Tim Skinner, Manager of Cyber Security, BlueCross BlueShield of Tennessee
Being responsible for cybersecurity in a large member organization like BlueCross BlueShield of Tennessee (BCBST) provides a lot of interesting challenges. As Tennessee’s largest health benefits plan, we serve more than 3.4 million people, employ more than 6,000 and partner with tens of thousands of providers. BCBST has a lot of users to support.
While our organization’s security is foundational to me and my team’s role, security and experience go hand-in-hand in today’s enterprise environment. Offering easy-to-use online tools is a big part of our jobs, and it plays a critical role in BCBST’s ability to provide the best healthcare service delivery.
We’re tasked with continually developing new member portals and new lines of business, while raising the bar on our member experience. Of course, this also carries some complexity when managing the volume and types of user identities we’re responsible for. Having the right technology partner and solutions is key to our ability to deliver. We’ve found that in Ping Identity.
Before Ping: An outdated infrastructure that couldn’t support our requirements
Where we are today is a huge improvement from where we started. To be able to respond quickly to organizational needs and requirements, we knew that our existing infrastructure needed an overhaul. It had been in use for a long time, and much of the tribal knowledge that went into building it was no longer there.
Our pieced-together solution required multiple vendors and a lot of effort to configure and maintain. We had a single login page for end users, but it wasn’t particularly good. We also wanted more control over messaging and outages, plus session timeouts for different user types.
Active Directory (AD) had outlived its usefulness as a customer identity repository, and wasn’t able to provide the flexibility or the features that we needed to manage user identities and their attributes. We tried extending it with a virtualized directory of customer data, but that created issues in synchronizing data across systems and governing access at the fine-grained level we need.
We needed a technology refresh of our critical identity and access management (IAM) infrastructure to address the needs of millions of identities. Among our requirements were:
We found the capabilities we needed in the Ping Identity Platform. And in the Ping team, we found a willing and capable partner.
After Ping: A single CIAM platform built for speed, scale and superior experience
Once we finalized our decision to centralize on the Ping Identity Platform, it was time to deploy and start the migration. We chose to deploy incrementally, addressing our most critical IAM needs first.
We started by deploying Ping Identity’s SSO, access management and MFA solutions. This allowed us to consolidate our federated SSO using industry standards, centralize session management for web apps and provide user self service and password management. Next, we deployed PingDirectory to provide a unified source of customer data that could handle the scale we required.
“The deployment was the best of any system deployment I’ve been involved with. We had fully functional PingFederate and PingAccess up and running in a matter of hours.”
As part of our migration, we added new login pages and adjusted sessions for each customer type. So far, we’ve successfully migrated:
2.4 million customer identities—with minimal impact to users
35 BCBST web apps and APIs
4 external customer portals and 1 internal portal
We’re continuing to migrate inbound SSO, and we’re still migrating passwords using PingDirectory’s data synchronization capabilities. We anticipate completing these initiatives by the first quarter of 2019.
While we continue to reap the benefits of using the Ping Identity Platform, we’ve already achieved some big wins and reduced the time it takes for many tasks:
Significantly faster upgrade and patching cycles
Reduced setup time for outbound SSO, new external application deployment and new APIs
Ability to quickly deploy new user types (e.g., customers)
By moving to Ping, we’re able to deliver convenient, secure authentication to our members. We’ve also gained flexibility, easier administration, better security and greater data integrity and accuracy. Finally, a unified source of customer data improves not only security and governance, but also our users’ experience.