Cloud-First Agility to Securely Remote Enable Your Workforce
In my previous blog, I introduced the concept of why hybrid, cloud-first, identity solutions are fundamentally different from those with an on-premises-first focus, providing you with a huge competitive advantage. Over the next few blog posts, I’ll be digging deeper into these differences, and detailing the advantages you’ll get by adopting Okta’s cloud-first approach.
My theme for this post is agility. The concept of agility has always been synonymous with cloud computing. If a capability or business function is offered as a cloud service instead of a discrete set of on-prem products, a customer can immediately start consuming without worrying about installation or configuration. Being able to stay focused on their core competence provides businesses with a clear competitive advantage.
While agility is important for any business, in this age of Covid-19 and social distancing, it has become even more critical. Suddenly, organizations world-wide are forced into a reality where their established workforce must transition to working from home, while simultaneously ensuring safe business continuity. In a matter of days, cloud-based service providers like Zoom, Slack and Okta have become indispensable, as they allow customers to focus on their core business—without worrying about the availability of these essential services for their workforce. Meanwhile, large companies with on-premises applications, only accessible through the local corporate network or a VPN, are discovering they cannot scale with this new reality. Conversely, they’re quickly discovering the power of a zero trust security model, which can solve this problem. In essence, companies who have already embraced and implemented zero trust had little transitioning to make: employees had access to the same resources (whether cloud or on-prem), while companies that held onto their traditional, legacy infrastructure were incapacitated.
Let’s get into the specifics of how Okta’s cloud-first approach provides unmatched agility.
Let’s start with what it takes to get an identity solution up and running. With Okta’s cloud-first hybrid approach, the lead time to deploy is a fraction of what you would need with an on-prem-first approach. Since most of the heavy-lifting is done in the Okta identity cloud, you don’t have to spend cycles implementing and customizing on-prem IAM software. Okta on-prem components like the Active Directory (AD) agent, or Okta Access Gateway (OAG) to enable hybrid access, have a relatively low footprint and can be deployed rapidly. Even relatively large deployments can be up and running in a matter of days. A great example of this agility is the recent deployment at FedEx. In the light of the Covid-19 pandemic, the company had to accelerate its go-live to enable secure remote access, rolling out Okta to 85,000 members in a matter of days.
A deployment like this would be unthinkable with an on-prem-first approach. It would take weeks,even months for basic steps like installing, configuring and integrating on-prem components—especially across multiple environments (including development, test, production, etc.) And, in large deployments, this would mean multi-node clusters along with load-balancers, databases, etc. Furthermore, to provide for high availability, such a deployment would need to be replicated in two or more data centers. In the real world, as you work with different IT groups and external system integrators to get all these pieces working together, you would need to add many extra buffers. We’re talking about months to just get it off the ground... Why this huge lead time? An on-prem-first approach requires that the identity logic runs on-premises, in your data center, as shown below.
Diagram of a heavy on-prem footprint that adds to your maintenance woes and slows you down
It’s important to note that this requirement for lead time doesn’t just go away by choosing to deploy servers in Infrastructure as a Service (IaaS) environments like AWS or GCP, instead of your own data-center. It shaves off the overhead of managing servers, but it doesn’t alleviate the challenge of installing and configuring legacy IAM software. Many on-prem-first vendors highlight their good devops practices by providing containerized images of their solutions. But these steps provide very small incremental benefits that can’t compare with the benefits of a cloud-first hybrid approach. By completely off-loading to an IDaaS vendor like Okta, you get a huge, immediate boost to your deployment agility.
Cloud-first, hybrid solutions like Okta are built entirely in the cloud from the ground up, they’re not just old, legacy on-premises software running in IaaS. Innovations like the highly redundant cell-based architecture that enable Okta to stay "always on" require serious investments and must be engineered from the ground-up as a part of the cloud service. Despite what on-prem vendors may say, an on-premises IAM environment can’t simply be lifted and shifted to IaaS to magically address high availability and reliability requirements. This difference becomes apparent when you read through the fine-print of Service Level Agreements (SLAs) of the cloud options offered by most on-prem-first vendors.
Since they cannot offer zero downtime upgrades, you’ll find that they slip in clauses for scheduled maintenance windows. And because they have not built in enough redundancy, they simply fall back on the SLAs offered by the underlying IaaS provider.
While rapidly standing up the SSO/MFA solution is a key value proposition of Okta, the real agility of a cloud-first hybrid approach becomes clear when you start integrating apps. Here, Okta’s value comes from one of the largest catalog of 6500+ pre integrated apps, so you can rapidly integrate apps with a few simple steps. Even for complex, legacy, on-prem applications like Oracle EBS or Microsoft SharePoint, Okta Access Gateway provides a rapid integration path. Alliance Data Systems is a great example of an organization that leveraged the rapid integration capability of Okta and OAG to protect a large number of mission-critical, legacy workloads.
In contrast, an on-prem-first approach typically relies on proprietary agents and SDKs for integrating apps. They typically refer to it as an “integration toolkit” or “custom agent”. These toolkits invariably need developers or system integrators to install, configure and maintain hundreds of agents or custom integrations. This approach not only leads to a vendor lock-in, but also requires significant developer expertise that can be hard to find. A large deployment with hundreds of customized, proprietary integrations requiring constant developer oversight can slow down your organization to a crawl.
User Lifecycle Agility
Next, let’s talk about what it takes to on-board users, whether employees or consumers. Okta’s cloud-first approach leverages a low footprint LDAP/AD agent to quickly sync users from existing on-prem directories to Okta’s Universal Directory, an integral part of the Okta Identity Cloud. In conjunction, Okta also supports the ability to source employee information with pre-built integrations with leading HR platforms like WorkDay, BambooHR, UltiPro, and others. To add to the comprehensive Lifecycle Management (LCM) and provisioning that Okta always had, new capabilities around flexible workflows provide a big boost to the on-boarding agility. It allows you to easily configure granular actions like adding users to specific Slack channels or Box folders based on HR roles, automatically sending welcome emails, etc.
Zero code workflows in Okta to automate identity-centric business processes for user on-boarding
Now, contrast this with the on-prem-first hybrid approach that legacy IAM vendors offer. To start with, these vendors typically depend on a flavor of their own on-prem directory that would invariably come with a host of challenges around replication and maintenance. Customers often underestimate the sheer cost and complexity of maintaining multiple on-prem directories and ensuring they all stay in sync. A lot of the on-prem IAM vendors also don’t offer advanced life cycle management or workflows as an integrated capability, forcing you to build custom code or integrate with a full-blown Identity Governance & Administration (IGA) product, slowing you down further.
Another area, often overlooked during IAM evaluations, is the M&A agility that a cloud-first hybrid solution from Okta offers so you don’t have to deal with complex on-prem directory consolidation projects every time you acquire or merge with another business entity. Okta’s cloud-based Universal Directory provides flexible attribute-mapping and transformation to fast-track identity consolidation tasks that can take significantly longer with legacy, on-prem directories.
Finally, let’s look at the long-term need for maintenance agility. Okta’s cloud-first approach almost eliminates overhead for staying current on releases or having to patch software. While there are pieces of the solution, such as small agents, running in your data center, very little of the identity logic is in them, therefore updates are small and quick. You can focus on your core business without having to worry about staying up to date. You can rest assured you are on the latest and greatest version of the product as Okta’s “always on” service ensures zero downtime upgrades, averaging every week or two.
Contrast this with an on-prem-first approach, where you must wait for vendors to publish their latest releases (ranging from once a quarter to once a year). You are also constrained by how quickly your IT can undertake these upgrades. In large deployments, these upgrade projects can often take months, with complex customizations that invariably break because of their lack of backward compatibility. To be fair, in recent years these vendors have made incremental improvements in reducing upgrade time. But this is not about shaving off a few weeks from an otherwise complex upgrade project—it should be about gaining agility in an order of magnitude greater than anything legacy on-prem IAM can provide.
In essence, agility is not just about getting the latest cool feature, but about staying one step ahead of the bad guys. And when it comes to staying current on vulnerability fixes and patches, agility is no longer a luxury; it can have a direct impact on your reputation and bottom-line. Flaws are found in products all the time, some with terrible security implications. Remember Heartbleed or Cloudbleed or any one of the hundreds of known vulnerabilities? Delays in being able to update your critical identity infrastructure can significantly expose your business, employees and customers to all sorts of security issues. Do you recall the Equifax breach that cost the company over a billion dollars? It was due to unpatched servers that they knew about but, due to competing priorities, never got around to patching. That is when the importance of staying current on releases and patches becomes crystal clear.
Agility in your core competence
In this second post of my cloud-first series, I’ve laid out how Okta’s cloud-first hybrid approach allows any IAM solution to be more agile. But what really matters is the agility it brings to your business’s core competence, be that manufacturing, banking, healthcare or retail. By extension, this allows for agility in responding to your customer needs and disallowing your identity solution to slow you down. The brilliance of an IDaaS solution like Okta is removing the burden of managing an on-premises identity solution so that your spotlight remains on your core competences. And it’s this focus that will determine your ultimate success.
For yet another angle, check out our Is Legacy Identity Infrastructure Holding Your Enterprise Back? whitepaper.