Mobile Banking SSO

Synovus Simplifies Mobile Banking and Optimizes SSO and Federation with Forum Systems

Background

Based in Columbus, Georgia, Synovus (NYSE: SNV) is a financial services company with more than $27 billion in assets, and its bank divisions provide commercial and retail banking, investment, and mortgage services to customers in Georgia, Alabama, South Carolina, Florida, and Tennessee. Founded in 1888, Synovus currently has more than 350 branches spread across 30 different markets.

Challenge

Synovus had many disparate applications serving multiple lines of business, where information needed by each centralized application was fetched either by batch process or application-centric functions. As a result of increased real-time data requirements and the velocity of data change needed within the organization, the Synovus technology team adopted a Service Oriented Architecture (SOA). The migration to SOA allowed Synovus to rely on interoperable services with well-defined business functionality built on software components that can be reused for different purposes.

The SOA strategy provided a methodology and infrastructure for business services to enable legacy and new applications to share their business rules and data across Synovus applications, but Synovus also needed to establish a secure and efficient method to authenticate access to both internal and third-party applications. The financial services institution needed a framework that would enable Single Sign-On (SSO) to multiple applications, one that would enable secure federation of a user identity to multiple internal and third-party servers. Synovus also needed a solution that could scale to support mobile banking services for thousands of consumers with a Bring Your Own Device (BYOD) requirement.

Solution

Synovus evaluated gateways and selected a solution from Forum Systems, a leader in SOA and services security. Synovus initially deployed the Forum Sentry XML Gateway, which provides comprehensive support for SOAP, XML, REST, HTML, and JSON services. Forum Sentry was deployed as the gateway for all web services, and it was particularly appealing because it is agentless.

“We looked at other gateways using SOA and concluded that agents can actually hamper communications,” said Santosh Kokate, Lead Enterprise Architect for Synovus. “Architecturally, we want minimum security on the server because the only way to access it is through the gateway. This allows us to simplify actions at the business layer and it makes the SSL encryption run faster. Selecting a secure, agentless gateway has allowed us to better protect our servers and simplify our transactions.”

He continued, “Forum Sentry also offers high security by physical and virtual separation for web services implementations. Physically, we create a SOA demilitarized zone by creating a virtual LAN between the gateway and the selected web server so there’s an encrypted path between the authenticated user and the applications the user’s entitled to access.”

Synovus relies on Web Services Description Language (WSDL) for describing the functionality of web services. A WSDL description of a web service provides a machine-readable description of how the service can be called, what parameters it expects, and what data structures it returns, and Synovus has created a virtual WSDL for each web service to enable scalability. “Virtual WSDLs changed everything for us,” Kokate stated. “We load them onto the Forum Sentry and the client will authenticate according to defined policies. It will be automatically checked against the established schema, so it’s easy to re-use web services and enable transparent and secure access to multiple web services.”

Service-Oriented Business Architecture

Synovus was named the overall winner of the SOA Consortium and CIO Magazine's SOA Case Study Competition. Building on its SOA vision, Synovus embarked on the next major component of its IT architecture, which it refers to as Service-Oriented Business Applications (SOBA). This layer of architecture sits on top of the SOA layer and becomes the interface by which users interact graphically with its systems.

Previously, online banking was enabled through a vendor partnership, but with SOBA, access to web applications goes through the Forum STS Identity Broker to enable secure collaborative relationships with Synovus partners, empowering secure portal federation and SOA federation. “Forum STS provides us with secure token services,” said Kokate. “It communicates with the LDAP services and adds another layer of security for us.”

Forum STS provides Synovus with a standards-based identity management platform that can consume, translate, generate, and authorize credentials in message-based and protocol-based formats. Credential tokens can be automatically converted, allowing it to bridge environments, portals, and SOA domains. It allows Synovus to centralize access control and identity management and provides comprehensive identity token translation with direct integration with all major identity servers.

SOBA enables SSO so that users can transparently and securely access multiple web services. It also provides interoperability between different Synovus and third-party products, and it offers a simple, point-and-click mechanism for configuring federation and SSO functions for internal and third-party applications.

Forum Sentry Web Application Firewall natively unites, for the first time in one appliance, the threat protection, scalability, and federated identity capabilities of an XML Gateway with the security of a Web Application Firewall (WAF). By removing the identity and security burden from web sites and composite applications, this unified content firewall securely authenticates and authorizes users invoking services, regardless of where the services reside. Unlike legacy WAFs, Forum Sentry WAF enforces decisions across complex identity tokens and repositories and throughout the entire transaction, rapidly delivering rich online content to users without requiring multiple sign-ins.

“Users and their sessions authenticate on the Forum solution, their SAML assertions are signed by Forum, and Forum also issues their secure tokens,” said Kokate. “The beauty is we have online banking sitting safely behind the identity gateway and the identities and authentication are established there. We don’t have to manage those identities or write a single line of code to make federation happen.”

Now with Forum Sentry WAF centralizing XML and HTML policies and performing the requisite identity management, Synovus has reduced online banking sign-in time from averaging about 20 seconds to averaging less than six seconds—significantly enhancing the user experience. “Our Forum solution blocks everything, simplifying secure access and authentication,” said Kokate. “We even hired a third-party security assessment team to evaluate our security and look for areas we could improve, and they found no security risks we needed to address.”

Scaling to Support Mobile Banking

Re-use was further leveraged when Synovus deployed mobile banking to its customers. The organization wanted to swiftly offer consumers mobile access to their accounts from cell phones, smart phones, and tablets. Since online banking was already in place and consumers could view their accounts and conduct transactions from their computers, IT only had to create virtual WSDLs, expose them to existing web services and to web services offered by mobile partners via dedicated VPNs, and conduct testing.

“Mobile banking relied on the same infrastructure already in place for online banking, so we were able to introduce mobile banking services with less than 500 hours of IT involvement,” said Kokate. “We re-used Internet banking web services in the mobile channel, and it was faster for us to develop and test the solution than it was for us to get the contract signed with our telecommunications service provider. It took us 40 days to build and test it, and it took 45 days to get the contract signed with the mobile provider.”

With the consumerization of IT, people are increasingly relying on their personal smartphones and tablets to gain secure access to enterprise resources, driving increased expectations for secure BYOD access to bank accounts. Mobile banking services have already become popular, and Synovus now supports over 10,000 customers accessing their accounts through iPhone, Blackberry, Android, and WAP clients.

Unifying Enterprise Applications

Prior to the SOA implementation, customer and account information, funds transfer, credit card balances, and intraday bank balances and transactions were not available outside the branch channel. Now this data has been integrated into the call center, Internet, and mobile banking channels using services from the banking and credit card legacy systems. Development time for new projects and applications across Synovus is reduced significantly, because SOA allows IT to securely re-use customer data and existing web services. IT delivers improved project ROI and greater business agility, so the organization can deploy new products faster to meet the needs of end customers.

For example, the internal call center supports online and mobile banking customers as well as internal application users. In the past, this required call center representatives to log into as many as 35 different applications, but now all of the web services are unified. “We implemented a rule—everything that needs a web service has to go through Forum Sentry,” said Kokate. “This allows us to eliminate siloed and scattered access to applications and lets users easily access the information they need.”

Benefits

By partnering with Forum Systems, Synovus has achieved major IT goals, including the following:

  • Implemented an SOA strategy to enable legacy and new applications to securely share business rules and data
  • Enabled fast and efficient SSO to Synovus and third-party applications
  • Dramatically accelerated the response time for authenticating users for online banking while enabling SSO to third-party applications
  • Re-used existing web services to swiftly deploy new applications—such as creating and testing a mobile banking application within 40 days