With SailPoint, AmeriGas Moves Identity to the Cloud
Founded in 1959, King of Prussia, PA-based AmeriGas has 1.7 million customers and 1,900 distributors in all 50 states. Since its founding, and with $31 billion in annual sales, AmeriGas has grown to become the nation’s largest propane distributor.
With roughly 10,000 employees and contractors at its seasonal peak, AmeriGas had considerable identity and access management challenges.
To better manage those identities, AmeriGas set out to build a new identity program. A program that would help to improve employee productivity, provide rapid access and termination from applications, enhanced application access governance for Sarbanes-Oxley applications, and improve audit results. The identity team also sought to build an identity program that would quickly scale to other business units.
The need for a mature identity management program
With thirteen identity data sources, up to 10,000 identities and 1,600 user roles, 3,200 access profiles, and more than 48,000 entitlements, AmeriGas had a considerable need to mature its identity management program. And in a typical week, AmeriGas undergoes a substantial amount of identity changes: hundreds of entitlements and accounts are added, passwords changed, and accounts disabled. “That’s a standard week for us,” says Christopher Martin, identity and access security manager at AmeriGas. “There’s always a lot of movement with our identities,” he adds.
Martin, hired in January to help move AmeriGas’ identity management effort forward, invested his first few months evaluating the company’s existing identity process, policies and control points, with an eye toward identifying opportunities for improvement.
After baselining their identity program, Martin and his team evaluated many of the leading identity management programs available on the market, with a strong preference toward finding a cloud-based platform.
After their thorough evaluation, AmeriGas selected IdentityNow from SailPoint. SailPoint IdentityNow’s cloud-native architecture runs on Amazon Web Services (AWS) and leverages the AWS platform’s security, availability and elasticity. According to Martin, the team chose IdentityNow because IdentityNow will help them to successfully execute against established best practices, meet their cloud-first objective, provide for lower maintenance compared to on-premises applications and require less customization. Since it is delivered from the cloud and does not require hardware or software installation, they can rapidly and efficiently deploy and administer their identity services from the cloud which allows for simplified administration without the need for specialized identity expertise. IdentityNow also provided the connectors they needed to get moving swiftly.
IdentityNow’s ability to help the team operate within industry-established best practices proved to be a key advantage. “We were building an identity program with a team of people that had minimal identity experience,” explains Martin. While the team did have robust security and risk experience, none had a strong background in identity, Martin explains. “We knew we could lean on SailPoint’s best practices,” he says.
IdentityNow helps AmeriGas move cloud-first
Today, AmeriGas is utilizing IdentityNow’s primary features.
One of AmeriGas’ early and primary benefits resulting from its switch to IdentityNow was self-service password management. “Went live with self-service password management in April 2018, and we gave the organization something that they never had before: a password management tool that was accessible outside of the network,” says Martin.
Because the staff accustomed to calling the service desk when they needed a password reset, it took some coaching to get adoption of the self-service portal to where the team wanted. However, through the service desk referring staff to the self-service portal, they were able to gain widespread adoption over time, Martin explains.
The password reset self-service portal provided a considerable return on investment. Within the first twelve months of the self-service portal, there were more than 10,000 resets conducted. “At $18 per reset, there’s been a quick and significant return,” he says.
Another area of success proved to be the improvement in AmeriGas’ access certification process. Access certification is the process of vetting system access entitlements to make sure that users have access to the right applications and resources.
Such certification of access is crucial for security and mitigating the risks of unauthorized access. It’s also essential for regulatory compliance such as those applications that are part of financial management and reporting, as is the case with Sarbanes-Oxley. “We spent a lot of time developing, testing, and running pilots so we could go live in October,” Martin says. In their most recent certification campaign, Martin explains that there were about 1300 users who had their access certified.
Martin and his team also sought to enhance their provisioning efforts. Previously, the AmeriGas team was using a system that provided necessary provisioning capabilities to Microsoft Active Directory and email. “Their primary Active Directory group would enable users to log into the network. Everything else was access requested through ServiceNow and manual fulfillment,” he says.
To modernize their provisioning system, the identity team qualified user roles based on their job function. These roles would help users get provisioned more quickly. “We went live with 550 roles based on job codes,” Martin says. Currently, those applications within IdentityNow are provisioned within the first day. Since IdentityNow is built from the ground-up on AWS as a complete multi-tenant SaaS platform which enables all new and updated features and maintenance updates to be automatically delivered, requiring zero downtime and IT effort, this frees up AmeriGas’ IT resources and allows them to focus on what matters most, their business.
What’s next for AmeriGas? This year they’re moving their primary identity source of truth from Ceridian to SAP Success Factor and moving the identity processes they have in place now for their financial business unit to a second business unit. Further ahead, Martin explains, they’re planning to add more sources for identity automation for Azure Active Directory, Ariba, and ServiceNow. They also plan to leverage more identity attributes and leverage more machine learning to help optimize identity governance.
“We’ve come a long way, and we’ve learned quite a bit,” says Martin. “Importantly, I think we delivered much higher than most people’s expectations,” he adds.