Expedia’s Software Development Engineer shares her expertise on unified identity systems and scalable technologies
In light of recent high-profile data breaches and cloud security incidents, the conversation around cloud vulnerabilities and how to mitigate them has never been more urgent. Gartner predicts that by 2025, 99% of cloud security failures will result from customer errors, despite the increasingly sophisticated safeguards implemented by cloud providers. Misconfigurations and gaps in expertise remain major issues as organizations expand their cloud usage. As seen in recent data breaches, these missteps highlight that cloud security is not solely the providers’ responsibility but a shared obligation between vendors and clients.
To address these growing concerns, we’re speaking with Asha Seshagiri, a lead software engineer specializing in Identity and Access Management (IAM) at Expedia, who has over 12 years of experience working with cloud-native technologies at companies like IBM, Visa, and Expedia. Asha has been instrumental in developing One Identity, a unified authentication platform across Expedia’s multiple brands, and One Key, a loyalty program that serves millions of users. With cloud security challenges becoming more complex, Asha’s expertise offers crucial insights into how businesses can balance innovation with security, particularly in large-scale cloud environments.
You contributed significantly to developing the One Identity solution, which unified the authorization system across multiple Expedia brands, including over 300 million user accounts. How important do you think it is for large companies like Expedia, operating across several brands and services, to create unified identity management systems? How does it affect user experience and security on such a large scale?
Unified identity management systems like One Identity are crucial for large companies operating across multiple brands, such as Expedia. They streamline both user experience and security processes. From the user’s perspective, having a single set of credentials to access various platforms greatly enhances convenience. It reduces the need to manage multiple passwords, simplifies login across different services, and builds trust, as users experience seamless transitions between brands while retaining control over their personal information.
On the security side, centralizing identity management allows for uniform security policies and more consistent access control. Advanced protection mechanisms like multi-factor authentication (MFA) and behavioral analytics can be applied across all platforms, enhancing security without complicating the user journey. Additionally, consolidating user data into a common platform mitigates risks associated with fragmented systems, allowing for quicker responses to potential threats.
Overall, this unified approach not only improves security but also ensures that both the user experience and security measures scale efficiently as the business grows, providing long-term operational benefits.
In the One Identity project for Expedia, users could authenticate via various methods, including passwords, one-time passcodes (OTPs), and social logins. How did you manage the integration of these diverse authentication methods while maintaining a balance between ease of use and high security for such a large user base? Additionally, how did microservice architectures help support this system as it scaled to millions of users?
Integrating multiple authentication methods in the One Identity project required balancing user convenience with security. Each method — passwords, OTPs, and social logins — offered different levels of accessibility, and our goal was to create a unified experience without compromising security.
We used microservice architecture to support this integration at scale. Instead of relying on a monolithic system, we split the platform into smaller, independent services, each handling specific aspects of the authentication process. This allowed us to develop, update, and scale individual components — such as password management, OTP processing, and social login integration — without disrupting the entire system. As user demand grew, we could easily add more capacity or introduce new features by updating only the relevant microservices.
On the security side, we employed behavioral analytics and anomaly detection to monitor user activity and quickly identify potential security threats. This proactive approach, combined with a flexible microservices architecture, allowed us to maintain a high level of security while offering a seamless login experience for millions of users across various Expedia brands. This architecture ensured that both security and user experience scaled efficiently as the platform grew.
Moreover, you were instrumental in developing the framework for One Key system at Expedia, which unified loyalty programs across more than 20 travel brands, serving millions of users. How do you see the future of loyalty programs in the era of digital transformation?
Loyalty programs are becoming a central part of how companies engage with their customers, and digital transformation is reshaping how these programs operate. The work we did on building the framework for One Key at Expedia is a great example of how loyalty systems are evolving. By unifying the rewards across multiple travel brands within the Expedia Group, One Key allows customers to earn and redeem points seamlessly across different platforms—whether they’re booking flights, hotels, or rental cars. This kind of unified experience is exactly what users expect in the digital age.
Looking ahead, I believe loyalty programs will continue to shift towards personalization and real-time rewards. Customers are increasingly looking for programs that not only provide points but also deliver highly relevant offers, tailored to their behavior and preferences. This requires systems that can process vast amounts of data quickly, analyze it, and adapt to the user’s needs in real-time.
In short, as loyalty programs become more dynamic and customer-centric, they will need to continue evolving to deliver the personalized experiences that users now expect.
At IBM, you worked on optimizing cloud security solutions, particularly with the KeyProtect project, which focuses on encryption and key management for cloud environments. How have data security approaches evolved with the widespread adoption of cloud technologies, and what are the biggest challenges companies now face in protecting their data, especially in hybrid and multi-cloud environments?
As cloud adoption has increased, data security has shifted from protecting on-premises infrastructure to securing data distributed across multiple cloud environments. The KeyProtect project at IBM, where we developed encryption and key management solutions, was designed to address these challenges, especially for companies operating in hybrid and multi-cloud environments.
One of the key shifts has been the need for effective encryption key management. Ensuring that data is encrypted both in transit and at rest is critical, but managing access to decryption keys is equally important. To help companies maintain strong security without the complexity of building key management systems from scratch, we provided KeyProtect APIs. These APIs allow businesses to integrate secure key management directly into their systems, eliminating the need to develop on-premises solutions.
Automation was crucial in this process. By automating key management and threat monitoring tasks, we enabled companies to maintain high levels of security without sacrificing performance. This automation helps streamline the integration of security solutions into existing systems, ensuring that data remains protected while minimizing the operational overhead associated with manual management.
In short, as cloud security evolves, automation and integrated APIs are essential tools that help businesses navigate the complexities of data protection in hybrid and multi-cloud environments.
Many companies face challenges when implementing cloud solutions, especially when it comes to scaling and security. What advice would you give to organizations that are just starting to move to cloud platforms?
For companies just starting their cloud journey, my biggest advice is to plan for scalability and security from the very beginning. It’s easy to focus on getting up and running quickly, but if you don’t build a strong foundation, you’ll face challenges later when your needs grow.
Start by adopting a cloud-native approach, where applications are designed to take full advantage of cloud features like elasticity and microservices. This makes it easier to scale without having to re-architect down the line.
On the security side, I recommend prioritizing automation for things like monitoring and threat detection. Using tools that integrate security directly into your cloud infrastructure will help ensure you’re always protected as you scale. And don’t forget to implement strong access controls and encryption—those are non-negotiables for cloud security.
Given your experience in developing scalable solutions, how do you see the future of cloud computing and its impact on the industry as a whole? What technologies do you think will dominate in the next 5-10 years?
Given my experience with scalable solutions, such as the development of microservices at Expedia and Visa, and cloud-native security systems at IBM, I believe the future of cloud computing will be driven by even greater flexibility, automation, and security enhancements. Over the next 5-10 years, I see serverless architectures and edge computing playing a significant role. Serverless computing, which allows developers to run code without managing the underlying infrastructure, is gaining traction because it enables companies to scale more efficiently. For example, at IBM, we leveraged containerization and microservices, allowing us to scale specific components independently, which is a key advantage of cloud-native approaches.
Edge computing will also become critical as industries like healthcare, manufacturing, and autonomous vehicles require real-time data processing. Instead of routing all data to centralized cloud servers, edge computing processes data closer to where it’s generated, reducing latency and improving performance. This is particularly relevant in my work on secure systems, like KeyProtect at IBM, where data security at the edge is as crucial as in the cloud.
Security will continue to evolve, and I expect zero-trust architectures to become the norm. In systems like the ones I developed at Expedia, where we unified identity solutions across multiple platforms, continuous authentication and authorization were essential for securing distributed cloud environments. Zero trust will enhance this, ensuring that every user, device, and application is authenticated regardless of their location.
Lastly, artificial intelligence and machine learning will be fully integrated into cloud operations, driving automated resource management and threat detection. At Expedia, we implemented event-driven architectures and monitoring systems, which allowed us to automate responses to performance and security issues. AI will enhance these capabilities, making it easier for companies to scale securely and efficiently while optimizing resources in real-time. Combined with technologies like Kubernetes and Docker, which I worked with extensively, these trends will dominate the cloud landscape.
