Byte-size Bulletins

How Lush's authentication update helped them make your data safer

Written by Rachael Brown | Nov 18, 2021

Lush was first founded in 1995 as a family-run cosmetics retailer offering ethically sourced, environmentally sustainable, creative and innovative products.

If you live in the UK, you've probably visited one of its sweet-smelling stores, lined with greengrocer-style displays of signature bath bombs, glittery soaps and premium skin and hair care products.

The ethical approach Lush takes to doing business extends to every level of their organisation, including IT.

Historically, Lush has tried to do everything it possibly can in-house, from researching packaging to testing products, to keep the business self-reliant and free from outside corporate forces. This is also true of their IT, with Lush managing aspects of their technology strategy that other companies would outsource.

The company's ethical standards in the realm of IT are most visible in how it handles customer data. The company goes far beyond merely complying with GDPR (General Data Protection Regulation), refusing to use data for targeted marketing or any other purpose.

But as Lush integrated with more and more third-party platforms, it found that maintaining its careful use of customer data meant reconsidering its approach to one thing in particular: authentication.

Lush's online presence is heavily service-oriented, meaning it has lots of loosely coupled microservices that depend on third-party support. These third parties all had different authentication standards, and trying to maintain them all was a problem for the company.

In addition, when Lush tried to develop a new customer chat function, it found that its internal authentication system was creating massive roadblocks and access issues.

These situations prompted the company to investigate having its authentication handled out of house.

Lush eventually settled on an outside provider for its authentication, dramatically cutting the time the Lush IT team spent maintaining its internally built authentication system.

The company no longer needed to spend energy on becoming experts in authentication and authorisation, and it saw an improvement in its security and privacy, allowing Lush to continue and strengthen the ethical way in which it handles and uses its customers' data.

This is a problem many small and medium-sized businesses will face as they struggle to remain true to their values whilst adequately protecting customer data. In a time when IT and business have become one and the same, balancing the need for independence and self-sufficiency with security and efficiency is paramount.

It's a balance every organisation needs to strike to be successful going forward.

Image Credit: Lush.com