With Okta as the foundation, Moody’s moves legacy systems to the cloud, streamlines M&A, and transforms the customer experience
employees using Okta to access their work
applications migrated from legacy ADFS environment
access for employees of newly acquired companies
MFA adoption rate going into the Covid-19 pandemic
weeks to build a transformative customer platform
- Evolving and expanding for 100+ years
- Moving to cloud-based access management
- A repeatable, efficient M&A process
- Adding automation to secure and extend access
- A more modern, customer-driven strategy
After decades of expanding globally via acquisitions, leaders at risk assessment firm Moody’s realized they needed better processes for integrating new businesses and diverse financial products. A unified, integrated, and extensible identity management solution would be key.
In 2018, the cyber security team chose Okta because of its ability to transform employee and customer experiences while raising the company’s security posture. An Okta Professional Services engagement helped lay the foundation for a new era at Moody’s.
First, the team centralized workforce identity management with Okta Single Sign-On and began integrating acquisitions by syncing their Active Directory domains into Okta Universal Directory. As a result, new employees from acquired companies now have Day One access.
Next, the team began automating identity processes with Okta Lifecycle Management, using Okta MFA to provide easy access while reducing risk. Soon, they added Okta Workflows to the toolkit, giving the team broad freedom to customize and extend identity processes. Okta Advanced Server Access also helped Moody’s remain in strict compliance while creating a frictionless user experience.
With Okta Customer Identity solutions, the Moody’s team transformed access to their customer-facing applications with a unified, user-friendly product dashboard. Today, the company can respond quickly to customer needs, while staying in strict compliance with regulatory requirements.
Integrating and securing a diverse portfolio
Moody’s, the global risk assessment firm, needed better processes for integrating new business acquisitions and unifying the diverse portfolio of financial products they had collected over the past half-century. After identifying identity and access management as fundamental to their goals, they chose Okta to help transform customer experiences while raising the company’s security posture.
We’ve hardened our security posture throughout the corporate environment, securing all our endpoints while keeping requirements user-friendly. That’s one of the many reasons we love Okta.
Alexandra Dolan, Cyber Security Engineer, Moody’s
Evolving and expanding for 100+ years
John Moody started publishing reference manuals in the early 1900s, providing detailed statistical analyses of the financial markets of the day. Today, the 11,000+ employees who make up the organization that bears his name are still known for helping investors make informed decisions. The tools they use to provide insight and analysis to their customers, however, have changed quite a lot.
Over the past 50 years, the firm expanded around the world, purchasing a steady stream of acquisitions to enhance its offerings. As the company evolved—from ledgers and book publishing to desktop computing to the World Wide Web and the modern, digital age—its leaders had to continually rethink legacy processes and solutions while incorporating the processes and solutions of the businesses they acquired.
George Kurian, senior vice president of cyber security services at Moody’s, has experienced plenty of change in his eight years with the company. “We’ve seen an 800% increase in cloud applications each year since 2018,” he says.
A move to cloud-based access management
That shift to the cloud, along with increasing merger and acquisition (M&A) activity, highlighted a fundamental need at Moody’s for a more unified, integrated, and extensible identity management solution.
Minimizing the time and cost of integrating new employees and new software after acquisitions was a high priority. “On the workforce side, it was taking us 12-18 months to fully integrate newly acquired businesses,” says Kurian.
At the same time, security remained paramount. As Moody’s cloud profile grew, gaps in the company’s authorization and access practices appeared. “In a changing world of security best practices, Moody’s needed to shore up our access management defenses,” he says.
The company also faced increased regulatory requirements for customer-facing products. To meet those demands, many products were set up on standalone private networks, with numerous steps required for access. The result was a convoluted customer experience that still didn’t fully comply with regulations.
After investigating the identity space, Kurian’s team realized that a centralized, cloud-based identity solution could help rid the company of password vaults and post-it notes, and transform cyber security at Moody’s.
They settled on Okta because of its ability to dramatically improve employee and customer experiences, while simultaneously raising the company’s security posture. An Okta Professional Services engagement in 2018 helped lay the foundation for a new era of identity management at Moody’s.
Unifying identity for a repeatable and efficient M&A process
Before Okta, every time a Moody’s acquisition occurred, IT had to migrate the new business’ entire technology stack to Moody’s on-prem data centers. New Moody’s laptops were issued to the new employees, who waited for weeks or months while new Moody’s accounts were created for them and synced to Moody’s corporate Microsoft Active Directory (AD).
Day-one access for those employees seemed unobtainable. To address the problem, the cyber security team moved to centralize identity management with Okta Single Sign-On, providing unified identity across business units in a repeatable and efficient M&A process.
They started by migrating critical cloud applications, such as Microsoft 365, Slack, and GitHub, from Microsoft Active Directory Federation Services (ADFS) to the Okta platform. After that initial migration, they continued moving applications to the Okta Identity Cloud and off of their on-prem network.
“Removing those on-prem restrictions for accessing applications kickstarted our cloud journey here at Moody’s,” says Alexandra Dolan, cyber security engineer at Moody’s.
Next, the team began integrating acquisition ADs into Okta Universal Directory. Using Okta Active Directory agents, the team could quickly sync multiple AD domains and push a new userbase into Universal Directory without spending the time to create new Moody’s accounts.
“To date, we have integrated six new acquisitions this way, syncing their AD into our Okta tenant,” says Dolan. “Not only does the new process give those users Day One access, but it also gives us the tools to secure and manage the new assets and resources in ways that align with our security standards.”
New acquisitions reside on Moody’s Okta tenant within their own networks, with their egress IPs mapped to their unique sign-in policies. Universal Directory’s centralized policy engine and streamlined password management features allow the team to create group or corporate password policies and enforce them using Okta Adaptive Multi-Factor Authentication.
“I can’t stress enough how Okta has made our M&A process so much easier,” says Dolan. “Our most recent acquisition came with an Okta tenant of their own, so that was an easy reconfiguration—our quickest integration to date.”
Adding automation to secure and extend access
The Okta Integration Network helped the team get lots of apps onto their Okta platform quickly. “One of the key benefits we’re seeing with Okta is faster provisioning,” says Kurian. “OIN greatly reduces the overhead of adopting and configuring new tools.”
The team is also migrating on-prem and home-grown applications to Okta. “We’ve migrated more than 70 applications from our legacy ADFS environment so far,” says Dolan. “Okta allowed us to provide off-network access to some of these applications for the first time.”
Increasingly, the Okta platform serves as a hub for Moody’s applications, and that centralization makes a deeper level of authentication and control possible across the corporate network.
Using Okta Lifecycle Management (LCM), the team can map AD groups to the roles permissioned within an application and let Okta push users into the appropriate roles automatically. Deprovisioning is equally simple: Now, when an employee leaves the company, termination is simply a matter of revoking access to Moody’s Okta platform.
Automation tools within Lifecycle Management help the team secure granular control over application activity, whether it’s coming from administrators or users. Okta Adaptive MFA plays a starring role, using Okta Verify as a factor to provide user-friendly access while enforcing corporate policies and reducing security risks.
“Getting MFA in as part of our authentication mechanism was really important for us,” says Kurian. “So many breaches occur because of poor passwords or access gaps.”
With Workflows, any IT administrator can quickly create customized business processes, such as revoking access for users who are inactive for a specified time period or adding more granular user roles and permissions during account creation. “Because Workflows is no-code, we can automate processes and modernize access at an exponential rate,” says Dolan.
Reducing risk during the pandemic
Moody’s identity overhaul paid off in 2020 when the Covid-19 pandemic turned every home office into a daily workspace. “Within the course of a week, our entire staff was accessing their work remotely,” says Kurian.
Luckily, Moody’s VPNs were the first applications the team integrated with the Okta platform in 2018—a move that forced users to enroll with Okta Verify right away. Because of that foresight, the company had a 100% MFA adoption rate going into the pandemic, which gave them a clear advantage, identity-wise.
Still, the switch to remote work put huge stress on the legacy VPN, which resided in fixed, strategically placed data centers and dealt with licensing and capacity limits. In addition, not all employees and contractors used corporate-managed laptops that they could take home. Allowing unmanaged devices on the corporate network was a risk, along with exposure to services that weren’t yet secured by MFA.
To address those challenges, the team replaced the old VPN with two modern, cloud VPN services—one for managed devices and one for unmanaged devices. “Within six weeks of working from home, we were able to spin up those new VPN networks,” says Dolan.
The new VPNs, accessible via Moody’s Okta platform, not only reduced security risks but also helped catch some of the acquisition technical debt for users who couldn’t access on-prem resources previously. Today, Moody’s cloud VPNs offer 100 access points, alleviating latency and providing scalability for the company’s growing workforce.
Simplified access to ultra-secure financial products
Once Moody’s had workforce identity under control, the team turned their attention to customer-facing products, which had typically been developed in public cloud environments on standalone, private networks.
As a financial services company, Moody’s faced an increasing number of new sovereign security requirements. In the effort to secure customer applications appropriately, Moody’s developers had created a gauntlet of hoops to jump through for access. The complexity caused a lot of customer frustration and still didn’t manage to satisfy security regulators.
“We wanted to elevate the customer experience, while also complying with regulatory requirements,” says Kurian.
Due to stringent compliance regulations, Moody’s customers are required to access critical financial products via a bastion and host infrastructure, creating friction for end users. With Okta Advanced Server Access (ASA), customers get a transparent experience accessing Moody’s financial products: the bastion and host security stays in place, without the friction.
With Advanced Server Access, the team reduced all those tedious access steps to a one-time login, fronted with MFA. “ASA manages secure shell (SSH) and remote desktop protocol (RDP) access to our Windows and Linux servers through one user-friendly app instance,” says Dolan.
The team uses Okta Lifecycle Management to provision groups and roles via ASA, eliminating error-prone manual steps that previously defined the customer provisioning process. “ASA remediates multiple security risks,” says Dolan. “The user lifecycle on all those servers is now automated, with all endpoints fronted by MFA.”
“Out of all the Okta wins we’ve seen at Moody’s, two things stand out,” says Kurian. “One: Our quick pivot during Covid-19. We got a lot of positive comments from customers about how our teams handled it. And two: ASA. Our developers are giving us incredible feedback and we’re able to structure our risk a lot more tightly, coupled to application needs, to put MFA in front of all our resources and then manage them individually.”
Three weeks to build a transformative customer platform
When Moody’s began to overhaul the customer-facing Moody’s Analytics platform, they began to look at Okta as more than solely a workforce solution. Using Okta customer identity and access management (CIAM) products, the Moody’s team developed a user-friendly product dashboard to secure interactions with their external customers.
“We knew Okta had the right CIAM solution when we executed the proof of concept and did a bake-off with two other providers,” says Sarrah Bang, director of technology and innovation product management at Moody’s. “I took an OpenID Connect and a SAML app that already had conductors in the Okta Integrated Network and at my leisure, without having to write a single line of code, was able to demo a federated SSO experience within a week.
“We were so impressed with how easy it was to configure and ship SSO features, such as end-user password reset, email activations, MFA custom security policies—all of that,” she says. “It happened in a matter of days.”
Okta Professional Services played a key role in helping the team set up Moody’s CIAM solution. “Building an identity solution with a standardized customer experience across multiple products, whether legacy or next-gen, while also meeting the individual business needs of those products—that’s not an easy task,” says Bang.
Nevertheless, the transition happened quickly. “Our first Okta product integration was shipped within three weeks of signing our Okta CIAM contract,” she says. “A year later, we have 15+ products onboarded with Okta SSO, and we’re expecting to expand that to more than 30.”
Moving to a more modern, customer-driven strategy
For a company that has grown over several decades through strategic acquisitions, the new, Netflix-like product platform is nothing short of transformative. “Moody’s offers a wealth of award-winning financial applications,” says Kurian. “The problem was tying them all together so we could resell them effectively.”
The dashboard accomplishes that task by linking back to the company’s downstream business systems, analyzing customer behavior to surface relevant products and information while informing direction and roadmaps for Moody’s product development, sales, and marketing teams.
Now, customers can see all the products they have subscriptions for at a glance and also learn about products they’ve never seen before. From the same integrated platform, they can request access to product trials and ask for help when they need it.
“We’re getting to know our customers better,” says Bang. “As a company, we plan to use this dashboard as a pillar to transition from being product focused to being entirely customer driven.”
The quality of Okta’s out-of-the-box solution, plus Okta’s APIs and SDKs, offered the strong developer experience the Moody’s product team needed to extend their solution and address their unique use cases. “We really value Okta’s expertise and their ability to support us,” says Bang. “They helped us build something that we had never built before.”
Lower costs + hardened security, across the entire ecosystem
Identity at Moody’s is now integrated fully across employee and customer applications, so team members can focus less on solving access issues and more on delivering great financial products.
Using Okta B2B Integration, the Moody’s product team easily federates customers with their own identity providers. “Our larger customers can manage the credentials themselves, so we don’t have to do that for them,” says Kurian.
“From a revenue standpoint, we’re seeing accelerated customer provisioning and faster time to market,” he says. “We’ve also been able to lower the cost of our service desks, which is no small feat when you’re dealing with hundreds of thousands of customers across many products.”
At the same time, the team is more confident than ever on the subject of customer and data security. “We’ve hardened our security posture throughout the corporate environment, securing all our endpoints while keeping requirements user-friendly,” says Dolan. “That’s one of the many reasons we love Okta and will continue to purchase their products.”