Striking a Balance Between Flexibility and Security to Enable Unfettered Growth
Qonto is the leading European business finance solution. It simplifies everything from everyday banking and financing to bookkeeping and spend management. With its fast and innovative product, highly responsive customer service and transparent prices, Qonto energizes SMEs and freelancers so that they can achieve more.
Launched in 2017 by Steve Anavi and Alexandre Prot, Qonto serves more than 220,000 clients in 4 countries (France,Germany, Italy and Spain) and employs more than 500 talents in Paris, Berlin, Milan and Barcelona. Since its creation, Qonto has raised a total of €622 million from Valar, Alven, the European Investment Bank, Tencent, DST Global, Tiger Global, TCV, Alkeon, Eurazeo, KKR, Insight Partners, Exor Seeds and Gaingels to support its global growth ambitions.
Qonto has been listed by the French government in the Next40 index, which brings together the 40 most promising scaleups in France with the potential to become a global leader.
-
Country
France,Germany, Italy and Spain -
Industry
Financial Services - PDF Download
Challenges
As is true of many fast-growing companies, Qonto calls upon a combination of employees and contractors to support its business. Previously, when onboarding, both employees and contractors received multiple emails with passwords to relevant applications. Workers struggled to know who to turn to when they experienced app access issues.
For many teams, onboarding quickly became an exponential nightmare as Qonto welcomed up to 20 people every two weeks and provided access to as many as 60 applications. While each employee is associated with an HR file, contractors come and go, introducing different challenges for the security team when it comes to maintaining app access and credential lists.
The challenge continued with the offboarding process. A point-in-time audit that was quickly out-of-date was insufficient for understanding who still worked for Qonto and who didn’t. Plus, it was complicated for the security team to revoke application access in shared access situations.
As Ayoub El Aassal, Head of Security for Qonto, explains, these issues and many more are unsolvable without identity and access management (IAM). “You can enforce access policies and punish people for not maintaining up to date credential lists, but only single signon guarantees results because it enables centralized identity management.”
With OneLogin, we can exponentially scale security to go hand in hand with business growth.
Solutions
Enter OneLogin. “We chose OneLogin because it elegantly solves a difficult equation involving flexibility, security, and automation,” says El Aassal. With robust support for integrations within OneLogin, Qonto deployed 60 apps within three months. “We’re a relatively small security team. OneLogin provides APIs that streamline integration and makes it easy to create OneLogin accounts and automate many core processes,” says El Aassal. He also appreciates that OneLogin unleashes innovation. “We can easily scale, such as by connecting an app with 1,000 users using just three lines of script.”Benefits
- Streamlined onboarding process
- Reduced operational burden
- Enhanced security
The Story
El Aassal recognizes the many ways to approach IAM. “It’s relatively easy to tackle it through more bureaucracy and manual work: Email rounds to notify which people are leaving or getting promoted, weekly controls to ensure that all users across dozens of applications are up to date, quarterly verifications of password policies, and so on.” But this approach hardly scales and, past a certain threshold, becomes cumbersome and inefficient.
Qonto realized that its salvation lies within automation and technical innovation. Enter Onelogin. “We chose OneLogin because it elegantly solves a difficult equation involving flexibility, security, and automation,” says El Aassal.
With robust support for integrations within OneLogin, Qonto deployed 60 apps within three months. “We’re a relatively small security team. OneLogin provides APIs that streamline integration and makes it easy to create OneLogin accounts and automate many core processes,” says El Aassal.
He also appreciates that OneLogin unleashes innovation. “We can easily scale, such as by connecting an app with 1,000 users using just three lines of script.”
Streamlined Onboarding and Increased Security
In the past, when new employees requested app access, each request generated a ticket for the team owner of the tool. This used to be the norm and overwhelmed teams over time. Now, it’s an anomaly for the security team to receive those tickets.
When employees and contractors join today, their access permissions and rights are set automatically, based on their role and/or groups. This reduces friction during onboarding, enabling workers to access needed apps without delay. “Before, we were unable to enforce app access in such a granular way,” El Aassal explains.
At the same time, Qonto no longer needs to dedicate one engineer to spend a full day every two weeks provisioning app access for new joiners since OneLogin handles this automatically. “OneLogin eliminates frustration for new users and for our security team,” continues El Aassal.
As El Aassal says, “Most companies treat security as a fortified castle. We are breaking down this model and rebuilding security, using SSO as a central brick to propagate and control identity, and applying different controls in line with the perceived threat level and context. That’s a vastly different approach from simply slapping a VPN onto an app and considering it secure.”
One good example of “eliminating the moat” is using OneLogin’s policy-based Multi-Factor Authentication (MFA), which protects Qonto’s employees from phishing attacks. According to El Aassal, there’s no excuse for not having MFA in place. In fact, he says it’s the only reliable way for Qonto to secure its critical apps against phishing. “Forget about phishing simulations and employee training. One of the most efficient ways of dealing with phishing is robust MFA. Users are protected without being aware of OneLogin platform,” he explains.
Moreover, OneLogin provides a clear view into application access at all times, making it easy to automatically identify and alert on any suspicious behavior. “Imagine you want to gather access logs from all your internal applications, parse them and define suspicious behavior...that’s impossible. But with OneLogin, it’s just a click away,” explains El Aassal.
With OneLogin in place, Qonto doesn’t have to worry about security as it scales and yet knows new workers are empowered to work efficiently on day one.
El Aassal knows Qonto could support its rapid growth without OneLogin. But he also knows Qonto’s engineers would be bogged down. “They would be frustrated spending so much time managing a routine process instead of being freed to develop innovative ideas and solutions. Plus, new employees wouldn’t get a good feel for our company,” he continues.
Going forward, El Aassal plans to further enable his vision of breaking up the old security “castle” by putting all apps behind OneLogin. “We don’t want security where we rely on assumptions of trust. ‘This partner comes from this IP address therefore they are allowed passage.’ It’s a start but it’s not quite enough. We are working on ways to systematically prove elements of security every step of the way, transparently and efficiently. OneLogin is one important component among many others to achieve that.”
In fact, El Aassal is taking advantage of integration between AWS and OneLogin to assign rules on the spot to users who need application access. This makes it possible for those users to access all needed resources via a single account versus the multiple accounts needed in the past. “We can easily assign these temporary access rules. It’s just one example of how we use – and plan to use – OneLogin to enable the best security with the most flexibility,” he concludes.