A fintech leader chooses an identity partner
To support its growth, Personal Capital operates a robust cloud architecture, but to achieve Zero Trust it wanted a strong partner that would allow it to unify its identity and access management stack. Personal Capital began with Okta’s Workforce Identity Suite, including Single Sign-on, Universal Directory, Lifecycle Management, and Adaptive Multi-Factor Authentication.
Solving for infrastructure access
After successfully deploying Okta within the organization, Personal Capital looked for an elegant, scalable technology solution for enabling access to its AWS cloud architecture. The team opted for ScaleFT’s Zero Trust Server Access, a product neatly integrated with Okta using not only SAML but also SCIM technology, further simplifying identity provisioning management.
An auspicious and timely acquisition
In July 2018, Okta acquired ScaleFT and put its Server Access product under the Okta umbrella as Okta Advanced Server Access. Personal Capital welcomed the move, which unified identity and access for the company in an even more comprehensive way.
Foundation for secure, low-maintenance growth
Personal Capital also relies on Okta’s API to automate identity operations, turning its highly elastic cloud environment into a low-maintenance, Zero Trust infrastructure. As it continues to lead, Personal Capital has a secure, scalable identity foundation on which to grow.
“Okta ties everything to identity. Advanced Server Access binds user devices to authenticated sessions, so we have added assurance that each device can be trusted, at each point in time.”
Maxime Rousseau, CISO, Personal Capital
- 400 employees using Okta for easy access to their work
- 2M+ registered users who track more than $650 billion in assets on Personal Capital
- Secure, scalable, Zero Trust AWS cloud infrastructure access
- A single, fully integrated identity management solution across workforce and infrastructure
- A consistent, secure, lower-friction user experience, with the same Multi-Factor Authentication applied across access vectors
A fintech leader chooses an identity partner
Personal Capital offers a “high-tech, high-touch approach to personal investing,” bringing financial clarity and confidence through the combined power of smart technology and smart people. The company has built a powerful platform and a strong team of fiduciary advisors. As of February 2019, the company managed more than US $9B in assets with more than two million users.
To support the growth and scale of the business while keeping financial data secure, Personal Capital operates a robust cloud architecture. Initially, the company’s identity management strategy was overly complex, said Maxime Rousseau, chief information security officer.
The company started with an alternative identity solution provider, but Personal Capital was quickly approaching the enterprise category, and Rousseau realized the team needed an identity provider that offered a more comprehensive suite of tools that would scale more rapidly. “We also wanted a platform that would integrate well with our wide array of cloud partners, to unify identity and access for our entire, rapidly growing business under one umbrella,” he said.
After an evaluation process, the team chose Okta as their identity management partner because of its comprehensive approach to enterprise identity. They implemented Okta’s Workforce Identity products, including Single Sign-On, Universal Directory, Lifecycle Management, and Adaptive Multi-Factor Authentication with Okta Verify with Push. Okta provided Personal Capital’s 400 employees streamlined access to its large portfolio of cloud application partners, such as Palo Alto Networks, G Suite, and Slack.
Solving for Zero Trust infrastructure access
Personal Capital runs both customer-facing applications and backend services on an Amazon Web Services (AWS) cloud architecture. After successfully deploying Okta within the organization, the next step was to implement an elegant, scalable solution for accessing that cloud infrastructure securely. For the fintech company, controlling server access across the whole infrastructure is critical, as is avoiding clunky solutions that would present adoption challenges.
The team committed to the Forrester Zero Trust model, where access is earned according to dynamic, real-time user and device conditions, and every request is independently authenticated and authorized. “We’re a modern, cloud-first organization with no traditional perimeter, and that’s how we believe security should work,” said Rousseau.
Providing that level of oversight was no easy task, however. “It was a challenge to dynamically provision the right identities, roles, groups, and associated public Secure Shell (SSH) keys while spinning immutable infrastructure up and down at scale,” said Rousseau. Without a unified layer for access control, the team had to either build their own connective tissue or add bolt-on access technologies on top, which would present adoption, compatibility, and scaling issues.
Rousseau found that traditional methods in the space often added to the complexity, wrapping more management layers around already complex deployments. “We needed a better way to manage infrastructure security, that lined up with our overall principles,” he said.
An auspicious and timely acquisition
To leverage Okta’s authentication stack, the Personal Capital team opted for ScaleFT and its Zero Trust Server Access product, which was integrated with Okta, providing dynamic provisioning capabilities. ScaleFT gave Personal Capital’s operations, security, data science, and engineering teams a seamless, secure way to access critical AWS infrastructure.
“By using Okta to bring unified authentication and authorization to server access, ScaleFT made it easy for our team to implement unified access policies across different employee access use cases,” says Rousseau.
At the time, ScaleFT was going through the formal process of verifying its Okta integration, and the company needed a joint Okta and ScaleFT customer to confirm that the integration was working as documented. Personal Capital volunteered to be the mutual customer and helped finalize ScaleFT’s Okta verification. “We were one of the first client bridges between the parties,” said Rousseau.
After verification, Okta took the partnership further and announced in July 2018 that the company would acquire ScaleFT. The two companies had many mutual customers, and ScaleFT helped Okta extend its identity and access management capabilities to infrastructure resources and accelerate the roadmap for its Zero Trust platform.
That announcement was great news to the team at Personal Capital, with their goal of unifying identity and access management under a single umbrella. Today, the ScaleFT Server Access product is called Okta Advanced Server Access. It streamlines core Okta authentication workflows to Linux and Windows servers via SSH and Microsoft’s Remote Desktop Protocol (RDP).
An end-to-end lifecycle management solution
Today, Rousseau’s team relies on the Okta API for automating identity operations, including creating new projects, enrolling servers, and adding or removing users from groups. Okta Universal Directory is the source of truth for server accounts, which are configured with Lifecycle Management. Okta’s SCIM provisioning ensures that any changes to user attributes or group memberships are automatically pushed downstream to Advanced Server Access and then to the servers themselves.
“Okta’s API allows us to maintain control of a highly elastic cloud environment without a lot of management upkeep,” said Rousseau. Servers enrolled with Okta run a lightweight server agent that manages local machine accounts. “That agent continually polls the backend API for any changes, and updates the accounts accordingly,” said Rousseau. “It’s truly an end-to-end lifecycle management solution.”
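As an added illustration, not Okta’s or ScaleFT’s agent code, the following shows the kind of reconciliation pass the paragraph describes: from a directory snapshot it derives which accounts a server should carry (only active users in a group mapped to a server role), then diffs that against the local account state to produce create, update and delete actions, so deprovisioned users and stale SSH keys are corrected on every poll. All user, group and key values are constructed placeholders.

```python
# Illustrative reconciliation loop (not Okta's agent): directory state is the
# source of truth; local accounts are driven to match it on every poll.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    keys: frozenset   # authorized public SSH keys (constructed placeholders)
    sudo: bool        # derived from group-to-role mapping


def desired_accounts(directory_users, group_roles):
    """Accounts a server should have: active users holding at least one mapped group.
    group_roles maps a directory group to the server role it grants, e.g. {"sudo": True}."""
    wanted = {}
    for u in directory_users:
        if not u["active"]:
            continue  # deprovisioned upstream: no local account at all
        roles = [group_roles[g] for g in u["groups"] if g in group_roles]
        if not roles:
            continue  # no group grants access to this server
        wanted[u["login"]] = Account(u["login"], frozenset(u["ssh_keys"]),
                                     any(r["sudo"] for r in roles))
    return wanted


def reconcile(local, wanted):
    """Diff local account state against desired state; returns ordered actions."""
    actions = [("delete", n) for n in sorted(set(local) - set(wanted))]   # orphaned
    actions += [("create", n) for n in sorted(set(wanted) - set(local))]  # missing
    actions += [("update", n) for n in sorted(set(wanted) & set(local))
                if local[n] != wanted[n]]                                 # drifted keys/role
    return actions


# Constructed sample directory snapshot and local state.
DIRECTORY = [
    {"login": "alice", "active": True,  "groups": ["ops"],       "ssh_keys": ["ssh-ed25519 AAAA...alice"]},
    {"login": "bob",   "active": False, "groups": ["ops"],       "ssh_keys": ["ssh-ed25519 AAAA...bob"]},
    {"login": "carol", "active": True,  "groups": ["datasci"],   "ssh_keys": ["ssh-ed25519 AAAA...carol2"]},
    {"login": "dave",  "active": True,  "groups": ["marketing"], "ssh_keys": ["ssh-ed25519 AAAA...dave"]},
]
GROUP_ROLES = {"ops": {"sudo": True}, "datasci": {"sudo": False}}
LOCAL = {
    "bob":   Account("bob",   frozenset(["ssh-ed25519 AAAA...bob"]),    True),   # user deactivated
    "carol": Account("carol", frozenset(["ssh-ed25519 AAAA...carol1"]), False),  # key rotated upstream
}


def run_poll():
    """One agent poll: compute the actions needed to converge LOCAL to DIRECTORY."""
    return reconcile(LOCAL, desired_accounts(DIRECTORY, GROUP_ROLES))
```

Applying the returned actions and polling again yields an empty list, which is the property that makes the loop safe to run continuously.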
Employees who need server access run a lightweight client app on their workstations, interfacing directly with their local SSH tools and the Advanced Server Access backend. “Every user’s workstation is enrolled with Okta,” said Rousseau, “so our security team has a clear view and record of which machines and employees are accessing servers at any given moment.”
Server access requests pass through bastion hosts, to provide another layer of security. Advanced Server Access supports bastions as a first-class citizen, transparently authenticating and authorizing each hop.
Zero Trust—made friendly, as well as secure
“Okta Advanced Server Access was the right choice for Personal Capital because it simplifies secure server access while eliminating the need for additional technologies, manual integration and static keys,” said Rousseau. By solving for all policy requirements with one technology, Personal Capital avoids brittle manual integrations.
Advanced Server Access delivers a Zero Trust architecture that protects Personal Capital’s critical infrastructure. “Like Personal Capital, Okta ties everything to identity,” said Rousseau. “Advanced Server Access binds user devices to authenticated sessions, so we have added assurance that each device and employee can be trusted, at each point in time.”
Advanced Server Access removes much of the traditional operational burden that comes with infrastructure. “We have no account synchronization to worry about, no static credentials that can be stolen and/or misused,” said Rousseau. “We can see who accessed what, from which machine, and when.”
As Personal Capital continues to lead the digital wealth management space with advanced technologies, Rousseau feels confident that the company’s infrastructure is prepared. “With Okta covering identity and access management, we have a secure, scalable foundation on which to grow,” he said. “Okta was the right choice for us.”