FedEx: Connecting 340,000 employees to connect the world

A 70s startup with its roots in digital

When he founded FedEx back in 1973, Frederick W. Smith was already setting out to lead a digital transformation. He’s famous for saying, “The information about the package is as important as the package itself.” Legend has it that the idea for his iconic company came from a paper he wrote for an economics class at Yale, outlining how overnight delivery service could work in the computer age.

By 1980, FedEx was connecting drivers and sharing tracking information with customers by way of a nationwide wireless network tied into the company’s mainframe computer. By 1994 when websites were a novelty for most businesses, FedEx.com was already offering online tracking information.

FedEx customers have always expected and received high caliber service based on the latest digital technology, but over the years the company accumulated a wealth of legacy systems and mainframe applications, says Trey Ray, manager of cybersecurity for FedEx. Several years ago, CIO Rob Carter began an IT renewal initiative to modernize the company’s infrastructure.

That journey led to the CIO100 award-winning Cloud Dojo concept, a cross-organizational team of experts practicing and sharing modern development techniques at FedEx. “We use new development tools, such as Spring Boot, Spring Security, and Angular,” says Ray. “We also made an investment in the Cloud Foundry framework.”

Playing identity Whack-A-Mole

Developers, however, found obstacles on the security side of things. “We had spent 20 years spinning up best-of-breed identity and access management (IAM) point solutions,” he says. The company was running a VPN along with on-prem multi-factor authentication (MFA), on-prem federation, and on-prem web access management.

“It was a Whack-A-Mole game, from a security perspective,” says Pat O’Neil, cybersecurity fellow at FedEx. “Each one of those separate IAM solutions was an opportunity to get the configuration wrong.”

Ray agrees. “Although we made these things work together with baling wire and duct tape, the system presented a lot of friction for our software developers,” he says. “They were trying to do things in a modern fashion and having to marry it up with this legacy world.”

The “spaghetti diagram” that constituted FedEx’s IAM infrastructure created headaches and complexity for the rest of the FedEx team, as well. “A FedEx sales guy might have to enter his password five times to get productive in the morning,” says Ray.

In addition, the complex infrastructure limited the company to two identity stores, slowing down acquisition integrations. For a company focused on growing its business internationally and adding new services, that was a problem.

The search for an IAM solution

To solve for IAM, the FedEx cybersecurity team began scoping out identity as a service (IDaaS) solutions. “We read a lot of white papers, watched a lot of YouTube videos, talked to a lot of pundits, and narrowed the field down,” says Ray.

The team put out an RFI which helped to narrow the field even further. “FedEx takes its search for vendors very seriously and is known for being thorough—just ask our Okta sales engineers,” says Ray. FedEx chose Okta.

He outlines six reasons for choosing Okta:

• Interoperability with existing FedEx solutions. “Okta was able to integrate where we needed them to,” says Ray. “We’re a big VMware Workspace ONE shop, for example, and there’s tight integration between Okta and Workspace ONE."
• Ease of implementation. “The ability to use a single admin console to manage our work as security professionals instead of bouncing around in four or five different websites—that was important to us,” he says.
• API availability. “‘API First’ is one of our IT Renewal tenets,” says Ray. “Much of what you can do with the Okta admin console you can also do with APIs.”
• A wide range of MFA options. In addition to Okta Verify with Push, Okta supports hardware authenticators and modern authenticators, such as the FIDO Alliance’s Universal 2nd Factor (FIDO U2F), Yubikey, and WebAuthn.
• Universal Directory and the ability to easily aggregate identities from multiple user stores. “We’re a big company. We buy companies, so that means we have a lot of directories,” says Ray.
• Turnkey compatibility with key development applications, including Spring Boot, Spring Security, and Cloud Foundry.

Going beyond passwords with Zero Trust

As the FedEx cybersecurity team reviewed the company’s IAM infrastructure with the goal of simplifying and modernizing it, they also had in the back of their minds the broader goal of rolling out a Zero Trust security model.

“Compromised passwords are typically the first step in the data breach kill chain. It’s how an attacker gains initial access before moving laterally across the network looking to escalate privilege,” says Ray. “Passwords alone are no longer defendable or adequate for authenticating FedEx identities and protecting our digital assets.”

Rather than “trust, but verify,” a Zero Trust approach treats all network traffic, internal and external, as untrusted activity. For FedEx, that means verifying users and devices, evaluating each login situation in context, and using the results to tailor the sign-in experience according to the level of trust assigned to it.

The company’s identity provider is a big part of that Zero Trust strategy, says Ray, which is why choosing the right provider was so important. “The Okta Identity Cloud with the identity-as-a-service model, using Okta Universal Directory and Okta Single Sign-On was the solution for FedEx.”

Okta’s support of modern authentication protocols, such as SAML 2.0 and OpenID Connect means it can support FedEx apps, whether they be SaaS, cloud-native, or legacy applications.

The team is also taking advantage of Okta’s partnership with F5 to bridge the Zero Trust model to legacy on-prem applications. “The F5 BIG-IP Access Policy Manager (APM) performs protocol transformation using modern methods but still sends users back to legacy applications with all the headers or cookies that each application requires,” says Prashanth Karne, cybersecurity principal at FedEx. In this way, the team can secure all HTTP traffic to and from back-office applications without relying on a VPN.

Okta Adaptive Multi-Factor Authentication allows FedEx to add contextual verification requirements for users. The team is currently focused on Okta Verify, but uses older OATH hard tokens for some use cases and is also piloting modern authenticators, such as FIDO U2F, Yubikey, and WebAuthn.

“When I log into the Okta admin interface, I’m able to use Touch ID on my MacBook and it’s very low friction,” says Ray.

Device Trust is the next Zero Trust building block for FedEx—making sure that each device accessing company apps demonstrates a good security and compliance posture. Ray looks forward to exploring Okta Platform Services, which includes the ability to embed Okta on every device and deliver increased visibility, contextual access decisions, and consistent, passwordless user logins.

Using Okta, the FedEx cybersecurity team manages conditional access across the company from a single access policy engine that covers every application in the network. “That’s the brains of the thing,” says Ray. “It helps us tailor the sign-in experience—whether it’s password only, no password at all, or password plus MFA. The engine helps us build those policies and rules and make those access decisions.”

User behavior analytics comprises the final building block of the FedEx Zero Trust strategy. The team uses Splunk and machine learning techniques to mine the rich identity data they collect from Okta, using it to identify suspicious behavior and make proactive policy decisions.

Zero Trust: A case study

Interestingly enough, Zero Trust often relies on trusted relationships between multiple vendor technologies, and partner teams working together to provide enhanced verification capabilities. FedEx’s relationship with VMware, Okta, and Workday offers a good example.

FedEx does mobile device management with Workspace ONE and uses Workday as their human resources information system. When Workday announced that it was offering the ability to limit self-service access based upon device type, the FedEx cybersecurity team worked with Okta and VMware to set up routing rules to take advantage of that feature.

The flow involves a series of redirects so that Workspace ONE can check device status and Okta can relay that information back to Workday. Users with FedEx managed devices experience low-friction, passwordless access to their Workday information, while those using unmanaged devices get restricted access via username, password, and Okta Verify with Push.

Rapid deployment when it was most critical

In February 2020 when COVID-19 was bearing down on the United States, the FedEx team was still early in the process of integrating all their applications into Okta.

“Because of the increased work-at-home environment, we had to accelerate some of that work,” says Ray. Okta senior customer success manager Ryan Rudnitsky coordinated FedEx and Okta teams for the big push and sent hourly updates to FedEx management as things progressed.

“Over a 36-hour period, we moved Workday, Office 365, Webex, ServiceNow, Salesforce, Check Point VPN, and Zoom to Okta,” says Ray. Both teams stepped up in an extraordinary way, and got it done.

Ray credits much of his team’s success to good communication. Before they rolled out Okta to the company, they worked with the FedEx communications team to create an entire brand for the solution—“PurpleID”—along with a website, informational emails, frequently asked questions, and promotional videos showing users how to enroll in Okta Verify.

When talking to other security leaders who are putting together Zero Trust initiatives, he also recommends securing executive sponsorship. “If you don’t have buy-in all the way up to the CIO and the CISO, you might as well pack it up and stay in the truck,” he says.

Ray recommends dividing the project up into manageable phases. For FedEx it was SaaS apps, then cloud-native apps, and then legacy apps. Working closely with Okta was also important, and they utilized a third-party integrator for help with “some of the more gnarly things.”

One unified cloud for SaaS, on-prem, and cloud-native apps

The results have been well worth it. The FedEx team is making good progress in decommissioning legacy IAM solutions and integrating their approximately 250 SaaS apps, 500+ on-prem apps, and 400+ cloud-native apps into their Okta solution.

“The nirvana for us is being able to flex our applications into consumption and hybrid situations like colocation or even public clouds to be able to handle volume surges, which can be a challenge in our business,” says O’Neil.

“Now with this model,” he says, “we have one place where we can validate our security posture. Dev teams now have just one token to worry about. They do authentication and authorization in a consistent way no matter where they’re deployed.”

The team is also in a position when presented with M&A activity, using a lightweight on-prem agent approach to aggregate identity stores into Okta Universal Directory. That strategy helps them integrate new companies much more quickly.

With one cloud-native platform covering SaaS apps, cloud-native apps, and legacy apps—and one unified directory for the entire FedEx workforce—everyone can log in and get to work with less friction and less fuss. At the same time, the company’s comprehensive Zero Trust strategy means FedEx data and applications grow more secure all the time.

About FedEx

FedEx Corp. provides customers and businesses worldwide with a broad portfolio of transportation, e-commerce, and business services. With annual revenue of $70 billion, the company offers integrated business solutions through operating companies competing collectively and managed collaboratively under the FedEx brand. Consistently ranked among the world’s most admired and trusted employers, FedEx inspires its more than 475,000 team members to remain focused on safety, the highest ethical and professional standards, and the needs of their customers and communities.