On 4 March 2024 at Gartner’s UK Identity & Access Management Summit, Simon Langley, ASDA’s Chief Information Security Officer (CISO), joined Steve Bradford, SailPoint Senior Vice President (SVP), on stage for a discussion of how to implement a strong identity security program.
In an engaging Q&A, Simon shares how his team matched the pace and velocity of a changing identity landscape and digital ecosystem, all while continuing to enable the business. He also reveals how, as one of the UK’s largest supermarket retailers, ASDA implemented a robust identity program designed to improve compliance, user experience, and employee lifecycle management across 138,000 users, outlining key steps and pitfalls to avoid along the way.
Read on to discover ASDA’s successful transformation journey to a unified identity security program.
Hi Simon, thanks so much for taking the time to share your story. Let’s begin with the basics: please give us a little background on the ASDA brand.
ASDA is Britain’s third-largest supermarket chain, with around 829 stores and £20.4 billion in revenue. We’re a longstanding company based in Leeds in the UK, and we were previously owned by Walmart before a takeover in 2021.
Walmart is an enormous organisation with annual revenues of about half a trillion. It does lots of things very well, but its size can also breed inflexibility and you often simply have to follow what the leadership tells you to. That meant at ASDA, we had little freedom to manage our own identities or IT infrastructure. Now that we’ve separated from Walmart, we’ve been effectively building new infrastructure from scratch, which is a big ask for a £20bn company.
Could you tell us more about the demerger from Walmart, and where you are in your identity program today?
Of course. Previously, our identities were all Walmart identities, part of their on-premises Active Directory (AD) forest. So, when we left, we had to set up a completely new identity for each employee – all 138,000 – the majority of whom are frontline staff, people in shops and warehouses, and so on. We also have around 6,000 contractors, whom we manage on a separate system. Today, all of these people are logged into Workday, integrated with SailPoint, and SailPoint ServiceNow for request management and more.
Most of our products today are cloud-based rather than on-premises. Similarly, many businesses across Europe are shifting to the cloud for a variety of reasons – could you tell me what was behind ASDA’s decision to do so?
Lots of organisations today talk about being cloud-first, but we made a conscious decision to become almost cloud-only. The cloud offered an interesting opportunity for us to completely reshape our identity management – it was like a greenfield site for a £20bn company.
Early on, we decided we didn’t want to tie ourselves down to infrastructure, so this immediately lent itself to using software as a service (SaaS) or cloud-hosted solutions. Then, looking back to my experience as CISO and sponsor for the identity program at (UK supermarket) Morrison’s, we looked at the SailPoint solution as a potential tool. Fast forward, and I realised that it fit perfectly with ASDA’s new infrastructure and the future of where we’re heading. So, we went with SailPoint Identity Security Cloud and so far, integration has been straightforward – it’s gone really well.
What was the sign-off process and the building of the business case like for your new identity program? Are you being held accountable for whether you’ve achieved your initial goals?
It was important to me to make sure we had the right funding upfront, so I had to clearly demonstrate the value of what it is we’re delivering and to keep the board informed.
We have a monthly security governance forum where I present and report on all sorts of security risks. Fortunately, senior colleagues haven’t been too picky regarding progress against my program scope, and only really want to hear about anything that could go wrong and the plans to mitigate against it. It’s really been about risks and issues and expanding on progress, rather than having to answer for what we’ve done.
As an identity expert, could you explain the importance and business value of identity to those who are unfamiliar with it?
As a CISO, what I care most about is any security risk to the business. Cyber incidents and data breaches are a big concern, but so is identity. There are some areas of our business where we have a really high turnover of staff; for instance, over Christmas we take on thousands of short-term workers. If we only need them to work for two days but it takes us a week to give them an identity on our systems, they won’t be able to do anything except twiddle their thumbs and we’ll be paying them for nothing. So, we need to onboard people efficiently to make sure they quickly have the correct access rights.
A lot of access provision in the old-world environment was largely done manually. I don’t know how many people Walmart has working on identity alone, but I think they have almost 2,000 security staff. Most of us don’t have the resources to replicate that, so we need to rely on technology and services like SailPoint.
How are you extending identity to the day-one retail employees, presumably recruited at quite short notice, who need to have privileged information supplied?
We’re doing that effectively through the local management, whether that’s the general store manager or team leaders in the depots. We have lots of materials like knowledge articles and scripts, and we have training facilities that we can use to test these things out.
You touched on contractors earlier, could you explain what ASDA is doing in regards to non-employee identity?
It’s been a bit of a battle in all the CISO positions in my career. I’d always prefer our contractors just went to our HR system because it already contains an identity infrastructure, but HR teams often disagree.
At ASDA, we ultimately decided to adopt SailPoint’s Non-Employee Risk Management tool, which is effectively designed for managing people who are not full employees but still need access to systems. Fortunately, if you already use SailPoint Identity Security Cloud, implementation is straightforward.
Great. Now, let’s move on to a more obvious question. Please share with us three learnings or identity security best practices with our audience.
This might not come as a surprise, but one of the biggest lessons I’ve learned is the importance of data quality. And most of the data quality issues we’ve had have been associated with the actual ownership of that data. We had to build a full data set correlated from multiple data sources, so getting clean data, and an agreement about whose responsibility that data is, is really important.
Next up is change control, or technical change control to be specific. One of the key lessons I learned from my role at Morrison’s is that we didn’t focus enough on bringing employees with us, we didn’t spend enough time on training or business change management. You can’t treat identity as a technology project, you have to bring your colleagues with you and ensure they’re technically educated so that the C-suite workers know their responsibilities, and the everyday workers know what to do too.
The third essential pillar is finding the right partner for your identity program. Providers that can demonstrate their experience, have strong references around how they are to work with, are responsive, and seek out problems and help you to solve them in advance are all positive indicators. I’ve worked with SailPoint in the past and this was important in our decision to work with them at ASDA, too. I know we can just ask them at any time to help fix an issue for us, and they’ll do so.
And what about pitfalls that people need to look out for?
The first one is getting engagement right. We’ve discussed engagement with senior leadership, which is clearly important for things like funding. But it’s also important to engage with the business at the lower level, because we’re going to end up integrating staff with hundreds of complex applications and we can never be sure of how they’ll use them – where they connect from, what devices they use, under what circumstances they might be connecting, do they need temporary access or delegated access, etc. In the past, we waited for colleagues to come to us, but they didn’t, and then they expected everything to magically work.
Also, as I’ve mentioned, another pitfall is treating identity as purely a technology project, like a tool you can just plug in and play. There are a lot of processes and team structures to build around it, and this is why it’s so important to have the right specialist partner. This way, you can make sure you’re treating it as a proper program. One of the mistakes I’ve previously encountered is taking a bad process and a good piece of software and trying to change the software to meet the bad process. It needs to be the other way around – staff must align with the software to ensure the system runs well.
Now, it wouldn’t be a technology discussion without touching on AI. Given the scale and the complexity that you’re dealing with, where do you see AI in ASDA’s future?
There are a couple of areas in which I see it bringing obvious benefits to us. We’ve got our basic infrastructure in place: around 10 big applications that are integrated, via SailPoint ServiceNow, into SSL and SailPoint. But we’ve still got hundreds of much less significant applications to integrate. So, using AI to automate, or at least help speed up, some of the onboarding of those applications would be really helpful in terms of time, money, and resources.
Role mining (the process of analysing business data to group users and access permissions and simplify the review process) is another big use case. Employees only tend to understand their section of the applications and don’t know what happens elsewhere. Using AI to role mine and map would be very helpful.
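The role mining described above, as an added illustration that is not part of the interview and not ASDA’s or SailPoint’s code: a minimal bottom-up pass that takes a user-to-entitlement matrix, proposes candidate roles from the entitlement sets users actually share, keeps only the roles that explain access for at least `min_users` identities, and reports what is left over as direct assignments a reviewer should look at. The identities, applications and entitlement names are constructed for the example; a production miner would also weight candidates by HR attributes (department, location, job code) from the authoritative source, which this example omits.

```python
"""Added example: simple bottom-up role mining over a constructed entitlement matrix.

Not SailPoint's algorithm or ASDA's data. Input is a mapping of identity ->
set of entitlements written as "application:permission" (names are made up).
"""
from itertools import combinations

# Constructed sample data (hypothetical identities and entitlements).
ASSIGNMENTS = {
    "alice": {"workday:view_self", "pos:checkout", "pos:refund"},
    "bob":   {"workday:view_self", "pos:checkout", "pos:refund"},
    "carol": {"workday:view_self", "pos:checkout"},
    "dave":  {"workday:view_self", "wms:pick", "wms:pack"},
    "erin":  {"workday:view_self", "wms:pick", "wms:pack"},
    "frank": {"workday:view_self", "wms:pick", "wms:pack", "wms:admin"},
    "grace": {"workday:view_self", "finance:ledger_read"},
}


def mine_roles(assignments, min_users=2):
    """Return (roles, outliers).

    roles    -- list of {"entitlements": frozenset, "members": frozenset},
                ordered by how much access each role explains.
    outliers -- identity -> entitlements no mined role accounts for
                (direct assignments that deserve a reviewer's attention).
    """
    users = sorted(assignments)

    # 1. Candidate roles: every distinct entitlement set a user holds, closed
    #    under pairwise intersection so shared "base" roles (e.g. a birthright
    #    entitlement everyone has) surface even if nobody holds exactly that set.
    candidates = {frozenset(e) for e in assignments.values()}
    changed = True
    while changed:
        changed = False
        for a, b in combinations(list(candidates), 2):
            shared = a & b
            if shared and shared not in candidates:
                candidates.add(shared)
                changed = True

    # 2. A role's members are the users whose access includes all of it.
    #    Drop candidates held by fewer than min_users: a one-person "role"
    #    is just that person's direct assignment.
    scored = []
    for role in candidates:
        members = frozenset(u for u in users if role <= assignments[u])
        if len(members) >= min_users:
            coverage = len(role) * len(members)       # entitlement-assignments explained
            scored.append((coverage, len(role), tuple(sorted(role)), members))
    # Largest coverage first; bigger roles before smaller on ties; then lexical.
    scored.sort(key=lambda s: (-s[0], -s[1], s[2]))

    # 3. Greedy cover: keep a role only if it explains at least one entitlement
    #    for some member that an earlier, better role did not already explain.
    covered = {u: set() for u in users}
    roles = []
    for _, _, ents, members in scored:
        ents = frozenset(ents)
        if any(ents - covered[u] for u in members):
            for u in members:
                covered[u] |= ents
            roles.append({"entitlements": ents, "members": members})

    # 4. Whatever no role explains is a direct assignment worth reviewing.
    outliers = {u: assignments[u] - covered[u]
                for u in users if assignments[u] - covered[u]}
    return roles, outliers


if __name__ == "__main__":
    mined, leftover = mine_roles(ASSIGNMENTS)
    for i, r in enumerate(mined, 1):
        print(f"role_{i}: {sorted(r['entitlements'])} -> {sorted(r['members'])}")
    for user, ents in leftover.items():
        print(f"review: {user} holds {sorted(ents)} outside any mined role")
```

On the sample data this yields four roles (a warehouse picker/packer role, the shared `workday:view_self` birthright, a till operator role with refund rights, and a till operator role without) and flags `frank`’s `wms:admin` and `grace`’s `finance:ledger_read` as direct assignments outside any role, which is exactly the list a certifier would want in front of them.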