Takeda puts identity at the forefront of its Zero Trust strategy

At Takeda Pharmaceutical Company, integrity and trust have been foundational to the business for over 240 years. As Takeda grew into a pharmaceutical giant these values came to include securing the digital privacy of patients and caregivers while guarding the critical data supporting the company’s life-saving research, along with providing high-quality medicines.

In the modern information age, digital security is a tougher task than ever—one that company leaders take extremely seriously. Trusted digital experiences are critical to Takeda’s growth, and essential for delivering on those core company values.

Chief Digital Trust Officer Mike Towers joined Takeda in 2018 with a mandate to implement a Zero Trust security strategy—evaluating each login request in context, rather than treating internal and external logins differently.

Towers and Bob Durfee, head of digital engagement and DevSecOps, both had previous experience using Okta for identity and access management (IAM). Prior experience combined with a thorough market analysis and RFP process left the pair with a clear leader. “We weren’t going to bet this company on anything other than Okta,” says Durfee.

Together, they created TakedaID, an authentication platform built on Okta technology—and put identity at the foundation of Takeda’s Zero Trust strategy. The success story that followed raised the bar for keeping private information private, while also streamlining digital experiences for the Takeda community.

From walled gardens to distributed communities

Like many organizations, Takeda operated on a traditional network access model where with server rooms and on-site networks protected by firewalls and accessible from the outside only through complex VPN tunneling protocols. Additionally, IAM encompassed a series of authentication siloes for the company’s many separately branded medical therapies, with no standardized security controls.

That all changed with the rise of the Zero Trust security model. According to Okta’s State of Zero Trust Security 2022 survey, 55% of companies have a Zero Trust initiative in place today—more than double the number last year. The healthcare industry is ahead of the curve, with 58% of survey respondents reporting an initiative underway—up from 37% last year.

The Covid-19 pandemic played an influential role. In 2019, healthcare organizations like Takeda already faced increasingly targeted data security threats and consumers had been pushing for simplified digital experiences. Then, the pandemic spread across the globe, raising the stakes and the pressure even more.

For Takeda and the community it serves, the world changed almost overnight and Takeda stood ready to quickly adapt.

Taking Zero Trust from zero to 60

Takeda is a large, global organization. “We have a huge set of applications,” says Durfee. “Mike Towers uses the 18-by-18 concept: Some applications are 18 minutes old, and others are 18 years old, so how do we develop the new while protecting the old?”

The team started by securing employee and contractor applications and access with Okta’s Workforce Identity Cloud. They paired Okta with Zscaler to create an end-to-end Zero Trust solution, reducing the attack surface, improving the user experience, and enabling increased agility and simplified management.

Next, they built on the workforce solution and harnessed Okta’s Customer Identity Solution;to create TakedaID—an identity platform unifying Takeda brands, business units, and the entire Takeda ecosystem. TakedaID secured and streamlined external digital solutions for patients, healthcare providers, plasma donors, and partners.

Strong, layered protection is built into Takeda’s entire identity solution thanks to Adaptive Multi-Factor Authentication (AMFA), which evaluates risk factors, such as location and device, and tailors login workflows accordingly.

“We think of it in terms of a slider bar,” says Durfee. “When there’s higher risk, we slide that bar to add more friction. If somebody wants to log in and see the lunch menu, that’s low risk—I’m not going to challenge them with a second factor. But if somebody wants to see the small molecule design for one of our therapies, we’re absolutely going to challenge them.”

Employees are often surprised when they don’t have to tunnel in through a VPN to access sensitive information remotely. “AMFA along with specific group membership actually locks things down while also providing critical access to approved users,” says Durfee.

The team also makes good use of Okta ThreatInsight, a no-cost Okta service that detects and blocks high-volume credential-based attacks. Using the global network intelligence driven by Okta’s network effect, Okta identifies and automatically blocks suspicious IPs pre-authenticaion. Meaning attempts from blocked IPs do not impact a legitimate user's ability to access their account, helping to avoid account lockout. “ThreatInsight is another important piece of our Zero Trust toolkit,” says Durfee. 

Durfee’s favorite Okta tool is API Access Management. While it extends Takeda security policies to APIs, protecting the company against API breaches, it’s also a business enabler, allowing developers to pull in additional information about users to create capabilities they might not otherwise consider. “There are so many things you can do with it,” he says. “Everybody talks about AMFA, but for me API Access Management is that underrated feature that people should pay more attention to.”  

Identity as a catalyst for secure, streamlined digital transactions

70,000 Takeda employees and contractors access critical business applications using Okta, and over three million healthcare providers, patients, and donors access critical healthcare services and resources using Okta-powered TakedaID.

By treating each user as an unknown, potential attacker and making sure they are who they say they are each time they try to access sensitive information, the Takeda digital trust team simultaneously secures information more effectively and streamlines digital experiences.

Today, the key to secure authentication at Takeda is identity. “Identity is not infrastructure—it’s security, first and foremost,” says Towers. “Okta is central to security at Takeda because it helps us make sure that identity is a reliable decision point for all Takeda business transactions.”

“The concept of the location-based network has gone away, with a few exceptions to satisfy FDA requirements around manufacturing and operational technology,” says Durfee. “We don’t think in terms of network anymore—we think in terms of application access. And the key to application access is identity.”

Next up: Passwordless

Durfee is quick to emphasize that Zero Trust is a journey, not a destination. “Our adversaries are always going to pivot, so we need to pivot as well,” he says. “There are always things we can do to improve our security posture.”

The Takeda team looks forward to taking full advantage of Okta Identity Engine, Okta’s new set of building blocks that allow customers to create customized identity experiences. “It’s going to simplify the identity process and open up things like passwordless authentication,” he says. 

“Passwordless will change the way we work by increasing security and decreasing user friction,” says Durfee. “Passwords constitute a vulnerability that attackers can exploit. Getting rid of them is a benefit, security-wise.”

Positioned to grow and lead—securely

Today, because of the hard work of the Takeda team and their partnership with Okta, the company leads its industry in Zero Trust and digital innovation. “Takeda is a tech pharma company,” says Towers. “Because we’re data-driven, digital plays a vital role.” Doctors, patients, and donors all rely on the privacy, reliability, and resilience of data across Takeda—from research and development to manufacturing and sales.

Maturing the company’s Zero Trust posture secures the business now and into the future, as the company expands into post-treatment care. “Takeda has already launched a number of programs to engage directly with people suffering from diseases within our focus areas,” he says. “Growing that part of the business requires an additional level of patient trust, and Zero Trust plays a vital role in maintaining that trust.”

About Takeda

Takeda is a global, values-based, R&D-driven biopharmaceutical leader headquartered in Japan with offices in 80 countries and regions. The company is committed to discovering and delivering life-transforming treatments, guided by a commitment to patients, employees and the planet. Takeda focuses its R&D efforts on four therapeutic areas: Oncology, rare genetics and hematology, neuroscience, and gastroenterology. It also makes targeted R&D investments in plasma-derived therapies and vaccines.