Customer Solution Case Study
/ Hotelier Prepares for Rapid Move to Cloud with New Identity Management Solution
Overview
Country or Region:United States
Industry:Retail—Hospitality
Customer Profile
Hyatt is a global hospitality company with 451 hotel and resort properties in 43 countries. It is based in Chicago, Illinois, and employs 106,000 people worldwide.
Business Situation
Hyatt needed to consolidate its Active Directory structure, automate identity-related tasks, and simplify system audits to prepare for its migration to Microsoft Office 365.
Solution
Hyatt deployed Microsoft Forefront Identity Manager 2010 to centralize and automate identity credential management needed for the cloud migration.
Benefits
- Migration of 1,000 user credentials a day to cloud
- Day-one employee productivity
- IT time freed for new projects
- Lower support, licensing costs
- Faster audit compliance
Michael Blake, Chief Information Officer, Hyatt
Hyatt was preparing to migrate its 70,000 information workers to Microsoft Office 365for cloud-based email and collaboration. It first needed to consolidate its Active Directory Domain Services and automate user-credential management. Hyatt worked with identity and access management specialist FishNet Security to reorganize its directory structure, deploy Microsoft Forefront Identity Manager 2010, and create a centralized identity and access management portal. Thanks to the cleanup of the directory service and automated efficiencies, Hyatt was able to migrate as many as 1,000 employees a day to the cloud service and has achieved “day-one productivity” for new employees, granting them access to needed applications on their first day of work. The IT staff has more time to spend on revenue-producing projects, and Hyatt can complete audits in one-sixth the time.
Situation
Hyatt is a global hospitality company whose name is synonymous with quality, comfort, and service. Hyatt and its franchise partners operate hotels and resorts under the Hyatt, Park Hyatt, Andaz, Grand Hyatt, Hyatt Regency, Hyatt Place, and Hyatt Summerfield Suites brand names. As of March 31, 2011, the company’s worldwide portfolio consisted of 451 properties in 43 countries on six continents. Hyatt employs 106,000 people.
Unify Operations
As Hyatt expanded its global footprint between 2005 and 2009, it bifurcated into two organizations, focused on the US and international markets. The two sides of the business ran independently, with employee email addresses even having different email domains. However, the decentralized structure bred expensive redundancies, and management wanted to trim costs and also achieve greater consistency in the tools employees used and procedures they followed.
In mid-2009, Hyatt went public, which accelerated management’s goal to unify the company. Hyatt merged the management structure of its two businesses and asked all departments to work on consolidating and simplifying policies, procedures, and tools.
Hyatt Chief Information Officer Michael Blake wanted to extend the unification strategy to the company’s technology, giving all employees a consistent set of tools for doing their jobs effectively. One of the key technology unification projects that Hyatt decided to launch, in mid-2010, involved the migration of its companywide email messaging infrastructure from IBM Lotus Notes to the Microsoft Business Productivity Online Standard Suite, later renamed Microsoft Office 365. For organizations of all sizes, Microsoft Office 365 unites familiar Microsoft Office applications with the power of Microsoft Exchange Online, SharePoint Online, and Lync Online into one connected, online solution.
“From a strategic standpoint, cloud computing makes sense for Hyatt,” says Blake. “We’re very thin at the top in terms of executive management. We outsource application hosting wherever we can, and we have a very lean core IT staff, using contractors for many tasks. With cloud computing, we can put subject matter experts in charge of key applications so that we don’t have to manage those applications ourselves. It reduces our capital and staffing costs.”
Consolidate and Automate
Before Hyatt could migrate 70,000 information workers to the cloud, it needed to clean up the Windows Server 2008 R2 Active Directory Domain Services directory service structure. The company had hundreds of Active Directory user domains with no centralized management structure. “Even though we used Active Directory as our global directory service, we had to synchronize Active Directory with four separate human resources applications, and we used our legacy identity management platform to separately manage access to our reservation system,” says Steve Lieberman, Product Line Lead for Identity and Access Management at Hyatt. “Nothing was unified or integrated, and IT managers at each hotel property were responsible for provisioning and deprovisioning users with application credentials. Depending on how busy these people were, it could take days for new employees to gain access to the applications they needed.”
Migrating tens of thousands of email accounts to Office 365 would require automated efficiencies that Hyatt did not have. “Once we consolidated and centralized our domain structure, we would need an automated system for managing it,” Lieberman says. “Additionally, Hyatt would need to maintain a dual email infrastructure during the phased migration to Office 365.”
Simplify Audits
Hyatt had another motivation for consolidating its Active Directory infrastructure: better compliance with audits that would be required of it as a public company. “We needed to be able to audit employee access rights on a quarterly basis, and it was impossible to do that in a decentralized environment,” Lieberman says. “Our audit team had to gather information from multiple business groups and properties, which was usually a six-week process.”
Solution
Hyatt decided to deploy Microsoft Forefront Identity Manager 2010 to gain centralized management and automated efficiencies related to handling identities, credentials, and identity-based access policies in its environment. By using Forefront Identity Manager, Hyatt would also be able to empower employees with the ability to reset their own passwords and manage routine aspects of identity and access.
“I wanted every application to be authenticated under a single platform, and Forefront Identity Manager provided a single place to manage identities across a broad range of operating systems, email and collaboration tools, databases, directories, and applications,” Blake says.
Hyatt engaged FishNet Security, a member of the Microsoft Partner Network with Gold competencies in identity and access management (IAM), to help with its strategic approach to cloud readiness and directory service consolidation. FishNet Security worked with Hyatt to develop an IAM roadmap that would enable the immediate cloud migration and support the ongoing mail coexistence infrastructure. As a trusted advisor to Hyatt, FishNet Security helped build a three-phase program to address the immediate cloud migration needs, but also established the foundation to enable future cloud application adoption.
Phase 1: Mature Infrastructure and Processes to Support Cloud Readiness
Hyatt recognized the need to first mature its internal process and platforms and automate user management functions before proceeding with the migration to Exchange Online. From August to November 2010, Hyatt worked closely with FishNet Security to aggregate and link multiple human resource (HR) systems to an enterprise directory based on Active Directory. It also collapsed multiple global Active Directory domains into a single forest to support the cloud synchronization service.
By using the Forefront Identity Manager 2010 portal, FishNet Security enabled e-provisioning of new users from the aggregated HR systems to the hybrid application infrastructure of Lotus Notes and Active Directory (used for Exchange Online). Hyatt was also able to use Forefront Identity Manager to centralize and automate email distribution list management, based upon authoritative data from the HR platform, which further enhanced corporate communication processes.
Phase 2: Empower End Users, Automate and Standardize Management
Building on the success of Phase 1, Hyatt and FishNet Security began Phase 2, in November 2010, to further extend Forefront Identity Manager to support an improved user experience and additional automation. During this phase, Hyatt and FishNet Security broadened Forefront Identity Manager portal access to hotel IT managers, who were able to use it to provision and deprovision new non-employees (contractors) and create and manage security and distribution groups.
After six months of cloud-readiness work with hotel IT managers, Hyatt started migrating employees to Office 365 in April 2011. By using Forefront Identity Manager, Hyatt was able to migrate as many as 1,000 users a day to the Microsoft cloud service. As of June 2011, Hyatt had migrated 6,000 employees and was gathering user feedback before proceeding to the remaining 100,000 employees.
Also during Phase 2, Hyatt replaced the legacy identity management platform with Forefront Identity Manager for the purpose of managing access to the hotel’s central reservation system, its primary revenue-generating application. The corporate IT staff gained the ability to manage identities more effectively through the Forefront Identity Manager administrative console rather than jumping between multiple access and reservation applications.
By adopting Forefront Identity Manager, Hyatt was able to eliminate the mail management tools within Lotus Notes and automate those processes through the Forefront Identity Manager portal. “We outsource our help desk, and Forefront Identity Manager helps us isolate support staff members into certain categories,” Lieberman says. “Instead of giving them access to everything, we can give them authorization to do certain tasks such as create new accounts for contractors or add employees to certain security groups. Also, they’re able to perform these help-desk activities from within the portal rather than jumping between applications.”
Phase 3: Empower Information Workers and Support Day-One Provisioning
Phase 3gave employees direct access to the Forefront Identity Manager portal so that they could perform self-service password resets, create email distribution groups, and self-serve group management and membership. Through the portal, employees can also update their profile, search for coworkers, and request access to applications.
Also during Phase 3, Hyatt plans to improve visibility to audit data by using the identity and access management data in Forefront Identity Manager to create customized reports by using Microsoft SQL Server 2008 Reporting Services.
Benefits
By strategically preparing its identity and access management system before moving to the cloud, Hyatt was able to quickly and painlessly migrate thousands of email accounts from an on-premises to a cloud-based solution. It was also able to achieve “day one” employee productivity, free up time for its IT staff, reduce support costs, and improve audit compliance.
Migrate 1,000 Employees a Day to the Cloud
Thanks to a well-orchestrated access and identity management system adoption guided by FishNet Security and anchored by Forefront Identity Manager, Hyatt was able to migrate to Office 365 with a 97 percent success rate. “Achieving a 97 percent success rate for a cloud migration is unheard of for an organization as large as Hyatt,” Blake says. “The 3 percent failure was user error. There’s no way we could have managed the migration without Forefront Identity Manager, which made sure that all the user information was input correctly according to Active Directory data.”
By using Forefront Identity Manager, the Hyatt IT staff was able to automate the process of migrating existing email account data into Exchange Online. With Forefront Identity Manager, the Hyatt IT staff can assign new email account creation to the HR staff. “In the past, new employees were brought on board by the HR staff, which would pass their names on to local hotel IT support teams for email account creation,” says Lieberman. “With Forefront Identity Manager, when a new employee is added to the HR system, it asks if they need an email account. If they do, Forefront Identity Manager automatically creates one for them in Active Directory. This automation puts us far ahead of where we were six months ago.”
Provide Day-One Employee Productivity
This abbreviation of the new-employee onboarding process means that Hyatt has been able to achieve its goal of “day-one productivity.” “Day-one productivity is important for a company as large as Hyatt and growing as fast as Hyatt,” Blake says. As Hyatt expands its use of Forefront Identity Manager, it will add employee self-provisioning for even more applications, and replace paper request forms for certain kinds of IT support with online requests submitted over the Forefront Identity Manager portal.
“We’ll do the same for email traffic,” Lieberman says. “Opening up portal use will allow self-service requests for distribution list access rather than handling these over email. A list owner will receive email notification that someone is requesting access to a list, and the list owner can approve or reject the request from within the email message.”
Free IT Time for Revenue-Producing Projects
Automating application access requests has unloaded IT staff members of routine work, freeing them for higher-value activities. “All the paper-based processes for requesting employee and contractor accounts will be replaced with online requests,” Lieberman says. “The process of onboarding a contractor used to be extremely time-consuming, requiring three hours of paperwork plus a series of approvals. Using the Forefront Identity Manager portal is saving at least a day’s effort per user request. Now I can focus on my job, which is leading the identity and access management program, rather than dealing with paperwork.”
Blake adds, “Forefront Identity Manager is enabling us to focus on managing our hotels and making operations smoother, better, and faster. We have more time to focus on enhancing applications that drive revenue and customer preference.”
Lower Support and Licensing Costs
Hyatt also anticipates a reduction in its contract help-desk costs as it empowers employees to take care of their own password resets, distribution list management, and security group management. Not only will Hyatt require fewer help-desk technicians, but also those whom it does require will be focused on resolving more important issues than password resets. By adopting Forefront Identity Manager, Hyatt will also save ongoing maintenance and support cost associated with previous identity and mail management tools.
Deliver Better, Faster Audit Compliance
With its consolidated access and identity management system, Hyatt is also better able to comply with the audits required of it as a public company. “Today, audits take less than one week versus the six weeks required before,” Lieberman says. “Our audit staff only has to go to one place to gather needed data, and it gets higher quality information from Forefront Identity Manager, since smaller properties just couldn’t provide some of the needed information. As we tie more applications into Active Directory, we’ll be able to make Forefront Identity Manager the go-to location for any audit request.”
Windows Server 2008 R2
Windows Server 2008 R2 is a multipurpose operating system designed to increase the reliability and flexibility of your server and private cloud infrastructure, helping you to save time and reduce costs. It provides you with powerful tools to react to business needs faster than ever before with greater control and confidence. For more information, visit: