M&A agility: High on the priority list
EBSCO’s business model involves a constant cycle of buying and selling a diverse portfolio of companies, which creates both security risks and user experience challenges. IT resolves these by focusing on identity and access management.
A clear identity opportunity
EBSCO IT decides to standardize on Okta for identity across the company. With Okta’s Universal Directory, they see a future where they can easily manage identities across multiple Microsoft Active Directory domains, simplifying the user experience and boosting security.
Speedy SSO and MFA rollout
The team’s first priority is rolling out Okta Single Sign-On (SSO) and Okta Adaptive Multi-Factor Authentication (MFA) for employee access. After first connecting eight smaller applications, the team quickly transitions all 6,000 Office 365 users to Okta. Implementation time: Three months.
With Okta SSO and MFA, EBSCO removes the need for employees to keep up with multiple log-ins. IT takes security to a new level, centralizing policies, improving visibility into user access, and implementing consistent governance among its many business units.
Adding M&A agility to the mix
Next, the EBSCO team implements Okta Lifecycle Management and Universal Directory for seamless M&A integration and automated provisioning and deprovisioning. With SAP SuccessFactors as a master, HR updates translate automatically to relevant accounts without IT’s continuous involvement.
Okta’s Universal Directory was really the key for me. Taking the traditional Microsoft AD environment, moving it to the cloud, and then managing down—it’s just a great idea.Willie Clemons, Director of Identity and Access Management, EBSCO Industries, Inc.
- 6,000 employees among multiple, diverse, and fluctuating subsidiaries accessing Office 365 and other applications seamlessly and securely
- 30 apps integrated into Okta, with 60 more to come
- 3 months to implement Okta SSO and MFA across the company
M&A agility: High on the priority list
In 1936, Elton B. Stephens realized he was making more money weekly managing sales people part-time than he could make in a month as a newly-minted attorney. That was the start of Birmingham, Alabama-based EBSCO Industries, Inc., one of the largest privately held companies in the United States.
Today, the 75-year-old company includes a diverse and fluctuating portfolio of businesses across 23 countries. In addition to its longstanding digital library service, EBSCO sells outdoor products, standing desks, real estate, and insurance. Mergers, acquisitions, and divestitures play a major role in the way the company operates—and in the way IT staff members approach their work.
“The company buys and sells, and it’s a constant cycle for us,” says Willie Clemons, director of identity and access management (IAM) at EBSCO.
While Clemons joined the team at the end of 2018, Principal IT Security Architect Al Dixon has been with the company for seven years. EBSCO’s many lines of business create an IT governance challenge, he says. “We need to be able to spin on a dime—to bring new companies in, get them on our email system, and bring in their directory services.”
Identity is key to that project, says Clemons. “We want to be agile enough to onboard users with the applications they need, and to take them out if they’re no longer with the company.”
Too much mundane, manual work—along with too much risk
Initially, EBSCO owned many identity and security tools. The team had worked with Microsoft, Duo, and Ping for some time and came to the conclusion that they needed a more mature IAM platform that could help them integrate and separate domains easily and provide one cohesive and scalable IAM strategy for the entire company.
Clemons says it’s often easy for large organizations to think in siloed terms, settling for point solutions, such as Duo for MFA, without looking at the bigger picture. On the other hand, large stack solutions, such as those offered by Microsoft, focus too heavily on their proprietary technology to solve broad IAM challenges effectively.
“Microsoft gives you the capability to do a lot of things—but not easily,” says Clemons. His team of five initially included two engineers and three account administrators who spent their days manually creating and managing employee accounts. “We needed to get away from doing those same mundane tasks, and get our people educated in an application that they could pick up quickly and start doing more with,” he says.
Despite their best efforts, the company had also suffered through a number of password spray and DDOS attacks. The team knew they needed to upgrade their multi-factor authentication (MFA) strategy and reduce the risk of compromised passwords. To do that, they set out to bring the company’s entire identity toolset together under one unified umbrella.
“The perfect fit for a company that is both growing and shrinking”
As EBSCO continued to acquire new companies and tackle new industries, it needed a cloud-based identity solution that could connect its entire infrastructure, from the latest cloud technologies to legacy on-prem applications and data.
Because the company’s businesses vary widely and are constantly being bought and sold, its infrastructure had to be able to adapt and integrate quickly with each new business. At the same time, the company needed to maintain consistent access and security governance policies across all of its business units.
Clemons says Okta’s workforce identity solutions offered an opportunity to transform the entire EBSCO user experience, while providing a comprehensive solution to security threats. He had used Okta previously, and was thrilled to join a company that prioritized identity at the executive level, where he could build on his Okta experience. “I saw Ryan Loy, EBSCO CIO, speak at a conference,” he says. “It was the same thing: Identity is first. I felt really good coming into the company—they had the right vision.”
“Okta is the perfect fit for a company that is both growing and shrinking,” he says. “In the old days, working with Microsoft AD FS, you may be okay working with two domains. Three starts getting cumbersome, and after that it starts getting really bad. Being able to keep the infrastructure the way it is and align Okta on top of it to share those identities—that’s the way we want to go.”
Some of EBSCO’s businesses would continue using AD, and others would bypass it and go straight to Universal Directory. Either way, Okta offered a comprehensive solution to the company’s broad identity challenges. “Taking the traditional Microsoft AD environment, moving it to the cloud, and then managing down,” he says—”It’s just a great idea.”
A manageable transition to an SSO and MFA standard
The EBSCO team’s first priority, however, was to standardize employees across the company on Okta Single Sign-On and Adaptive Multi-Factor Authentication. They started with VPN users. “We figured we’d hit those more technical users first, and see what kinds of issues we ran into,” says Clemons. “Once we got them registered, that would set the stage for everything else.”
“Once we got that going, we started connecting some of the smaller applications to Okta and working our way up to Office 365,” he says. “Office 365 was a huge security risk for us.” To keep the transition manageable, the team broke up the implementation into thirds, bringing on 2,000 users at a time.
After all the care the team took to prepare, deploying Okta SSO and MFA was a piece of cake, says Clemons. Today, they have integrated about 30 applications with Okta and are on track to add another 60 applications in the next few weeks.
“In the end, it’s all about communication,” says Clemons. Leaders in EBSCO subsidiaries are thrilled when corporate IT calls them personally to discuss IT changes. “It’s important that they feel like we’re helping them, rather than just commanding them to do things,” he says.
The EBSCO team is making strides toward simplifying and consolidating its IAM infrastructure. “We’ve removed Ping. We still have some Duo users that we’re going to get rid of this year, and we’re getting to the point where we’ll get rid of Microsoft, as well, in terms of MFA.” he says.
“Okta gave us an opportunity to make the user experience better, so employees don’t have to keep up with multiple log-ins,” he says. “Many were on separate domains, not even tied to us. The user experience was pretty bad.”
From a security perspective, EBSCO IT is now in a much better place to centralize policy decisions and implement consistent IT governance guidelines among its many business units. The team is also happy to have greater visibility into who users are and where they’re coming from. “Visibility is critical when you start looking at employees who are all over the world,” says Clemons.
Dixon agrees. “If you know an employee typically logs in from France, and suddenly they’re logging in from Lickskillet, Alabama, you know you need to take action and investigate that a little closer. MFA helps us with that.”
Clemons hopes to see metrics shortly that report a significant shift in EBSCO’s IT security position. “First and foremost, we don’t want risk exposure,” he says. “If we can cut down on the number of attempted hacks into our network and the password compromises, that’s key for us.”
Adding M&A agility to the mix
After laying the groundwork with SSO and MFA, the EBSCO team looks forward to diving in and working some automation magic. “The main idea behind Okta is to get our arms around locking down accounts and being able to provision and deprovision quickly,” says Clemons. With Universal Directory, they can easily manage multiple untrusted Active Directory domains. “That will allow us to bring in and take out businesses as they come and go,” he says.
To implement Okta Lifecycle Management and Universal Directory, EBSCO IT plans to use the same approach as they did for SSO and MFA. “We’re going to start with the applications that we believe Okta will work well with. ServiceNow, for example. We expect to have very few issues provisioning that one.” Office 365 is also on the short list.
The team plans to use their human resources information system, SAP SuccessFactors, as a source of truth for employee profiles by connecting it to Universal Directory. That way, accounts get provisioned and deprovisioned automatically as HR changes employee profiles within SAP SuccessFactors, without input from IT.
Room to grow, with identity at the forefront
Clemons is visibly proud of how quickly his team has picked up Okta. “We have six people who can administer employee accounts today,” he says. “It’s very intuitive. With a traditional identity solution, it’s very difficult to take people who’ve been provisioning—and that’s all they’ve done—and turn them into something else.
“My team has been able to step right in and take on administrative tasks—partly because of their eagerness to learn, but also because Okta is simple to pick up. That has been a big asset,” he says.
With so much complete in just three months of working with Okta, Clemons says the team is ahead of schedule. “Okta’s been very helpful along the way,” he says. “They have a good implementation roadmap in terms of customer success, project management, and end user education. Okta’s professional services team was really good at keeping us on schedule and within our budget.”
Looking ahead, Clemons would like to see the company implement Okta for customer-facing applications, as well. Also, he says, “the Advanced Server Access product that I saw at Oktane19 is really interesting. Okta offers a security infrastructure standard that’s well beyond what many corporations today have in place—even those that have been operating in the cloud for a long time.”
“What we saw at Oktane really impressed us.” Going forward, he says, “the corporate standard for us will be Okta.” As the company proceeds with plans to grow 75% over the next five years, Clemons feels confident about the company’s security position. “We’re going to keep identity on top of it all,” he says.
EBSCO Industries, Inc., is a conglomerate that includes EBSCO Information Services, as well as other companies in the areas of information services, publishing and digital media, manufacturing and distribution, real estate, and insurance services. Family-owned and based in Birmingham, Alabama, EBSCO was started in 1944 by Elton B. Stephens and his wife, Alys, and is one of the largest privately held companies in the United States.