45,000 Dentsu Aegis staff switch to a secure cloud over a weekend

Shifting priorities

Part of Dentsu Inc., Dentsu Aegis Network has a vision to Innovate the Way Brands Are Built for its clients, through best-in-class expertise and capabilities in media, digital and creative communications services.

The company continues to grow through a series of mergers and acquisitions, and as it expands, new challenges emerge. Dentsu Aegis’ legacy infrastructure was protected by traditional security tools and a few separate identity platforms. The on-premises framework was expensive and work-intensive, and the IT team regularly spent a significant percentage of its time on maintenance and troubleshooting tasks. As the company expanded into 143 countries across three regions, this infrastructure was no longer feasible.

Dentsu Aegis needed a flexible, secure IT infrastructure that would ease the M&A process for IT while speeding up the onboarding process for employees. It also required a solution that would keep the entire infrastructure protected from breaches during the transition and afterward.

A modern infrastructure calls for a fresh approach to security, and the company had the needs of over 45,000 employees to consider. “Because our workforce is obviously hugely creative, we needed to apply security, but not make it so cumbersome that it slows down our employees’ workdays,” said Paul Timmins, CIO of Global Operations at Dentsu Aegis. “We needed to find a way to look at security from the get-go, but in a very user-focused way.”

Moving to the cloud

Dentsu Aegis decided to go cloud-first, with the goal of moving its entire IT framework to the cloud by 2020. “We're transitioning completely away from global data centres, while also making sure our new tools are all cloud-based or cloud-friendly from the start,” Timmins says.

Before Dentsu Aegis could begin the migration process, it needed a trustworthy identity partner to help pull cloud-based apps together. At the same time, the company was also considering moving towards a Zero Trust security approach. With their rapidly growing ecosystem and shift to the cloud, the traditional network perimeter-based approach to security was no longer sufficient for Timmins’ team.

With so many employees working in varying IT environments all over the world, the Dentsu Aegis workforce no longer fit neatly within its old security perimeter. In order to stay secure, the company threw out the idea of a trusted network, and realised it needed a reliable policy-based Multi-Factor Authentication solution that would verify the identity and permissions of each and every Dentsu Aegis employee.

Okta seemed like the perfect solution. “We recognised Okta as the best-in-class platform,” Timmins said. “Having previously used it myself, I had confidence in the product and its ability to help us on our journey.” The wide variety of integrations available through the Okta Integration Network appealed to him as well—he knew it would provide the flexibility he needed to adopt a range of tools for Dentsu Aegis’ diverse and creative workforce while maintaining the integrity of their Zero Trust vision.

Securing access

Dentsu Aegis hired Okta’s Customer First team to help secure access to the infrastructure by rolling out Single Sign-On (SSO), Universal Directory and Adaptive Multi-Factor Authentication (MFA) for all employees.

By the end of the first Customer First meeting, however, Dentsu Aegis had adopted a robust new two-phase deployment strategy. Their original plan of establishing a strong access management process was still in place, but after a recommendation from Customer First, the company decided to automate provisioning with Lifecycle Management and Workday as a single source of truth.

“We have 143 offices, so of course IT's always going to be stretched. We're not able to be everywhere,” says Timmins. “With a single automated platform, we know that people will have access from Day 1. And it certainly makes life easier—from the support side of things, but also for staff members.”

Phase 1 involved choosing a core set of apps to secure with SSO and Adaptive MFA. The company selected a few best-of-breed solutions, including Office 365, Workday, Tableau, ServiceNow, and Zoom. They deployed 15 applications to 45,000 users across 130+ countries over a single weekend.

“Our roll-out was a testament to Okta. Changing a user's log-on experience is quite a critical action, especially when you’re working with 45,000 identities over the course of a weekend,” says Timmins. “With Okta, we managed to do it seamlessly.”

The company rolled out Adaptive MFA at the same time. By choosing Okta Verify as a primary factor, Dentsu Aegis made it easier for employees to access their work tools from anywhere, and on any device, whether they were logging in via Android, iOS, or even Apple Watch.

“We're now applying MFA to all staff everywhere,” he says. “But we’re also looking beyond that to how we can move into the sort of password-less world that Okta is working towards. Okta's very much at the heart of our Zero Trust vision, which will ultimately include layering MFA on top of our wireless networks as well.”

Dentsu Aegis also benefits from the Okta Integration Network, which makes it easy to integrate Okta with more than 5,500 apps. As a result, employees are able to choose additional apps that work for them, and Dentsu Aegis can breathe a sigh of relief, knowing those individual apps are protected by MFA and SSO.

“We've got a core set of applications that we offer all of our staff, but with such a creative workforce, we certainly see people preferring to use other applications,” says Timmins. “We don't mind which applications they're using. As long as we've got Okta in front of them, we've got security controls we can be comfortable with.”

A delightfully simple workflow

In Phase 2, Dentsu Aegis set up automated onboarding and offboarding by rolling out Lifecycle Management and establishing Workday—its HR system of record—as the single source of truth. Now, when HR adds, removes, or changes a user identity in Workday, the action feeds down through the company’s entire workflow, provisioning the user with all the apps they need to do their jobs on Day 1.

Better yet, IT rarely has to get involved in the provisioning process. “Before Okta, people used to have to log a ticket if an account wasn't created, and we’d have to find out where it had been held up. Now, it’s fully seamless from Workday to Okta, and then through to the rest of our systems,” says Timmins.

Automated onboarding and offboarding has security benefits as well. If HR indicates that an employees role has changed--or they’ve left the company--those access permissions are automatically updated or revoked. As a result, the company is far less vulnerable to breaches caused by credential harvesting and other attacks. IT doesn’t need to check to make sure access has been revoked—the company remains compliant, and IT can direct its attention elsewhere.

Exploring more options

By moving to the cloud, establishing a Zero Trust strategy, and automating provisioning, Dentsu Aegis has accomplished a number of important goals with delightful results. The company has reduced its overhead, secured its modernised infrastructure, made it easier for employees to do their jobs, and freed IT from the provisioning overload that comes with mergers and acquisitions.

Even now, the company is still discovering new possibilities. “It’s the simple things,” says Timmins. “Like, how can we look at branding our Okta platform to make it friendlier for staff, so they recognise that it's very much a Dentsu Aegis Network solution we're using?”

The Okta Integration Network remains a major asset for the company. “We're seeing now that just about every vendor we're looking at is in there,” Timmins says. The large number of integrations available through Okta is critical to the company’s modernisation and Zero Trust initiatives—Dentsu Aegis no longer adopts apps if they can’t be integrated with Okta identity products.

“Okta, with its consumer experience and its very easy-to-use framework has helped us empower staff without adding security overhead,” says Timmins. By tapping into Okta, Dentsu Aegis Network stays more secure with less effort from IT, and the company’s massive, modern workforce benefits from user-friendly security solutions that let their creative juices flow.

About Dentsu Aegis Network

Part of Dentsu Inc., Dentsu Aegis Network is made up of ten global network brands - Carat, Dentsu, dentsu X, iProspect, Isobar, mcgarrybowen, Merkle, MKTG, Posterscope and Vizeum and supported by its specialist/multi-market brands. Dentsu Aegis Network is Innovating the Way Brands Are Built for its clients through its best-in-class expertise and capabilities in media, digital and creative communications services. Offering a distinctive and innovative range of products and services, Dentsu Aegis Network is headquartered in London and operates in 145 countries worldwide with more than 47,000 dedicated specialists. www.dentsuaegisnetwork.com