Seven & i Deploys Authlete to Realize Federated Identity for Japan’s Leading Membership Platform
Seven & i Holdings Co., Ltd. (Seven & i) is a leading global retail group that operates approximately 85,000 stores [1], including 7-Eleven convenience stores, superstores, and specialty stores, in 19 countries and regions around the world [2], including Japan. Seven & i also offers services in lines of business closely tied to people’s daily lives, such as financial services, and continues to expand them, growing as a brand its customers encounter every day.
In 2018, Seven & i introduced the groupwide unified membership identity platform “7iD” in Japan, which allows members to use this groupwide unified ID to enjoy deals when shopping on Seven & i Group store apps and online shopping sites. The number of members has exceeded 30 million [3].
As part of the group’s key strategy, Seven & i is increasing customer lifetime value (LTV) by broadening and deepening touch points with customers through 7iD, and is promoting an integrated retail and finance strategy centered on 7iD. The company also aims to increase the number of 7iD members to 50 million by fiscal year 2025.
Seven & i has adopted OpenID Connect (OIDC) to implement identity federation in 7iD, a leading unified membership identity platform in Japan, and is using Authlete for implementing OIDC.
Objectives
Enhancing security across the Seven & i Group
In the fall of 2019, Seven & i launched a project to enhance security throughout the group. In addition to revising the group’s Basic Policy on Information Security, the company established the Security Management Office to support the establishment of secure environments at each operating company and to evaluate security controls. While the existing Information Management Committee led security enhancement throughout the group, it also became necessary to raise the security level of 7iD, which already had approximately 15 million members at the time.
Renewing the membership platform due to the separation of e-commerce sites
At the same time, to provide more convenient services, Seven & i decided to reconsider the groupwide integrated online retail platform “omni7.” Specifically, the company aimed to improve maintainability and accelerate the frequency of service releases by transitioning the online shopping sites that were operated as subdomains of omni7 to be managed by each group company.
Accordingly, a project to renew the unified 7iD membership identity platform was launched. The membership ID platform, which originally started as an omni7 member ID service, was operated as part of the omni7 platform at the time. However, with the sunsetting of omni7, it was decided to rebuild it as an independent service.
Establishing in-house development and operations
To enhance security and renew the membership identity platform, it became necessary to develop and operate the system in-house.
Outsourcing system development often makes it difficult to maintain a comprehensive understanding of the system being built. Hirokazu Watanabe, Senior Officer of the Group Digital Systems Unit at the Group DX Headquarters of Seven & i Holdings Co., Ltd., said the following:
“If we rely on partner vendors to build our system, our ability to detect security risks may decline, and security reviews and corrective measures by experts may no longer be effective. Furthermore, we needed to develop the system in-house to increase our security controls.”
Seven & i has been building a unified service infrastructure in a hybrid cloud environment with the aim of strengthening the use of IT in both the “offense” aspect of realizing new value creation and the “defense” aspect of maximizing business efficiency. To efficiently operate the 7iD membership identity platform while maintaining high quality as a group, Seven & i felt it was necessary to consolidate expertise in security, as well as the development and operation of the infrastructure, which is the key to “defense.”
Challenges and Preconditions
Implementing OIDC while adhering to existing user authentication
Measures to enhance the security of 7iD began with an assessment of the existing Single Sign-On (SSO) function. The assessment found that 7iD’s SSO at that time was a proprietary design that could cause various problems. The biggest issue was that, because the communication procedures and message sequences between systems followed a company-defined specification rather than a public standard, there was no way to establish whether they were actually secure. In addition, the cost of understanding and implementing these specifications was expected to be a barrier for operating companies when building services.
Consequently, the decision was made to adopt OIDC, an industry standard specification, as the SSO function of 7iD. A prerequisite for adopting OIDC was that the existing user authentication system be preserved: while the SSO would comply with the OIDC standard, the structure of the old membership platform required the continued use of the current user authentication process, including the login screen.
In renewing the membership platform, it was also necessary to run the old and new platforms in parallel, maintaining the proprietary system (old platform) while launching the OIDC system (new platform). This was due to the structure of the e-commerce sites at the time: the Seven & i Group had several online retail sites other than omni7, and the membership management of these non-omni7 sites was linked to the omni7 platform.
When omni7 was split up, the sites built on this platform had to be given OpenID Connect Relying Party (RP) capability, while non-omni7 sites had to keep their existing user authentication functions as they were. Hirokazu looked back on the situation at the time.
“When we separated 7iD within the omni7 platform, unifying everything to OIDC would have been ideal, but we were concerned that doing so would have made it impossible to meet our cost and schedule requirements. We wanted to adhere to the standard specifications, but also be able to build in our own functionality to provide to existing services.”
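The difference between a company-defined SSO sequence and OIDC comes down to what the receiving side is required to verify. As an added example (not Seven & i’s, Authlete’s or omni7’s code, and not showing Authlete’s API, which this page does not describe), the block below implements the Relying Party checks that each e-commerce site needs once it relies on an external OpenID Provider: single-use state against login CSRF, a pinned signing algorithm, signature, iss, aud/azp, exp, and the nonce that ties the ID token to the login attempt the browser actually started. Every issuer URL, client_id, secret and user value in it is constructed; HS256 (client-secret HMAC, which OIDC Core permits) is used so it runs with the Python standard library alone.

```python
"""Added example (not 7iD/Authlete/omni7 code): Relying Party checks for the OIDC
authorization code flow. All issuer/client/user values are constructed. HS256
(client-secret HMAC, allowed by OIDC Core) keeps this standard-library only; an
RP verifying RS256/ES256 via the provider's JWKS applies the same claim checks."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict, key: bytes) -> str:  # provider-side stand-in for fixtures
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class IdTokenError(Exception):
    """The redirect or the ID token failed a required check."""

class RelyingParty:
    def __init__(self, issuer, authz_endpoint, client_id, client_secret,
                 redirect_uri, clock=time.time, skew=60):
        self.issuer, self.authz_endpoint = issuer, authz_endpoint
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.clock, self.skew = redirect_uri, clock, skew
        self._pending = {}  # state -> nonce; in production, the server-side session

    def start_login(self) -> str:
        """Authorization request: state defends against login CSRF, nonce against
        ID token replay. Both are unguessable and bound to this browser session."""
        state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._pending[state] = nonce
        return self.authz_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "scope": "openid",
            "redirect_uri": self.redirect_uri, "state": state, "nonce": nonce})

    def finish_login(self, returned_state: str, id_token: str) -> dict:
        """Validate the redirect and the ID token obtained for its code (the
        back-channel code-for-token call itself is not shown here)."""
        nonce = self._pending.pop(returned_state, None)  # 1. state: known and single-use
        if nonce is None:
            raise IdTokenError("unknown or already-used state (possible CSRF/replay)")
        try:
            header_b64, payload_b64, sig_b64 = id_token.split(".")
            header = json.loads(_b64url_decode(header_b64))
            claims = json.loads(_b64url_decode(payload_b64))
            signature = _b64url_decode(sig_b64)
        except ValueError as exc:  # bad segment count, base64 or JSON
            raise IdTokenError(f"malformed ID token: {exc}") from exc
        if header.get("alg") != "HS256":  # 2. pin the registered alg; rejects alg=none
            raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
        expected = hmac.new(self.client_secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected):
            raise IdTokenError("bad signature")
        if claims.get("iss") != self.issuer:  # 3. issuer and audience (OIDC Core 3.1.3.7)
            raise IdTokenError(f"issuer mismatch: {claims.get('iss')!r}")
        aud = claims.get("aud")
        aud_list = [aud] if isinstance(aud, str) else list(aud or [])
        if self.client_id not in aud_list:
            raise IdTokenError("token not issued for this client")
        if len(aud_list) > 1 and claims.get("azp") != self.client_id:
            raise IdTokenError("multiple audiences without matching azp")
        now = self.clock()  # 4. validity window with a small clock-skew allowance
        if claims.get("exp", 0) <= now - self.skew:
            raise IdTokenError("token expired")
        if claims.get("nonce") != nonce:  # 5. token belongs to the attempt we started
            raise IdTokenError("nonce mismatch (token not for this login attempt)")
        return claims

def demo() -> dict:
    """One valid login and six tampered ones against a fixed clock; returns outcomes."""
    now, secret = 1_700_000_000, b"constructed-client-secret-not-real"
    rp = RelyingParty("https://idp.example.com", "https://idp.example.com/authorize",
                      "shop-a", secret, "https://shop-a.example.com/cb", clock=lambda: now)

    def attempt(mutate):
        q = parse_qs(urlparse(rp.start_login()).query)
        state, nonce = q["state"][0], q["nonce"][0]
        claims = {"iss": rp.issuer, "sub": "user-123", "aud": rp.client_id,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        claims, key, state = mutate(claims, secret, state)
        try:
            return rp.finish_login(state, mint_id_token(claims, key))
        except IdTokenError as exc:
            return str(exc)

    r = {"valid": attempt(lambda c, k, s: (c, k, s))["sub"]}
    r["wrong_issuer"] = attempt(lambda c, k, s: ({**c, "iss": "https://evil.example"}, k, s))
    r["other_client"] = attempt(lambda c, k, s: ({**c, "aud": "shop-b"}, k, s))
    r["forged"] = attempt(lambda c, k, s: (c, b"attacker-key", s))
    r["stale_nonce"] = attempt(lambda c, k, s: ({**c, "nonce": "replayed"}, k, s))
    r["expired"] = attempt(lambda c, k, s: ({**c, "exp": now - 3600}, k, s))
    r["bad_state"] = attempt(lambda c, k, s: (c, k, "not-issued-by-this-rp"))
    return r
```

Calling `demo()` returns the accepted subject for the honest login and the rejection reason for each tampered one. Two design points carry over to any RP: the algorithm is pinned from the client registration rather than read from the token header, and `state` is consumed on first use so a captured redirect cannot be replayed even with an otherwise valid token.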
Applying to hybrid cloud environments that ensure high security
Seven & i Group’s hybrid cloud is composed of a private cloud and a public cloud. Due to the sensitivity of information to be managed by 7iD, it was deployed on a private cloud built within the company’s own data center.
The private cloud is operated under strict security controls: only software that meets the group’s high security standards is used for components such as databases and application servers. An architecture that could fit into such an operating environment was therefore also essential for rebuilding and operating the new 7iD.
Why Authlete?
Highly flexible architecture
For 7iD’s new architecture, Seven & i considered using packaged software and Identity as a Service (IDaaS). However, these options were quickly ruled out, as adopting them on a scale targeting 50 million members would be challenging. More importantly, they would not align with the company’s decision to develop its software in-house and keep the existing authentication system operational in parallel with the new system.
Ultimately, Seven & i adopted Authlete. The major deciding factor was Authlete’s high level of flexibility. Authlete specializes in OAuth/OIDC protocol processing and token management and provides these functions as APIs. Its architecture aligned with Seven & i’s in-house software development policy while utilizing existing systems such as user authentication and membership management.
Swift compliance with latest standard specifications
One of the reasons for adopting Authlete was its high level of OIDC compliance. While in-house software development was a prerequisite for the project, it was undesirable to internally implement the OIDC standards as it did not contribute to Seven & i’s competitive advantage. Prime examples of this are protocol processing and token management related to OAuth/OIDC. With that said, however, even though these functions are not core to its business, they could become a major security issue if not implemented correctly and kept updated to reflect changes to the OAuth/OIDC specifications.
Considering these circumstances, Seven & i valued that Authlete implements a broad range of the OAuth/OIDC specifications and is quick to support new ones. Based on this track record, the company believed that by incorporating Authlete into 7iD, it could offload the burden of ensuring a correct implementation and keeping up with specification updates. Hirokazu said the following:
“We believed Authlete was the optimal solution for ensuring compliance with standard specifications while still developing the parts for existing services ourselves.”
Support for on-premises environments
Authlete provides two deployment options: a cloud version (using APIs managed and operated by Authlete in the cloud) and an on-premises version (installing and operating Authlete software within the company’s own environment). Because 7iD was to be deployed in Seven & i’s own datacenter, the availability of an on-premises option was an essential requirement. Authlete was also evaluated for its compatibility with Seven & i’s operating environment, which has highly secure measures in place.
Outcome and Benefits
Enabling OIDC-based secure SSO environment
The restructuring of the membership platform was carried out in several phases. The first phase was in early 2022. 7iD, which had previously been part of omni7, was separated and made independent as a new membership identity platform.
In the spring of 2022, the OIDC authentication feature was added to the new membership platform. Then, in the summer of the same year, omni7 was split into six e-commerce sites. These sites were modified to support OIDC to rely on the new membership platform. Omni7 was then closed after the migration of all online retail sites was completed.
In the summer of 2023, the OIDC feature was also made available for mobile apps, enabling SSO between each company’s e-commerce site and app.
Business benefits recognized by top executives
The benefits of SSO, including those for mobile apps, became apparent immediately after it was launched. SSO between apps was particularly effective.
The “7-Eleven app” provided by Seven-Eleven Japan is a service used by over 24 million 7iD members. The ability to smoothly switch from the 7-Eleven app to other apps without having to re-authenticate users has contributed greatly to the acquisition of new app members.
In fact, when the official app for “7NOW,” a delivery service that allows customers to easily have Seven-Eleven products delivered to their homes, was launched in September 2023, the number of users suddenly increased due to the influx from the 7-Eleven app.
The keywords “SSO” and “OIDC” had also permeated the management team at Seven & i.
“Top executives used the terms SSO and OIDC in company-wide meetings to explain the customer referral effects to all employees. It was invigorating, and I sensed their high expectations.”
It has become a groupwide principle to ensure that the services and apps newly launched by Seven & i Group are compatible with SSO and OIDC.
Shortening time-to-market and improving vendor management
Using Authlete in the membership platform and being fully compliant with OIDC not only enhanced security and improved usability, but it also produced additional benefits.
First, Seven & i established a “common language” by moving away from proprietary specifications. There is a wide variety of services linked with 7iD, and this number is expected to continue to increase in the future. In such a situation, if the 7iD membership identity platform defined and implemented its own SSO specifications, it would require a lot of effort to get the developers of each service to understand the proprietary specifications.
By adopting the industry standard OIDC and ensuring strict compliance with it using Authlete, the time and effort required for service integration were reduced. This accelerated SSO integration with 7iD and was the driving force behind shortening the time-to-market.
Furthermore, the adoption of OIDC has also helped strengthen control over the development structure of the 7iD membership identity platform itself. A development team for a large-scale system is inevitably multi-layered and divided into different groups, raising the concern that the system’s detailed security implementation becomes a black box left to external contractors. Seven & i, which operates a very large membership platform with a target of 50 million users, is no exception.
To eliminate this issue, Seven & i has established a system where employees learn OIDC themselves, enabling them to instruct vendors on the type of OIDC system to build and how it should be implemented. By collaborating with partner vendors to advance development and operation, the company has achieved a very high level of in-house development.
Business benefits derived from the operational stability of Authlete
The source of these various benefits is the operational stability of Authlete. The OIDC infrastructure built using Authlete has been running smoothly without any major issues since its release.
“Operational stability is essential for an authentication platform. When building the OIDC infrastructure, we did not encounter any problems that were attributable to Authlete. Using Authlete enabled us to proceed more smoothly.”
Because Authlete supplied a reliable implementation of new OAuth/OIDC specifications as soon as they were needed, Seven & i could focus on developing the features its business required.
Continuously rising expectations for 7iD
The role of 7iD at Seven & i will continue to expand. 7iD is essential in realizing a world where various services inside and outside the group work together to enhance benefits, centered on the customer’s ID, through synergies in financial services within the group and close collaboration with partner companies. Hirokazu explained his expectations for Authlete as follows:
“We envision use cases in which ID federation will be expanded to business sectors other than retail, such as finance. With that worldview in mind, we are maintaining compliance with the OIDC standard. Even if we need to support specifications such as FAPI in the future, we feel reassured knowing that Authlete will be able to flexibly support them.”
Authlete will continue to support the evolution of 7iD through its reliable implementation of OIDC, swift support for new specifications, and provision of high-quality software.
[1] Domestic figures are as of the end of February 2024, while overseas figures are as of the end of December 2023
[2] As of the end of August 2024
[3] As of the end of June 2023