Merging IAM capabilities across People First Bank

In early 2023, People's Choice Credit Union (PCCU) and Heritage Bank Limited (HBL) officially merged to become Australia's largest mutual bank. The merged entity, People First Bank, now manages over $23 billion in assets with over 720,000 members and 1900 employees across Australia.

The merger was a significant undertaking, requiring rapid integration of two distinct digital estates and core services.

One of the primary challenges was aligning two separate identity directories and providing all employees with secure access to shared digital applications.

The Challenge

The main challenge presented was minimising the dual access being granted via various methods from both organisations and the provisioning of multiple accounts in disparate identity systems.

This was creating challenges for administrators and application owners, limitations for end users, as well as creating technical debt and increasing the attack surface for potential credential theft.  

It also caused some end-user uncertainty, which in turn led to some frustration for the cyber security team, application administrators and owners.

The Solution

Identifly was engaged to develop a Transitional Identity & Access Management framework to guide the merged organisation to a target state architecture, providing guidance to ensure consistent decision making.

The framework focused on three core objectives:

1. Managing cyber risk:
Ensuring consistent application of key controls during the transition.

2. Improving worker experience:
Minimising delays when providing workers with access to resources across either entity and enabling a consistent experience through single sign-on and authentication policies.

3. Increasing operational efficiency:
Minimising manual processing of identities and addressing interim technical debt.

Rob Testi, Head of Cyber Security, noted of the initiative:

“Identifly provided timely and expert guidance, enabling us to transition to a converged set of digital services for the merged bank whilst minimising exposure risk. The approach enabled an overall more seamless end user authentication experience and assisted in the transition to one entity.”

The target state of Identity at People First Bank was a converged and unified Identity & Access Management (IAM) landscape with standardised processes and technology for all users regardless of location.

The key themes of the framework were centered around the IAM capabilities that provide access to users:

1. Authentication: The process of recognising a user’s identity to allow access to a resource

2. Provisioning: The process of creating, updating, and deleting accounts in systems

3. Authorisation: The process of determining if a user has the rights or privileges to use a resource.

Privileged Access Management (PAM) – Identifly assessed the current state and existing technology covering PAM capabilities within both PCCU and HBL and then produced a recommendation on the future PAM direction for People First Bank with a detailed implementation plan and roadmap.

Adaptive Multi-factor Authentication (MFA) – Identifly delivered a design and implementation plan to leverage the existing investment in Okta licensing to implement risk-based authentication policies based on Okta FastPass and NIST SP 800-63 application assurance level guidelines.

The Impact

The delivered framework assisted HPC in rapidly addressing technical debt and enabling the smooth transition of services to a converged identity environment. Integrating the People’s Choice Credit Union Okta platform with the Heritage Active Directory enabled a single identity to be established.

It also enabled secure and seamless cross-organisational authentication to key business applications with a single identity/credential.

Our team also supported People First in providing a universal sign on experience for all users, across both organisations, for all web applications.

In the future, the transitional architecture can be reused and adapted to bring additional acquired organisations online, minimising cost, reducing risk, and improving the overall impact of the merger activity.

