
Retail businesses have always been customer-centric, but the definition of customer-centricity has changed. In the past, consumers were satisfied with attentive store associates and broad selections of goods. Now, they want a digital experience as well, and even if they’re not shopping online, they want to know they can trust a merchant to protect their personal data. And there’s plenty of data. Merchants are gathering customer data in unprecedented volumes, and those data stores are particularly attractive targets for cyber criminals.

Last year alone, Kmart, Forever 21, Saks, and Brooks Brothers were just a few of the brands that made headlines when they failed to protect customer data from attackers. These thefts don’t go unnoticed by consumers. According to the KPMG Cyber Consumer Loss Barometer, 20 percent of shoppers surveyed said they’d stop shopping at a brand if it were breached. Over 30 percent said they’d postpone shopping at a breached brand for three months. Adding to the cost of lost business are the costs of remediation, business disruption, legal expenses, identity repair and monitoring, regulatory penalties, and other clean-up costs, which average about $7 million for every breach.

Hackers may slip into a retail organization’s network by hopping over from a vendor’s network. A typical mid-sized vendor has hundreds or even thousands of trading partners, and no assurance that any one of those providers is mounting a strong defense of its networks. Merchants may invest heavily in security, but many don’t pay enough attention to their greatest vulnerability: identity and access management. They might as well put their entire business into a giant safe and scribble the combination right next to the lock. One might say, identity is today’s firewall.

How Optimal IdM Supports Retail Transformation

Merchants have traditionally relied on security solutions that focus on employee activities and internal security. These solutions were designed to manage a fixed number of users performing a set number of tasks. But that’s not how business works anymore. In addition to scaling access to accommodate seasonal employees, retail businesses need to be able to scale access for customers as well as software development teams and other technologists. And, of course, access must be convenient for everyone; otherwise, customers will go elsewhere and internal users will lose efficiency and overload the support desk with calls for password resets.

Single Sign-On and Federated Identity

One way Optimal IdM helps merchants do business safely in the digital marketplace is with single sign-on (SSO). Federated SSO lets users log into multiple systems with one set of credentials. The credentials are stored at a trusted identity provider (IdP), like Optimal IdM’s secure LDAP repository, and then referenced by service providers (SPs) — other applications or services that trust the IdP. For users, this translates into greater productivity and freedom from the frustration of multiple passwords in disparate, untrusted application directory silos. Optimal IdM’s SSO Federation Broker can be set up as an IdP, SP/RP or reverse proxy. We support literally thousands of legacy on-premises applications (even custom applications developed internally) as well as virtually every SaaS application on the market.
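The IdP/SP trust relationship described above, reduced to its essentials: the IdP authenticates the user against its own directory and issues a signed, short-lived assertion for one named service provider; the SP stores no passwords and only checks the signature, issuer, audience, validity window and a replay cache. This is an added example, not Optimal IdM’s code or the SAML/OIDC wire format; the shared HMAC key, the issuer URL and the application names are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key shared by the IdP and the SPs that trust it. A real
# federation (SAML, OIDC) signs with the IdP's private key and publishes the
# public half; an HMAC keeps this stand-alone example on the standard library.
IDP_KEY = b"example-idp-signing-key-not-for-production"
IDP_ISSUER = "https://idp.example.test"   # constructed issuer identifier


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(key, subject, audience, ttl=300, now=None):
    """IdP side: after the user authenticates against the IdP's own directory,
    issue a short-lived assertion bound to exactly one service provider."""
    now = int(time.time() if now is None else now)
    claims = {
        "iss": IDP_ISSUER,
        "sub": subject,                # the user as known in the central directory
        "aud": audience,               # which SP this assertion is for
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_hex(8),   # unique id so the SP can reject replays
    }
    body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    signature = b64url_encode(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{signature}"


class ServiceProvider:
    """SP side: holds no user passwords, only the IdP key and a replay cache."""

    def __init__(self, idp_key, audience, clock_skew=60):
        self.idp_key = idp_key
        self.audience = audience
        self.clock_skew = clock_skew
        self.seen_ids = set()

    def verify(self, assertion, now=None):
        """Return (subject, 'ok') or (None, reason). The signature is checked
        first, so nothing inside an unauthenticated body is ever trusted."""
        now = time.time() if now is None else now
        try:
            body, signature = assertion.split(".")
            presented = b64url_decode(signature)
        except ValueError:
            return None, "malformed"
        expected = hmac.new(self.idp_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):
            return None, "bad signature"
        claims = json.loads(b64url_decode(body))
        if claims.get("iss") != IDP_ISSUER:
            return None, "unknown issuer"
        if claims.get("aud") != self.audience:
            return None, "wrong audience"   # a POS assertion is useless at the HR portal
        if not (claims["iat"] - self.clock_skew <= now < claims["exp"]):
            return None, "expired or not yet valid"
        if claims["jti"] in self.seen_ids:
            return None, "replayed"
        self.seen_ids.add(claims["jti"])
        return claims["sub"], "ok"


if __name__ == "__main__":
    pos = ServiceProvider(IDP_KEY, audience="pos")
    token = idp_issue_assertion(IDP_KEY, "jdoe", audience="pos")
    print(pos.verify(token))                      # ('jdoe', 'ok')
    print(pos.verify(token))                      # (None, 'replayed')
    print(ServiceProvider(IDP_KEY, "hr-portal").verify(token))  # (None, 'wrong audience')
```

The audience check is the part most often skipped in home-grown SSO: without it, any assertion the IdP issues for one application is accepted by every other application that trusts the same IdP.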

Monitoring & Reporting

A single IdP (even one that is split into multiple redundant, load-balanced and geo-distributed instances) allows for a single source of monitoring, reporting and troubleshooting. All authentication (AuthN) attempts can be logged and, optionally, forwarded to third-party SIEMs. Some customers take advantage of the Virtual Directory technology embedded in our SSO Federation Broker to provide additional reporting detail. For instance, we can provide DN translation to show familiar names for users across hundreds of untrusted A.D. forests — e.g. converting a nearly unusable A.D. SID into a familiar name like JOHN DOE. This one simple feature will take your reporting to a whole new level of productivity.

A Single Point of Management for Identity Security Access Policy

Additionally, Optimal IdM’s SSO Federated Identity solution supports multi-factor authentication (MFA) at the Broker level and supports MFA policy in the cloud, on-premises, or in a hybrid environment. Note that the most ubiquitous directory services vendor can’t reach to/from the cloud and on-premises in the same architecture, nor can it provide the per-application/per-user MFA support that Optimal IdM provides.

Virtual Directory Services

Optimal IdM’s Virtual Directory technology, Virtual Identity Server (VIS), is embedded in our SSO Federation Broker service and provides a unique differentiator. Brick-and-mortar retail environments, which often have branch office servers, multiple A.D. forests and other LDAP directories distributed per store/branch, can greatly benefit from our Virtual Directory technology. VIS provides a single view of all connected directory services (thousands of them) in a single management console — without synchronization. VIS also provides an enhanced application environment that allows organizations to rapidly and easily deploy applications to multiple existing Active Directory forests or directories without extending the AD schema for third-party applications. Multi-forest Active Directory support gives organizations a single real-time view of identity data from any data store. For more information on Optimal IdM’s Virtual Directory, download our 101 Uses for a Virtual Directory whitepaper.

LDAP Migration

Migrating from one LDAP directory to another (e.g. from SUN to Active Directory, or even consolidating A.D. forests) is a complex challenge that many businesses avoid, or pay hundreds of thousands of dollars in consulting fees to complete. VIS can easily and immediately solve that problem by emulating the old LDAP platform while proxying requests to the new LDAP environment. Merchants can make decisions based on what they want to do, not on what their directories will allow. Optimal IdM’s Virtual Directory may be the missing piece for brick-and-mortar retail implementations.
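Two of the virtual-directory behaviours described on this page, the LDAP migration case just above (emulating an old SUN-style tree while proxying to Active Directory, without synchronization) and the DN translation used for reporting in the Monitoring & Reporting section (turning an opaque A.D. SID into a familiar display name across several forests), as one added example. It is not VIS code and does not speak LDAP on the wire: the two "forests", their DNs, attribute values, SIDs and the legacy base DN are constructed stand-ins held in a dictionary, and only simple equality filters are handled.

```python
import re

# Constructed stand-in for two Active Directory forests, keyed by forest name
# and then by DN. A real virtual directory would proxy each query to live
# domain controllers; here the backend is an in-memory dict.
FORESTS = {
    "corp": {
        "CN=John Doe,CN=Users,DC=corp,DC=example,DC=test": {
            "sAMAccountName": "jdoe", "displayName": "John Doe",
            "mail": "jdoe@example.test",
            "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    },
    "stores-east": {
        "CN=Ana Smith,CN=Users,DC=east,DC=stores,DC=example,DC=test": {
            "sAMAccountName": "asmith", "displayName": "Ana Smith",
            "mail": "asmith@stores.example.test",
            "objectSid": "S-1-5-21-4444444444-5555555555-6666666666-2201"},
    },
}

# Base DN the legacy (SUN-style) applications keep searching under (constructed).
LEGACY_BASE = "ou=People,dc=example,dc=test"

# Legacy attribute name -> AD attribute name, and the reverse for responses.
ATTR_MAP = {"uid": "sAMAccountName", "cn": "displayName", "mail": "mail"}
REVERSE_ATTR_MAP = {ad: legacy for legacy, ad in ATTR_MAP.items()}

# Only simple equality filters such as (uid=jdoe) are handled in this example.
EQUALITY_FILTER = re.compile(r"^\((\w+)=([^()*]+)\)$")
SID_PATTERN = re.compile(r"S-1-5-21(?:-\d+){4}")


def translate_filter(legacy_filter):
    """Rewrite a legacy equality filter onto the attribute the AD backend knows."""
    m = EQUALITY_FILTER.match(legacy_filter)
    if not m:
        raise ValueError("only simple equality filters are supported in this example")
    attr, value = m.groups()
    if attr not in ATTR_MAP:
        raise ValueError(f"attribute {attr!r} has no mapping to the new directory")
    return ATTR_MAP[attr], value


def backend_search(attr, value):
    """Stand-in for the proxied query, fanned out across every connected forest."""
    hits = []
    for forest, entries in FORESTS.items():
        for dn, entry in entries.items():
            if entry.get(attr) == value:
                hits.append((forest, dn, entry))
    return hits


def virtual_search(base, legacy_filter):
    """Answer a legacy LDAP search the way the old directory would, with no sync."""
    if base.lower() != LEGACY_BASE.lower():
        return []  # the emulated tree exists only under the legacy base
    attr, value = translate_filter(legacy_filter)
    results = []
    for _forest, _dn, entry in backend_search(attr, value):
        legacy_entry = {REVERSE_ATTR_MAP[k]: v for k, v in entry.items() if k in REVERSE_ATTR_MAP}
        legacy_entry["objectClass"] = ["inetOrgPerson"]
        # The DN is rewritten so the application never has to learn the real AD layout.
        results.append((f"uid={entry['sAMAccountName']},{LEGACY_BASE}", legacy_entry))
    return results


def friendly_name_for_sid(sid):
    """DN translation for reporting: map an opaque SID to 'Display Name (forest)'."""
    for forest, _dn, entry in backend_search("objectSid", sid):
        return f"{entry['displayName']} ({forest})"
    return None


def enrich_log_line(line):
    """Replace every SID in a log line with its friendly name before it reaches the SIEM."""
    return SID_PATTERN.sub(lambda m: friendly_name_for_sid(m.group(0)) or m.group(0), line)


if __name__ == "__main__":
    print(virtual_search(LEGACY_BASE, "(uid=jdoe)"))
    print(enrich_log_line("LOGON subject=S-1-5-21-4444444444-5555555555-6666666666-2201 result=SUCCESS"))
```

Because the application only ever sees `uid=...,ou=People,...` entries, the forests behind the proxy can be consolidated, renamed or migrated without touching the application; unmapped attributes are rejected loudly rather than silently returned empty, which is the failure mode that usually surfaces months after a migration.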

Identity Access Management for Retailers

Every customer vertical has unique needs related to identity management. Retail has several. Retail companies have many branches and a transitional workforce outside the home office, which includes contractors and seasonal workers. Because of this, retail is attacked both from within and by external forces targeting the branch offices. As you read a few of these examples, remember this: “Identity is today’s firewall!”

Employee Turnover

Median turnover rates for part-time retail workers were as high as 74.9 percent in 2013. Every admin who administers a directory service is aware of the amount of work it takes to provision and deprovision users for each application a new employee needs to use. Productivity in retail requires quick access to systems and services in the stores; however, most organizations do not have the same urgency to deprovision (disable or delete) a user account in the directory service(s) when someone leaves. Often there are thousands of orphaned accounts in those systems. Not to mention, the primary concern for a terminated user is immediate, real-time denial of access. Many identity management vendors cannot provide real-time access denial because their systems rely on a synchronization cycle between directory services and possibly some workflow decisions between systems, like HR and payroll. While the workflow could kick off immediately, there could be a significant wait for the synchronization cycle to complete. The time spent waiting on a synchronization cycle (or on a helpdesk or admin to manually disable/delete/deny access) is a window during which you are at risk.
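One way to measure the deprovisioning window the paragraph above describes, and to catch accounts that were used inside it, is to join the HR termination feed against the IdP’s authentication log. The following is an added example, not Optimal IdM code: the termination times, the log format (`timestamp EVENT key=value ...`), the account names and the IP addresses are all constructed, and the same logic would run over whatever your federation broker or SIEM actually emits.

```python
from datetime import datetime, timezone

# Constructed HR feed: account -> time the person was terminated (UTC).
TERMINATIONS = {
    "jdoe": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc),
}

# Constructed authentication / administration log from a central IdP.
AUTH_LOG = """\
2024-03-01T16:45:00Z AUTHN user=jdoe app=pos result=SUCCESS src=10.20.1.15
2024-03-01T18:30:00Z AUTHN user=jdoe app=inventory result=SUCCESS src=10.20.1.15
2024-03-01T19:00:00Z DISABLE user=jdoe actor=helpdesk
2024-03-02T07:10:00Z AUTHN user=jdoe app=hr-portal result=FAILURE src=203.0.113.9
2024-03-02T08:55:00Z AUTHN user=asmith app=pos result=SUCCESS src=10.20.3.2
2024-03-03T11:00:00Z AUTHN user=asmith app=pos result=SUCCESS src=10.20.3.2
2024-03-03T11:05:00Z AUTHN user=bjones app=pos result=SUCCESS src=10.20.3.4
"""


def parse_line(line):
    """Split 'timestamp EVENT k=v k=v' into (datetime, event, fields)."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, event, fields


def parse_log(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def post_termination_logins(log_text, terminations):
    """Successful authentications by an account after HR says the person left.
    Every hit is access that real-time denial would have prevented."""
    findings = []
    for when, event, f in parse_log(log_text):
        term = terminations.get(f.get("user"))
        if event == "AUTHN" and term and when > term and f.get("result") == "SUCCESS":
            findings.append({
                "user": f["user"], "app": f["app"], "src": f["src"], "at": when,
                "after_termination": when - term,
            })
    return findings


def deprovisioning_windows(log_text, terminations):
    """Termination -> first DISABLE event per account; None means still open,
    i.e. an orphaned account that can still authenticate."""
    disabled = {}
    for when, event, f in parse_log(log_text):
        if event == "DISABLE":
            user = f["user"]
            disabled[user] = min(when, disabled.get(user, when))
    return {user: (disabled[user] - term if user in disabled else None)
            for user, term in terminations.items()}


if __name__ == "__main__":
    for hit in post_termination_logins(AUTH_LOG, TERMINATIONS):
        print(f"{hit['user']} reached {hit['app']} {hit['after_termination']} after termination from {hit['src']}")
    for user, window in deprovisioning_windows(AUTH_LOG, TERMINATIONS).items():
        print(f"{user}: deprovisioning window {'still open' if window is None else window}")
```

On the constructed data, jdoe authenticated to the inventory system 90 minutes after termination and was disabled two hours after it, while asmith was never disabled and logged in again the next day; the second case is exactly the orphaned-account condition the paragraph warns about, and an open window in this report is the thing to alert on.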

Disconnected Directory Services

Islands of disconnected directory services put retail companies at risk. Orphaned objects, privileged accounts and a lack of password policies are just a few of the issues that lead to major security incidents. Multiple A.D. forests provide another obstacle. Often companies pay hundreds of thousands of dollars to pull in consulting services to consolidate and/or migrate many forests into just a few. This, in our view, is often a waste of time, resources and money. What if you could connect, manage and authenticate to hundreds of A.D. forests in a matter of moments? #OptimalDifference

Unique Workflow

Optimal IdM’s customers have often asked us to tackle unique workflow and configuration needs in the authentication process. Most vendors are not able to meet these needs because they offer a cloud option that requires companies to adapt to that vendor’s offering — often at the expense of compliance or secure business processes. But Optimal IdM is different.

Why Optimal IdM is Different

Optimal IdM not only provides a multi-tenant option, but also a distinctly separate, siloed, single-tenant, private cloud solution to each and every customer. You share nothing with our other customers. This means we are able to adapt and configure our offering to your business and compliance requirements. Optimal has some of the largest, most complex federation implementations on the planet. With our concierge services (included in all of our solutions), customers simply call us with needed configuration requests, and we’ll do them for you — no expertise needed on your staff. Learn more about the OptimalDifference. Call or contact us today.
