Akumin scales Identity management processes with Okta Workflows

Situation: Manual processes + lack of integration contribute to Identity risk and threaten strategic initiatives

Akumin is a trusted partner for hospitals, health systems, and physician groups all over the United States. Since its founding in 2013, the company has grown to become the country’s No. 2 overall radiology services provider, with roughly 1,000 hospital relationships and an operational footprint of 48 states.

In 2021, three large-scale events highlighted the need to modernize Akumin’s Identity infrastructure: 

1. Akumin acquired Alliance Healthcare Services.
2. The company embarked on a hiring spree.
3. Akumin initiated a large-scale migration to Google Workspace. 

In the midst of these changes, Kyle Kortvely joined Akumin as a System Administrator. He and his team began to identify several key challenges:

• Tedious processes for operational tasks, like generating reports: IT experts were spending valuable time manually generating security audits and reports, that were critical to protect patient confidentiality and meet regulatory requirements.
• Slow, error-prone process for on/offboarding: PowerShell and manual scripts limited the company’s ability to integrate the acquisition and keep up with hiring demands.
• Significant demands on help desk administrators: IT tickets continued to grow, making it hard for the help desk admins to respond quickly, slowing down some key processes.

Solution: Using Okta Workflows to implement no-code automation, integration, and delegation

Akumin was already using Okta’s core Workforce Identity Cloud, and Kortvely understood that Okta Workflows — a no-code Identity automation and orchestration platform — could enable a massive transformation. He quickly began to automate tasks like security audits and on/offboarding customization. Ultimately, Workflows helped the team become more productive by relieving them of many manual tasks.

Whenever I’m making a Workflow, it’s probably the happiest I am in my work: it makes my job easier, it makes someone else’s job easier — and it just works. When I deploy it, everyone benefits. - Kyle Kortvely, System Administrator at Akumin

Getting started with Workflows was easy, even without a coding background. “I’m not a programmer, but I started by playing around with templates and the more I got my hands on it, the more fun I had. And that really jump-started my mind to start thinking outside the box about specific areas where Workflows could immediately help.”

Automate custom reports to support security initiatives

Kortvely first applied Workflows to power custom reports, such as identifying employee MFA use and frequency. While Okta has a curated list of pre-built reports that help admins detect potential security risks and understand how end users consume apps and services, Kortvely wanted to go deeper than these out-of-the-box reports allowed.

To help users gain detailed insight and address specific information needs, Kortvely used Workflows to automate creation and scheduling of custom reports. One example is a report that reveals users who haven’t yet configured their MFA factors. While Kortvely used the report primarily to audit security status, in the future the same report can be connected to an Action to prompt those users to complete their MFA enrollment.

Automatically create tables and reports that include exactly — and only — the data you need

Provisioning time cut by 80% — with the migration to Google Workspace on schedule

When Kortvely arrived at Akumin, the IT aspects of user onboarding were performed manually, with the aid of PowerShell scripting. Prior to the acquisition, Alliance followed a similar approach.

But this onboarding process took 10-to-12 minutes per user and required a member of the IT team to execute. It simply couldn’t scale to keep pace with the company’s hiring plans and evolving technology infrastructure.

So Kortvely created an automated onboarding flow to provision users, focusing on immediate requirements: speeding up the process, removing the manual element, and enabling the Workspace migration.

Catching and resolving duplicate names

When Kortvely joined, the combined company had several thousand employees and was still hiring. As a result of the acquisition, they had two Active Directories, which provided its own complexity between differing IT and HR practices for managing associates. Duplicate names were proving to be a major hurdle. While these kinds of problems are common when identity systems are merged during a merger or acquisition, they delay productivity.

Kortvely was able to create a Workflow to catch and fix conflicts during identity creation, including duplicate usernames or emails. He quickly expanded the flow to check domains, assign specific user roles and place users into groups, and provision access to applications. The complete flow executes mistake-free in about 20% of the time of the PowerShell-aided manual approach.

Catch and fix conflicts during identity creation, such as duplicate usernames or emails

Kortvely felt satisfied about what he had been able to accomplish, but the real proof came when he took a leave of absence: “Automation has made onboarding, provisioning, and other activities so fast, reliable, and easy. I was on a leave of absence for a few weeks, and there were no issues — it was such a relief.”

Tightening offboarding security by customizing de-provisioning 

Ensuring access is revoked when an employee leaves or is terminated is a critical aspect of security and compliance, but is often easier said than done.

In the current state of deprovisioning, Akumin is in the process of having Workday as the source of truth, but is staging out these steps and slowly moving away from the legacy Active Directories. Kortvely explained that the HR department might suspend a user in Workday, but not notify the IT team until a day or two had passed — especially for Friday departures. Additionally, with manual deprovisioning, it might take days or even weeks before a user’s access was completely removed from the many different systems used by Akumin.

Recognizing the risk, Kortvely explored how to apply Workflows to close this security gap.

The result is a powerful flow that uses an API call to determine if a user’s Workday account is suspended or revoked, which subsequently triggers a collection of actions, including:

• Assigning the user to a special security group, which Kortvely described as “a holding cell”
• Denying access to Okta
• Disabling access to Google Workspace

Once IT confirms with HR that a user has left or been terminated (rather than temporarily suspended for some other reason), then full — and automatic — deprovisioning occurs.

By using Workflows, Kortvely ensured that suspended users immediately have their access revoked and that the wider deprovisioning is timely and comprehensive.

Non-destructively de-provision employees

Accelerating help desk ticket resolution with delegated flows

Using Workflows, Kortvely and the team had addressed important and urgent needs for Akumin, but they weren’t finished yet.

Within the organization, there was a concern that too many people had super-administrative privileges — a byproduct of the manual processes and the need to keep pace with IT tickets. 

To address this potential security risk, Kortvely turned to Okta’s delegated flows feature. Delegated flows can be assigned by super admins to admins in their org. When an admin is assigned a role with Run delegated flow permission, they will have access to a delegated flows list within the Okta Admin Console, where they can run flows that are assigned to them in a resource set.

In other words, delegated flows allow admins to run flows that would otherwise be limited to super admins.

Kortvely describes the delegated flows he built as his “magnum opus” because not only does the collection include the onboarding work, but also a number of additional flows that allow the help desk team to address a range of common ticket requests — including assigning users to mailboxes, changing email names, adding an alias, configuring a leave of absence.

And simplifying these tasks has a real impact, as “A ticket that might sit in a queue for 2 or 3 days until a super-admin could address it can now be completed on the same day — safely, securely, and reliably — with delegated flows: just hit a button.”

Results: A more efficient and secure identity infrastructure

So far, Kortvely and team have introduced nearly 30 workflows to automate a wide range of Identity management processes and tasks within Akumin. The impact has been immediate and highly visible throughout the organization, with benefits including:

• Stronger security posture: From enforcing MFA to tightening least-privilege access, Workflows allowed Akumin to better manage Identity risks.
• Reduced costs: Workflows was critical to Akumin’s successful migration to Google Workspace, allowing the project to finish on time and within budget.
• 80% faster (and error free) provisioning: Workflows enabled Akumin to automate the IT aspects of user onboarding, cutting per-user time by 80% — which was essential to keeping up with the company’s growth — while eliminating human error from the process.
• Secure offboarding: Prior to Workflows, 1-to-2 days could pass between an employee leaving and IT being informed, and weeks might pass before a user was fully deprovisioned. Workflows quickly remediated this. 
• Faster resolution of IT tickets: Delegated flows allowed admins to address a wide range of tasks right away, improving the employee experience.

“I really do look forward to making any kind of workflow – it’s one of the single-most cathartic things I get to do when working.” 

Moving forward with Okta

Kortvely takes great pride and enjoyment in what the team continues to achieve, eagerly describing how, “Whenever I’m making a workflow, it’s probably the happiest I am in my work: it makes my job easier, it makes someone else’s job easier — and it just works. When I deploy it, everyone benefits.”

Looking ahead, he’s excited about the potential of Low-latency flows, and of extending Okta’s importance within Akumin: “I saw the demos of Identity Governance, and I’m excited to try and implement all that it has to offer.”