Vipps – Identity and access management
Vipps is a Norwegian mobile payment application that quickly became Norway's largest mobile wallet after its launch in 2015. Vipps is now aiming to become a large international player, by merging with MobilePay and the Finnish wallet Pivo (pending approval from regulatory authorities). Vipps partnered with Transcendent Group in 2018 to get access to experienced GRC consultants, and since then TG have contributed in a number of key areas, especially within Identity and Access Management (IAM), security management, security in software development, and penetration testing.

“Transcendent Group has been a solid IAM partner for Vipps. We have achieved high levels of self-service, automation, and compliance from our work with TG.” Reza Sobut, Head of Commerce Product Engineering at Vipps.
Modernization with Azure Identity Governance (AIG)
Together with Vipps we created an Identity and Access Management (IAM) strategy with the following high-level goals:
• Self service capability for employee access requests
• Approval workflows should be automated
• Audits should be simple and repeatable, as well as workflow-based
• Generally improved security, maturity and compliance
• Time saved for internal IT resources, system owners and similar
A key factor to keep in mind here is that Vipps is a company with an agile mindset and limited size. Lightweight and highly automated technology for Vipps' identity and access management was therefore desired. Together we set the course towards the implementation of Azure Identity Governance (AIG). Compared to the numerous “heavy-weight” IAM solutions out there, AIG is native to Azure and can be integrated more rapidly with the company’s technology portfolio.
AIG offers self-service through the Microsoft MyAccess portal, and has extensive support for automating approval and audit workflows. A high degree of customization is also available, such as access permissions with expiration dates, the use of multiple approvers, periodic audits etc. Given it is Azure-based, it also fits nicely into Vipps’ technology stack, integrating directly with Azure Active Directory.
A pilot project was run for a period of two months, resulting in a successful proof of concept. The solution was then implemented for all development teams in Vipps in just under 6 months. Some more work is required to mature and fully integrate the solution into the organization and its management systems, but benefits have already been realized at a very early stage. Employees could now simply be directed to the MyAccess portal for self-service access requests, and the automated workflows saved a lot of time for internal IT, system owners and many others. Security compliance has also been significantly strengthened.
Concluding reflections
For small and medium-sized companies in need of modern Identity and Access Management capabilities, the classic IAM vendors may offer solutions that are overly complex and expensive. Azure Identity Governance offers a more lightweight alternative that can be implemented and used with significantly less effort. It should be noted, however, that the quality of IAM in an organization very much depends on having well-defined and realistic IAM requirements, with good involvement from management in setting these requirements. Make sure you spend sufficient time defining the business requirements and then design your IAM processes to meet these requirements.