Disrupting the Retail Industry
After opening its first warehouse in the United States 1983, Costco became the first company to grow from $0 to $3B in sales within its first 6 years and is now a multi-billion dollar global retailer with operations in 8 countries; ranking among the Forbes Global 100. Even as the years passed, its customer commitment remained the same- offering the best value to its members by carefully choosing select products based on quality, price, brand and features- thanks to leading merchandising and operations teams.
That said, while Costco is best known for its physical warehouses throughout the United States, recent growth has been driven by its online channels- ecommerce, mobile and digital initiatives- as well as international expansion (including ongoing expansion in China). And going forward, even more digital channels like “Costco Next” will continue to roll out.
“Our objective with Orchid is to transform the largely (90%) manual process of on-boarding an application- which can take weeks after release- to one that is highly (90%) automated and accomplished in days.”
Business Agility, Driven by Data
Underpinning all of these initiatives is a critical IT infrastructure, including an evolving set of applications along with accompanying identity technologies. In recent years, the security and IAM teams have worked around the clock (and around the world), to support business initiatives and sales growth.
But to get Costco and its business to the next level, these teams will shift to not only support but more actively enable the business. “2024 brought a fresh approach and commitment to ‘speed in delivery’,” CISO Jon Raper notes, “in which the emerging power of data analytics can be harnessed via a range of new applications which join those currently in use.”
Potential Speed Bumps to Success
However Jon continued “this strategy is dependent on more than just agile application development. Fast, secure and compliant on-boarding, with appropriate user authentication and authorization flows, will also be essential. Essential to user experience. Essential to business continuity and cyber security. Essential to regulatory and legal compliance.”
The Costco team faced three primary challenges:
1. As a true multinational company, in which different countries are given substantial freedom to chart their own path (and develop their own applications), it can be difficult to simply identify all of the applications currently deployed, let alone assess their identity technologies and flows;
2. With application developers expert in the target purpose of each application, rather than the very latest identity technologies and practices, it can be difficult to understand (let alone ensure the best practice use of the latest) authentication and authorization flows that have been implemented; and
3. Given the acute shortage of identity and access management experts within the industry, Costco must often look outside of its teams for the specialized skills needed to integrate applications into its IAM stack, making it a costly and continuous proposition.
Jon was quick to acknowledge the major investment made by the Identity team. “Today, Costco’s IAM team works tirelessly with application owners to properly on-board new applications; an effort that can take days, weeks, and even months, depending on the complexity of the application.”
Achieving Speed to Delivery
An innovator by nature, Costco CISO Jon Raper, set out to find an identity tool that could address these challenges. His first investment, in 2022, was an Identity Governance and Administration (IGA) tool. While this offered a powerful platform to guide identity and access management processes, it was dependent on the integration of each application which was often easier said than done. Two years into the deployment, Jon is happy with the consistency and compliance this IGA tool brings, but he continues to look for ways to bring more applications into the tool faster.
That brought Orchid to Jon’s attention, as it offers Costco:
- A transparent service that will passively identify applications with native identity controls that are installed on each host anywhere in the world;
- A robust analytics infrastructure, leveraging Large Language Models, that automatically maps those identity technologies and protocols, as well as authentication and authorization flows, built in by the developer;
- Comparison of these native capabilities against major privacy regulations and cyber security frameworks to identify exposures and calculate an overall risk score;
- Integration with IAM tools, like IGA platforms, to avoid recurring, bespoke, integration work; and
- Interaction with ticketing and workflow tools, like ServiceNow or Jira, to kick off and track efforts to remediate exposures and improve identity security posture.
According to Jon, “our objective with Orchid is to transform the largely (90%) manual process of on-boarding an application - which can take weeks after release- to one that is highly automated (90%) and accomplished in days.”
Among other things, this automation promises to speed the on-boarding process from an average of 4 weeks to just 1. Right now, the IAM team works tirelessly with application owners to understand an application’s native authentication and authorization flows - a manual process that takes weeks of effort, constituting the majority of time for a new application to go live. But with the intelligence provided by Orchid, the process becomes more of a quick validation rather than deep exploration with the application owner. Not only that, the out-of-the-box connectors from Orchid promise to help organizations avoid the heavy cost of custom integration services per application, while its ability to augment native identity controls raise the strength and consistency of identity security posture- across applications and around the world.
Not only is Jon enabling application developers to continually transform Costco’s business operations and customer engagement, he is actually raising the bar in terms of cyber security. As he calls out, “with the user credentials serving as the #1 entry method of threat actors (as reported in the 2024 Verizon Data Breach Investigations Report for example), identity is the new perimeter. Enforcing strong and consistent identity controls, while still deploying applications faster, with Orchid is a huge cyber risk reducer."
An Even More Intelligent and Agile Costco
Looking forward, Costco will be ready to maximize the latest data and applications to accelerate growth and continue transforming the retail industry, thanks to an efficient IAM team that is to safely Speed Time to Delivery.
.png)
.png)
.png)
