Hey Hey MFA - AMAG Pharmaceuticals Talks Creating A Password-Less Environment at Bio-IT World

Guest post from Nathan McBride, vice president, IA & chief cloud architect, AMAG Pharmaceuticals

Update: We've posted the full deck from Nate's presentation here.

Implementing a cloud and mobile enterprise for AMAG Pharmaceuticals began with just a rough sketch in 2008. Six years later, we are officially and fully in the cloud. No more Exchange, no more SharePoint, no more eRoom and (definitely) no more Active Directory for AMAG Pharmaceuticals. We’re now a fully mobile, browser-based, BYOD organization. (And with a staff of only seven full-time IT folks to boot.) What was one of the biggest factors in making this dream a reality? Our continued exploration and use of MFA across our environment.

Nate McBride, AMAGThis is the focus for my presentation, “Security in the Cloud: How AMAG Protects Company Data with Multi-Factor Authentication,” at Bio-IT World tomorrow. (I’m presenting at 12:00pm at the Seaport World Trade Center if you’re in Boston.)

We think of our MFA-related efforts at AMAG in two big phases – pre-2011 and post-2011. We define the earlier window by a few key milestones, namely deprecating Active Directory and replacing our data center with Google Apps (ultimately using it as our “master” directory). It was also a relatively opportune time to play around and brainstorm what our authentication strategy needed to like in this new environment.

We got serious in 2011, deciding to tear down and rebuild our authentication strategy from scratch. Following loads of discussions and theoretical models, as well as an intense 24-month product testing and research period, we ultimately embraced Okta as our primary layer of authentication (as well as Google’s two-factor authentication strictly for Google Apps). We also partnered with Okta to figure out how to successfully create a “password-less” environment. It’s a goal that’s been three years in the making – and much easier said than done.

Chicken + Egg

Our belief throughout this initiative was that once a user is pre-provisioned a device (all AMAG employees are given iPhones and iPads), they should have everything they need forever and never need to manually enter or reset a password. The issue we kept coming back to was the inability to spontaneously generate and provision user accounts. A very tricky chicken + egg predicament in many ways. No matter how we sliced and diced it (and we sure as hell tried), a password was needed at some point in the user lifecycle – largely because it was nearly impossible to eliminate the “exceptions” when services require manual entry of credentials for access. (For example, our ERP system maintains a separate and distinct user authentication directory.)

So how’d we do it?

I’ll add my Prezi to this post later on this week, but a few lessons learned in the meanwhile:

- Our success hinged on us cutting the Gordian Knot in some ways, acknowledging that there are strange places that passwords rear their ugly heads.

- Don’t let those realizations limit your roadmap. We ultimately chose to manage and secure our most sensitive information in an environment fully protected without passwords (and one where we can auto-provision any user) and another that manages outliers.

- You need vendors that are willing to come along and work on your “crazy plan” until it’s successful – and that’s exactly what Okta has done since 2011.

- The security stack you build should be built out of a balanced view towards managing the endpoint, managing the user and managing the data.

- Do not settle on one security model. You should keep it flexible enough to change as improvements to technology become available.

I’d love to hear from you if you have questions or comments. Feel free to reach out on LinkedIn or on Twitter.