Today marks the third annual “Identity Management Day,” a day of awareness focused on the importance of identity management for business leaders, IT and cybersecurity professionals, and the general public. Recognized on the second Tuesday in April, Identity Management Day highlights the importance of organizations having an identity-centric approach to all that they build to lay the foundation for a strong security posture.
Target is consistently looking for more ways to encourage weaving security into our everyday lives and protecting our data and systems, so recognizing and participating in Identity Management Day is a great fit for us. In the spirit of the day, this year we are excited to sit down with our Senior Director of Cyber Solutions Tom Sheffield to learn more about how a strong team leveraging technology, engineering, and product maturity can reduce the need to make trade-offs between security and user experience, and how that mindset helps us deliver value back into the business.
Read on to hear more from Tom about what Identity Management means at Target, what skills are needed to be a strong Identity team member, and how our cybersecurity team members work together with our Digital and UX teams to ensure that anything we build is secure and prioritizes the fundamentals of Identity Management.
Before we get started, we’d love to hear more from you about your background and role. And what brought you to the Target technology team?
“I started in a Technology Leadership Program at GE immediately after receiving my bachelor's degree in business information systems. I naturally gravitated towards programming and got my start developing with Oracle Forms for manufacturing processes. I was then able to work on global enterprise resource planning (ERP) deployments, which really opened my eyes to how technology impacts the user through their experience. I then had an opportunity to lead the global rollout of centralized identity management and SSO capabilities. It was here that I learned how to work across teams to meet a common goal.
I had no idea what I was getting into at the time, but I've never looked back. For those of us who started in Identity in those days, we often say ‘we didn't choose Identity, but Identity chose us.’ Twenty-three years ago, there were separate cybersecurity and Identity functions, but they weren't as interdependent as they are today. In those early days, Identity was focused on productivity – identity consolidation, SSO, centralized provisioning – for end-users and for application teams. Then the Sarbanes-Oxley bill passed in 2002, and Identity played a big role in ensuring compliance relative to access management and appropriateness of access. Identity has always played a role in Cybersecurity – from lifecycle management to multi-factor authentication – but now it's at the core of every organization's Cybersecurity function. Threat actors often use identity as an attack vector, so a solid identity posture is a necessary defense. Today, we see many opportunities for Identity to be a business enabler, whether it be supporting the transition to cloud computing or simplifying the login process for a user to fight fraud. Anything we can do to deliver a quality user experience securely is a win-win!”
Could you tell us a little more about Identity Management and why it’s so important for people both at home and at work?
“In both cases, at home and at work, it’s about protecting access to our digital lives and information. In our personal lives, obviously we want to make sure that our private information like our credit card information, social media, and personal data are all protected from threat actors. In the business world, it’s the same thing. We want to make sure we are protecting Target’s data and reputation, and we do that through strong Identity Management practices. That’s the premise of Identity Management, it’s about making sure the person at the other end of the keyboard or the device is who we expect it to be, and they’re allowed to be there.”
How does the Target tech team balance the needs of speed, quality, and features as they are building products?
“The biggest thing that we strive for is ‘secure by design.’ We want to make sure that the capabilities that we offer are secure, while also offering a great user experience. The best solution, if not deployed well, won’t get adopted. If it doesn’t get adopted, it doesn’t deliver the intended value. That’s why we are hyper-focused on engaging and understanding our colleagues as we design and build our solutions, and then educating them before the solutions are deployed. This helps us to ensure that we provide these secure solutions in a way that is meaningful to our users while also ensuring that the solutions allow them to do their jobs as effectively and efficiently as possible.”
What considerations must be made and balanced when thinking about User Experience (UX) and security in tandem with one another? How do the teams you lead do this successfully? What areas of opportunity are there around this work?
“We believe that considering security versus convenience doesn’t have to be a trade-off for our teams as we are developing solutions. The best products are secure while also making things easier for their users. One very simple example is our use of biometrics within our single sign-on (SSO) program that we call fingerprintID. Instead of needing to type out a long password which can be challenging for users, especially on a mobile device, we can improve that user experience by using biometrics. Simplicity and security working together instead of in competition with one another is a win for all! We leverage FIDO as the authentication framework within that program. FIDO authentications are phishing resistant, cryptographically backed, and significantly stronger than a password to protect you as an individual, along with Target’s data, systems, and processes. It’s not a trade-off; it’s magnifying both the security and the user experience simultaneously to increase the value delivered instead of needing to promote one over the other.”
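The answer above states that FIDO authentication is phishing resistant and cryptographically backed. The following is an added example, not Target's fingerprintID code or anything from the original post, showing the relying-party checks that make a FIDO/WebAuthn login phishing resistant: the browser, not the user or the page, records the real origin in clientDataJSON, and the relying party rejects any assertion whose origin or rpIdHash does not match its own. The relying-party id `login.example.com`, the look-alike site `login-example.com`, the user `alice` and the credential id `cred-1` are constructed; the authenticator's signature is simulated with HMAC-SHA256 over a per-credential secret instead of a real ECDSA key pair so the example runs on the Python standard library alone, and the authenticator signs for whatever RP ID it is handed (a real one would refuse a credential scoped to a different RP ID) so that the server-side checks are the ones exercised.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "login.example.com"                  # assumed relying-party id (constructed)
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://login-example.com"   # constructed look-alike site


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class RelyingParty:
    """Server side: one credential per id, one outstanding one-time challenge per user."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}   # credential_id -> {"user", "key", "sign_count"}
        self.pending = {}       # user -> challenge issued by begin_login()

    def register(self, user, credential_id, key):
        # Real WebAuthn stores the credential's public key; the HMAC stand-in stores a shared secret.
        self.credentials[credential_id] = {"user": user, "key": key, "sign_count": 0}

    def begin_login(self, user):
        challenge = b64url(secrets.token_bytes(32))
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, credential_id, client_data_json, auth_data, signature):
        cred = self.credentials.get(credential_id)
        if cred is None or cred["user"] != user:
            return False, "unknown credential"
        expected = self.pending.pop(user, None)          # a challenge is valid exactly once
        client = json.loads(client_data_json)
        if client.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if expected is None or client.get("challenge") != expected:
            return False, "challenge missing or already used"
        # Origin binding: the browser wrote this field, so a look-alike site cannot forge it.
        if client.get("origin") != self.origin:
            return False, f"origin {client.get('origin')} is not {self.origin}"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash does not match this relying party"
        if not auth_data[32] & 0x01:
            return False, "user presence not asserted"
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        expected_sig = hmac.new(cred["key"], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, signature):
            return False, "signature invalid"
        count = int.from_bytes(auth_data[33:37], "big")
        if count <= cred["sign_count"]:               # a cloned authenticator would repeat counts
            return False, "signature counter did not advance"
        cred["sign_count"] = count
        return True, "ok"


class Authenticator:
    """Simulated platform authenticator; a fingerprint unlock stands in for user presence."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def sign(self, rp_id, client_data_hash):
        self.counter += 1
        # authenticatorData = rpIdHash (32) || flags (1, UP set) || signCount (4)
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + bytes([0x01]) + self.counter.to_bytes(4, "big"))
        sig = hmac.new(self.key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authn, page_origin, challenge):
    """What the browser does for navigator.credentials.get(): it records the page's real
    origin and derives the RP ID from it; page script cannot override either value."""
    client_data_json = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                   "origin": page_origin}).encode()
    rp_id = urlparse(page_origin).hostname
    auth_data, sig = authn.sign(rp_id, hashlib.sha256(client_data_json).digest())
    return client_data_json, auth_data, sig


def run_login(page_origin, replay=False):
    rp = RelyingParty(RP_ID, RP_ORIGIN)
    key = secrets.token_bytes(32)
    authn = Authenticator(key)
    rp.register("alice", "cred-1", key)
    challenge = rp.begin_login("alice")      # a phishing page would relay this real challenge
    assertion = browser_get(authn, page_origin, challenge)
    result = rp.finish_login("alice", "cred-1", *assertion)
    if replay:                               # a captured assertion submitted a second time
        result = rp.finish_login("alice", "cred-1", *assertion)
    return result


def legitimate_login():
    return run_login(RP_ORIGIN)


def phished_login():
    return run_login(PHISH_ORIGIN)


def replayed_login():
    return run_login(RP_ORIGIN, replay=True)


if __name__ == "__main__":
    for name, fn in [("legitimate", legitimate_login), ("phished", phished_login),
                     ("replayed", replayed_login)]:
        print(f"{name:11} -> {fn()}")
```

The password-equivalent attack, a user typing a secret into a look-alike page, has no counterpart here: the only thing the victim's browser can hand to the look-alike site is an assertion stamped with that site's own origin, which the real relying party refuses, and a captured assertion cannot be reused because its challenge has already been consumed.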
We’ve heard briefly about the concepts of “design-ins” and designing for security principles. What does that mean for engineers at Target? And what does it look like for designers? How do you encourage the teams to work together towards these common goals?
“Empathy becomes important in these scenarios. Our Product Managers work closely with their customers, partners, stakeholders, and peers to understand their world from their perspective. The best solutions are designed from the customer perspective and leveraging empathy is one of the most effective approaches to see into those perspectives. We rely on conversations with customers, focus groups, shadowing opportunities, and surveys to try to get as close to our customers as possible.
As engineers, we use the same engineering tools and practices that our engineering peers across Target Tech use, and we share the engineering culture. This gives us a chance to see what those engineers go through on a day-to-day basis. If something is hard for us, then it’s ten times as hard for an engineer who is not in Identity because at least we know who to go to inside of Identity when something isn’t working well. We know who to reach out to and can say ‘hey can you make this better, I’m having this problem.’”
What makes a successful technology solution from your frame of reference? How do you measure that and benchmark that with your teams?
“First and foremost, the most important measure of success is adoption. Solutions that are deployed but are not adopted do not deliver the desired value. You’re just delivering output instead of outcomes.
We’ve mentioned this previously but it’s a common thread – empathy is the tool that helps to increase the likelihood of adoption. When launching a new solution to our teams, we try to position the solution from the team member’s perspective as much as a cyber perspective – we prioritize sharing information like here's the value to you, and how this will be easier, faster, and more secure for you while also being more secure for Target. We try to frame it simultaneously from the team member’s perspective and through Target’s lens, but we always lead with the user side. When we deploy a new tool or process, we are asking them to change their behavior or do something differently. It must be enticing to them in order to convince them to take that next step to act.
We also spend a lot of time benchmarking and sharing across peer groups across multiple forums. At Target, we firmly believe that ‘Security is a team sport’ and by working across our network, we are able to get feedback and understand trends, directions and threats across the landscape. Having a strong network of peers across industries helps us understand what they’re doing both for their employee base and consumer-facing support. The importance of getting ahead of the questions and having a thoughtful roll-out of new programs and initiatives has often been overlooked by other companies but it’s something we don’t take for granted and has helped our team get stronger and encourage earlier adoption on some of these efforts.”
What types of technical skills are necessary to be good at Identity Management? What non-technical skills are important? And what do you look for when building your team?
“On the technical side, we are looking for software engineers and software developers to join our team. We are looking for engineers who are not constrained by the tools in our hands but can leverage open standards and technology to extend and integrate across solutions. Leveraging technology, open standards, and open source provides our technologists with the maximum opportunity to deliver value across solutions. With closed systems, we are limited to what the system provides or when – or even if – the provider can deliver what we need. With a strong engineering culture and capabilities plus open standards, you start to get more control over your destiny.
From the non-technical side, I think it ultimately comes back to empathy. We’ve already spoken about how empathy is most important for our Product Managers to be able to see their product through the lens of their partners and stakeholders. But even on the developers’ side, it’s about not being so narrowly focused on what’s immediately in front of me. It's being able to see the bigger picture and understand the impact that what I'm doing has on people around me and then making sure it’s designed and implemented in a way that is going to be acceptable to and usable by them.”
What does Identity Management mean for people outside of the cybersecurity community? And how can consumers be more mindful of their own digital security? What steps would you recommend people take in order to be better informed about this in their daily lives?
“From a consumer perspective, I think there are two core areas to consider. The first is about password security. Never reuse a password. I always suggest using a password manager in your personal life to make it easier to use unique, strong, and secure passwords across every site. The second is about using multi-factor authentication. Always enable it when it’s available. It may be as simple as receiving a message to your phone or your inbox, or perhaps it’s using a mobile application on your phone. When given the option for biometrics or passkeys, I would absolutely take advantage of that. It's proven to be stronger and phishing resistant, which cannot be said about passwords and some of those other ways of authentication.”
Are there any examples of work being done at Target that you would highlight as great examples of successful identity management?
“I think it all starts with the basics. We’ve spent a lot of time ensuring that we have robust identity lifecycle and governance processes. We have an integration with our HR system, for example, which helps us to quickly onboard new team members with the base access they need to do their jobs as well as quickly offboard departing team members to ensure that their access is removed. We make sure that all of the accounts in the environment were obtained through a consistent process and are still necessary over time. Collectively, these capabilities help to ensure that our users have the right access to do their jobs.
We have also built a robust suite of access management capabilities. We have a large SSO environment and strive to get all of our internal and external applications integrated into it for a secure and consistent user experience. We leverage multi-factor authentication and work to promote strong password hygiene for our users. Our identity and access capabilities are integrated into the core of Target’s technology ecosystem, simplifying the onboarding and adoption processes for product and engineering teams across the organization.
Once you get the basics in place, then you can start innovating. For example, fingerprintID is one of the things that comes to mind first, as I shared earlier. It allows team members to log in to their corporate systems more quickly and easily than ever before, and in a way that is most secure for Target. This is a win-win for our teams.
Transporter is a solution we developed to support SSL certificate-based authentication and allows our engineers to securely log in to Linux servers without needing to use a shared account. It provides non-repudiation which delights our audit partners and enforces two-factor authentication which reduces security risk. It also works as a command-line interface which enables our engineers to continue working in a way that is already familiar to them.
myPOSID is something we rolled out last fall for our stores’ team members and allows them to log in to a point-of-sale system by using their handheld myDevice. Instead of entering credentials on a screen in front of a guest, they can log in to their myDevice and scan a bar code on the register to get authenticated almost instantly. This is faster for the team member, because it’s a scan-and-go experience versus entering 16 or more different digits to log in.”
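The answer above describes the lifecycle basics: an HR integration that provisions base access for new team members, removes access for departing ones, and confirms that every account was obtained through a consistent process and is still necessary. The following is an added example, not Target's integration or any code from the original post, of the reconciliation step that drives those actions: it compares a directory's accounts against an HR feed and reports joiners to provision, leavers to disable, orphan accounts with no HR record behind them, active accounts missing their department's baseline groups, and enabled accounts that have not been used within a review window. Every record, the department-to-group baseline, the field names and the review date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class HRRecord:
    employee_id: str
    name: str
    status: str              # "active" or "terminated" (assumed feed values)
    department: str


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]   # None when the account is not linked to a person
    enabled: bool
    last_login: Optional[date]
    groups: FrozenSet[str]


# Assumed baseline access per department (constructed, not a real policy).
BASELINE_GROUPS = {
    "engineering": {"all-staff", "eng-vpn", "git"},
    "stores": {"all-staff", "pos"},
}


def reconcile(hr_feed, accounts, today, stale_after=timedelta(days=90)):
    """Return the joiner/leaver/orphan/review actions implied by the two sources."""
    hr = {r.employee_id: r for r in hr_feed}
    by_employee = {a.employee_id: a for a in accounts if a.employee_id}
    actions = {"provision": [], "disable": [], "orphan": [], "stale": [], "missing_base": []}

    # Joiners and leavers are driven by the HR record, the authoritative source.
    for rec in hr_feed:
        acct = by_employee.get(rec.employee_id)
        if rec.status == "active" and acct is None:
            actions["provision"].append(rec.employee_id)
        elif rec.status == "terminated" and acct is not None and acct.enabled:
            actions["disable"].append(acct.username)

    # Every account must be explained by an HR record and still be in use.
    for acct in accounts:
        if acct.employee_id is None or acct.employee_id not in hr:
            actions["orphan"].append(acct.username)
            continue
        rec = hr[acct.employee_id]
        if not (acct.enabled and rec.status == "active"):
            continue
        missing = BASELINE_GROUPS.get(rec.department, set()) - set(acct.groups)
        if missing:
            actions["missing_base"].append((acct.username, sorted(missing)))
        if acct.last_login is None or today - acct.last_login > stale_after:
            actions["stale"].append(acct.username)
    return actions


# Constructed sample data; TODAY is fixed so the report is reproducible.
TODAY = date(2024, 1, 15)

SAMPLE_HR = [
    HRRecord("E100", "Ana", "active", "engineering"),
    HRRecord("E101", "Ben", "terminated", "engineering"),
    HRRecord("E102", "Cy", "active", "stores"),          # joiner with no account yet
    HRRecord("E103", "Dee", "active", "engineering"),
]

SAMPLE_ACCOUNTS = [
    Account("ana", "E100", True, TODAY - timedelta(days=3),
            frozenset({"all-staff", "eng-vpn", "git"})),
    Account("ben", "E101", True, TODAY - timedelta(days=10),
            frozenset({"all-staff", "eng-vpn", "git"})),           # leaver still enabled
    Account("dee", "E103", True, TODAY - timedelta(days=120),
            frozenset({"all-staff", "git"})),                      # unused, missing eng-vpn
    Account("svc-legacy", None, True, None, frozenset({"all-staff"})),  # no owner
    Account("old-contractor", "E999", True, TODAY - timedelta(days=1),
            frozenset({"all-staff"})),                             # no HR record
]


def sample_report():
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for action, items in sample_report().items():
        print(f"{action:13}: {items}")
```

Running it lists `E102` to provision, `ben` to disable, `svc-legacy` and `old-contractor` as orphans, and `dee` both as stale and as missing the `eng-vpn` baseline group. In a production feed the disable step would go through the same ticketed workflow as provisioning so that every change is traceable, and the orphan list is where shared or service accounts without a named owner surface for review.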
Interested in learning more, or getting hands-on experience in Identity Management? Target is always looking for Cybersecurity professionals to join our teams and contribute to this great work. Click here to explore available roles on our Cybersecurity team.