Ninety One is a South Africa-based independent, active investment manager dedicated to delivering compelling outcomes for its clients, managing more than £119 billion (2.6 trillion rand) in assets. Recently it implemented Customer Identity and Access Management (CIAM) infrastructure, including Single Sign On and Multi-factor Authentication (MFA). Scott Carr, IT Platforms Manager, Ninety One, tells us why it was important for the company to implement this project.
Established in South Africa in 1991 as Investec Asset Management, Ninety One started offering domestic investments in an emerging market. In 2020, after almost three decades of experience and organic growth, the firm demerged from Investec Group and became Ninety One. Today, the firm offers distinctive active strategies across equities, fixed income, multi-asset and alternatives to institutions, advisors and individual investors around the world.
Recently, Ninety One teamed up with Auth0, the identity platform for application teams, to deploy the vendor’s solution to authenticate retail fund investors in South Africa.
Ninety One needed to replace its on-premises identity solution with Auth0 as part of a broader Digital Transformation strategy to provide customers with a seamless login experience across its investment products and portfolio.
Following the demerger and listing, Ninety One required its own Customer Identity and Access Management (CIAM) infrastructure, including single sign on, multi-factor authentication (MFA) and self-service password reset features. Ninety One’s own development team and a local transfer agency and administrative outsourcing partner, Silica, recommended Auth0 for ease of integration and the ability to host in the cloud while migrating users gradually from the previous on-premises system.
“The move to Auth0 is indicative of our journey in other parts of the organisation,” said Scott Carr, IT Platforms Manager, Ninety One. “We have embraced Auth0 as essential for our success as a new brand because they enable us to provide the calibre of safe and convenient digital experiences our financial services clients demand.”
According to research firm IDC, IT security spending in the Middle East, Turkey, and Africa (META) will cross US$3.4 billion in 2023, driven by a focus on digital identities and shifts to the cloud.
“Digital Transformation shouldn’t be underestimated, but it doesn’t have to be feared either,” said Steven Rees-Pullman, Senior Vice President International, Auth0. “Ninety One is looking to the cloud and replacing legacy systems with building blocks like Auth0 to be more adaptable and resilient while delivering great experiences for their clients. We’re pleased to help power their journey.”
Intelligent CIO Africa spoke to Carr to find out more about the Auth0 implementation and what the deployment of the Customer Identity and Access Management (CIAM) infrastructure means for Ninety One’s Digital Transformation journey.
Talk us through Ninety One’s IT infrastructure and why it was important to implement Auth0’s identity platform solution.
Ninety One was formerly part of the Investec Group and although we functioned as an independent entity, we shared a number of core IT systems with the group, such as payroll, general ledger and specifically their customer identity and access management (CIAM) solution, which was used to control access to the Ninety One Digital Investment Platform. Most systems were on-premise and leveraged a shared network infrastructure. As a consequence of last year’s demerger we needed to procure our own versions of the shared systems. With respect to CIAM we needed a solution that offered all the existing security features but also allowed us to scale and enhance the security and align with a broader strategic move towards cloud services.
What were the main challenges that Ninety One faced prior to this project implementation with Auth0?
Since we did not ‘own’ the old solution, we were constrained to the protocols of the group (for example, password resets could only be done telephonically). In addition, the communications layer between the group’s on-premise CIAM and the on-premise transactional website (hosted by an outsource partner) was highly sensitive to network and firewall changes, resulting in downtime entirely beyond our control. Lastly, the solution was very expensive relative to the requirement it needed to serve.
Having looked around for suitable customer identity and access management (CIAM) infrastructure technology currently in the market, how did you settle for Auth0?
As part of an RFP process, we invited several participants, including the incumbent solution. All proposals were scored across various categories – technical capability, security, implementation practice, cost, etc. – as well as engagements with relevant representatives from each participant. Auth0 was a clear front-runner in most of the categories and the interactions with the individuals there gave us confidence about the quality of the product and the prospect of establishing a strong relationship.
Paint the picture of the size of operation Ninety One runs for retail fund investors in South Africa?
Our investment platform administers assets on behalf of roughly 150,000 retail investors, collectively holding nearly 200 billion rands (US$13 billion) in assets. Ninety One has 200 people supporting this business from sales to servicing, operations and IT.
Who led the business case process for Ninety One to implement Auth0 solutions?
Our business analyst, Digital Investment Platform IT, Tom Jackson led the business case process.
How long did the project take to implement, and was the project implemented using in-house expertise or did you work with an Auth0 certified solution provider partner?
The Auth0 implementation was aligned with a broader strategic move to create a cloud-first, scalable platform for the future. From purchase to turning off the old CIAM solution took nine months, comprising three months of design and planning, three months of building, testing and deploying, and three months of migrating existing users to the new platform.
What would you cite as challenges your IT team encountered during the implementation of Auth0 solutions?
Integrating to an enterprise cloud offering, mainly through remote collaboration, was a change to previous on-premise integrations with physical consultant support. One of the primary technical challenges was running the old and new solutions in parallel and having both of these control access to the legacy on-premise and the newly-built cloud website.
Designing a user journey that allowed migration of existing users with the minimum of friction but still meeting the timelines was extremely challenging. That said, an unforeseen challenge arose from the decision to move to email address as the username. Previously this had been a newly-generated customer number. Hence users who had multiple logins experienced issues when trying to re-use their email address for secondary or tertiary accounts.
What has improved following the Auth0 deployment and how has that impacted the overall business at Ninety One?
MFA now protects the majority of logins; it was not used before. With automated registration, most new registrations are completed without manual intervention; previously all registration was serviced through consultants.
Password reset is now automated; previously passwords had to be reset telephonically.
Did you have to train employees following this Auth0 deployment?
As a consequence of moving away from the on-premise CIAM solution, we were starting with a clean slate and some training was necessary. Two to three developers have skilled up on the Auth0 implementation and in addition to this we have a servicing team of seven to eight who have been trained on the user management portal.
What is next following the implementation of Auth0’s identity platform solution?
Several of the features we are looking at next are: Adaptive MFA, using Auth0 to authenticate to our API service layer and implementing Guardian (or other apps) for MFA.