As one of the world’s largest retailers, with about 500,000 employees and 2,700 stores, just keeping the lights on is a full-time job for Kroger. But maintaining the Cincinnati, Ohio-based company takes a lot more than that. The company is responsible for supporting more than 300 applications used by staff at its various locations, including stores, distribution centers, and manufacturing plants.
One of the biggest challenges Kroger has, in fact, is ensuring that all staff members are fully vetted and authenticated, since they often need to access applications that contain sensitive data.
“At every step, we want to be confident that you are who you say you are when you’re using any of our systems,” said Rob Lenhof, corporate information security technology manager at Kroger.
While Kroger has long focused on identity and access management (IAM), it ended up with a handful of different IAM tools, largely due to mergers and acquisitions over time. Lenhof’s team did its best to consolidate these systems, but the task grew more complex as time went on.
To make matters worse, Kroger’s existing single sign-on software, Symantec SiteMinder, would soon reach end of life. The team considered sticking with its existing IAM tools before realizing that doing so would require manually rewriting hundreds of applications. So, the team abandoned that idea.
Yet Lenhof still wanted to find a way to consolidate its IAM tools as much as possible.
“Our nirvana state is having everything consolidated, with one place that verifies that you are who you say you are and provides access to data and applications you need to do your job,” Lenhof said.
The ideal state would also mean less reliance on legacy authentication protocols.
Legacy IAM Tools Create Migration Challenges
The first step in meeting those goals was to move identities from SiteMinder into Microsoft Windows Azure Active Directory (AD) using Microsoft’s Cloud Connect Sync. Azure AD is a system for managing end user identities and access privileges. While Azure AD was an improvement, it wouldn’t satisfy all identity requirements. For example, it couldn’t protect the many web applications Kroger uses.
Kroger decided to replace its legacy IAM tools. The problem was, Lenhof said, Kroger’s hundreds of applications all required usernames and password, and the way each used authentication and authorization varied greatly.
“We needed to find the balance between end user productivity and security,” Lenhof said. “You don’t want to require a user to do multifactor authentication 10 times a day.”
Yet multifactor authentication is critical and must be part of any identity authentication process, and legacy authentication protocols don’t support it, he added.
To fill the gaps, Kroger adopted Strata’s Maverics Identity Orchestration Platform, which unifies and automates identity management, providing authentication without having to modify any source code. The software works as an abstraction layer that decouples applications from identity and natively integrates with all cloud platforms, cloud identity systems, and on-premises identity and app infrastructures.
Before diving in, the team started the transition by taking stock of all applications currently in use. For example, there may be an obscure line-of-business application that runs checkout registers at one of the 20 brands under Kroger.
With a full list of applications, the team started by converting its own applications first. “Our thinking was that if we can convert those applications successfully without interrupting the business and without impact to the end user, we could move forward,” Lenhof said.
After migrating applications, the IT team could fully move to Azure AD and shut down SiteMinder.
Benefits of the IAM Upgrade
Today, the company uses Azure AD for authentication. Once a user is authenticated, Maverics takes over to orchestrate authorization and provide any additional attributes that a web application would expect to see from a signed-in user.
Because the IAM upgrade had been completed before the COVID-19 pandemic, Kroger found itself prepared for the dramatic changes to come. Shopper’s preferences shifted, leaning more toward online ordering and pickup than in-store shopping. As a result, Kroger had to quickly scale up and out some of its applications. However, in terms of IAM, there was no disruption, Lenhof said.
Now that the system is working well, Lenhof is ready to move onto other projects. One of those projects is to standardize identity policies across multiple platforms. The team also is considering a passwordless approach to access, which Lenhof said would make processes even easier.