As we’ve covered in earlier posts based on events at the recent Navigate ’16 conference, the enterprise adoption of cloud technologies is accelerating. One such company that is rapidly adopting cloud computing is Weight Watchers. As Paul De Graaff, head of security and compliance at Weight Watchers, said during the Navigate ’16 Identity Panel, by the end of this year Weight Watchers, except for a small amount of local storage, will have transitioned to cloud entirely. To get the scoop on that transition, and a number of the challenges associated with identity management in their move to cloud, we sat down to speak with De Graaff.
Prior to his work at Weight Watchers, De Graaff served as chief strategy officer at Vanguard Integrity Professionals and as global information security officer for American International Group. De Graaff has also held information security positions at the Depository Trust & Clearing Corporation, IBM, UNISYS, and ABN/AMRO.
During the customer panel discussion, you mentioned that Weight Watchers is near completion of its transition to cloud, with only a small amount of local storage expected to be remaining by year end. Can you tell us a little about that strategy?
The strategy was that of our former CTO, and continues to be our goal. We are very much cloud driven. We’re a lean IT organization that’s very focused on the value add technology can bring, not on having to manage servers and having lots of technical stuff for the sake of technical stuff. At first, we decided to move to cloud what could be easily moved to cloud and let the vendor manage that infrastructure while we managed apps and data.
Then we moved to special purpose clouds, such as database management and other special purpose cloud services. After that, we created a private cloud where we ran our own servers. Our environment is about 3,000 servers, which is sizable but didn’t justify the cost of a colocation data center. So the value of cloud made perfect sense for us.
What has been your strategy to retire the on-premises systems? Has it been slowly over time?
Yes. We’re about 98% virtualized already, and we have a couple of physical servers still left, like some large databases that just don’t run very well in a virtual environment, but the rest is all cloud or virtualized and about to be moved to the cloud. At a lot of companies, this is happening in an ad hoc fashion. They haven’t planned it, but now they’re probably starting to plan to move to cloud.
Were there any significant challenges regarding identity management in Weight Watchers’ move to cloud?
The challenge with identity, and it’s still a challenge, because we haven’t solved all of it, is managing how people connect to their services and making sure everyone is provisioned accordingly. We use a lot of SaaS, but what happens is people forget that users need to be provisioned to these cloud services. People need access, and that access needs to be managed. You just can’t send a list of IDs and passwords up into the cloud.
Getting different teams to understand this required a lot of education.
We had to educate people that, before they onboard new servers, people had to be properly provisioned to those servers, and that access also needed to be managed. SailPoint provides us this ability.
Are there any lessons learned as you transitioned from on-premises identity management to cloud identity?
We didn’t do [automated] on-premises identity management, so we were basically doing everything manually. In my prior job, we were a SailPoint IdentityIQ customer. That was all on-premises in a very complex environment. That environment was 4,000 applications, compared to the roughly 70 applications at Weight Watchers.
The main lesson learned here, however, is to not just throw technology at these challenges, because if what you are doing now is poor, it’s just going to be amplified when you move to the cloud.
Another lesson learned is around making the business understand the benefits of having a mature identity management program. Single Sign-On is an easy sell because they see it in action, and everyone hates entering passwords all day. The provisioning, the onboarding and off-boarding of people – that’s a much harder sell.
They don’t notice the benefits of rapid provisioning until later. They’ll see that a new person is hired and that they are productive on day one. Historically, before a person gets all their accesses, there are at least a couple of weeks that go by. But when it’s managed properly, a new person comes in, and we can have them set up before their paperwork is completed. We take in data from HR, and we pull entitlement information from another system. So when a person completes their training, for instance, they have access right away.
This not only cuts out an enormous amount of paperwork, but it also creates an automated audit trail. Every time access changes for a user, it’s logged, such as revoking access when someone leaves the organization, or changing access when job roles change.
As Weight Watchers moved from manual to automated identity management, have you found an improvement in the day-to-day life of your end users?
Absolutely. Now it’s like people get access on the first day when they come on board. We are still adding more applications to the system. But it grew quickly, as people saw the model and how easy and fast it made user management.