Tuesday, February 01, 2011

Marriott’s lack of claims-based authorization costs them millions!

True story. I travel a lot. Typically, I stay in Marriotts or Hiltons. Last year, I stayed in Marriotts for more than 65 room nights. I joined their “rewards” program many, many years ago and I’ve noticed that every time I checked out, my Marriott invoice would show me as Jackson Shaw, Microsoft Corporation. Well, as of February 1, 2005 I was gone from Microsoft. I never really considered this an issue and I frankly wasn’t ready to spend the time figuring out why it said this or how to get it changed because I simply didn’t care. I didn’t care because it didn’t affect me – until a recent trip.

I checked in very late to a hotel that my GPS couldn’t find in Sticksville somewhere. The person checking me in was also the person who was guiding me to the hotel on my mobile phone so they were happy to see that I finally arrived. As part of his welcome he mentioned: “And, it’s noted here on your file to reduce your nightly rate by $10/night because you work for Microsoft.” I was too tired and a bit too stunned to argue with him. I began to wonder how this little screw-up (Marriott mistakenly believing I was still a Microsoft employee) could be solved by an effective identity management strategy.

That’s when I realized that this is no simple identity management problem. Let’s take a look at the problem, the potential solutions and the possible ramifications.

Fact: There’s an attribute – let’s call it “company” – that is present in Marriott’s frequent stayer program. In my case, that attribute has been set to “Microsoft Corporation”.

Issue: That attribute is being used to calculate discounts to the booked room night cost. In this specific case it was giving me $10 off/night.

Result: For this particular stay (3 nights), Marriott missed out on $30 of additional revenue. No other Marriott staff ever called out a discount to me before, but let’s assume I did get $10 off/night in 2009 at all Marriotts. For 65 room nights, that cost Marriott $650. Just a bit of basic math and you could probably say there are 50,000 other people out there that might be getting $10 off/night, and if each of them stayed on average 2 nights a year with Marriott, that’s $1M right there. It’s pretty easy to imagine that there are lots of companies that get discounts, and lots of employees who move from a discounted rate employer to a non-discounted rate employer. I’d say the problem might be even significantly bigger because this is a business traveler issue and most business travelers stay in hotels more than 2 nights a year.

With all this in mind, what solution could we put in place to save Marriott millions of dollars in unnecessary room night discounts?

Solution #1: Traditional IAM solution – Every company that gets a room discount for their employees submits a list of all eligible employees on a regular basis.

Strength: Easy to implement on both sides of the fence. Simple text file exchange via e-mail or FTP. Current IAM solutions should be able to handle this simple scenario. No requirement – that I can see – to change Marriott’s application.

Weakness: Marriott may have to do this for hundreds or even thousands of companies. It may not be a scalable solution. It would not be a “real-time” solution – there would be a finite lag in knowing when someone is no longer entitled to a discount. There’s the inherent data loss issue if files are lost or the FTP site is compromised.

Solution #2: Claims-based IAM solution – Every company that gets a room discount for their employees would have to set up an “authorization” domain so that anyone checking in/out can have their “claim” for a room discount evaluated.

Strength: Provides real-time claim evaluation.

Weakness: Not all IAM solutions support claims-based authorization. This would most likely require a change to Marriott’s application. Microsoft (and all partner companies) would have to set up and expose a service to validate the evaluation context of the claim that someone was entitled to a discount. Is it reasonable to expect that every partner would have the capacity to implement claims-based authorization to support Marriott discounts?
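To make the difference concrete, here is an added sketch (not Marriott's or any vendor's code) that compares a discount driven by the stored “company” attribute with one driven by a short-lived signed claim checked at the front desk. The issuer name `employer.example`, the key, the field names and the HMAC shared secret are all assumptions for illustration; a real federation would use asymmetric signatures and a standard token format.

```python
import base64, hashlib, hmac, json

# Constructed demo values (assumptions): one trusted issuer, its shared key, its rate.
ISSUER_KEYS = {"employer.example": b"constructed-demo-key"}
DISCOUNT_PER_NIGHT = {"employer.example": 10}  # the $10/night from the post

def issue_claim(issuer, subject, employed, ttl, now):
    """Employer side: sign a short-lived statement about current employment."""
    body = json.dumps({"iss": issuer, "sub": subject, "employed": employed,
                       "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())

def discount_from_claim(token, now):
    """Hotel side: discount only for a valid, unexpired claim from a trusted issuer."""
    try:
        b64_body, b64_sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
        claim = json.loads(body)
        key = ISSUER_KEYS[claim["iss"]]       # unknown issuer -> KeyError -> no discount
    except (ValueError, KeyError, TypeError):
        return 0
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time signature check
        return 0
    if now >= claim.get("exp", 0) or claim.get("employed") is not True:
        return 0
    return DISCOUNT_PER_NIGHT.get(claim["iss"], 0)

def discount_from_profile(profile):
    """Behaviour described in the post: trust the attribute stored at enrollment."""
    return DISCOUNT_PER_NIGHT.get(profile.get("company_domain"), 0)

if __name__ == "__main__":
    now = 1_000_000  # constructed clock value
    stale = {"member": "constructed-member-1", "company_domain": "employer.example"}
    print("profile attribute:", discount_from_profile(stale))
    current = issue_claim("employer.example", "constructed-member-1", True, 300, now)
    departed = issue_claim("employer.example", "constructed-member-1", False, 300, now)
    print("current employee :", discount_from_claim(current, now + 10))
    print("former employee  :", discount_from_claim(departed, now + 10))
    print("expired claim    :", discount_from_claim(current, now + 301))
```

The stored attribute keeps granting the discount indefinitely, while the claim stops working as soon as the issuer says otherwise or the token ages out.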

I've said many times that I only play an award-winning solutions architect on TV. I don't see an "easy" solution here for Marriott. Do you? Or is the "easy" solution just "business as usual"? If you were the CIO of Marriott Hotels, what would you do?

1 comment:

William Malik said...

There is a counter-argument regarding the cost to Marriott of having non-Microsoft personnel still labeled as Microsoft employees.

Consider that Microsoft negotiates its discount based on the number of employees it has. So, if the number were reduced to only count current valid employees, Microsoft's bargaining position would be weakened.

Also, Marriott probably doesn't mind so much about the $10 per room; if an ex-employee had to pay full rate for the Marriott they might choose a cheaper alternative. Knowing that he would get a token discount, the former employee has an incentive to stay at the Marriott, if the cost differential between that hotel and a competitor is reduced through the inaccurate loyalty program.

Just some food for thought ....