaching everything differently. This began by bringing together architectural domains that are well-defined and separate. For one, there was a functional domain which operated on specific blocks of functionality (such as customer address management). Then there was an important security domain that is responsible for concerns such as GDPR compliance. The application domain handles patching, upgrading, migrations, and such. And finally, the infrastructure domain is needed for deployment.

Functional Domain in Detail

Sean explains the new approach at Proximus by using the functional domain as an example. The team at Proximus documented all business capabilities, and they first defined the characteristics of a capability. For starters, a capability must be a subject matter expert, i.e., a customer address management capability is the owner and master of this specific block of data. This capability is the single source of data for the particular function, with a specific team attached to it. Furthermore, business capabilities are also mutually exclusive – unique, but independent, self-contained, and well-defined.

The implementation of this new API-first approach happened in a very structured manner. APIs at Proximus are lightweight and powerful, with simpler life cycles and release cycles. Product teams were empowered and the API management platform became more agile. Although the API management platform is a self-service one, there are certain controls in place. Collaboration plays a big role too. Given the number of architectural domains, collaboration could be a challenge and it required a shift in mindset across the organization.

Organizational Change from Service Orientation (SOA) to Resource-Based Architecture

Proximus adopted the Bimodal practice to deal with organizational change. Introduced by Gartner, Bimodal refers to the strategy of coping with change and comprises two modes (modes 1 and 2). As per Gartner’s definition, these two modes are cycles, not separate groups or departments in the company. “Mode 1 is the marathon runner, that is, it refers to APIs that perform core business functions. Mode 2 is more like a sprinter. These are the APIs that respond to the environment, are closer to your customers, more agile, and typically more disruptive,” Sean explains. At Proximus, mode 1 is applied to internal APIs and existing SOA services. Mode 2 is applied to external APIs, and this is where they publish their digital products, with a strong focus on security.

Apart from the Bimodal practice, Proximus has also adopted several principles. There’s no domain dumping model at Proximus, and they use concepts that are known and understood within the organization. They design for loose coupling: vendor-neutral APIs are preferred, which allows them to swap one component for another with minimal impact. Proximus also uses industry standards such as OAuth2, XACML, SID, JWTE, etc. Another is the use of smart endpoints and dumb pipes, which avoids business logic in a centralized middleware. Security is coded, rather than configured. As such, the code is typically written only once and then validated by security, which makes this process easier to manage as well. Proximus also does not use the latest version of a particular technology on offer – they prefer to trail behind the bleeding edge, waiting for the first round of patches so they can use the functionality with greater confidence later. And finally, Proximus only builds components or purchases software that is cloud native.

Delighting Customers

The team at Proximus is satisfied with their API first approach and the resulting API marketplace. “We’re focusing on delighting our customers, delivering value, and doing all this at a lower cost. We use WSO2 to do what they do best. For us, WSO2 is an API management platform and we let them handle that while we focus on the business,” says Sean. As with any innovative business, there are more changes afoot at Proximus, and they’re looking to take WSO2 along with them as their business evolves.

Watch Sean’s presentation for more information about the transformation at Proximus.

Check out our product pages for WSO2 API Manager and WSO2 Identity Server to find out how you can use these products in your enterprise.

Ask an Expert: Catching up with Ruwan Abeykoon

Ruwan, on the right, participating in a badminton competition at WSO2

If you bump into Ruwan outside WSO2, you’re most likely to meet him along a hiking trail or underwater, scuba diving somewhere along Sri Lanka’s southern coast. He’s also a vehicle enthusiast and loves technology. Inside WSO2, Ruwan currently looks into product stabilization efforts for WSO2 Identity Server, which result in improving the overall architecture of the product.

In this interview, Ruwan sheds light on his journey at WSO2 so far, identity and access management (IAM), and his views about software.

1. How did you enter this industry (was it by accident, why IAM)? Tell us about your journey at WSO2 so far.

I started off as an entrepreneur after grad school, working in the telecom and retail sectors. My expertise lies in telecom signalling and it’s been one of my interests for the longest time, in addition to high performance computing and IoT. Subsequently, I joined WSO2 where I was a part of the App Manager team, which is now the WSO2 Identity Server team. Every change in my career was based on calculated decisions at critical junctures and I’m very pleased at how everything has turned out.

2. What are some of the interesting projects you’ve worked on recently?

Adaptive authentication is one of the latest features we added to WSO2 Identity Server. What’s different about how we offer adaptive authentication is that it’s based on a scripting language similar to ECMA. This also involves user behavior analytics based authentication.

WSO2 Identity Server analytics is able to monitor login and logout sessions, and provide analysis based on a user’s behavior which helps with providing an additional security layer when authenticating them. This is what adaptive authentication is ultimately about.

Adaptive authentication is very important right now and not because of user convenience alone. Major financial institutions use adaptive authentication to provide advanced user experiences while providing Open-Banking APIs.

3. Do you see adaptive authentication as a game changer and how so?

People always want easy access to applications and systems. Making this process difficult means users will either move away from the business or they will use weak security methods. For example, forcing people to use long and complex passwords can lead to them writing their passwords on a piece of paper somewhere, which isn’t a smart thing to do.

On the other hand, security experts want to limit access to resources and systems as well. Hence there is a need to find the right balance, and a need to detect risk and limit access while allowing free access for legitimate cases or users. This involves evaluating many more parameters and behaviors than the simple static rules that are offered by most IAM solutions. In the future, we’ll also need to embrace AI in the authentication process.

4. What trends do you see in the IAM market? Where do you think we’re heading?

I’m going to provide a very brief overview of some trends that I’ve observed. For one, there’s an increasing dilemma between whether or not we should opt for a centralized IAM system. But given privacy concerns, it’s quite evident the IAM industry is heading towards a decentralized identity and access management system. Another trend is sovereign identity, where an individual decides what can be done with an identity. Although there’s a growing need for increased privacy, people must be able to share and delegate easily. Another is space-time-bound edge device security with identity of a person.

5. We now keep hearing that IAM is an enabler and it’s more than just security or an IT project. What’s stopping enterprises from embracing this? Why do you think they should?

It is easy to start an IAM system with a homegrown solution of simple databases. There are a plethora of libraries available to kick start a homegrown IAM system. But it gets into an inescapable vortex when more and more functionalities are needed in today’s agile businesses. Enterprises need to detect this at an early stage and adopt a proper IAM solution before the vortex grows into an unmanageable beast by itself.

6. Two things you’ve learned in your career that you’d like to share with a newbie?

First, think of software as a medium of communication between both systems and people. This could be system to system, system to person, and person to person. Second, learn to unlearn. No software practice has lasted for more than a decade. New languages and methods keep propping up and your openness to learn is what helps you progress.

Ruwan on one of his many scuba diving adventures!

A Year in Identity

We’re looking at the possibilities of 2019, and after spending one year as the product marketing manager for WSO2 Identity Server, here are some observations I’ve made as to why enterprises would need identity and access management (IAM).

Identity is more than SSO, it’s a key enabler for Integration Agility

Throughout 2018, at every identity conference we took part in, we kept hearing that identity should be treated as something more than merely a security project. We have to go back to our enterprises and explain why identity is the glue that holds it all together. Single sign-on (SSO), authentication, or securing APIs may come across as a simple task or singular project, but it all eventually becomes part of a much larger project, like integration. Customer identity and access management (CIAM) is a great example of integration: you use identity, API management, and integration components along with analytics to give users a fantastic user experience. So whatever your enterprise strategy may be, identity plays a key role in being future-proof, and it’s more than just logging into applications.

Your customer comes first

CIAM, which may appear as a trend, should be the ultimate goal for any enterprise. Most customers that we deal with use WSO2 Identity Server for CIAM through SSO, identity federation, etc. CIAM helps to give your users a unified experience. An example is West Corporation, who does an excellent job of giving their customers a connected experience.

We’re moving from multi-factor authentication to adaptive authentication for the very same reason: to help you make your users’ lives more secure and better.

There’s an API for that

Everything today is API driven. All businesses are inclined to expose their APIs and the rate of exploding endpoints is surely alarming. Yet, what would be the point if these are not secure?

Open source IAM is “still” an emerging concept and this should change

Although open source might not be the best-known option for IAM, it should be. A lot of people assume that open source means free, but it’s really the “freedom” to try the product, to scan and test the code as you please, and to NOT be “locked in” to a vendor. It’s also easy to innovate fast with open source, and it’s versatile because of the variety of authenticators and connectors. One of my team-mates illustrated this quite brilliantly on Quora.

Therefore, if you are choosing an IAM solution for your enterprise, I strongly urge you to give open source a try.

Privacy

It takes a situation like Cambridge Analytica for enterprises to take IAM seriously. With the rise of the General Data Protection Regulation (GDPR) and the upcoming Consumer Credit Protection Act (CCPA), user consent and privacy are taking precedence over everything, and we fully support this. IAM is wired to provide compliance so that users are secure, and businesses can use this opportunity to demonstrate that they are “user-centric” and prioritize privacy over everything. This way you maximize user retention too.

Some final thoughts

2018 has been a fantastic learning curve, also because I get to work with the best in the industry (both in Marketing and Engineering/IAM). One such person is Prabath Siriwardena, who is a walking encyclopedia of all things identity (check out his blog, you’ll learn something you didn’t know).

Here’s to a data breach free 2019!

You can read more blog posts from me here. I also Tweet; get in touch with me @fishfaceishi

Ask an Expert: Catching up with Sagara Gunathunga

Sagara Gunathunga, the product lead of the identity and access management (IAM) team at WSO2, has had one amazing career. Starting as a committer to Apache, he most recently led WSO2’s efforts to become GDPR compliant – using WSO2! In this interview, he tells us why GDPR must be viewed as an opportunity to build closer relationships with customers and why we must always be curious in order to innovate.

1. Tell us about your introduction to open source and your journey at WSO2 so far.

Before I joined WSO2, I was a contributor to the Apache Software Foundation. In 2006 I attended various open source events like ApacheCon and I was highly motivated by the concept of contributing towards open source. So the motivation and some initial work towards it ended up with me being a committer in Apache. My first committer-ship was in an Apache project which was part of the Apache web services project, and this also paved the way for my access to other projects.

During this time, I got a chance to join WSO2. Initially, I was driving WSO2’s contribution towards Apache. I started working on Axis2 and the web services projects in my own time and arranged various initiatives to review and mentor their work towards Apache. I also encouraged others to become committers. At present, I am part of the IAM team. It was quite challenging at the start, as none of my previous projects were on security and my knowledge was limited to the security aspects I’d been exposed to when working on Apache projects. Services, application development, and governance were my core focus areas back then, but I used the knowledge I gathered as the base for my career as an “identity guy”. There was lots to learn, going deep into the concepts of IAM – but it’s been a rewarding journey.

2. What’s the most exciting project you’ve been a part of recently?

One of the main tasks I was assigned was to work with the privacy standards, given the emerging requirements in the EU/UK (GDPR) and Australia. As a technology company, it’s quite a task to keep up with all the privacy standards per country. Given that we have an identity product, it’s a priority for us.

We manage 50 mn+ identities, so in our case we store personal information and the main challenge is “how do we comply ourselves with the standard?” There are many known approaches like “Privacy by Design”, but my architectural effort was to make WSO2 Identity Server comply with all the privacy standards, not just GDPR. Then we had to expand that exercise to all other WSO2 projects, as all WSO2 products have some sense of personal data.

From a business perspective, WSO2 has data from customers and users that we need to protect and I was a part of that team that handled the privacy compliance/GDPR compliance. Meeting the deadline on the 25th May was daunting, but we did it!

4. Your proudest moments at WSO2?

Not just one, but being a part of WSO2 alone is always something to be proud of. The reality is that on the surface, you don’t see a lot of technological innovations in this part of the world (South Asia) due to various reasons. At WSO2 we are able to innovate despite these limitations, competing with leading and innovative tech companies around the world. Right now we are known as the largest OSS integration vendor in the world, managing 50 mn identities through our identity server, and that’s truly special.

5. How do you see GDPR – is it an opportunity or a roadblock?

It depends on your individual perspective. Some think it’s a financial barrier/roadblock but many other people do not share this view. Last month I presented at the GDPR summit and at various meetups where GDPR was discussed. I learnt that most people think it’s an opportunity for them to demonstrate their commitment towards user privacy, how they respect it, and demonstrate the ways in which they have measures in place to provide data protection.

There are positive perceptions – including as an avenue for brand recognition and showing how you care about your customers. That’s great, and I think it’s one of the best ways to prove to your customers that you respect their privacy and have taken all measures to protect their data. Businesses are now moving away from being solely profit-oriented and towards building relationships with their customers. That’s the most important aspect, and I believe this is how GDPR should be viewed.

6. Where do you think the future of IAM is heading and where does WSO2 Identity Server fit into that picture?

IAM is a broad term. We’ve noticed that authentication or how you verify the authenticity of a user is an evolving space and is a part of many privacy standards. For example, PSD2 and Open Banking in the UK requires enforcing Strong Customer Authentication (SCA). Financial institutions and banks used to have biometric and token devices for authentication. Yet, given the volume of cyber attacks and privacy violations, it is important that you provide maximum protection for your users. Therefore, authentication needs to become more agile and adaptive.

We’re hoping to provide adaptive authentication with WSO2 Identity Server, which is a very exciting direction for us!

7. WSO2 IS is an open source IAM product; how does it stand as opposed to a regular IAM vendor or product?

Open source is a loaded term. To ensure that what we offer is truly open source, we provide binary distributions that are freely accessible so you are able to customize, redistribute, and access the source code.

There are other “open source” IAM products where you can get the source code and run it, but you cannot run the official binary release in production. At WSO2 the GA releases are under the Apache 2.0 license, which means you are free to do whatever you want. You can use the code and run it yourself, or extend, customize, or even resell it. In case you need professional support and help, you can then engage with us.

8. From the point you started at WSO2, you have had an amazing professional journey. Any advice for budding developers or engineers who are beginning their careers?

Be curious. Always.

I have been in the field for more than 10 years and I’m more curious than ever given how much the technology landscape is evolving. If you are planning to have a fruitful career (which I’m sure you are), you have to be curious. I’m paraphrasing one of our greatest losses from recent times, Stephen Hawking, who said the key to his success was being curious. When people grow up they tend to settle with what they know but if you are curious, you grow with knowledge. It’s a guiding principle for me too.

As an identity guy, the key is to learn ideas and concepts thoroughly, so the application of the technology becomes easier. If you’re curious, the commitment and passion to what you do will come naturally. But if you settle, innovation becomes a battle.

Wait, I have to have WHAT in place by May 25, 2018?

We’re THIS close to inventing a drinking game for every time someone says GDPR. It’s quite fascinating to see how much is going to change with this regulation. Just like college, everyone is scrambling to meet the deadline of May 25, although the regulation came into place in 2016 and this is technically a “grace period”. Personal data and privacy are more important than anything else. We bet you now regret the time you clicked on “What does your favorite pizza topping say about your personality?” in exchange for all the personal data you submitted at the time – without so much as a second thought.

GDPR is going to change everything and place user consent on top, which is great. But if you’re an enterprise dealing with data of anyone living in the EU, you’ve got a lot to do. We put together a few questions we encountered, let us know if these help!

What exactly do I need to have in place to be in compliance with GDPR?

In this article we’ve listed 7 pragmatic steps you can take depending on where you are on the journey. Here’s a quick look at what they are:

  1. Build awareness around GDPR: in-depth awareness and building in-house expertise on all aspects of the regulation.
  2. Analyze if your company is affected: if you’re dealing with PII (personally identifiable information) of “residents” in the EU, then your company must deal with GDPR.
  3. Review the impact of your current data: thoroughly evaluate if all data collection methods used the necessary consent and furthermore, if you are able to demonstrate proof of consent.
  4. Review your systems and processes: review data storage and access mechanisms, and specifically decide if a data processing impact assessment (DPIA) must be carried out. It’s recommended you get a professional’s help with this.
  5. Implement necessary safeguards: adjusting business processes, upgrading software/storage systems, training for staff members, and introducing auditing systems.
  6. Appoint a DPO/EU representative: to address GDPR related matters within the organization, such as advising staff members on data protection procedures, monitoring compliance, and acting as the point of contact for supervisory authorities when liaising with them.
  7. Revise your documents and policies: thorough review of all documents and policies of the organization such as websites, terms and conditions, privacy policies, and social channels.

I’m a company in Milwaukee/Bikini bottom [or insert wherever you’re from]. Should I concern myself with GDPR and if so, to what extent?

As long as you’re dealing with PII (personally identifiable information) of those living in the EU, GDPR affects you. From a small retail company to a large financial organization, as long as you deal with Karen who lives in Norway, your company must be compliant with the law. You can find a link to all the laws here.

Should we extract and provide all of the customer data if requested by the customer? All the data or just the personal data like name, address, email, etc? Should we also extract the old orders that we have stored in the system?

Yes. Absolutely. There’s a right to “data portability”, meaning there should be a mechanism for an end user to access all their details if they want to. Remember that with GDPR, it’s all about the customer, and their rights must be given the utmost priority.

All data or personal data?

All the data. Whatever is stored, for whichever reason, should be made available if the user requests it. The key term here is PII – personally identifiable information. And if individuals want their data erased, you must adhere to that too.

Does WSO2 provide consultancy to make an organization GDPR compliant?

If it involves technology such as using WSO2 products, yes, we can provide consultancy to help your organization. Successful GDPR compliance requires changes in people, process, and technology aspects. WSO2’s suite of technologies can be used to make your organization GDPR compliant. To reiterate, if you’re looking for consultancy from a technology perspective and it concerns our products and technology, yes, we provide consultancy based on that.

How can you help me speed up the process? What tools do you provide? / How exactly are you helping to implement GDPR compliance?

WSO2 provides a stack that’s fully GDPR compliant; this includes WSO2 Identity Server, Enterprise Integrator, API Management, and the open banking solution. This article will help you understand what you need to look for when searching for a GDPR compliant IAM product and how it helps to optimize your GDPR strategy. WSO2’s open source Identity Server in particular can help you save time and cost, given the consent management and the privacy tool kit in our latest release. Get in touch with us if you’re building your own solution or if you have any questions. What our products will essentially do is help you build a GDPR compliant solution. You can find out more here.

Should we perform pseudonymization of the database in order to protect our data?

If by “our” you mean your customers’ data, yes. Performing pseudonymization is in fact a best practice. So yes, by all means. If an end user requests that you erase their data, you should comply according to the “right to be forgotten” rule. Having a proper IAM solution in place to do this would be helpful too. We also have a privacy toolkit that will enable you to do that; learn more here.

We are a company that does business with EU customers. We maintain their data in our CRM; do we fall under GDPR? In this case, how can we collect consent from the customers in the CRM?

Yes. You are processing and collecting details of EU residents, therefore you are affected by GDPR.

What if legacy apps are involved?

GDPR is focused on the end user; it doesn’t matter how your business does things, whether it is cutting edge or not. So even if it’s legacy apps you work with, you must have processes in place that bridge between the applications and the regulation.

Are there examples of what other companies have done to become GDPR compliant?

It might not be explicit, but if you do a quick search or pay attention to your inbox, you’ll notice that a lot of companies are already sending you emails saying they are updating their privacy policies; that’s them taking steps to become compliant. And that’s just one part of ensuring explicit consent.

Did we miss a question? Get in touch with us and we’ll get back to you!

5 Countries, 14 Cities: WSO2’s IAM Summer Tour

Given the need for regulatory compliance, the need to offer a customized experience for customers and employees, and tightening privacy controls (think Cambridge Analytica), having a solid IAM system solves more than just the simple IT problem of connecting identities.

Certain debates you need to resolve within your team are what kind of technology (we suggest IAM) will help you accelerate your compliance processes, especially with deadlines to meet; whether adopting an open source IAM solution would offer more value than a traditional IAM solution; and whether it offers better capabilities or creates additional privacy or security issues. What must you look for when opting for a Customer IAM solution, and what value do you create by prioritizing these?

WSO2’s Senior Director of Security Architecture, Prabath Siriwardena (fresh out of sabbatical), is going to hit the road starting April 30, and we’re going all out with everything we know on identity and access management and how adopting open source IAM can help you with your IAM strategy. He’s got a jam-packed schedule, and given his expertise of over 10 years, including extensively speaking at conferences worldwide (he just spoke at RSAC 2018 and sold out his books on API security), we think you should be marking your calendars just like you’re waiting for the final GOT season.

Here is a partial list of the topics we will cover:

  • Improving app IAM: About 71% of enterprise security decision makers believe that securing customer-facing apps is a critical priority. So here’s what it means. You need to ensure that you have an effective customer IAM solution in place that offers BYOID, progressive profiling, strong SSO and authentication, and self-care portals to secure your customers’ data and offer them an engaging experience. What should you have in place so your IAM solution can address these?
  • Securing APIs: APIs are everything, and most enterprises are increasingly adopting and exposing APIs with more third parties involved. Are your APIs secure enough, and what best practices should you adopt?
  • The IAM and Compliance Relationship: In the wake of privacy regulations like GDPR, what steps is your enterprise taking to be compliant?

Find the answers to these and more! We’re starting with Canada and taking it all the way to WSO2Con USA.

Here’s where we’re going to be:

Canada

USA

Sri Lanka

  • May 30 – Jaffna

Singapore

UAE

  • June 6 and 7 – Dubai

Learn more about our events and how WSO2 Identity Server can help your enterprise.

Three Months in to PSD2 – Confessions of the WSO2 Open Banking Team

It’s been 3 months since the PSD2 compliance deadline and the dust is settling. Or is it really? Just like when it started, the post-PSD2 landscape is viewed from different angles. It has been called everything from a ticking time bomb to a slow burn to a never-ending honeymoon period. We think the biggest surprise was that everyone thought January 13 was the end. It wasn’t; it was the beginning.

When we created WSO2 Open Banking, we knew customer needs would be diverse and every technology experience we deliver would be unique. Turns out we were right. Our journey with WSO2 Open Banking has revealed some interesting experiences while working with different stakeholders in this compliance ecosystem. Here’s what we learned.

Confession #1: (Almost) Everyone was late to the party

Everyone (including us) started counting down to PSD2 from 6 months to 3 months to 1 month. But the reality was, January 13 was just the date when PSD2 was implemented by the EU parliament as a Europe-wide regulation.

Several regions across Europe chose to deal with imposing PSD2 in their own way. We’ve been tracking the country-specific deadlines quite closely and about 46% are yet to set an official deadline for compliance. We believe that the final date for compliance will be when the Regulatory Technical Standards (RTS) come into effect in September 2019. That’s good news for us because there’s still a large viable market for compliance technology! ;)

Confession #2: Compliance confusion did not discriminate

Over the past several months, we’ve worked with many banks of different sizes across Europe and they all had similar questions:

This led us to believe that banks, regardless of size, require a lot of guidance in the compliance process. It’s a good thing we have a team of experts to do just that!

Confession #3: They came, they saw, they vanished

When PSD2 first started gaining traction in 2016, the knee-jerk reaction of every API management and integration vendor was “this is a goldmine of opportunity we cannot miss”. So they went head on into the market with an existing product. Come 2018, when the need for compliance technology has evolved, these “first mover” technology vendors have gone quiet.

It remains uncertain whether it was the lack of a well thought out strategy to keep consistent market demand, fintech domination, or not giving the compliance market the attention it deserved. One thing is for sure, this is a highly competitive market for technology vendors like us. But no complaints, we love a challenge and are pretty good at winning them!

Confession #4: API standards (and the organizations writing them) are a solution provider’s BEST friends

A lot of shade gets thrown at the lack of a common API standard across Europe (version 1.1 of the Berlin Group API specification is yet to come; we’ve got our eyes peeled for that). However, Open Banking UK has got this in the bag by having a comprehensive API specification that WSO2 Open Banking supports.

When we first started out, these standards really helped set the base for building our solution. Our development team continues to spend a good couple of hours every week identifying latest improvements in the specifications and contributing to their development by participating in working groups.

Confession #5: Compliance is not a back breaker… it just needs a well thought out strategy

A lot of banks think of compliance as a major headache and seek a “quick fix” to compliance just so they can tick off the checkbox. The reality is, quick fixes can do more damage than good. PSD2 compliance is a big deal and if you go into it without a strategy, that’s cause for alarm. Even if you don’t have a dedicated open banking or compliance team you can still get the job done.

You just need to rally the right members, set your goals for compliance and figure out what you need from a technology vendor. Then you need to pick the technology that gives you value for money and won’t take eons to work with your systems and deliver compliance. It’s a matter of working closely with a solution provider towards a common goal.

Confession #6: Do your research or go home – The learning never stops

There is a minimum of 3 articles written a week on open banking. Everything from thought leadership material and opinion pieces (like this one) to publications from standards bodies continues to explore and discuss this ecosystem. And what we learn from our conversations with customers is an invaluable source of research to keep abreast of where the market is heading. We treat each of these as a unique source of intelligence, and they continue to nurture our product management, sales, and marketing strategies. It’s the only way to survive in an ecosystem as dynamic as this one.

It’s been a great ride so far and we can’t wait to see what comes up next! No doubt there will be plenty more surprises and exciting developments to look forward to!

The WSO2 Open Banking Team

Helping You Say GDPRghh Less – Meet Us at the GDPR Summit London!

The process of becoming compliant with the General Data Protection Regulation (GDPR) isn’t simple. Anyone who says otherwise isn’t telling you the truth. However, you can make the process tolerable by using the right technology.

The prime focus of our spring release was to ensure that the entire WSO2 platform is compliant and that our products enable rapid growth by leveraging the regulation. For instance, WSO2 Identity Server is now able to provide end-to-end consent management as well as the ability to anonymize user data, which adheres to the ‘right to be forgotten’ rule.

To further help you accelerate compliance, Sagara Gunathunga, a director at WSO2 and a key member of the WSO2 IAM team, will be speaking on “Best Practices: How to Optimize Your GDPR Strategy” at the GDPR Summit held on April 23 at 155, Bishop Gate, London. During his session, he will explore:

  • The main factors for optimizing your strategy
  • The role played by IAM
  • How technology helps organizations leverage GDPR to drive growth
  • How to stay up-to-date with other privacy regulations

The event usually witnesses at least 500 attendees and aims to provide an actionable and practical roadmap for organizations to become GDPR compliant. Described as high impact, content-rich and jargon-free, the one-day conference has over 40 expert speakers scheduled.

Come say hi to our team and attend Sagara’s talk at the GDPR roadmap theatre. Click here to find out more!

Won’t be able to attend? Sign up for our ongoing webinar series to learn about all things GDPR!

Roses are red, violets are blue. We don’t have time to rhyme because the GDPR deadline is coming up soon!

At our last webinar on the General Data Protection Regulation (GDPR) hosted by Prabath Siriwardena and Asanka Abeysinghe, we looked at technical aspects of the regulation and what steps you can take to ensure your security strategy is primed for GDPR.

With less than two months to go, what you need now is the right approach to accelerate your GDPR compliance journey. According to a survey conducted by Forrester Research1 a few months ago, 11% of firms are still unsure of what needs to be done and 29% of fully compliant companies may have taken some incorrect steps. This can cause serious issues and lead to hefty fines when scrutinized by governing bodies. From an industry perspective, while financial industries are usually ahead given the constant regulations, media and retail industries could be lagging behind in getting their systems and processes into place.

Your enterprise’s longevity depends on the trust you build with your customers. That’s why user consent and privacy are vital. If the aftermath of the Facebook – Cambridge Analytica scandal taught us anything, it’s that. GDPR may seem like a daunting challenge at first, but by adopting the right technology you can move beyond compliance and take advantage of the regulation to gain your customers’ trust, strengthen their loyalty, and grow your business rapidly.

To help you grasp the complex processes involved in GDPR compliance, the WSO2 Identity Server team is conducting a series of seven webinars that explore how our products are GDPR compliant and what steps you can take to accelerate compliance.

  1. April 10: Accelerating Your GDPR Compliance with the WSO2 Platform – Sagara Gunathunga, Director, WSO2
  2. April 17: The Right Steps to Becoming GDPR Compliant – Darshana Gunawardena, Technical Lead, WSO2
  3. April 24: GDPR Compliance with WSO2 Identity Server – Ayesha Dissanayaka, Senior Software Engineer and Hasintha Indrajee, Associate Technical Lead, WSO2
  4. May 2: GDPR and API Security – Sanjeewa Malalgoda, Senior Technical Lead, WSO2
  5. May 8: The Role of GDPR in Customer Identity and Access Management – Rushmin Fernando, Technical Lead, WSO2
  6. May 15: GDPR Compliance by Design – Ruwan Abeykoon, Associate Director/Architect and Jayanga Kaushalya, Senior Software Engineer, WSO2
  7. May 22: The Impact of GDPR on User Experience – Dakshika Jayatilake, Associate Technical Lead, WSO2

Sign up and spread the word!

1 Forrester Research, Inc. “The State Of GDPR Readiness: GDPR Readiness Progresses, But Strategies Depend Too Heavily On IT” by Enza Iannopollo with Laura Koetzle, Stephanie Balaouras, Elsa Pikulik and Peggy Dostie, January 31, 2018

We Did It! WSO2 Identity Server is Now OpenID Certified

We thought turning 10 was reason enough to celebrate, but we’re not done with the celebrations yet. Our Identity Server (IS) team has been working to keep that momentum going. We just became OpenID Certified!

Being OpenID Certified by the OpenID Foundation is a big deal. What is OpenID? OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. “We’ve been compliant with OpenID standards for a long time,” says an ecstatic Prabath Siriwardena, WSO2’s Senior Director of Security Architecture. “Getting the certification puts a stamp on it and gives the assurance users are looking for,” Prabath explains.

WSO2 Identity Server is the most extensible and fully open source IAM provider that can help connect and manage your identities. It’s a key enabler of digital transformation. Our single sign-on bridges protocols such as OpenID and has been a key component of solutions offered to enterprises in education, telecommunication, and health, among others.

By becoming OpenID Certified, we’re joining a list of industry giants who also have this certification, including Yahoo! Japan, University of Chicago, Verizon, Salesforce, PayPal, and Google. Now WSO2 Identity Server can provide the assurance to its users that it really conforms to the profiles of the OpenID Connect protocol.

Kudos to our IS team on this feat and looking forward to many more successes!