For more than 20 years, I’ve been handling cybersecurity at BMC. I’ve got a lot of bumps and bruises to show for it, but I’ve also had the pleasure of seeing Okta and Netskope work together to help us build out identity-first cloud security.
As one of the largest software companies in the US, BMC faced a huge challenge when we moved to the cloud. We had traditional protections—rogue system detection, network admission control, trusted devices—but as our business pushed for services that were internet-accessible, those protections disappeared. Cloud-based infrastructure improved accessibility and productivity, but we couldn’t find a security solution that worked with our compliance requirements.
That was when we discovered Netskope. They help organizations understand how the cloud is actually being used—including shadow IT and mobile access—and we brought them on to tackle device trust while they teamed up with Okta on the identity management front. In partnering with these organizations, we learned a number of things about building identity-first cloud security.
Strong strategy sets a foundation
If you’re moving to the cloud, start with a comprehensive strategic plan. What are the capabilities that you need to put in place to facilitate a user’s experience when they’re logging in from an untrusted network? Secure transport is a given. You also need strong authentication supported by a device trust layer as well as a presentation and publishing capability for internal applications. Every IT service area thinks their software should be a requirement for access, but you need to be deliberate about which you include. The more there are, the higher the risk of impacting productivity.
Device trust saved the day
BMC has over a hundred SaaS applications and approximately 7,000 employees. When we enabled device trust, we made sure to account for variations across our services. Some of the device trust solutions we considered had global policy settings that meant you couldn’t make an exception for a single app; if an app didn’t allow a security setting, you would have to disable that setting globally in order to continue using it.
When we implemented device trust we focused on the risk area of employees with portable devices, but again, we had to be thoughtful about variations and exceptions. If we implemented device trust in R&D—where there is no portability risk—that would have unnecessarily burdened employees and risked undermining our effort. Netskope’s device trust brought us the flexibility to improve user experience while allowing us to use weaker authentication methods that provide seamless user access to applications.
BMC chose several factors to secure devices—was the device joined to our domain? Did it have a BMC certificate? And did it have disk encryption? If not, access could easily be blocked. Of course, once you’ve secured the device, you still need an identity manager to provide single sign-on (SSO) access.
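The device checks above, and the per-app exception problem from the previous section, can be sketched as a small policy evaluator. This is an added illustration, not Okta's or Netskope's code; the check names, app names and the `Policy`/`DevicePosture` types are assumptions made for the example.

```python
"""Device-trust posture policy with per-app exceptions (illustrative, not vendor code)."""
from dataclasses import dataclass, field

# The three posture checks named in the text: domain join, corporate certificate, disk encryption.
ALL_CHECKS = frozenset({"domain_joined", "has_corp_cert", "disk_encrypted"})


@dataclass(frozen=True)
class DevicePosture:
    """Constructed posture report for one endpoint (what a device-trust agent would assert)."""
    domain_joined: bool
    has_corp_cert: bool
    disk_encrypted: bool


@dataclass
class Policy:
    """Global required checks plus optional per-app exceptions.

    A product with only a global switch forces you to drop a check for *every* app
    when one app cannot satisfy it; per-app exceptions keep the global baseline intact.
    """
    required: frozenset = ALL_CHECKS
    app_exceptions: dict = field(default_factory=dict)  # app name -> checks it may skip

    def required_for(self, app: str) -> frozenset:
        return self.required - self.app_exceptions.get(app, frozenset())

    def evaluate(self, app: str, posture: DevicePosture) -> tuple[str, list[str]]:
        """Return ("allow", []) or ("block", [failed checks]) for this app and device."""
        failed = sorted(c for c in self.required_for(app) if not getattr(posture, c))
        return ("block" if failed else "allow", failed)


# Constructed example: a laptop that is domain-joined and has a cert but no full-disk encryption,
# and one legacy app that cannot work with the disk-encryption check.
LAPTOP_NO_FDE = DevicePosture(domain_joined=True, has_corp_cert=True, disk_encrypted=False)

# Global-only model: the only way to keep the legacy app working is to weaken every app.
GLOBAL_ONLY = Policy(required=ALL_CHECKS - {"disk_encrypted"})

# Per-app model: the exception is scoped to the one app; everything else stays strict.
PER_APP = Policy(app_exceptions={"legacy-app": frozenset({"disk_encrypted"})})


def decisions(policy: Policy, apps=("legacy-app", "hr-portal")) -> dict:
    """Evaluate the constructed laptop against each app under the given policy."""
    return {app: policy.evaluate(app, LAPTOP_NO_FDE) for app in apps}
```

Under `PER_APP` the unencrypted laptop still reaches the legacy app but is blocked from the HR portal; under `GLOBAL_ONLY` it reaches both, which is the exposure the text warns about.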
Okta and Netskope work together
We bundled Okta Mobile with Netskope device trust to facilitate access to services. If an attacker gains my username and password, they still can’t log in. This doesn't differ from what you see with Okta Mobile, but it addresses greater risks, like biometrics.
Whether apps are sanctioned or shadow, we need to report on user compliance while enabling them to move fast. Netskope and Okta work together with adaptive multi-factor authentication (MFA) to achieve this. Okta SSO and MFA provide authentication and sign-on capabilities, while network zones are integrated with Netskope to perform device checks. Whether they’re in the office or on the road, we can enforce our device management policies. Don’t forget to build a steering configuration so you can move slowly and deliberately to ensure you don’t interfere with business operations.
Fight the friction
At BMC, I encountered a lot of resistance. Shadow IT is driven by friction from old legacy IT practices and security, and users were concerned we might see that again. These control points are strong enough to take us back to that era, so it’s important to balance security needs with potential business impact. Get leadership on board, and make sure the benefits are clear. Engage support personnel early on, and make comprehensive FAQs that explain the why as well as the how. As you deploy, prioritize lesser-used applications to work through any potential issues, so by the time you get to the big ones you’ve worked out any kinks.
At the end of the day, you want to enable users to consume the apps they want while still abiding by your policies. Okta and Netskope help you do that—without being intrusive to the end user.
Read more about how Okta and Netskope partner to deliver comprehensive access control and data security in multi-cloud environments, or check out the video below to hear more about BMC's security strategy.