A Case Study: NRI Secure Technologies

NRI Secure Technologies adopted Authlete as an authorization engine for Uni-ID Libra. Uni-ID Libra is NRI Secure Technologies' all-in-one product, which provides the Authentication, Authorization, ID Management, and Threat Detection functions required for Access Management of Consumer-Oriented Web Services.

Incorporating authorization functions provided by Authlete into Uni-ID Libra greatly reduced the development time and cost before launch. It ensured an environment for fast and high-quality development of authentication functions in accordance with the latest OAuth 2.0 and OpenID specifications.

Quick Summary

  • Objectives and Challenges
    • Developing an authorization engine for Uni-ID Libra
    • Adopting the latest advanced authorization technology
    • Reducing development time required to comply with API specifications, including OpenID Connect
  • Why Authlete?
    • Outstanding special technical knowledge and experience in API specifications such as OAuth 2.0 and OpenID Connect
    • Fast availability of functions required for authorization as services
  • Benefits
    • Reducing development and operational man-hours for the authorization engine of Uni-ID Libra
    • Allowing the company to focus its resources on developing other functions by reducing development man-hours
    • Keeping up to date on the latest trends in technology such as Financial API

Objectives: To develop Uni-ID Libra, a successor to Uni-ID

Due to the growth of sharing technology, including OAuth and OpenID Connect, consumer-oriented web services increasingly need to collaborate with other services as a standard function.

In response to such environmental changes, NRI Secure Technologies (“NRIST”) launched Uni-ID in 2008, a solution for the integration, collaboration, and management of customer IDs. Uni-ID was a great success, implemented by many companies for various applications, such as for an integrated authentication platform by a major newspaper company and an ID collaboration platform by a major mobile carrier.

In spite of steady sales of Uni-ID since its release, as the number of cybersecurity crimes continued to increase year by year, user companies demanded NRIST strengthen its security measures. To satisfy such needs, NRIST started to plan the development of Uni-ID Libra, a new model of Uni-ID with additional advanced security features.

Challenges: Difficulty in finding a development partner for the authorization engine due to lack of companies having the advanced special technical expertise for OpenID

However, simply strengthening the security features could have decreased user convenience. Takehisa Shibata, in charge of developing Uni-ID Libra, recalled as follows:

“We can easily strengthen the security simply by increasing the number of user authentication requests, for example. The extra requests could lower the user experience for users, and they could potentially stop using the service. So we had to carefully balance security and user convenience when planning Uni-ID Libra.”

In the end, NRIST decided to add security features to Uni-ID Libra, such as automatically requesting additional authentication only upon detecting a possibility of illegal access based on behavior during authentication. However, the real challenge was to implement these advanced features not only for security measures but other product functions, such as ID management/collaboration and authorization/authentication.

“In the field of consumer-oriented web services, there is a need to enhance API collaboration function and marketing analysis function, and security measures. In response, we decided that we should develop products in cooperation with other companies who have advanced technologies and skills in different fields, instead of developing everything by ourselves.”

That is why NRIST started searching for partners, each of which has advanced technology in a specific functional field. However, it was not easy to find a partner for developing the authorization engine, which is the core function of the product; it turned out that most companies did not fully understand OpenID Connect and how to implement the standard properly.

Why Authlete?: its advanced special technical skills for authentication and authorization

Mr. Shibata commented as follows:

“NRI (Nomura Research Institute), the parent company of NRIST, is one of the founding companies of OpenID Foundation Japan, which promotes OpenID Connect technology. Having engaged in research on OpenID since its invention, we were confident that we have technological advantages over other companies. Although there are some skilled individuals, unfortunately, we could find no organizations or vendors which can properly implement OpenID with a deep understanding of its specifications.”

While NRIST was still unable to find a partner for developing the authentication function, Mr. Shibata, while browsing related information, happened to come across a person who had posted many well-written OpenID Connect documents online. That person is Takahiko Kawasaki, co-founder of Authlete.

“We already knew that there was an OpenID Connect expert on the Internet. Mr. Kawasaki is that person, so we decided to meet and talk with him.”

Highly valuing his OpenID Connect technical expertise, NRIST asked Authlete to participate in the Uni-ID Libra project as a development partner.

Explaining this offer, Mr. Shibata said, “This was also because Authlete’s architecture, which separates authentication from authorization, seemed to fit well with the design concept of Uni-ID Libra.”  

Working with Authlete: “Decision-making was so quick that the development went smoothly”

The Uni-ID Libra development project was launched in September 2016. NRIST and Authlete worked together to develop authorization functions. Mr. Shibata commented on the development as follows:

“We had nothing to worry about Authlete’s functions because we had already had many discussions with Mr. Kawasaki since the planning stage. We made some additional function requests, and Mr. Kawasaki quickly approved the development of whatever would improve Authlete. He made decisions so quickly that the development went very smoothly.”

Engineers from NRIST and Authlete took charge of the development work while managing the tasks on Redmine. First, they performed development and testing for incorporating Authlete in an evaluation environment on the cloud and, in March 2017, about six months later, migrated Authlete to the on-premises Uni-ID Libra environment.

Then, after debugging, the Uni-ID Libra project was officially completed in June 2017.

Benefits: “We can concentrate on further product development as Authlete keeps up with the latest API trends”

Immediately after its release, Uni-ID Libra was adopted by several companies as an ID integration/collaboration/management solution. The authorization functions developed by Authlete provide customers with highly stable operation, and Mr. Shibata praises the quality as “exactly what he expected.”

“Authlete has brought strategic business benefits, as well as operational benefits, to Uni-ID Libra,” he added.

“Not only does Authlete secure the stable quality of authorization functions but also keeps up with the latest OAuth and OpenID specifications, to which additions and changes are often made. This allows us to focus on developing other Uni-ID Libra functions, including threat detection and marketing analysis.”

As the next task, Mr. Shibata would like Authlete to comply with Financial API. Financial API is an API standard designed to be used mostly in financial institutions. Its specifications are currently under development by groups including the Financial API Working Group in the OpenID Foundation in the U.S. This API is expected soon to become the de facto API standard in the financial industry, and even the development roadmap for Authlete implies compatibility with Financial API.

“Authlete constantly monitors the latest news on authentication and authorization including Financial API and updates it for us. This relationship of trust allows us to concentrate on developing other innovative functions.”

Comment on Authlete: “Authlete is good for companies that quickly want to implement authentication and authorization following OAuth 2.0 and OpenID Connect”

The last question for Mr. Shibata was about the benefits of Authlete:

“Well, first, Authlete provides all the functions required for authentication and authorization as services. This is good for companies that want to reduce load–and do so quickly–in implementing or operating authentication and authorization in accordance with OAuth 2.0 or OpenID Connect.”

He added, “In addition, you don’t need to pour all your precious resources into complying with specification changes in OAuth 2.0 and OpenID Connect and keeping up with the latest technology trends such as Financial-grade API.” NRIST highly values the strong technology, know-how, and partnership which Authlete has established as a service vendor specializing in authorization since its founding in 2015.

To contribute to the spread of Uni-ID Libra, Authlete remains committed to improving the functions and services.

About NRI Secure Technologies

Head office: Otemachi, Chiyoda-ku, Tokyo
Business: Providing one-stop services for information security
Employees: 408
Capital: 450 million yen
Website: https://www.nri-secure.co.jp

(As of January 1, 2018)