Merz: Prescribing a leading-edge IAM for frictionless and secure customer care

Friedrich Merz founded Merz in Frankfurt, Germany in 1908. Invention and innovation have been at the core of everything Merz does ever since and it has expanded to deliver a wide range of products from dermal fillers to cold baths and treatments for neurological movement disorders.

Today, Merz is a global enterprise with more than 4,000 employees and a presence in 28 countries. Merz has three businesses: Merz Aesthetics, Merz Therapeutics and Merz LifeCare, which all help people ‘live better, feel better and look better.’

Still a family-owned business, Merz attributes its long-term success to its continued willingness to innovate and its unshakable focus on its customers’ needs. “From a technology point of view, we are always looking to improve. But the most important thing is that we provide our customers with the most well-rounded service, and the highest standards of security,” says Nima Attarzadeh, Senior Manager of Identity & Digital Services at Merz. 

Providing optimal security for customer data

In 2017, this drive to constantly improve the customer experience and secure their medical data led Merz to embark on an ambitious digital transformation strategy. At the time, Merz’s services were spread across multiple platforms due to the company having acquired multiple companies in different countries, so there was a need to harmonise and optimise the IT services.

“We had multiple instances, multiple platforms, and multiple sign-ons,” says Attarzadeh.  “This was challenging to manage internally and customers potentially had to deal with different experiences at Merz.”

This lack of centralisation led to a growing burden of operations management on the Merz IT team, which was maintaining customer identities in multiple places. But, Merz’s customers could rest assured that their data remained secured to the highest levels as its IT team worked towards Okta’s Zero Trust model. 

Merz’s Zero Trust strategy is rooted in Identity and access management 

Seeking a solution to support its top-quality services with a modernised infrastructure optimised for ease of use and security, Merz reached out to Okta. Choosing identity and access management as the foundation for its Zero Trust strategy, Merz partnered with Okta to protect its clients’ data and credentials, while enabling its workforce to better manage access for all apps with centralised access controls and policies.

Merz honed in on identity and access management as a key driver for its strategy for expanding all three of its business areas of aesthetics, therapeutics, and consumer care. “The different parts of the business might grow in different ways, but there will always be key factors in common across the business: trust, innovation, data security, and a positive user journey,” explains Attarzadeh. “From a technology point of view, identities are our most valuable assets. They are how we interact with users. We needed to ensure that the right identities have the right access to the right tools.”

After evaluating a range of options, Merz chose to partner with Okta for its digital transformation because of Okta’s trusted security products, competitive pricing, and global presence. These factors make a compelling package for the Merz team because it aligns with its long-term strategy. And, by leveraging a range of Okta products to build out its customer portal, Merz deployed a smoother, more intuitive experience for customers without compromising on security. The Merz team opted for Universal Directory, Single Sign-On (SSO), Adaptive Multi-Factor Authentication (MFA), Lifecycle Management, and API Access Management to bring this vision to life.  

“Using our services before Okta, our customers would potentially have to create multiple accounts to log in to multiple platforms,” says Attarzadeh. “Now, customers can access all our services through one portal using Single Sign-On. With self-serve password resets, they don’t depend on IT support to access what they need, and with Multi-Factor Authentication rolled out globally, they get a better service that is also secure. ” 

Merz’s customers now access all services via a single sign-on

Once the customer portal had been successfully completed, Merz turned its attention to its employees with Okta’s range of Workforce Identity Cloud products, beginning with Universal Directory and SSO. These help employees, customers, and partners access central and strategic services, while Merz manages their identities from a central location.

Because SSO enables self-service password resets, IT support tickets have been greatly reduced. This has increased productivity for users who no longer risk being locked out of their accounts, while freeing up the IT service desk to focus on other tasks. “Having Okta as a single source of truth for user identities makes it easier for us to have a clear view of who is signing in to what, so we can provide state-of-the-art security alongside a better customer experience,” says Attarzadeh.

More than 200 apps connected via the Okta Integration Network

Merz further streamlined its operations by connecting more than 200 apps via the Okta Integration Network and using Lifecycle Management to automate certain identity-centric processes, such as the provisioning and de-provisioning of applications for users joining or leaving the company. The integration also helps Merz speed up deployment processes and save on connector maintenance costs with Okta’s pre-built integrations. In addition to these cost savings, with Universal Directory, Merz has eliminated its dependency on Active Directory Federation Services (ADFS), significantly reducing hardware and maintenance costs.

With the Okta Integration Network, API Access Management, and Lifecycle Management, Merz makes it easier than ever for its employees to access their most valued tools, such as Salesforce and Microsoft 365, through a centralised dashboard, regardless of the device being used. 

“Okta pulls a lot of great features into one place for us,” says Attarzadeh. “It provides a unified sign-on experience, improves security, and gives us a centralised place to manage our identities in the cloud.” 

The road to GxP compliance and a Zero Trust security model

To deliver the highest levels of service to its customers, Merz requires the same from its partners. Choosing the Customer Success and Support package gave the company access to enhanced levels of support from Okta, including a dedicated Customer Success Manager who regularly meets with Attarzadeh and his team. The package helps to ensure not only that Merz successfully integrates Okta’s products into its new identity infrastructure, but also that Merz is always at the forefront of new Okta developments and able to rapidly implement improvements. 

With strong support from Okta’s security and compliance team and a dedicated customer success manager, Merz is now pursuing one of its most ambitious objectives yet: compliance with the US Food and Drug Administration’s Good Practice (GxP) guidelines. Merz needs this in place because as soon as it is working with patients’ data or data that can impact products, it must ensure that the involved services are qualified and validated. Merz has finalised its GxP validation for Okta SSO, which allows it to also utilise GxP relevant Systems via Okta – ensuring that its services meet the industry standards of safety and quality globally. 

For much of 2020, Merz worked closely with the Okta team to provide the necessary technological framework and documentation to satisfy the GxP regulations. This meticulous work is now completed. 

Meeting GxP requirements with Okta

“The GxP validation process for pharmaceuticals is a very demanding one,” explains Attarzadeh. “Okta has been essential in helping us understand the technical requirements and providing the necessary technology framework that will set us on the path to full compliance. In fact, the GxP validation has broken new ground not only for Merz but also for Okta, which can spread the benefits out among its customers. It’s been one of the highlights of our partnership.”

Partnering with Okta also means that Merz gains access to the wider community of Okta’s customers. “It’s really useful sometimes to have non-commercial discussions with peers and get a sense of how they use the Okta tools for their own purposes,” says Attarzadeh. 

After GxP validation, Merz has continued to work on improving its platform. The company is now using a lot of workflows that help with security and automation. Merz is also planning to use advanced Lifecycle Management features to automate as much of its employees’ workflows as possible for improved efficiency, transparency, and consistency. Meanwhile, customers can rest assured that their data is secured to the highest levels as Merz’s IT team works with Okta towards a Zero Trust model. 

“I believe that identity is our most central and strategic asset,” says Attarzadeh. “Okta is an essential partner in protecting our identity platform and building customer initiatives around it. I’m very happy about our partnership and collaboration.” Florian Strempel, Group Head of IT Security at Merz, agrees: “We always found a quick solution for our challenges when working with Okta.”