CONA Services sweetens identity management in IT services for Coca-Cola bottlers

CONA Services operates and supports IT business applications for 12 of the largest independently owned Coca-Cola bottling companies in North America. Because CONA provides IT support, bottlers can concentrate on distributing Coca-Cola products rather than duplicating IT administration and systems. But siloed identity management made guest access difficult and gave rise to protracted support cycles for bottlers’ employees who needed to reset multifactor authentication for new devices. It also increased the risk of process breakdowns and made extra work for CONA Services and the respective bottler IT departments. After rolling out Microsoft Azure Active Directory to avoid duplicate effort, CONA has redeployed IT teams to more productive work, saved hundreds of hours, and strengthened user identity security.

“We’ve saved hundreds of hours in lost work time since rolling out cross-tenant access policies in Azure AD…. Now, we can focus on other security initiatives and help with new systems that can further the business.”

Karthik Cherukuru, Identity and Access Developer and Analyst, CONA Services

Few people sipping a refreshing Coca-Cola beverage pause to reflect on the vast data infrastructure that ensures a reliable, nearby source for those cold drinks. The Coca-Cola Company has more than 500 brands and 3,200 kinds of beverages sold in over 200 countries and territories around the globe. To make such large-scale product distribution easier, the beverage manufacturer implemented a system of local bottling companies strategically located near its biggest markets.

CONA Services LLC (Coke One North America) delivers IT services to the Coca-Cola bottling companies in North America, providing cutting-edge solutions and common business applications in a model that allows bottlers to avoid reinventing the wheel. But that distributed structure became a disadvantage when CONA needed to secure internet-facing applications with multifactor authentication, and resetting multifactor authentication became cumbersome and frustrating for everyone. CONA adopted Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra, and used cross-tenant access policies to simplify the process and heighten security for the bottling companies while giving them a far better user experience and saving time and support costs.

Delivering B2B technology services that flavor customer interactions

CONA Services originated as part of Coke One, a worldwide program launched by a consortium of 10 international Coca-Cola franchise bottlers that pooled their resources to optimize costs and avoid duplicating IT investments. That venture’s success led to the creation of CONA Services and its subsequent foundation as an independent company in 2016 to support 12 bottlers across the United States and Canada. Now supporting more than 500 bottling locations in North America, CONA processes over $24 billion USD in revenue every year. It delivers a common IT platform for bottling companies, offering hundreds of applications that include the core business apps each bottler needs.

While the bottling companies still run their own local networks and devices and handle Microsoft 365 support, CONA Services takes care of the business applications that form the collective information backbone for the bottlers. “Having a common business process across the North American footprint of all Coca-Cola bottlers gives our biggest customers—large retail grocery chains and hospitality customers—a common entry point into interacting with our bottlers,” says Sean Campbell, Senior Director of Risk, Compliance, and Cyber Security at CONA Services. “And sister organizations within the Coca-Cola system also use our systems, so we influence the user experience for thousands of people who might never have heard of CONA.”


Elevating identity management with the CONA 2.0 program

To counter the inefficiencies of on-premises systems and bring added functionality, CONA Services began an organization-wide systems initiative in 2018. Its CONA 2.0 program was a portfolio of projects aimed at migrating from a mostly on-premises landscape to a cloud-dominant hybrid environment. The company wanted to make the most of agile methodologies and feature-rich software as a service (SaaS) applications while also providing an internet-facing, mobile-ready user experience. That transformation made CONA one of the largest single-instance SaaS environments in the world.

To enable this transition, CONA decided to take advantage of Azure AD, and specifically, B2B guest user features. This allows bottlers to use their own IDs from their home tenants to access applications in the CONA portfolio. “We can use B2B guest features in Azure AD within the bottling companies’ tenants and then deploy all the applications as needed, which provides users with the access they need faster and easier,” says Campbell. “That was a big factor in our decision to use Azure AD as our cloud directory for these applications.”


Struggling to deliver multifactor authentication

SaaS deployments come with risk, and CONA wanted to make sure that every user who accesses a SaaS application is protected with multifactor authentication. In early 2020, CONA gave bottlers the news that it would require Azure AD multifactor authentication registration for all users in April 2020. “Our business applications were largely on-premises until 2019, and we didn’t have a large SaaS footprint then,” explains Campbell. Bottling company employees previously accessed on-premises apps with local credentials or Active Directory Federation Services, which simplified management across multiple bottling companies. But CONA Services found that the setup couldn’t enable multifactor authentication.

The company decided to use Azure AD for its upcoming deployment of major SaaS applications. “This gave us a pathway to multifactor authentication and the ability to use B2B guest features,” says Campbell. “However, it created a need for multiple multifactor authentication registrations.” If bottlers also enabled multifactor authentication for their environments, new employees had to register for it both with their company tenant and with the CONA tenant, creating frustration for users and a complicated support scenario for IT. That frustration worried CONA. Additionally, it wanted to direct IT time toward more value-added work, but the hundreds of access-related help desk tickets it received every month confined its skilled workers to repetitive, time-consuming tasks.

Karthik Cherukuru, Identity and Access Developer and Analyst at CONA Services, is part of the team that provides access for bottler users like the sales associates and delivery drivers who distribute Coca-Cola products all over North America. Those users can’t function without systems access to perform operations like entering orders or completing deliveries. Cherukuru experienced their exasperation firsthand whenever he helped users who upgraded their mobile devices. “In some cases, resetting multifactor authentication for a new device would take about four days,” he says. “That was partly because the support ticket took two days to get to us from the guest user’s tenant. It was very painful for everyone.”

That pain had far-reaching impact. “Our bottlers’ products can’t be sold and delivered if users can’t access the system,” explains Andreea Ursu, Director of Identity and Access Management at CONA Services. “Our team could work with them to ensure access, but when bottlers encounter that kind of difficulty, it damages their confidence in us and can undermine our efforts to deliver highly secure solutions.” That loss in confidence threatens the goodwill on which CONA Services had been built and creates the risk of bottlers losing business.

With security as the cornerstone of everything it does, CONA made it a top priority to better manage user identities for both the bottlers’ employee and guest accounts. But the company lacked a good way to verify that reset requests came from its bottlers’ users, which introduced another risk. And with its large customer base’s need for always-on performance, the company also wanted to create a seamless user experience.

Support for multifactor authentication resets became a demanding job for Ursu’s team throughout major deployments and into the first days of 2022, with up to 1,500 support tickets per month. Assessing the features in Azure AD, the CONA Services IT team found strong incentive to hasten adoption.

The CONA Identity and Access Management team first set up administrative units, a mechanism that lets admins at the bottlers quickly take care of their own multifactor authentication requests without going through CONA. This worked well because it enabled these admins to determine in which tenant the issue existed and to take action with the user without opening a secondary CONA ticket. The team then set up cross-tenant access policies, a long-awaited feature, easing the transition for users with multifactor authentication rules that didn’t force them to register for multifactor authentication in the resource tenant. This enabled bottler users to have one multifactor authentication registration for their local and CONA applications. Now, B2B guest users seamlessly access applications across both tenants, significantly reducing user confusion and the need for admin intervention.

Help desk tickets decreased dramatically following the adoption. When cross-tenant access policies were fully deployed to all bottlers in July, multifactor authentication–related tickets dropped to 36, and monthly help requests are now in the single digits. The reason for that dramatic improvement is no mystery—users who need to reset their multifactor authentication registrations now have more options to self-recover, and if they’re still stuck, they only have to open a single ticket on their home tenant.

That simplicity has created change throughout the entire CONA network and the companies it supports. “We’ve saved hundreds of hours in lost work time since rolling out cross-tenant access policies in Azure AD,” says Campbell. Adds Cherukuru, “The reduction of support tickets every month from hundreds to single digits is a great win for our team. Now, we can focus on other security initiatives and help with new systems that can further the business.” All 85,000 CONA users are now required to use multifactor authentication with Azure AD, accessing 158 enterprise applications with a frequency of about 2 million monthly sign-ins.

Doing more with less, empowering North American bottling companies

Campbell appreciates the efficiency of a connected set of Microsoft solutions. “We enjoy all the benefits of our relationship with Microsoft and use its solutions to cover many of our business, productivity, and security needs,” he says. “Our bottlers use Microsoft 365 and other Microsoft solutions, so adopting Azure AD as our primary cloud directory was our avenue to bring guest users into a common resource tenant. That enhances our ability to use single-tenant applications across multiple legal entities.”

The new identity policies are sparking vigor in the CONA Services IT department. “Our team is learning so many new things because we have the time to attend Microsoft learning sessions,” says Cherukuru. “By using cross-tenant access policies, we’ve made it possible to repurpose our support team to bring new value to our customers.” Campbell reflects on the changes that have rippled through CONA and all the companies it supports. “Everyone is starting to see overall benefits,” he says. “From a user experience perspective, there are even more advantages.” With less focus now on mundane tasks like responding to help desk tickets, the team can focus more time on meaningful research on new innovations. He hopes to bring passwordless ease to bottlers and B2B guest users for even greater convenience. But security-focused CONA prizes the safety gains most. “We’ve freed so many hours through our Azure Active Directory adoption,” concludes Campbell. “Most of all, we’ve enhanced security by reducing complexity, and we’ve set the stage for our next steps in user experience improvements.”
