In this webinar, leaders from AdventHealth’s IDM team, David Moosavifazel and Andrew Pagels, explain how they implemented a new approach to identity data management across human and non-human identities. Learn about the roadblocks they had to overcome and lessons learned in their journey to a more flexible, robust, secure, and future-proof identity management solution set.
My name is Wade Ellery. I’m the Field Chief Technology Officer at Radiant Logic, and I’m joined today by David Moosavifazel and Andrew Pagels from AdventHealth. They’re going to be giving a presentation today on From Complexity to AdventHealth’s Journey to Modern Identity Management.
Just to give you an introduction as to who our gentlemen are today presenting the information, David is a data-focused architect with a demonstrated history of working in the healthcare industry and is skilled in requirements analysis, system design, Base SAS, Extract Transform Load, and data mining. David holds a master’s degree in management business analytics track from the University of Central Florida. And Andrew holds a Bachelor of Administration Management and Information Systems from Andrews University and a Master’s in Science of Information Systems from Nova Southeastern University. He has held several additional roles at AdventHealth, including Enterprise Technical Architect. Andrew lives in the Orlando area, and is the Manager of Identity Management at AdventHealth.
Gentlemen, I’m looking forward to your presentation. I’m going to go ahead and turn the floor over to you and say thank you very much for joining us today.
Thanks, William. So welcome, everyone. Thanks for joining us today. We’re happy to share some of our journey with Radiant Logic. I’m David, I’m the Director of Identity and Domain Services here at AdventHealth, here with Andrew, who is the Manager of our Identity Management team.
So we’re going to start off by giving just a little bit of background around AdventHealth kind of as an organization. We’re across nine different states. We’re one of the largest hospital networks in the US. We manage about one hundred and eighty thousand different workforce identities. We just hit a hundred thousand employees, so that was a very big milestone for us as an organization. So we’re very excited about that. And then we have around thirty eight to forty thousand contingent workers that we manage as well as another additional forty thousand providers. So there’s quite a large population across Advent that we manage, and this adds some complexity by being a national corporation across all the different states in the US.
So we’ll kind of start with kind of the problem that we were facing here at AdventHealth. We had three kind of main things that we were trying to deal with whenever we were looking at modernizing our identity platform. Our existing platform basically got designed, created, architected fifteen years ago when we were about a quarter of the size that we are today. So we constantly under provisioned, under scaled. We weren’t able to move as fast as the business needed us to move. That product has changed hands many times, and there were no real new features or new functionality that were coming out with it. So it was one of the things that we constantly felt like we were behind the eight ball because our vendor wasn’t necessarily a partner with us.
Because of that, it also introduced a lot of technical debt. We’re very blessed here because we have a large group of developers that help us bridge gaps whenever some of the platforms in the past haven’t been able to either live up to their sales expectations or the functionality doesn’t exist or it’s too hard to manage. So when we wanted to move forward with a new design, we wanted to try to reduce technical debt as much as possible, reduce custom code, and try to take some of the risk out of our current identity platform.
The other thing that was really important is that lack of scalability. There was no amount of resources or processing that we could throw to fix some of the fundamental design issues that we were facing because of how the system was designed originally. It was never built to grow as quickly as Advent has decided to grow. So we had to make sure that whatever we were modernizing was able to grow at a much more rapid pace than we’ve ever been able to deal with in the past.
Some of the challenges. So one of the things that we’re going through as we grow at AdventHealth, we’ve also made the business decision to do the worst and the craziest thing in identity, replacing basically all of our upstreams and our core downstreams inside of three years, as well as replacing our identity platforms. So we’re right now on our journey to Workday as we move away from a legacy ERP system. We also changed our provider credentialing system this year that just went live. So those were some core things that we’re changing.
We also recently went live with Epic in the past three years. So changing all of those different upstream and downstreams have been a big burden on the team. So we wanted to make sure that we went with the right vendors to help support our vision for where our identity team should go. The other thing is AdventHealth is growing aggressively. Every time we turn around, there’s either an acquisition or opening a doctor’s office. So we need to be able to be flexible and deliver the business value at the speed of the business. And every time we get into a new acquisition or new markets, there’s definitely new complexities that we are asked to accommodate for almost every one of those new acquisitions.
Yeah. So I’ll talk about the solution. Right? So we kind of broke it up into three pillars: one, giving us the ability to have governance over all of the data that we store and house within our identity platform; two, the provisioning; and three, the overall management of the identity. I’ll kind of move from left to right on that.
From a governance perspective, it gives us greater assurance and auditing capabilities to understand where the data has come from from our upstream systems. One of the, kind of piggybacking off of what David said around the challenges, we have three different datasets, which to some they’re probably like, well, that’s not that complex. But it really is because we have different datasets that, from a user standpoint, we’re accounting for and being able to build that single identity record across all three systems.
It also gives us the control and complex control features that we really needed to ensure that as we start to share data out of the identity data management platform, we have that control and oversight. Around the provisioning, with Radiant Logic, it has really allowed us to simplify a lot of the things that we’ve done from a provisioning and IGA perspective that we’ll share here in a little bit through the simplification of the data model that we provide to the IGA platform.
It gives us better insight into what has been provisioned, what’s not been provisioned, as well as give us, the goal is what is and what should be. Right? And then like I mentioned, it gives us a single pane of glass with the three disparate sources of data for our nonemployee population or our contingent workers as well as our contracted providers and then our actual employees of AdventHealth. It gives us the ability to kind of control the plane across the identity spectrum, whether you’re a nonemployee or a volunteer and you’re an employee of AdventHealth. We can kind of keep your records unique and in sync across those product sets.
So this is kind of like the layered foundation of what we did from an identity data perspective. Really, RadiantOne being the foundation for our data in the system that we’re using to scale the model. It gives us better unified data. We can scale with the business. We don’t have guardrails and restrictions around what our legacy product used to provide us.
We’ve been able to simplify provisioning logic by utilizing Radiant to be that conduit for us. It gives us consistent reporting from an identity data perspective as well as helps us reduce technical debt, removing some of the customizations and work that we’ve done from a custom development perspective. And then lastly, I think the empowerment of the team.
I think one of the, I’d like to say probably the hero story, is one of our engineers being able to pick up the product and really run and scale with the product and figure out how to implement, make changes, improve processes, things like that in probably less than a year’s time has been probably the most foundational thing that we’ve seen come out of our journey with Radiant Logic.
I think one of the things that has really made a difference for us is with Radiant, it has lowered the barrier to entry for new people getting into the identity field. One of the things that we have found in the past is it’s really hard to find experienced people that have some sort of knowledge in the identity space. And being able to take someone that’s learning and willing to grow and throwing them into something like Radiant where it’s more configuration, it’s not as much development, has been huge.
You can learn that the product is stable. You’re not constantly worried about some of the things we’ve worried about in other products. One of the other core things for us is I feel like provisioning products come and go as they iterate through, but there’s a core value in understanding your identity data. So whether you use a SailPoint or a Saviynt, all of those products become easier to use if you understand and have a data management product to help support those things.
I think that that’s one of the things that we’ve run into with a lot of our other folks we know in the industry, that it’s so hard to use those tools for data management because they’re built for provisioning and they bolt on some sort of data management. Once we’re able to do a lot of that, it made a huge difference in our implementation of our provisioning and IGA product because it’s basically just there to move data for other things.
It has been a game changer for us to have something that enables us to easily put data together. So that way SailPoint or Saviynt can just do what they do best and not be focused on trying to also put together data from all of these sources. It’s not to say that they can’t do it. It’s just we’ve realized that being able to decouple those products allows us to have a little more flexibility in how we accomplish and deliver the services that we are trying to offer.
It allows us to prioritize the data, prioritize how we want to send data to different applications and systems. And so we can build the custom attributes or data models to suit the system need versus kind of having to rely on the IGA products to do all the above and try to do the provisioning.
That was definitely one of the big problems when we talk about our legacy systems, that people were scared to touch the system because not only was it trying to do data management, but it was also trying to do role provisioning. And so one mistake would immediately mean negative downstream impacts if a mistake is made.
One of the things that we’re also working towards from a Radiant perspective is testing scripts so that we can validate data when inputs meet the right outputs. And so we can validate our identity data before it even gets to the provisioning platform, and we can feel comfortable and confident that we’re sending the right information to the places that we expect it to be.
The other thing that Radiant is really focused on is helping us support where I think we, like everyone, are on a zero trust journey. Obviously, Radiant isn’t a product that is zero trust, but it’s helping us understand our users better. We have much more detailed, and we’re much more confident in the data we have about our users, so we can make better decisions about what they should and shouldn’t have access to.
Just because we have a more holistic picture about each user, in my mind, that’s been a huge change for us. Even things like helping support data integrity. So if we go to Workday, everyone’s job code changes, everyone’s departments change. Radiant really helps and supports us in making sure that we can migrate all of that data in a real easy way, that we’re not worried about having tons of legacy data like we had to deal with in our previous platforms.
One of the other things, just decoupling the data from the provisioning, is that to process data in our legacy systems, not even getting to the actual interaction for provisioning, would probably take us weeks, if not months, to process the level of data that is going to be changing as we move into Workday.
One of the things, especially this year, in this first quarter and almost second quarter, we’ve been able to move our entire organization’s provider scope from a legacy product to a new physician credentialing system in a matter of seven days just due to how that system processed. Whereas we could have essentially taken all that data right out of the system today and have it available today.
The accomplishments and the tooling here are really allowing us to accelerate and move things a lot faster than we would have historically been able to. One of the other things that I think that we don’t necessarily have on this slide, but it’s also been a great asset to us from Radiant, is that we have a really solid model to onboard sources.
As we need to onboard a new credentialing system, a new nonemployee system, a new HR system, we can set those things up much more quickly because of the model that Radiant has enabled us to build and support. So a lot of the worry around getting user data into one of our systems has been greatly reduced just based on the partnership that we’ve had with Radiant to build out something that is really scalable and flexible.
And I mean, the response times from a directory perspective have been great. We’ve been able to really leverage it. After we’ve done some tuning to the directory with the help of Radiant and their support folks, we are able to load large amounts of data very quickly and process it in ways we’ve never been able to do as an organization.
So there have been some really core business functions that we’re able to support that would be a much bigger issue to do in the past. To add, a lot of the things that we’ve historically seen, just because we have three disparate sources of systems to provision off of today, is that it allows us to also have the data cleanliness and hygiene that we need in order to ensure that provisioning is working the way we expect it to.
Whether it’s data validation to ensure that we don’t create an identity before we have all of the data that is needed to effectively take the steps needed to provision access or create an account or create an identity, the tooling within the product has really allowed us to put our best foot forward as we continue in our IGA and identity journey.
Alright. Let’s move on to some key takeaways. I think we’re all here for a reason. Identity data is an important factor in that. Historically, it’s been often overlooked. The things that we do from a provisioning and just an identity program perspective are hinged upon what identity data we have.
Where do we get the data from our systems? How do we interact with it? What do we send to the downstreams? Identity data is absolutely critical to an IAM program. It is the foundation. I know we all know that cliche term or phrase “garbage in, garbage out.”
We may get some garbage from some of the upstream systems, but we can put checks, put data validation in, put transformations in within Radiant to allow us and enable us to continue to move forward with the data that we get from these upstream systems or reject it so that we don’t continue to perpetuate issues in our provisioning products or other downstream systems that connect.
I see we have some questions. I see Brandon has asked, does your organization have a single source of truth for onboarding both employees and nonemployee populations? Is your HR system used to manage both employee types?
Yeah. So we do have two separate sources of truth for nonemployees. Employees are only in our HR system, and our nonemployees are managed in a separate nonemployer risk management product. And then, do you handle Epic SER? I’m not sure what HK is, but we are on the journey still of moving to Epic provisioning with our new IGA product.
We do have Epic SER, EMP, etcetera, on our legacy product, but we’ll be live with our new provisioning platform in July.
Excellent, gentlemen. I have a couple more questions of my own, if I can, to ask here. One, you mentioned earlier on, I think, the importance of identity to an IAM program. What was it originally that sparked your recognition for that?
Because for a long time in this industry that I’ve been in, identity has been sort of the redheaded stepchild of security and of business enablement. But now it’s really at the forefront. How did that transition happen for you guys? When did the light come on? If you can describe the epiphany, if there was one.
So I think one of the core things for me personally is that I have a strong background in data. And so it was very apparent to me very early on: if we don’t have clean data, we’re either constantly cleaning up bad data or trying to build workarounds for bad data. It always came back to data.
It always, I think, kind of shocked me that people didn’t necessarily associate identity with some level of data management just because it is the core and underlying foundation of everything identity, in my personal opinion. But I think that whenever you start to, as a practitioner, the more you get into the day to day, the more you realize you spend most of your time with data.
As you’re moving data, you’re cleaning data, you’re changing data, it’s a core skill set that you need to be really effective in this industry.
Excellent. Along that line, and what comes to mind for me, you’ve invested a lot in, like you said, cleaning up the data, garbage in, garbage out, or quality in, quality out. What processes have you been able to implement to ensure that the data stays clean? There’s get clean and there’s stay clean.
There are post processes to make sure that new inputs are done right and things are checked early. How have you been able to sort of stay ahead of the mess, not just regenerating itself?
We’ve been able to leverage a lot of the technical features within Radiant to build pipelines that automatically do the data validation for us.
Being able to prevent or essentially sideline those identities that don’t have the necessary information from the sources has really enabled us to safeguard our systems from having that lack of quality coming in and lack of quality coming out. A lot of the native functionality with pipelines allows you to build that feature set into what we’re doing.
And I think that’s one of the things too. We talked a little bit about having our folks be able to build those pipelines without being full on developers and understanding all of the .NET code in the world. It’s very restrictive, but we’re still able to get done and accomplish a lot of the core things that we need to have done and entrusting some of those folks to get that experience.
So honestly, I’ve been really proud of our team and watching them grow. We are very blessed to have a really strong team, but their ability to get up to speed with this quite quickly is really impressive.
Excellent. We had a couple more live questions come in too, so I’ll touch back on those. One says, I may have missed this, but are you using Radiant to provision accounts to other systems? If so, how many targets do you have? And I think you addressed that a little bit peripherally.
But yeah. We are not using Radiant as a provisioning engine at this time. We are considering options for our nonperson identities, mostly from a cost savings model as well as the fact that we don’t really need them in our IGA platform too much because there’s not much that we directly manage on the nonperson account side that requires us to do that.
And so we’re going to elect to leverage connections back to our Active Directory to manage that. And so Radiant does provision primarily; the main downstream from Radiant is our IGA platform, which then goes to all the other downstream sources, Epic, Workday, whatever those things might be. So it basically feeds directly to our IGA solution.
Excellent. And that’s a very common model we see: Radiant doing aggregation and then preparing the data so that the IGA system, like you said earlier, can focus on what it’s good at, do its access requests and provisioning logic.
Another question that came in: are you using Radiant Logic’s virtual directory? That goes back to the ability of Radiant to represent data in multiple views simultaneously to only make appropriate attributes available to the requesting systems. So are you filtering the data you’re delivering based on demand?
We didn’t really touch on this, but yes, absolutely. I feel better about what we share and who we share it with today than I’ve ever felt in the past. I know exactly what groups have access to what. We’re very thoughtful about whenever we create additional data views.
We are using a lot of the virtual processes in Radiant to share some of that. But it has been a game changer just from an information protection perspective. It’s one of the things that I’m ecstatic about. I just don’t know if people really like to hear about it.
But from my perspective, trying to manage any sort of LDAP or database or anything from those perspectives has been a challenge. Considering we deal with really sensitive data, this makes it a lot easier for us to keep track of who accesses what and when.
So yes, absolutely. It works fantastic. The speeds are great. We haven’t seen issues. We have hundreds of thousands of records in that system that get processed all the time, and it works really well.
Excellent. Another question here: are you enriching the HR user datasets from other sources before provisioning to downstream systems?
I would say yes. So we don’t use Radiant just as a virtual directory. We also have, well, it’s also a meta directory. And so we have different ways of enhancing data for things that we care about.
For example, if we need to know the last time someone logged in, we want to store that data inside of Radiant. We can pull all that in, and we have a separate HDAP that stores and holds all of that information, and it can help us make decisions in downstreams.
One of the things that we do is our preferred name, for example, is one that’s big for us because our contingent workers want to have preferred names, and our contingent worker system doesn’t store that. So we can store that in Radiant and then use that to send to the downstream system. So we’re absolutely using Radiant to enhance data from all of our upstreams, and we use that to get to those further downstream views, I would say.
Excellent. So you mentioned earlier, you touched a little bit on Zero Trust, that we’re all on a Zero Trust journey, and that’s music to my ears, because I started about five years ago asking everyone I ran into, Do you know what Zero Trust is? Are you doing Zero Trust? Are you on the Zero Trust journey?
For a couple of years, I would get a yes from the network segmentation folks, because they were out separating their network on a Zero Trust model, but the identity team was way later in the model. But it is now a journey towards a better, more secure, less standing privilege model in the platform. And you mentioned, I think, a little bit about how you’re using Radiant Logic there. I think the idea of it being that identity store where you can get the information you need to make the decisions at the decision point.
Are you moving towards more of a policy driven access control as you move down your Zero Trust journey?
I think it’s a combination of both policy as well as access driven in the sense of leveraging identity data to target the right populations of users to enforce whether it’s application-level security as well as what things a user can actually gain access to on the network, and using the identity data through our IGA platform to then feed all of that data back into our Zero Trust platform.
I think that the way I see it is that we fit into helping support that Zero Trust model. So we can then make sure that the other downstreams have either the information or the data that they need to perform the right actions at the right time. So supporting them to build that more policy driven information.
Because today, in our past, we haven’t been able to provide them data that I felt consistently good enough to lock people out of systems or enable people to get into systems. And so because we’re changing that, I feel a lot more comfortable in a position of saying, Hey downstreams, yes, you can trust the things that we’re doing. You can make these decisions that are real time. You can trust that we’re going to be doing the right things at the right time because we know more about our users than we ever have before.
One of the things that we’re also continuing to explore is how do we enrich that data further so that we can make even better decisions and provide that data back to those downstreams so they can tighten the controls or open the controls based on the things that we have from a data perspective.
Excellent. Couple more live questions here. Do you use RadiantOne for fine-grained and coarse-grained authorization or authentication? So are applications or access management platforms querying Radiant for that fine-grained or coarse-grained conversation too?
We use it a lot for accessing SAML assertions or things whenever we deal with SSO. That’s primarily what we’ve used it for for the LDAP functionality. I would say those are the core things that we use it for; as far as any sort of SaaS app that needs any sort of additional data, all of it comes from Radiant. That’s our source of truth for all of our IDP information.
And then, do you have an identity persona model? Persona is a word that we see in the healthcare industry because you have a lot of people who work in multiple roles. I may be a surgeon in the morning, a professor in the afternoon, and I may run my clinic on the weekends, and I want one identity and one login because I’m a surgeon and life should be about me. But you have all these different systems that are looking for a whole different persona when they show up.
Do you guys have that challenge in your organization? How are you addressing it so far?
Yeah. We absolutely do. One of the things that I love about Radiant is I think that we’re ahead of our data model, ahead of where current SaaS IGA vendors are.
For example, in our implementation, we have an easy way to send those personas anywhere we need to. The problem is most downstreams can’t handle all of that additional data yet. And so we have a pretty clear model as far as how we prioritize data in our personas. If you’re an employee, that gives different weight and value to things than if you’re a doctor, than it does if you’re a student or if you’re a volunteer.
But if you’re all of those things, one of the things that I love about Radiant is I think that we’re ahead of our data model relative to where current SaaS IGA vendors are.
My computer just shut down.
No. We can still hear you, though. We can’t see you.
Yeah. So it basically covers those for a lot of those different things.
Okay. Excellent. So you are able to manage the data context, format, and quality in Radiant, and then you let the role management be done inside the IGA platform, which is that story of “better together.” Let each platform do what it does best, and you’ll get the best results.
If I heard correctly in the beginning, you keep full-time and non-full-time employees in separate databases. Is that correct? And how do you handle transitions from contractor to full time? That’s a question we get a lot because there’s a lot of people who come on in one role and end up in another.
Yeah. We’ve worked very heavily. It’s not perfect. We work with our HR teams very closely to try to make sure we account for that as a part of the conversion process from nonemployee to employee and vice versa. That happens as well. Right? And so asking the right questions upfront, trying to get that level of certainty and data at that level, that’s one piece of it.
There’s other aspects of utilizing sensitive information like last four of social, date of birth, things like that, so we have some confidence level in matching across those systems because they are different. I think that also leads into your identity verification.
Yeah, and that’s another big thing that we’re looking to accomplish through our identity verification solution. By using that identity, that unique ID, every time we can with certainty know that it’s Bob Smith transitioning between nonemployee to employee or vice versa, or even from a provider, because there are three separate distinct sources.
Excellent. Good question here. Are you using Radiant’s SaaS version or on-premise deployment of your platform?
We are on prem.
Okay. Excellent. Do you have any plans in the future to go to SaaS? We offer both, so I didn’t know if it was on your roadmap. But I think with health care, you guys are very much a brick-and-mortar organization because you have hospitals. You can’t go totally virtual.
I don’t think we’ve looked much at the cloud offering just yet. We are definitely trying to become a more SaaS-first company. But for the things that we are doing and for where our SSO platforms exist today, it really didn’t make much sense for us to go full cloud with the product set.
Okay. Excellent. And then, how do you address the rehire scenario? Do you use previous or do you create a new identity record? So if I have worked there, do I always have an identity with you guys or do I get washed out?
That’s one of the beauties of what we’re doing from an identity data perspective, and we’ve elected to use that even previously in our identity platforms. But for whatever scenario you’re leaving and rejoining the company, we strive to ensure that you have the same identity record, utilizing the same username that you previously had. That’s one thing that we really strive for.
Excellent. Okay. Well, I think we’ve addressed all the open questions at the moment and everything that I had to add on. I really appreciate the effort and the time you spent sharing your platform with us and your modernization model and what you’ve done, the success you’ve had with that. I also really appreciate the engagement with the questions here. I think the second half of this webinar, with your back and forth, was an even richer set of information.
So on both sides, thank you very much. And David, I don’t see you on the screen, but I’ll wave and say thank you. And Andrew, I appreciate your time, your interest. Anyone that has any questions at all, definitely reach back to your account executive or directly to us at Radiant Logic. We’d be happy to talk to you more completely.
If you are going to be at Identiverse this year in Las Vegas in June, we will be there in force, so come by and see us. Keep your eyes open for the next set of webinars coming from Radiant. We’ll have more materials that we’ll be sharing and building this out.
Andrew and David, again, a great afternoon, and thank you both, gentlemen, for your time. Appreciate it. Thanks, everybody.