Best Buy Delivers Efficiencies, Pleasant User Experiences for Employees, Vendors, and Contractors

Walking into a Best Buy is a consumer electronics dream. Upon entering, you see the familiar and welcoming Best Buy “blue shirts” and know your electronic goals will be met. In the store, you will also see other shirts with logos of Best Buy partners like Apple, Microsoft, Samsung, and more, who collaborate with the company to help customers meet their varying technological needs. It’s truly a pretty awesome one-stop-shop experience, but did you ever stop to think about the complexity of the systems that allow these groups to work together in a shared space? For example, a Microsoft employee will probably not want to use an iPad, and an Apple employee should not be able to see Microsoft customer information and sales data. There are countless complexities with all of these vendors operating together in the same store. And all of these complexities are occurring in more than 1,100 locations globally.

Fortune 100 consumer electronics retailer Best Buy has not only nailed these very complex and numerous use cases, but it has done so with astounding efficiency. I recently had the pleasure of chatting with Greg Handrick, Director of Identity and Access Management (IAM) and Cryptography, and Vinodh Rajagopalan, Associate  Engineering Director of IAM, and they explained how identity is driving efficiencies and secure yet pleasant user experiences for their employees, vendors and more.

Greg set the stage by explaining, “IAM is 100% centralized at Best Buy. Our team has global responsibility for all enterprise identities, which includes all employees, contractors, non-human accounts, bot accounts and vendors. We have a total of 180,000 identities under management.”

Best Buy began its journey with Ping in 2009, using PingFederate with a very niche use case. By 2020, Best Buy was experiencing issues with its IAM infrastructure, which consisted of Oracle Access Manager, Microsoft ADFS, SecureAuth and some homegrown solutions, all running on-premises. Vinodh explained, “Things were too complex. We didn’t have great support from our existing vendors, and we also began finding some bugs. But what was really important was our increasing need for flexibility and the ability to customize certain solutions.”

Best Buy then embarked on a very comprehensive RFP that included 450 unique use cases. After proving it could meet Best Buy’s various needs, Best Buy decided to consolidate all of its IAM for every user base except for customers onto Ping. Best Buy chose Ping because of its ability to provide a flexible and customizable solution, while also offering a migration path to the cloud. 

Vinodh gave an example of the customization requirements: In the store, a Samsung employee can access systems to see customers’ phones and plans and they often need different personas in order to access different systems. Best Buy manages these personas and their access to data and apps. While these apps are similar, they can’t see each other’s data, so they needed to create different personas to access different apps. One person even had 42 identities!  

“To solve the problem, we allow users to login with their email address, and then we detect what app they are logging into, how they are logging in, etc. Once authenticated, they can use their same password, which makes it easier for them,” Vinodh said. “We can intervene in the authentication process in a safe and secure way and establish a session for that persona. None of the other products we looked at could do this and it was a huge game-changer for us.” Now, rather than having to remember multiple account names and passwords, each user only needs to keep track of one.

Best Buy was running two data centers with 70 virtual machines (VMs) and wanted to move to the cloud. By moving off-premises, Best Buy wanted to reduce costs, eliminate human-based errors and automate processes like patches and updates. “We were in the data center and Ping allowed us to get into containers off-premises. It was a flawless, ridiculously smooth migration and it’s a testament to Vinodh’s team,” Greg said. 

Best Buy worked with Like Minds Consulting on the architecture but conducted the migration with its own team. Greg explained, “We had additional security hurdles to clear.  IAM is considered a “Tier Zero” service; we’re required to use standalone architecture segregated from the rest of the company so we can control access and credentials. We set up a separate AWS account, deployed the containers, added auto-scaling capability to them, installed PingFederate on top of those, opened it up to application consumers and boom–it just worked.”

In the cloud, Best Buy was able to reduce its 70 VMs to just seven containers. Vinodh said, “During Thanksgiving (our busy season), with our previous system we utilized 70% capacity. With Ping in the cloud, we barely touched the capacity with 25%. We were able to handle the increased load in a much more efficient fashion.” Greg added, “Moving containers to the cloud means that scalability just happens for us: We don’t have to worry about memory, patching, DNS, etc., everything is now simplified. We now have multi-region high availability in those seven containers, running more capacity at a much reduced cost and overhead.” 

Vinodh also shared the value of mistake reduction and operational time savings as provided by Ping and the cloud. Specifically, Vinodh mentioned the value of running a self-healing and self-monitoring system, which eliminates human errors by destroying corrupt configurations before they take live traffic. Best Buy has also gained operational efficiencies through automation. Vinodh said, “We reduced our team capacity by 20%, but now we are more productive. We have moved those team members to DevOps to provide more value rather than spending time on things like patches and upgrades.” 

Speaking of efficiencies, Best Buy set an ambitious application migration goal and met it easily. Greg explained, “We migrated 280 existing apps and added 120 new apps during the migration process. We completed it in just about 10 months, excluding our retail holiday period.”

Best Buy was successfully combating security attacks and further upped the ante with PingOne MFA (multi-factor authentication). Greg relayed that the Best Buy Chief Information Security Officer (CISO) was concerned about phishing vulnerabilities with SMS. As Greg tells the story, “Vinodh just said, ‘no problem, we can just turn it off’ and we did. Push (MFA) became the de facto standard.” Greg added, “Now our CISO says, ‘I can just ask you guys for things and they just happen. That was never the case with our previous system.’” Greg further elaborated, “PingOne MFA has been wonderful. We shut off our corporatewide SMS and deprecated one-time password tokens. When we’re talking about MFA, it’s a no brainer, it just plugs right in. The Ping portfolio has been a huge enabler for us, giving us flexibility we never had before.” 

Greg summarized the identity journey by saying, “For our internal teams, we are able to give them the modern technical features and future flexibility that we didn’t have with our legacy products. And the value is just so much higher with Ping than it was with our previous products.” He added, “We do not want to see ourselves in a breach report. We can do all the things we need to best serve our customers in our stores, and that's what we focus on.”

Learn more about the Best Buy story during Ping YOUniverse October 8-9 in Miami, FL!