In today’s issue of the ‘Voice of the Customer’ series, we dive into the world of fashion with ASOS. ASOS is an online retailer devoted to “fashion with integrity.” With customers all over the world, the company’s ecommerce site must support multiple languages and regulations. It’s critical to the business model that customer data remain safe.
To achieve its business goals, ASOS employs over 4,000 people. It can be challenging to manually provision and deprovision accounts to so many users. Roles change all the time. We invited Mark Lewis, infrastructure architect at ASOS to share how Azure Active Directory (Azure AD) automated user provisioning helps protect the organization and its customer.
Azure AD helps keep our customers’ data safe
By Mark Lewis, Infrastructure Architect, ASOS
ASOS is a global online retailer based in London with offices and warehouses across the UK, the US, and Europe. We aim to be the number one fashion destination for twenty-somethings globally. To reach this goal, it’s important that customers trust us. My role in earning that trust is cybersecurity. If we want customers to return to the site, they must believe their data is safe.
As an infrastructure architect at ASOS, I’m focused on leveraging Azure AD to enhance the security of the organization. For example, we use single sign-on (SSO) and multi-factor authentication (MFA) to protect identities. Recently we enabled Azure AD automated user provisioning, which helped with both security and productivity. In this blog I’ll walk through why we chose Azure AD, our challenges with manual provisioning, and the benefits of turning on automated user provisioning.
Why we chose Azure AD: Identity is the new security perimeter
It used to be easier to protect organizational resources. Software and systems were attached to Active Directory, so each user had one account to manage. The security perimeter was the physical office. That all changed with the expansion of software as a service (SaaS) apps and mobile devices. Now employees access their email from anywhere on their smart phone. They have multiple SaaS accounts dotted all over the internet. The firewall is no longer able to safeguard the organization. To protect our data, we needed to transition to an identity-based security model. We set up an Identity and Access Management team to develop and deliver this new strategy. Azure AD supports the new strategy.
Challenges with provisioning: Inevitable human errors put us at risk
Once we had Azure AD in place, we needed to address provisioning. We support several SaaS apps. However, each team and each role use a different mix of those apps. One of our Tech teams was responsible for creating and closing every user account. When an employee was hired, administrators provisioned identities for all of their apps and accounts. This process could take as long as two hours per employee, depending on the number of apps the user needed. When a user switched roles or left the company, the process was repeated.
As you might imagine, a manual approach is prone to the occasional human error. It was too easy to forget an account. If an administrator missed an account for a new employee, it resulted in productivity loss. If they forgot to deprovision an account when an employee left, it created a security risk. Even if no mistakes were made, there were still issues. The longer an account is active the greater the risk of compromise. Our goal was to remove leavers from accounts within hours of their last day. We struggled to meet that objective because members of the Tech team were having to use a manual, complicated, and time-consuming process.
Azure AD automated user provisioning: better security and increased productivity.
To better secure the organization, creating and closing accounts needed to be much easier. Azure AD automated user provisioning allowed us to do just that. It was easy to implement across several apps because Azure AD supports the SCIM (the system for cross-domain identity management) protocol for provisioning. Now, when a user is hired, they are created in our human resource platform. The details about the employee, such as name and job title, cascade down to Azure AD and out to all the applications the employee may need. On the first day of work the employee is up and running right away.
So far, we’ve onboarded Workplace by Facebook, Slack, ServiceNow and Atlassian Cloud. Users love that they can sign in once with their Azure AD credentials and access all their apps. Soon they will also be able to use those credentials to access an in-house application that supports customers, warehouses, and suppliers. We have also approached other SaaS companies about supporting the SCIM protocol so that we can extend automated user provisioning to additional apps.
Azure AD automated user provisioning meaningfully decreased the human errors that could have made us vulnerable. Now, when a user leaves the company, they are made inactive in Workday and that information flows to Azure AD and all their accounts. I am much more confident that all the relevant accounts are closed. Azure AD reporting provides another fail-safe. We use it to double-check that users have access only to the apps they need and follow up on any issues. Customer data is much safer now that we’ve enabled Azure AD automated user provisioning.
An important part is what's still to come. The Identity and Access Management team is working on identity governance, which will further simplify access granting and access revocation. When everything is set up, we may be able to remove provisioning entirely from the service desk. Human Resources will be able to provision the appropriate accounts through Workday. App managers will make decisions about which apps users should have access to.
I hope the ASOS story gives you some ideas on how you can use automated user provisioning in your own organization. If you are looking for other tips from our customers, take a look at the other stories in the ‘Voice of the Customer’ series.