Today’s post was written by Sue Bohn, Director of Program Management at Microsoft, and Simon Cheng, who is responsible for Identity and Access Management at lululemon.
Happy New Year and welcome to the next installment of the Voice of the Customer blog series. My name is Sue Bohn and I am the director of Program Management for Identity and Access Management. Last time, we featured The Walsh Group. I’m really excited about this blog featuring lululemon. Holiday shopping for my family becomes a piece of cake with a trip to lululemon! My niece has nearly every color of Align leggings! The story of lululemon here inspired me to reflect on what you can achieve when you step back and look at where you want to go.
Simon Cheng, responsible for Identity and Access Management at lululemon, is today a strong believer that every step towards cloud Identity and Access Management makes you more secure, but that wasn’t always the case. Read on to learn more about lululemon’s experience implementing Azure Active Directory (Azure AD).
Too many apps, too many passwords
At lululemon, our journey to Azure AD began with two overarching business requirements: 1. Secure all our apps and 2. Simplify user access. We knew, based on the typical behavior we’ve seen in the past, that most of our users were likely using the same corporate password across all the apps they use, including the ones we don’t manage. This meant that if even just one of these apps had security vulnerabilities, a hacker could exploit the vulnerability to get into our corporate resources. And we would have no idea! Our security is only as strong as the weakest app being accessed, and so if you can imagine the challenge was that we had over 300+ applications! To protect our corporate resources, we needed to ensure that the authentication process for each app was secure.
Our shadow IT environment wasn’t just a security challenge, it also frustrated our users. Over and over we heard there are “too many portals and too many passwords.” This sentiment drove our second business requirement, which we boiled down to an overriding principle: “Not another portal, not another password.” So, our solution needed to address security and simplify user access without reducing business flexibility. The obvious answer was to consolidate identities, and this quickly led us to Azure AD and Microsoft Enterprise Mobility + Security (EMS). As an Office 365 customer, our users were comfortable and familiar with the Office 365 sign-in experience, and so it was an easy decision. Once we had chosen a solution, our next big task was rolling it out without disrupting our users, which is really where my concern was—would our users embrace it?
Single Sign On (SSO) sells itself
When we began the rollout of Azure AD, our top concern was whether our employees would comply. As it turns out I completely underestimated our users, and my concerns were really nothing. Within three months of the Azure AD rollout, our users loved the SSO experience so much that the business units came to us requesting that additional apps get rolled on. Even risk-based Multi-Factor Authentication (MFA) enforced by Azure AD conditional access policy feature went smoother than I expected. We hardly heard any complaints and even fewer calls on how to set it up. For highly sensitive apps, such as our financial and HR apps, we followed a recommended approach to enforce MFA at every sign-in. For several other less sensitive apps, we were able to prioritize user experience and protect them with risk-based conditional access rules.
In 2013, we had two apps onboarded: ServiceNow and Workday; now we have over 200! And every single one of our 18,000 users are protected by conditional access and MFA. I am really proud of this accomplishment as it has enabled higher productivity for our organization while maintaining stronger security because our employees are using it! This experience taught me not to underestimate our users, and I think this is because they are familiar with security measures, having already learned to do so through consumer services such as social media. Had I known this when we started, I would have deployed Azure AD much sooner.
The cloud allowed us to implement more security features faster than we ever could on-premises
Once we had Azure AD deployed, our next project was to implement Azure AD Privileged Identity Management (PIM). Azure AD PIM allows us to enable “just in time” administrative access, which significantly reduces the possibility that our administrative accounts will get compromised. Launching PIM was an eye-opening experience! This is a capability that is very labor intensive and time consuming to operate typically.
I am constantly delighted with how fast I can deploy services in the cloud, Azure AD PIM being a prime example. More often than not, the trap I’ve seen organizations fall into is that they plan based on capabilities that exist within solutions rather than what’s needed to secure their users. This is exactly where Azure AD and cloud wins over on-premises solutions. My takeaway has been that it is better to step back and plan what needs to be done for my organization and then just let the cloud services roll in almost automagically. Of course, where there are gaps, I work directly with the Azure AD engineering team!
Just in the last year, we have deployed, from pilot to production:
- Azure AD Connect implementation and Self Service Password Reset (SSPR) migration from the old tool (6 weeks)
- MFA registration, Azure AD conditional access, and Azure AD Identity Protection (7 weeks)
- Microsoft Advanced Threat Analytics (3 weeks)
- Group-based licensing (3 days)
- Azure Information Protection (8 weeks)
- Azure AD Privileged Identity Management (3 days!)
- Countless apps (each in a matter of hours!)
Learnings from lululemon
A big thanks to Simon! It is always great to learn from our customers’ deployments. In lululemon’s case, the need to take a step back and develop a plan based on the security goals, rather than a set of capabilities, really hits home. We can always plan something in the confines of what we currently have, but the fact is that new features get rolled out at cloud speed. It is great to see customers like lululemon deploy services in the cloud so quickly and benefit from them. Come back to our Secure blog to check in on our next customer blog and also read some other articles around Identity and Access Management and Zero Trust Networks.