Our Customers Are Tidying Up IAM—Here’s How

We’ll be the first to say that modern identity and access management (IAM) systems are complex. On the one hand, they need to be powerful enough to deal with multiple identity silos and application technologies. And on the other, they need to operate with legacy infrastructure. With the wrong system in place, this complexity can cost time and money, impact productivity, and compromise user experience.

The good news is that businesses are increasingly able to clean up and simplify their IAM with modern solutions that also guarantee excellent user experiences. Having worked with hundreds of companies to enhance their IAM infrastructure, we’ve seen the benefits of this first hand. In this post, we’ll feature two customers that have experienced the payoffs of implementing simplified IAM experiences: Cypress Semiconductor and Mercy Corps. Here’s how they did it.

Cypress finds identity success

Cypress Semiconductor employs 7,000 people worldwide in its efforts to design and manufacture flash memory controllers, microcontrollers, and PSoC solutions. While the company is dedicated to offering streamlined technical solutions, its end-user experience was complicated by multiple identity and password sources spread across LDAP and Active Directory (AD). It also struggled with limited adherence to password policies, low Multi-Factor Authentication (MFA) utilization, and manual account lifecycle management. Adding to the complexity, the organization was expanding its cloud-based strategy and M&A activity.

To wrangle what had become a user experience headache, Cypress launched a Single Sign-On (SSO) project with Okta in 2017. This included deploying password syncing across LDAP and their secondary AD, rolling out MFA for HR, and integrating SSO for an initial 20-plus apps.

The changes set off a domino effect.

  • Cypress found it needed to enhance and establish IAM standards, which it did over the next two years by integrating more than 80 additional apps, including Office 365 and its internal and external websites.
  • The company also established MFA for their VPN, and enhanced its best practices with a lifecycle management automation program based on its HR product, SuccessFactors.
  • Adaptive MFA was also set up to identify behavior changes and flag “impossible travel,” using advanced behavior detection to catch potential compromises.
  • It also deployed custom account automation for ITSM, Qualtrics, and Zoom.
  • Cypress rounded out its overhaul by setting up SuccessFactors-as-a-Master and automating the LDAP and AD sync.

During the deployment, the company faced a few common hurdles. To start, employees required training on changes in processes and policies, and needed to be notified via bulletin board and video flyers. At the same time, existing HR onboarding and offboarding processes didn’t fit the Okta and SFaaM feature set, which added further complexity. Lastly, when it came to deploying MFA, the company had to avoid security questions as a factor because they weren’t secure enough for VPN access.

Cypress addressed these issues by using Okta’s toolbox and developing the Cypress Key, an MFA exception case built within Okta’s API. This factor enables the business to verify users by providing them with a unique 16-digit code and asking them to provide six randomly generated digits whenever they log in.

As a result, Okta has helped Cypress to address its MFA problem, while also simplifying its onboarding and offboarding processes. As Brad Burton, IT Principal Engineer at Cypress, puts it: “Okta got us 80% out of the box. We used Okta’s toolbox and world-class API to make the next 20% happen and solve the problems we were facing.”

SSO comes to the aid of Mercy Corps’ user experience

International aid organization Mercy Corps helps communities all over the world with capacity building, resilience, and humanitarian and disaster response. It has over 5,000 team members in 42 countries, and the organization was facing both logistical and cultural obstacles in its IAM infrastructure.

A diverse team across the world meant that the company operated in different ways depending on the setting, with naming conventions that were sometimes difficult for English-language-based systems to assess. To bring all these systems into alignment, Mercy Corps had to take a more nuanced approach by starting small, testing, and adapting.

As part of this strategy, it adopted an Okta environment of custom web apps built on various systems, including AD, LDAP, an HR system, and MS Navigator. However, its LDAP was antiquated, which posed a number of problems. The system couldn’t process modern characters or accept write-ins from anything but the existing LDAP user interface. It also couldn’t be fully retired until all dependent systems were migrated to Okta. To address these constraints, Mercy Corps developed an enterprise data governance practice that streamlines data flows between Okta and other systems.

Alongside these changes, Mercy Corps also deployed Okta SSO across over 20 apps, which removed regular login frustrations for both end users and admins, freeing them to focus on more important tasks. Moving forward, the organization plans to go a step further and explore the possibility of enabling seamless, passwordless logins for its employees.

It also deployed MFA for system admin roles, adding another layer of security for those critical personnel, with plans to roll it out en masse in the near future. By capitalizing on this new infrastructure, Mercy Corps will soon be able to retire LDAP and integrate Okta with its HR-as-a-Master to streamline onboarding and offboarding.

“With Okta, we’ve been able to halve the number of user logins, and are on our way to true SSO,” says Mercy Corps Enterprise Architect Brad Goettemoeller. “Our employees have gone from having regular login frustrations to ‘it just works.’”

One IAM solution often leads to another. Tackling a user experience pain point with a best-in-class IAM service can open up optimizations that didn’t initially seem feasible for your team. Whether distributed across the globe or rooted in legacy systems, your company’s IAM problems do have a solution.
