Maximizing User Access to Software-as-a-Service Applications

Founded in 2010 by Margaret Black-Scott, a former vice chairman of global wealth management at Morgan Stanley with more than 30 years of industry experience, Beverly Hills Wealth Management (BHWM) is a boutique registered investment advisor (RIA) firm. BHWM is dedicated to offering professional, personalized investment advice and services to high-net-worth individuals.

In order for the firm to remain competitive and provide attractive services to both clients and wealth advisors, BHWM needed to establish business relationships with strategic partners delivering a variety of services, from fixed income inventory and strategies to banking and insurance.

To support these efforts, the burden was on John Stuart, CIO of BHWM, to build a sophisticated, flexible, and scalable IT infrastructure without incurring millions of dollars in capital costs for software licenses and hardware. He developed a phased master technology plan that could support multiple custodians, agency/principal trading partners, trust administration, insurance services, and back-office service providers.

Realizing the True Potential of SaaS
Key to the master IT plan was a software-as-a-service (SaaS) strategy that could provide wealth managers and support teams with access to leading software solutions, reducing the need for BHWM to acquire in-house hardware or software systems. “As an independent advisory firm, we will grow and thrive with our SaaS application partners—so we view them as essential in our ability to compete against larger, more established financial services firms,” said Stuart.

BHWM’s SaaS application strategy required flexible, secure interfaces that personnel could use to access various partner systems during their daily activities—with the ability to access up to 16 industry-leading software solutions, depending on the employee’s role. One important requirement was the ability to manage multiple user accounts across a wide variety of SaaS solutions, each with its own user interface, management tools, and security model. In addition, BHWM needed a tool for easy management of CRUD (create, read, update, delete) processes for user accounts on partner systems to enable employees to deliver the high levels of service required by their demanding clients. Since SaaS applications differ in their provisioning/deprovisioning capabilities, whatever solution the company chose would have to handle a wide variety of management interfaces.

Something about SSO
With the goal of making user access convenient and seamless, IT developed a secure internal portal, code-named “Maestro,” that delivers on the advantages of single sign-on (SSO). With SSO, users don’t have to remember multiple user ID/password combinations, and they can access multiple applications with a single mouse-click. Maestro has virtually eliminated calls to the help desk from users needing to reset a lost or forgotten password. The system uses Security Assertion Markup Language (SAML) technology to establish trusted identity federation relationships with BHWM’s SaaS provider partners.

To realize these benefits, Stuart sought an identity and access management (IAM) solution that could combine provisioning/deprovisioning, account management, and secure access control for users with the ability to scale as BHWM continued to grow and add both new employees and additional SaaS solution provider partners.

“The flexibility, security, and other capabilities provided by McAfee Cloud Identity Manager will enable BHWM to leapfrog other RIAs in the industry …”

John Stuart, CIO, Beverly Hills Wealth Management

Toward Client Self-Service
While today’s system is designed for internal users, BHWM plans to offer self-service capabilities for clients to access SaaS partner applications for reporting and portfolio analysis. This will require a solution that can be easily branded with the BHWM identity and can scale to support much larger numbers of users as the company expands. And, because BHWM is in a regulated industry governing the company’s handling of client financial assets, the solution must provide end-to-end security. Finally, in line with BHWM’s strategic outsourcing strategy, all systems must be able to run in a hybrid cloud on a variety of virtual machines hosted at a third-party service provider.

A Comprehensive Solution
To meet these complex requirements, Stuart conducted a comprehensive evaluation process. Among the solutions evaluated, only McAfee Cloud Single Sign On could deliver the necessary security, flexibility, and scalability. Not only can McAfee Cloud Single Sign On deliver a BHWM-branded experience to users, but the system can be tailored to meet the needs of both internal and external users—with both provisioning/deprovisioning and standards-based SSO capabilities.

A Seamless User Experience
For target systems that don’t support the SAML standard for federated SSO, McAfee Cloud Single Sign On provides the ability to create custom connectors that support HTTP forms. Using the custom connector, the solution captures credentials the first time a user logs on to the target application, encrypts and stores them in a secure database, and then replays them whenever the user attempts to log on to the SaaS application.

McAfee Cloud Single Sign On also runs as a credential interface to the Maestro portal front end. Users log on to the portal with their internal credentials and, once authenticated, are shown a personalized page with icons organized by application function or the SaaS application itself. Any SaaS application that is injected into the portal through an iframe is rebranded and tailored to work in the user’s environment. Users never have to leave Maestro, and they never see the applications they are not allowed to run. To launch an application, they click on its icon; there is no need to enter additional credentials. McAfee Single Sign On also has a strong authentication feature based on out-of-band delivery of a one-time password (OTP) that BHWM can implement in the future.

Moving Forward
BHWM is currently in the process of completing its web infrastructure, starting with an externally facing customer portal powered by Maestro and then moving to deliver McAfee Cloud Single Sign On to internal users. Custom connectors will be provided for SaaS partners that use HTTP forms for user authentication and authorization. BHWM is expected to begin deploying the system early in 2012. McAfee Cloud Single Sign On logging and reporting capabilities will enable BHWM to rapidly develop compliance reports that can be used to address regulatory requirements concerning access to sensitive, personal customer data.

A Foundation for Future Growth
BHWM foresees rapid growth in 2012. Stuart anticipates that the flexibility of McAfee Cloud Single Sign On will enable the company to seek out other RIAs that don’t have the technology infrastructure, capital investment, or resources to keep pace with technology trends, innovative ideas, and client-driven consumerization. Firms that operate in a legacy RIA environment but want to leverage the Maestro service can be provisioned with the pre-designed efficiencies and partner relationships built by BHWM, while integrating their existing partners and services that continue to provide a competitive advantage.

The Maestro-McAfee Cloud Single Sign On combination will soon have a license opportunity for existing RIAs as an all-in-one RIA SaaS solution. The greatest benefits are to internal BHWM users that are offered the entire Maestro suite with SSO, Internet sites, and more. “The flexibility, security and other capabilities provided by McAfee Cloud Single Sign On will enable BHWM to leapfrog legacy RIA environments and offer an architecture to harness the entire financial services Rolodex in a seamless, connected experience,” said Stuart.

Beverly Hills Wealth Management

Customer profile

Investment counseling and services for high-net-worth individuals


Financial services

IT environment

SaaS infrastructure with application user portal


  • Leverage partner SaaS applications to create competitive advantage
  • Provide internal users with single sign-on (SSO) to SaaS applications from a single portal
  • Manage provisioning and automated de-provisioning of SaaS accounts
  • Comply with industry and regulatory security requirements
  • Deliver a branded user experience
  • Scale the system to meet future growth plans

McAfee solution

McAfee Cloud Single Sign On


  • Increased end-user convenience and productivity
  • Stronger security through elimination of multiple passwords and use of SAML for federated SSO
  • Flexibility to add new SaaS solutions quickly and easily as company grows
  • Integration with enterprise identity repositories for automatic provisioning and de-provisioning
  • Solution that leverages a cost-effective, hosted hybrid cloud environment