Building trust in a fluctuating environment
Allergan pioneers a new pharmaceutical growth model, Open Science, partnering with independent researchers and positioning itself as “a magnet for game-changing ideas and innovation.” To sustain the trusted Allergan brand, identity management will be key.
Getting a handle on identity
As the company engages with outside organizations using diverse apps, competing identity products mount, along with password reset requests. IT implements Okta SSO to establish a common authentication point, then adds Lifecycle Management to automate onboarding and offboarding.
Identity independence wins out
In 2015, Actavis acquires Allergan in a $66 billion deal, with the new, global company taking the Allergan name. IT standardizes identity and access management across the company on the Okta Identity Cloud’s vendor-neutral platform.
Connecting the extended ecosystem
Allergan expands its identity platform to include partners, doctors, and patients—and enlists Okta to power identity for a new tear stimulation device. For added protection, the team implements Adaptive Multi-Factor Authentication.
Streamlining and securing integration and collaboration
As Allergan pursues its strategy, Okta helps streamline access and communication across multiple business entities. At the same time, Okta ensures that company leaders keep tight control over who has access to sensitive information.
In the identity and access management space, Okta is our fundamental platform partner. We’ll continue to challenge and work with Okta in the external partner ecosystem.Mike Towers, CISO, Allergan
Pioneering a new pharmaceutical business model
As anyone in the tech industry will tell you, great discoveries today happen most frequently among small teams of people with the drive and the license to think outside the norm and aim for disruption, rather than steady improvement. Traditional corporate structures don’t often provide the freedom or the motivation that innovators require, which is why the pattern of small startups changing the course of entire industries is by now a modern business principle.
That principle goes well beyond the tech industry. Today’s global pharmaceutical companies find that the driving source of innovation comes from universities and small biotech firms, rather than from their own labs.
Allergan, a branded "growth pharma" leader with global franchises in seven therapeutic areas, has embraced that shift. The company follows an Open Science R&D model, partnering with independent researchers and positioning itself as “a magnet for game-changing ideas and innovation.” When we spoke to Mike Towers, CISO of Allergan, in early 2017, the company had engaged in 13 acquisitions or collaborations in the previous year alone.
Building trust in a fluctuating environment
As CISO, Towers is responsible for protecting Allergan’s digital assets—content, applications, and systems—and enabling growth, organizational change, and internal and external data sharing. He’s also the point man for compliance with government regulations, such as Sarbanes-Oxley (SOX), HIPAA, EU Data Privacy, and the Sunshine Act, which governs pharmaceutical sales practices.
It’s a big job, and an important one. Trust is a cornerstone of the business: First, to build and maintain relationships. It’s important for Allergan to maintain a reputation in the industry among potential business or acquisition partners. The competition for buying cutting-edge biotech firms or partnering in joint ventures can be high, says Towers. “You want to make sure you can go into one of those relationships and adequately protect the transaction, protect the integrity of the data. That could end up being a tipping point, from a competitive perspective.”
Competing identity management solutions
As the company engaged with outside organizations using diverse sets of cloud and on-prem apps, identity and access management played an increasingly important role in keeping Allergan systems secure. In the beginning, people had to juggle many different and competing identity products. “It was very confusing to end users,” says Towers. “They had to remember a lot of IDs and passwords. They were constantly trying and failing to use their credentials.” The help desk was inundated with password reset requests.
As a leader in cloud adoption, by 2012 Allergan was relying on cloud services, such as Box, Microsoft Office 365, and Salesforce, for important business functions. Moving to the cloud helped modernize business processes, but it also added to the confusion around identities. Audits became a huge undertaking, along with ensuring regulatory compliance. If a breach occurred, it was hard to tell where the access came from. When people left the company, removing their access from company applications and data was a time-intensive, manual process.
Allergan IT first implemented Okta as a common authentication point for cloud applications, using it as a single-sign-on platform that employees could use to log into all their cloud apps at once. They went on to automate employee onboarding and offboarding, implementing Okta Lifecycle Management, along with Universal Directory.
With this single, integrated identity and access management platform, IT could master employee or contingent worker profiles from on-prem SAP human resources software, and automate role and group assignments and access. They could also integrate multiple Microsoft Active Directory or LDAP directories, to automatically provision all users to downstream cloud or on-prem applications.
“Okta gives us a foundation to answer the fundamental questions of access management: Who has access to what, and who approved it?” says Towers. With the answers to those questions stored in Okta, audits and breach investigations are much simpler, more consistent processes.
Okta gives us a foundation to answer the fundamental questions of access management: Who has access to what, and who approved it?
Establishing identity after a major merger
In 2015, Actavis acquired Allergan and took its name. “That gave us a chance to completely recalibrate what we were doing,” says Towers. “We reassessed the landscape and did a reconfirmation and reselection of the Okta platform.” Towers implemented more robust governance around Okta provisioning, standardizing identity and access management systems across the new company on Okta.
Okta won out over competing identity platforms primarily because of its independence, says Towers. With Okta, Allergan had the freedom to choose the best business applications for the job, while unifying all those applications onto one identity platform. Universal Directory provided a single source of truth, so that Allergan could consolidate directories between the two companies quickly.
Okta was critical for smoothing the transition to the new, much larger Allergan, says Towers. “[As we were] navigating all those pieces coming together … Okta was a way to give everybody uniform access to the systems.”
Okta Lifecycle Management was also a factor. “The cloud provisioning model that Okta is built on is very attractive because our business is becoming ecosystem-based, not just enterprise-based,” says Towers. Scalability was critical. Allergan IT could move forward with the confidence that Okta would integrate seamlessly with the current business environment, as well as with whatever the future held.
“The cloud provisioning model that Okta is built on is very attractive because our business is becoming ecosystem-based, not just enterprise-based,” says Towers.
Today, Okta provides centralized security across Allergan’s cloud and on-premises applications, networks and other resources. The company’s Okta implementation approaches access management from a broad perspective, using the best automation elements from the identity governance and administration (IGA), which are built into Okta Lifecycle Management.
Engineering a sustainable growth model
Because of its constantly changing and growing business, Allergan’s global support functions faced many challenges. In 2016, senior leadership sought to rebuild core foundational systems with the goal of standardizing on key partners and weeding out legacy infrastructure that no longer aligned with the company’s vision.
“Okta’s role in that journey has been paramount,” says Towers. “We launched the new platform with Okta leading the way in December 2016.” With Okta as the combined company’s master identity and access management system, Allergan IT can standardize on best-of-breed applications without worrying about how people will access them.
“Workday is responsible for who you are as an individual [employee or contingent worker],” says Towers. “Okta is responsible for what that means in the digital world, and what you have access to. That could mean dozens of accounts behind the scenes that you don’t even know exist.” The company has integrated about 300 applications onto the Okta Identity Cloud so far, with 40 of those classified as core entitlements that most employees use regularly.
Because Okta is so simple to use, there’s no danger of users looking for insecure workarounds. “Okta’s primary security benefits have a lot of impact,” says Towers. “First and foremost, [Okta] allows us to immediately translate an HR event into a changing level of access. If you change roles, move on from the company, or relocate, the access is changed accordingly.”
Streamlined integration and collaboration
While Allergan’s Okta-managed digital ecosystem began with internal employees and contingent workers, it quickly expanded to include the B2B partners and acquisitions critical to Allergan’s growth strategy, as well as marketing or promotional partners, third-party clinical operations, manufacturing, and supply chain partners.
Today, many of those partners access common applications across multiple domains. As they communicate and collaborate seamlessly through the Okta Identity Cloud, the company becomes more agile—able to quickly realize the benefits of its Open Science strategy.
“The vision for Okta operating in the cloud and federating appropriately is that [partners or new employees] would be able to log in with the credentials they’re used to using,” says Towers. “It won’t rush us into, for example, moving their Windows or SAP accounts. They can leverage the applications in the systems they use now.”
“Users don’t know where the app is, and frankly they shouldn’t care,” says Towers. “We use Okta to enable access to both cloud apps, such as Salesforce and Veeva, and internal, on-premises systems, such as SAP. All of that is enabled through Okta with the same account, the same password, the same experience.”
Bringing doctors and patients into the fold
Allergan also brought doctors and patients onto Okta, so they could log in to their Allergan accounts or register for programs and services. For an extra layer of protection, the team implemented Adaptive Multi-Factor Authentication for those users.
“Anybody who follows pharma knows that patients have a lot bigger say in their health and medication than they did even fifteen years ago,” says Towers. Some of the most well-known Allergan products have their own support groups, where patients can connect with each other.
The company is also venturing into healthcare management devices. In 2015, Allergan acquired Oculeve, a company developing a hand-held intranasal device designed to help patients with dry eye disease to stimulate natural tear production. Today, Okta powers identity for the app that patients use to manage the device, now known as True Tear, similar to the way they manage their fitness tracking apps.
A foundation for secure engagement
With identity and access management handled across apps, domains, and user profiles, Allergan leaders can focus on building an Open Science ecosystem, sharing data between partners as needed, and offering robust services to doctors and patients. At the same time, using Okta’s control interface, company leaders can keep tight control of who is accessing what.
That combination of air-tight data and application security with collaborative freedom helps the company bring ground-breaking pharmaceutical innovations to market—all while maintaining and building on the trust that the Allergan brand has established over decades with patients and their doctors.
Allergan plc, headquartered in Dublin, Ireland, is focused on developing, manufacturing and commercializing branded pharmaceuticals, devices and biologic products for patients around the world. Allergan markets a portfolio of leading brands and best-in-class products for the central nervous system, eye care, medical aesthetics and dermatology, gastroenterology, women's health, urology and anti-infective therapeutic categories.