Luke Fairless, Technology Director – Security and Capability at Tesco, tells us how the company is using an identity and access management solution from OneLogin to secure its distributed workforce.
With the exception of its banking operation, Luke Fairless oversees cybersecurity strategies across Tesco’s range of operations including its Express businesses, superstores and metros in the UK, Ireland, Europe, Asia and other global offices.
His team looks after everything from risk compliance through to digital forensics, the Security Operations Centre and identity access management.
He’s also tasked with ensuring security awareness and education across all 450,000 colleagues in offices, shops and distribution centres.
Tesco was looking for a multi-factor authentication solution that would provide visibility over account access and ensure sensitive employee data did not end up in the wrong hands.
Here, we find out more about the solution Tesco chose and how it is already providing benefits.
Tesco is increasingly using cloud services and while it is only office staff and store managers who have access to email, the wider workforce is accessing pay slips from the cloud.
“Anybody working in stores or distribution centres, as well as offices, needs to be able to log into that,” Fairless said.
“And we want to be able to protect it because pay slips have got a lot of information on them that you could use to try and do an identity takeover of somebody.
“Increasingly we want to be able to make these self-service so if you need to change your bank account details then you can just do it yourself online rather than needing to come through your personnel manager.
“If you’re allowing people to do that though, you can imagine an attacker could change that bank account detail to their own just before the monthly paydays.
“And then suddenly people’s salaries don’t end up in their own bank account, they end up in a fraudster’s bank account.
“So the need to be able to protect those accounts is crucial and it’s been a need that we’ve been able to see for a year or two, but we can increasingly see it as a need as we go forward.”
Enterprises are now required to have a second factor of authentication in place, as username and password information – something you ‘know’ – is increasingly easy to pass on to attackers, even if only accidentally.
Fairless turned to OneLogin for a solution, won over by the ease of use and partnership approach the vendor was able to offer.
The second factor now used by Tesco employees is a mobile phone – something which employees ‘have’ and which is much harder for attackers to access.
The solution protects against unauthorised access to critical corporate data while cutting management time and costs for the business.
“We trawled quite a wide net through the market,” said Fairless. “We ended up looking at eight solutions and got down to a shortlist of three.
“OneLogin wasn’t the biggest or the most established – they were quite a new player in the market. But the thing that really made them come through was user experience and that’s from two different angles.
“It was very important to us that if we were going to ask 450,000 people to use this thing – many of whom are not what we would describe as digital natives – we wanted it to be an easy experience for them and we wanted it to be intuitive.”
Equally important, he said, was a solution that would be intuitive for administrators.
“With some of the solutions we looked at, when we looked at the administration side and how they would set up security policies it was very complicated and you could see how they could easily make mistakes that then would compromise the reason why you bought the solution in the first place.
“So OneLogin seemed like they had really concentrated on user experience from both angles.”
The solution was initially rolled out in the UK over a nine-week period which finished in June this year and then expanded to Europe and Asia, which took around four weeks.
Initial teething problems centred around the inputting of international phone numbers but OneLogin were very responsive in resolving the problem, said Fairless.
Tesco now has 140 applications which are integrated with OneLogin.
“We’ve got tens of thousands of colleagues now across the world that are all using adaptive multi-factor authentication,” said Fairless.
“For example, I’ve just been to Malaysia, India and the US. And in each of those locations, which are unusual for me because I’m normally based in the UK, when I first go to log into one of those 140 apps that are covered by OneLogin, I get a notification on the screen saying ‘we just sent you a message to your phone, please confirm in order to continue’.
“And I then get a push notification which asks ‘is this you trying to log in?’. You then approve it and log in immediately.”
For the remainder of the time the individual is in that country, they are not repeatedly asked to confirm their identity, as the solution recognises that it is a legitimate login.
“It’s about providing us the assurance that these logins are from bona fide individuals, but not overburdening the individual by having them have to do this process every single time, only when something looks unusual,” said Fairless.
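The step-up logic described above, written out as an added example: a login from a country the user has not recently confirmed with their phone triggers the second factor, later logins from the same country within a trust window do not, and a high-risk self-service action such as changing bank details always does. This is illustrative code, not OneLogin's or Tesco's implementation; the 30-day window, the action names and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TRUST_WINDOW = timedelta(days=30)          # assumed: how long a confirmed country stays trusted
ALWAYS_STEP_UP = {"change_bank_details"}   # assumed: actions that always require the phone factor
T0 = datetime(2024, 6, 3, 9, 0)            # constructed sample timestamp for the demo


@dataclass
class UserContext:
    # country code -> time of the last successful second-factor confirmation from there
    verified_countries: dict = field(default_factory=dict)


def needs_second_factor(ctx: UserContext, country: str, action: str, now: datetime) -> bool:
    """True when this login must be confirmed on the user's phone."""
    if action in ALWAYS_STEP_UP:
        return True                          # payroll-affecting change: always step up
    last = ctx.verified_countries.get(country)
    if last is None:
        return True                          # never confirmed from this country
    return now - last > TRUST_WINDOW         # confirmation too old to rely on


def handle_login(ctx: UserContext, country: str, action: str,
                 now: datetime, approve_push) -> str:
    """Process one login; approve_push() stands in for the user's push response."""
    if not needs_second_factor(ctx, country, action, now):
        return "allowed"
    if not approve_push():
        return "denied"                      # user did not confirm: likely not them
    ctx.verified_countries[country] = now    # remember the confirmed location
    return "allowed_after_mfa"


def run_demo() -> list:
    """Constructed scenario: a UK-based user travels, then tries a bank-details change."""
    ctx = UserContext(verified_countries={"GB": T0 - timedelta(days=2)})
    yes, no = (lambda: True), (lambda: False)
    return [
        handle_login(ctx, "GB", "view_payslip", T0, yes),                        # allowed
        handle_login(ctx, "MY", "view_payslip", T0 + timedelta(days=1), yes),    # allowed_after_mfa
        handle_login(ctx, "MY", "view_payslip", T0 + timedelta(days=2), yes),    # allowed
        handle_login(ctx, "MY", "change_bank_details", T0 + timedelta(days=2), yes),  # allowed_after_mfa
        handle_login(ctx, "US", "view_payslip", T0 + timedelta(days=3), no),     # denied
        handle_login(ctx, "MY", "view_payslip", T0 + timedelta(days=40), yes),   # allowed_after_mfa
    ]
```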
Tesco received the ‘Most Collaborative Award’ from OneLogin for demonstrating a fast implementation and deployment of the solution through cross-departmental team efforts. What’s the key to this success?
“A really big thing for us was that we wanted colleagues to understand why we were doing it, not just be the security team saying ‘you must do this’,” said Fairless.
“So we worked with the corporate comms team to create a video which took about five minutes for colleagues to view, explaining why we were asking them to do it, what it would achieve and then talking them through the specific steps for installation.”
Although there is an app version, employees can also receive the second factor as text messages, so if they have an older phone, limited storage or an incompatible device, they can use the SMS option instead.
“By working with the comms team, we got this really clear and quite compelling story that folks could go through and then working with the Service Desk team to be able to put FAQs and self-help and other things on there for the education side.
“Then working with OneLogin, and we’re still doing this, we have a number of observations and builds for them as we’ve gone through.
“So being able to work with OneLogin and them being really reactive to us, suggesting this stuff and helping – I guess, from our perspective, us helping them develop their product, and from their perspective, them helping us get this thing rolled out across all of our users.”
Advice for other CEOs looking for a multi-factor authentication or identity access management solution?
“I think it’s tempting to go with a vendor that maybe you already use. Because it will seem like they’re going to take a lot of the complication and the stress away, because you deal with them already – maybe it’s an add on product or something they already do,” said Fairless.
“But instead of taking that for granted, I would recommend diving into how it is actually going to work, what it’s going to look like for the user and what it’s going to look like for the admins.”