Avoid the Headaches and Costs of AD Domain Consolidation
For any company, M&As are a huge transition that greatly affects all levels of your team, from your financial department to HR. As more companies become technology companies, M&As have an even bigger impact on IT, with everything from identity management to your Active Directory infrastructure, to your IT security impacted by huge systemic changes. It can be a long, drawn-out process before your company can find its feet again to start walking.
But what if we told you that it doesn’t have to be complicated?
Okta eliminates the costs and headaches of AD domain consolidation during M&As, allowing you to smoothly integrate users across different organisations and give them access to the tools they need.
This whitepaper shares how a range of renowned companies – from News Corp to National Geographic – have benefited from our cloud-based services during such transitions, and more importantly, how you can too.
It’s no secret that mergers and acquisitions have become a prominent corporate strategy, providing a way for companies to access new markets, technology, and resources faster than they could through their own internal efforts. But when every company is becoming a technology company, it becomes inherently more complex to combine unique technology stacks. No longer is it just about ensuring an organisational fit between the parent company and its subsidiary, nor matching corporate cultures and processes. It’s also about merging administrative systems effectively and migrating legacy on-premises systems to the cloud.
In particular, what we see time and again are the headaches—and costs—caused by AD domain consolidation during M&As. It can often take weeks (even months) of effort from multiple IT teams to manage these transitions, and risks abound during the process: end users don’t have access to the tools or resources they need; the company’s security posture is at stake when it’s reliant on the security of its weakest link. Not only is there often a lack of trust established between these disparate user stores, it also becomes a challenge to align local IT operations with those managed by the centralised head office IT team.
The result is that time-strapped teams often look for help in the wrong places—expensive consultants, complicated migration tools, overpriced security reviews, or hours and hours of invested effort by team members whose time could be better spent elsewhere.
There’s a better way. Okta provides a central identity management system to integrate users across different organisations. This allows you to transform your technology stack, create flexible autonomy and efficiency for shared sources, improve performance for end users, and provide oversight and visibility for your teams. The result? An M&A process that’s both repeatable and efficient.
A better solution for AD domain consolidation
Okta’s Universal Directory enables companies to connect an unlimited number of directories and bring legacy data to the web, with no need for AD forest trusts or firewall holes. For example, you may have an environment with multiple AD domains—some trusted, some untrusted. With Okta, you install an AD agent behind the firewall (two for built-in high availability) and Okta will manage these directories from a central admin console.
Of course, data migration is rife with complexity as user information exists in multiple sources and formats. Once Okta is installed, you can run an import to bring any existing users and AD groups into Okta. Okta allows you to transform, manipulate, and apply logic to AD attributes, ensuring your data is clean and reconciled during the process.
Once you install Okta’s AD agents, remote agents authenticate with an AD username and password, while local users can be set up for integrated authentication. Once the user is authenticated to the AD domain behind the firewall, Okta will pick up on that and authenticate them into the cloud and the applications they need.
After you have imported users and groups into Okta, you can begin to grant them access to applications. Your security policies in AD are automatically mapped into Okta, allowing you to configure what applications different users have access to directly from the central admin console. A new user is given a new Okta portal page. When they log-in, they instantly get access to all of the applications and tools they need to do their work and collaborate with their new team members, no matter where they are.
The Okta Integration Network also offers over 7,000 pre-built integrations with different applications. This means that during an M&A, if you have a new company that comes in with a new set of applications, you can either switch their apps with some that you already have, or quickly bring their apps into your own environment rather than taking a month to integrate each one.
Success in practice
Okta is the trusted identity partner for thousands of enterprise companies, helping many of these customers handle M&A transitions efficiently and securely.
News Corp: Greater than the sum of its parts
News Corp comprises a huge range of businesses, from news and information services to real estate, book publishing, digital ad tech and cable network programming. The company has over 25,000 employees worldwide. Some of its acquisitions include Move, Inc. (an online real estate network); Unruly (a social video ad platform); and VCCircle (a digital data and venture capital network).
When Dominic Shine became CIO in 2013, each company was using its own technology strategy and tools. The IT environment patched together numerous SSO solutions, giving users multiple pins, tokens, and access points to keep track of. “Identity was a real impediment to productivity,” says Shine. “Security access to systems was cumbersome. People were unable to work easily when they were not in the office. This was a major issue for a company that needs to be always on 24/7.”
The goal was to give the team the right collaboration tools while ensuring all business units were on a common platform, allowing them to work together to best serve external customers. Okta now provides that single point of entry to their apps and has transformed how News Corp onboards newly acquired companies. Using Okta’s Universal Directory as the single source of truth, the company has saved over 1,000 hours each year on synchronising and consolidating domains after M&A activity. Employees have access to the apps they need two hours sooner than previously allowed.
“There are very few times in IT that you come across a silver bullet,” says Ramin Beheshti, SVP Enterprise, Dow Jones, who is partly responsible for the privacy of the company’s employees. “What Okta promised is what they actually delivered.”
Read the full Newscorp case study here.
Engie: Isolating SaaS from the complexity of legacy
Two years ago, energy company Engie executed a series of M&As to cement itself as a leader in the energy sector, from electricity, to natural gas, to even nuclear power. They are now active in 70 countries, with over 150,000 employees around the world, and €66.6 billion in revenue in 2016.
They needed a new way to pull resources into the company and give employees tools to collaborate. Previously each team worked autonomously and efficiently with their own AD schema, which presented a set of challenges: How could they effectively deploy a solution to every smaller entity? How could they guarantee the quality of the data they imported given the age of some ADs? How could they unite hundreds of small brands and domains into one brand? They had a huge mix of workstations, schemas, and disparate teams to streamline. With a rebrand six months away, there was a real sense of urgency for Lead Architect IAM/Security Frédéric Poncin, and his team.
Okta made it possible for Engie to completely decorrelate cloud applications from on-premise infrastructure so that IT could perform a lengthy AD clean-up project separately from the onboarding of new cloud apps.
Now, with Okta, it takes Engie two weeks instead of two months to add a new domain, and they’ve consolidated over 100 AD domains into one Global Address List for O365. As a result, it took them just six months to roll out Office 365 to 120,000 users globally, even while tailoring it to local business requirements.
For more technical details, watch Frédéric Poncin’s full Oktane17 presentation here.
Planned Parenthood Federation of America: The need for a single source of truth
Planned Parenthood Federation of America is the largest provider of reproductive health services in the United States, with over 50 local affiliates and over 600 health centres around the country. With such disparate, disconnected data stores, the organisation found that users’ identity data was messy and inconsistent, with attributes formatted inconsistently across the board. In order to streamline accounts, PPFA needed to aggregate multiple data sources—whether AD, LDAP, or HR software—consider different schemas, and clean the data so that it was ultimately usable.
Before implementing any IDM system, you need a single source of truth. PPFA’s Isaac Brumer found that Okta made this easy. “If you can create formulas in Excel, you can create Okta expressions,” he told the audience at Oktane17. For example, when assigning locations to users, Salesforce requires four digit location codes whereas OrgWiki requires a string—Okta’s Expression Language ensures the right data is transferred to the right applications during provisioning.
In 2014, an application owner went to Brumer saying, “we need every user account to have a manager and four digit location code... and a flag that tells us if they need manager privileges. Can you do that?” The answer then was, “we’ll look into it.” The answer today? “Yes we can.”
Watch Isaac Brumer demo these best practices here.
National Geographic: Transforming an enterprise
Managing user lifecycles is challenging, particularly when the company has a huge geographic footprint and is undergoing a partial acquisition by another huge organisation. Such was the scenario for Lead Systems Engineer Herminia Gomez when National Geographic (NatGeo) was partially acquired by 21st Century Fox in 2015. Giving the right level of access to the right person at the right time is critical. Deprovisioning them when they don’t need that access anymore is just as important. Gomez found herself tracking down managers across teams to find out whether or not an employee was still with the company—an inefficient waste of time.
Before Okta, PeopleSoft was NatGeo’s system of record that handled employees, contractors, vendors, partners, and special accounts. The partial acquisition by 21st Century Fox resulted in a division of NatGeo —the National Geographic channel became National Geographic Partners (NGP) through the merger, and the National Geographic Society (NGS) remained a non-profit. All media resources, including employees and contractors, had to move to the Fox Network while still sharing access to services across NGP and NGS. Gomez had originally planned to create a two-way trust relationship between NatGeo and Fox. Unfortunately, after a months-long security review, the Fox security team came back with a “No.”
With Okta, Gomez was able to begin the process immediately and make this transition at her team’s pace. Her team ultimately cleaned up directories, eliminating PeopleSoft and 800+ AD accounts, and now use inbound SAML with JIT and Okta Org2Org. As a result, if an account is disabled on the Fox side, it’s automatically disabled on the NGS side. Employees also have automatic access to services, whether they’re owned and licenced by NGS, NGP, or shared across both.
Watch Herminia Gomez present the phases of this transition at Oktane17 here.
You can see from these customer profiles that a cloud identity & access management solution isn’t just for new companies that have a “first mover” advantage. Even organisations that have been around for decades are able to adopt cloud identity and access management with Okta, and because of this, they are able to adapt, move quickly, and effectively embrace new innovations for the business.
The catalyst for effective M&A
Regardless of the purpose of any M&A, IT is the lynchpin of all functions across a business and needs to be carefully considered during a merger, particularly when acquisitions happen on the global scale they do today. Merging systems and directories can be a vehicle for efficiency and growth when done well, or result in disruptions for end users and risks for the company if done poorly. Any M&A requires a fine balance between giving teams the flexibility to use the applications they like while centralising processes at the same time.
Okta makes this possible by providing a single view into all authentication data across domains and directories, leveraging rich, pre-built integrations for provisioning to applications and directories, and importing users and groups from unlimited directories and untrusted forests into a central AD with Okta’s Universal Directory, SSO, or Lifecycle Management.