Charting a secure path to the cloud
MidSouth Bank was in the midst of rapid IT modernization when an audit revealed it wasn’t doing enough to secure its cloud applications. The company had to act quickly: like all banks, its business survival is built on trust and protecting customer data.
Changing technology demands modern solutions
MidSouth Bank also had to act strategically to adapt to a changing IT environment. Okta facilitated the transition from on-prem, legacy systems to the cloud for its hardware, software, and security by integrating seamlessly with the apps MidSouth was already using—and those they planned to adopt in the future.
Embracing identity as the new security perimeter
With an increasing number of MidSouth employees working remotely, and cloud applications becoming the norm, the old network security model was no longer enough—identity had to be the new security perimeter. Committing to a Zero Trust model of security, MidSouth turned to Okta for a robust identity management solution.
Quick adoption by employees
After an internal awareness campaign, MidSouth did a “big bang launch” of its new identity standard. MidSouth chose its timekeeping application as the first application to deploy with Okta, ensuring that all employees were exposed to the new technology. Employees adapted quickly and with enthusiasm, even requesting additional Okta solutions be deployed faster than planned. Within weeks, MidSouth saw 100% adoption of the new technology.
Before implementing Okta, the bank’s security team could see less than half of their users’ authentications. Now, all of MidSouth Bank’s applications are in one console and authentications are easy to track. This is especially important during offboarding, when former employees’ access must be quickly and completely revoked.
“Okta is the most approachable identity platform I've ever come in contact with. It delivers everything it says, and it happens in a very easy and quick way.”
Daniel Hereford, CIO and SVP of Technology for MidSouth Bank
- Reduce complexity and operational costs
- Robust security posture using a Zero Trust security model
- Fast and easy deployment supporting hybrid environments
- Accelerate innovation and adoption of new cloud-based technologies
- Scalable, agile, and reliable systems
- Facilitates remote work—anywhere, from any device
A community bank built on trust
MidSouth Bank takes pride in staying true to its southern roots, offering high-touch services from friendly faces, and built on the ethical principles of responsible banking. From its first no-frills bank built in 1985, MidSouth now has 42 thriving locations in Louisiana and Texas, with 600 employees managing $1.7 billion in assets.
Although MidSouth is a full-service community bank delivering a complete range of personal financial services, its business banking division is rapidly becoming an important part of its business offerings.
“Our customer focus is on commercial clients with high net worth and higher financial needs than the retail customer,” says Daniel Hereford, chief information officer and senior vice-president of technology for MidSouth Bank. “We have a broad range of products to service really anything—from payroll to very complicated commercial lending.”
Mission: securing ‘rapid modernization’
Hereford joined MidSouth Bank in 2018 and was tasked with formulating a new strategy to meet the company’s business and technology goals. “My job is to implement a rapid modernization of our back-end processes and our customer-facing processes,” Hereford says. “Really charting a path toward the future, adopting a lot of cloud applications, a lot of modern work processes.”
His first challenge was waiting for him on arrival: an audit showed that MidSouth Bank was not appropriately protecting its cloud applications. That had to be addressed immediately—security and customer confidence are crucial in a highly regulated industry like banking.
“Trust is something that takes a really long time to earn and establish—and it takes seconds to lose it,” says Hereford. “If we lose the customer's trust, we will essentially lose that customer forever. Trust is very, very, very important.”
Integrating with a hybrid environment
Hereford knew that the key to modernization lay in moving toward the cloud and away from on-prem technology. But it wasn’t going to happen immediately: MidSouth is a community and commercial bank with a hybrid IT environment, meaning it holds significant legacy on-prem hardware and software, along with a growing suite of cloud services.
“That presents a really interesting challenge,” he says. “I’d love to take us to cloud-only, but the reality is, we don’t have unlimited resources. There are some applications I cannot upgrade, or cannot upgrade quickly. I really have to build our strategy around trying to look forward, keeping one foot in the future, but also servicing our existing infrastructure.”
Any security solution MidSouth selected would have to integrate smoothly with both traditional and cloud IT. And it would have to be able to do it quickly.
“The speed, the pace, all the business units wanted us to modernize as fast as we could,” Hereford continues. “I knew that the cloud applications were the way to go for that. But we had to figure out a way to implement the cloud applications, but have them interact with our hybrid, on premise, mostly older applications.”
Establishing identity as the new perimeter
Just as banks have traditionally relied on hardware and software entirely housed and maintained on-prem, “MidSouth Bank invested everything in on-prem security,” says Hereford. “That’s been everything we do; everything we’ve learned has been focused around a network perimeter-based security model.”
But MidSouth Bank knows it’s time for a major security shift. Not only is its technology moving beyond the walls of the bank, but the people using that technology are, too. “We have a plan for our workforce to be 20 to 30% remote within three years,” says Hereford. “That’s a huge transition for a bank that has only ever had employees at our brick and mortar locations. Work that used to happen only in a 100% trusted facility now has to be able to happen anywhere in the world, on whatever device they want to work on.”
In that changing environment, the traditional network perimeter security model does not hold up. The next challenge, Hereford says, is to find the best way to secure access for trusted individuals, wherever they are. It’s the concept of Zero Trust: all network traffic is inherently untrusted; the identity of users must be verified.
“Identity is the new paradigm, or the new perimeter, we’re trying to protect,” Hereford explains. “We’re not going to show trust in any device. We're going to make sure that users prove who they are in a very immutable way so that we can at least trust that session.” MidSouth needed a secure identity solution that would do just that.
Streamlined integration for immediate action
With an immediate security issue to fix, Hereford went to the market to look for an identity and access management solution that would be quick and pain-free to implement. He needed a platform that would work with MidSouth’s legacy systems while helping the company transition to a more modern IT environment.
Okta was the clear choice. MidSouth Bank was already running a number of applications, including Office 365 and the UltiPro HR system, that Okta could integrate with directly. The Okta Integration Network was readily capable of interacting with both cloud and on-prem applications—exactly what MidSouth’s hybrid environment demanded.
“We needed to take action, and I knew Okta could help us with the speed we needed,” Hereford says. “We were able to make a very quick decision.”
Hereford was also looking ahead and saw the value in Okta’s flexibility and reach. “I understood that Okta was really going to be a platform,” he says. “We could buy what we needed today, we could integrate things that we had today. And then we could move on for the future.”
Hereford points to two distinct Okta solutions that would immediately help MidSouth move toward the Zero Trust model of identity-based security: Adaptive Multi-Factor Authentication, which requires different factors for authentication (e.g., passwords, biometrics, push notifications, and others), and Single Sign-On (SSO), an efficient single access point for a suite of cloud applications. These, along with Universal Directory—a central, secure directory to manage all users, groups, and devices—would become part of MidSouth’s initial Okta deployment.
Okta vs. ADFS
Not everyone was immediately on board with Okta SSO, however. Part of the MidSouth team was committed to ADFS, a single sign-on solution by Microsoft, as the basis for an identity solution platform. “I told them I didn't think it was extensible enough,” says Hereford. “I didn’t think it was easy enough. It was going to take a lot more time to do what we needed to do with ADFS versus Okta.”
The Okta Identity Cloud easily integrates with Office 365; ADFS requires local infrastructure and maintenance, which Hereford was trying to move away from. Hereford chalks the resistance to Okta up to lack of familiarity. “Through the proof of concept process, through our demonstrations, the rest of the team became quick adopters,” he says.
MidSouth’s security team, on the other hand, took no convincing. “They were more aware of Okta and excited about the approach Okta was delivering,” says Hereford.
A partnership for accelerated implementation
Although Hereford and his team quickly concluded that Okta offered the right identity solution for their security needs, they also had to be certain the implementation and deployment went right the first time. “We were responding to an audit,” Hereford stresses. “We were trying to do all of this as fast as we could.”
To make sure they selected the most relevant Okta products and services, and didn’t miss any steps along their accelerated implementation and deployment plan, Hereford and his team partnered with Alchemy Technology Group, a tech consulting firm.
“Even though Okta is easy to implement, we wanted to go even faster than most companies would,” says Hereford. “We needed to partner with someone that would help us identify our objectives and help us do it quickly. Alchemy helped us figure out exactly what services we needed to make the implementation a success.”
Representatives from Alchemy led early scoping conversations to confirm the technology was a good fit. “A customer like MidSouth Bank is sophisticated and they understand what they want,” says Wes Davis, co-founder and partner with Alchemy. “They already know that Okta is a marketplace leader. They lean on us to help them address some of their use cases and give them confidence that they're making the right decision.”
With Alchemy’s assistance and support from Okta, moving ahead to deployment happened within two to four weeks. “That’s a lot faster than the typical,” Hereford says.
Planning started with a proof of concept, which “was very easy – extremely easy, in fact,” according to Hereford. “We did a few initial demos to make sure that the scope of our work matched the product's capabilities, and to make sure we knew exactly which products in the Okta portfolio we needed.”
The successful proof of concept led into the official implementation period, including building the product to scale and testing to ensure it met availability requirements. “And then we did an internal campaign to introduce people to the technology, what it was going to do for them, and what problems it was going to help us solve,” says Hereford. “Okta helped us a lot with awareness-building. There was a lot of marketing material, an adoption use kit, that Okta helped us put together. And then we launched.”
Fast adoption by users
With the initial deployment of Okta, MidSouth Bank’s transition to a more robust, identity-driven security model had begun. “Our primary goal was Multi-Factor Authentication, at least out of the gate,” says Hereford. Thanks to Okta’s flexible solutions, MidSouth Bank saw full employee adoption within a couple of weeks.
As Hereford notes, some employees were uneasy about using their mobile devices for work—they just weren’t used to their phones being a secure option. The solution: Okta Verify, which asked the end user to verify their identity by either entering a verification code or approving a push notification sent to their mobile device. “That became our corporate standard,” says Hereford. “And we saw 70 to 80% adoption very quickly.”
The other 20%? Due to specific work situations, these employees needed a different authentication factor. Again, Okta had the solution: a lesser-known feature called Voice. “This was not anticipated, and it was not in the proof of concept,” says Hereford. “We quite literally turned it on within the first week of going live. But it was absolutely no problem.” As a result, MidSouth Bank achieved 100% adoption of the new technology and the confidence that their data is secure.
As users explored the technology, they asked questions about the Okta dashboard and looked to move more of their applications there. “The dashboard was not something that we went looking to adopt immediately,” says Hereford. “But the users spoke and we responded to it.”
‘A tremendous enabler’
Hereford achieved his goal of launching Okta within a month. Right away, Okta integrated smoothly with the cloud and on-prem applications already in use by MidSouth Bank, including Office 365 and the HR information system UltiPro. This offered benefits across the board—especially for the security team. “By tying all that into Okta, especially Office 365 and some of our other cloud applications, we can offboard someone in five to ten minutes,” Hereford notes.
The visibility Okta offered was also crucial for the security team. “Before Okta, we couldn't see more than half of the authentications going on in our organization,” says Hereford. “But with Okta, all of the applications are put in one console and the security team has more visibility than they've ever had.”
“I would never get a report that said somebody logged in at 9 p.m. and that's not usual for them. I would have no way to see that before Okta was part of our organization.”
For a small IT team, being able to manage HR tasks quickly and efficiently “has been a tremendous enabler.”
Hereford says MidSouth’s relationship with Okta is just beginning. “The next step of our implementation with Okta will be to embrace lifecycle management fully,” he says. “We want to automate as much as we can in onboarding and offboarding. We have a lot of other applications that will be able to work with Okta right out of the box. We feel like we can get a really quick time to value by furthering our partnership.”
Like all banks, MidSouth has to meet sophisticated governance and regulatory standards and is looking into an identity and governance solution—it could be an Okta-only solution or Okta in partnership with another organization. Hereford would also like to see MidSouth adopt a stronger customer-facing identity platform, which may also involve Okta. “Either way, Okta is going to be part of the conversation—most likely the foundation of the conversation,” he says.
That commitment is not surprising, given Hereford’s positive experience with Okta thus far. “It’s the most approachable identity platform I've ever come in contact with. It delivers everything it says, and it happens in a very easy and quick way.”
About MidSouth Bank
MidSouth Bank opened its first Louisiana branch in 1985, in the midst of the Gulf South’s oil and gas industry collapse. It emerged from the 80s with a seasoned team of professionals that knew how to guide businesses through tough times and a loyal group of customers ready to grow. Since then, MidSouth Bank has further established itself as a trusted community and commercial bank, expanding to 42 locations across Louisiana and Texas. Its 600+ employees serve a variety of key industry sectors that drive the economic engine of the Gulf South.