Root Insurance: Revolutionizing insurance by empowering its workforce

Root Insurance, founded in 2015, has emerged as a trailblazer in the insurance industry by leveraging cutting-edge technology and a customer-centric approach. Since its inception, Root Insurance has experienced remarkable growth, disrupting traditional insurance models with its innovative usage-based policies and personalized customer experiences. In October 2020, the company went public, further solidifying its position as a leader in the industry. With a rapidly expanding customer base and operations spanning more than 30 states, Root Insurance has become a trusted name for millions of drivers seeking affordable and tailored insurance coverage.

Root’s Identity team: Efficiently fueling the business

Root’s security organization is at the center of what keeps the innovative business securely scaling. The agile, remote Identity management team has a clear mandate to protect Root and its customers and to foster workforce productivity through simple and efficient access governance while upholding the highest standards of data protection and regulatory compliance. As part of that approach, Identity management engineer Chaz Millfelt places a strong emphasis on maintaining tight access controls, ensuring that employees only have access to the specific resources required for their job functions. 

In Millfelt’s view, lowering the barriers for Root’s workforce to access what they need is core to how the organization maintains least privilege: “If you create a great experience for people to request access only to the resources they need to do their job, inherently they'll have less risk than if access was going wild.”

Additionally, Chaz and his team partner with internal risk and compliance stakeholders to certify access to critical resources, ensuring that Root can meet compliance challenges as a publicly traded company. 

Since 2019, Root Insurance has partnered with Okta, harnessing the Workforce Identity Cloud to streamline lifecycle management processes and create easy and secure authentication experiences for its workforce of over 1,000 technologists and insurance claims specialists. As the company experienced significant growth during the pandemic, Root Insurance leveraged Okta's solution to automate and simplify employee onboarding and offboarding, ensuring a seamless and secure process as the business scaled. Relying on Workday as a Source enabled Root’s team to provision birthright access as part of onboarding, eliminating hours of manual work and enabling a growing business that was adding upwards of 70 employees a week at its peak.

Challenge: The manual processes stalling an agile team’s core priorities

Root has made Okta its Identity standard, taking advantage of over 200 integrations and strong multi-factor authentication to securely support its workforce’s access needs. These integrations span major technologies like RingCentral, Google Workspace, Slack, and custom-built applications tailored to the unique needs of Root's business. 

But as the company's workforce has expanded, Root's lean Identity team has reckoned with an onslaught of non-birthright access requests. With over 500 IT help desk tickets per month solely for access requests, Root faced the challenge of trying to parse employee requests and manager approvals on one system, while manually provisioning access on another. Aside from creating more manual processes, the separation of systems created information silos.

Those silos were particularly challenging in the face of access certification needs. Across 12 critical systems, Millfelt’s team had to rely on spreadsheets to compile user names along with their respective managers. Tagging managers in each resource spreadsheet became the method to seek approval for continued access for individual employees. Ensuring the right managers provided approvals for the correct employees proved to be a daunting task. Additionally, chasing down managers who hadn't provided their responses further complicated the process. As this labor-intensive process recurred every quarter, Root's resource-constrained team found themselves spending over 100 hours annually to meet compliance challenges, diverting focus from driving business agility and larger technology-centric outcomes.

“It was like herding cats. It was a nightmare to manage and to get right. And this happens quarterly for all of our financially relevant systems. It was eating up a ton of time and resources for us and for our GRC partners.” - Chaz Millfelt

Results: Unify governance with core access management

Root has been an early customer of Okta Identity Governance, and has used the bundled offering of Lifecycle Management, Workflows, and Access Governance to meet its compliance challenges in a scalable way and to find other automated solutions for its business.

Root has been able to transition almost all of its access certifications to Okta Identity Governance, cutting the time it takes to complete access certifications down from over two hours per resource to mere minutes.

Because Okta Identity Governance and access certifications are tied into Okta’s unified solution, Millfelt can configure certifications to directly pull an employee’s manager from Workday and automate recurring certifications. With Access Certifications, Root’s certification campaign response rate has shot up to over 90% and is still climbing, enabling Root’s security and governance teams to focus on more strategic priorities than chasing manager approvals, while also critically staying within compliance expectations.

Using Workflows, Root has automated its handling of deactivation events in Workday: a deactivation now automatically scans for and revokes SaaS app licensing, creates tickets for IT to track hardware, sends an email to some third parties to ensure access is removed from their systems, and transfers the departing employee’s meetings to their manager to avoid any abandoned meeting invites. Workflows helps eliminate manual tasks for Millfelt’s team and helps close potential security gaps across providers and resources.

Root plans to tap into Access Requests to help automate the 6,000 annual requests they receive, cutting down on service desk tickets and getting its workforce fully documented and reviewed access as quickly as possible.

Millfelt’s next set of priorities for Okta Identity Governance is focused on two upcoming capabilities: deeper and finer-grained governance for critical resources like cloud infrastructure, and bringing more access certifications capabilities to Slack to enhance user experience and decrease the turnaround time for certification campaign reviews.

Learn more about Okta Identity Governance and how it can benefit your organization here: https://www.okta.com/products/identity-governance/