Oakland County Improves Service and Decreases Costs with Okta
A tech-savvy government entity
Oakland County, Michigan, is one of the largest counties in the United States, and according to the Center for Digital Government, it’s also one of the most technologically advanced. To get there, the county needed to re-architect an infrastructure made up of fractured, on-premises and cloud systems so that it could efficiently manage access and better serve its 1.2 million citizens.
A heavy workload
Citizens want convenient access to services and secure data, but Oakland County’s sprawling IT infrastructure made it time-consuming, expensive, and challenging to meet these expectations. The county faced significant maintenance and development tasks, limited visibility into access and activity logs, and a heavy provisioning workload.
A consolidated infrastructure
Oakland County decided to reduce its technical debt by modernizing its infrastructure and placing a strong identity solution at its core. After an extensive RFP process, the county selected Okta for its ease of use, abundant integrations, and its ability to support a hybrid infrastructure. Then Oakland County began laying the groundwork for a modern infrastructure—with Okta Adaptive Multi-Factor Authentication (MFA) in place to protect the framework.
Sudden standstill
When COVID-19 hit, Oakland County quickly prioritized agility and remote security over its standardization initiatives. In addition to enabling 5000 employees to work from home, the IT team also needed to address auditor concerns around the variety of remote communications tools in use. Fortunately, Oakland County was able to quickly expand the usage of its existing security tools to all employees, while also improving its security posture by completing the MFA rollout and adding Okta Verify.
Secure and convenient
Oakland County has also purchased Okta Single Sign-On, which will allow employees to access more than 36 on-premise and cloud-based apps through a single branded dashboard. If users forget their password, they’ll be able to reset it themselves. With Adaptive Multi-Factor Authentication and API Access Management in place, the county has boosted its ability to control and monitor access.
Reduced technical debt
Ultimately, Oakland County will reduce its technical debt even more by sunsetting two legacy solutions: Active Directory Federation Services (ADFS) and CA Siteminder. The county plans to achieve this by integrating Okta and Workday, which will allow them to automatically provision all on-premises apps from the day an employee starts. This will significantly lighten IT’s workload, giving the team the chance to work on more pressing tasks, improve security, and reduce costs.
Okta has been an amazing partner throughout this process, including answering a lot of questions, helping us get things accomplished, and providing good continuity as people have transitioned into this team. Okta’s knowledge transfer as we've moved through the process has been outstanding, too.
EJ Widun, Chief Technology Officer at Oakland County
- A single, unified identity across a complex ecosystem
- Improved security posture with strong authentication and simplified user access
- Decreased technical debt with reduced maintenance and fewer on-premises solutions
- Reduced IT workload with self-service password reset and automated provisioning
- Increased visibility into entire infrastructure
- Increased citizen trust with modernized infrastructure and Oakland County branding
Leading the way
Out of 3,000 United States county governments, Oakland County, Michigan, is one of the largest, with 1.2 million citizens spread across 1,000 square miles. The county provides its people with more than 80 different services, from pet licensing and fire response to birth records and water services. Keeping Oakland County running smoothly is a task that requires a workforce of 5,000 employees and contractors—and a complex IT infrastructure.
Over the years, Oakland County has risen to the challenge, constantly pushing for more streamlined, secure solutions and processes. In fact, the county’s efforts have been so successful that the Center for Digital Government has declared it to be one of the country’s 10 most advanced counties in terms of technology and leadership. The county has even rolled out a Government to Government (G2G) marketplace, where Oakland County shares its solutions and best practices with other governments.
Through this G2G marketplace, Oakland County offers shared services, including their custom-built Tech Debt Check tool, CySAFE and GeoVision, to more than 135 smaller agencies. The county also provides law enforcement guidelines to 200 different agencies through the Courts and Law Enforcement Management Information System (CLEMIS).
“Our philosophy is to build something once and then share it as often as we can, so that we reduce cost and improve the lives of citizens,” says EJ Widun, Oakland County’s chief technology officer. “Not just in Oakland County, either—if we can help improve lives in other places through our technology, we'd like to share that as well.”
Ultimately, Oakland County’s goal is to prepare for the future of all its citizens. “Some are in their older years and others are just coming out of college,” says Widun. “We have to figure out how to bridge the gap between all those different people and what they expect from their technology.”
More than anything, citizens expect their data to be protected with a high level of security—but they don’t want to sacrifice accessibility or convenience. With over 500 cloud-based and on-premise applications and a number of compliance regulations involved—including HIPAA, PCI, and FHI—balancing security and convenience requires strong, integrated IT. Oakland County, however, was working with a sprawling infrastructure and a large number of disparate solutions, which were interfering with the county’s goals.
“We offer services not just to our employees and our contractors, but also citizens, cities, villages and townships,” says Widun. “With 82 different services, I have a variety of connection methods that make it very hard for me to view and manage access to all of them in a consolidated way.”
System maintenance was time-consuming and expensive. It also increased technical risk, a key consideration for Oakland County, which has gone so far as to create a custom application that regularly measures risk within its technical infrastructure and application portfolio. The county considered authentication during this process as well, especially as it related to apps that use custom authentication—and over 50% of them do.
Reducing tech debt was a priority too. To do this, the county needed a single framework that would streamline identity management processes, solutions that are always up-to-date and supported, and ready-built connectors that integrate with major solutions.
To put all of these elements in place, ease IT’s workload, and increase security, Oakland County decided to adopt a cloud-first approach, which would shift maintenance responsibilities to a SaaS provider, and reduce costs by phasing a number of users out of Active Directory Federation Services (ADFS).
“As of today, we’re 80% on-prem, 20% in the cloud, and we're continuing to move more things to the cloud as we go,” says Widun.
An ambitious RFP
Oakland County knew that finding a strong, flexible identity provider would be critical to the success of its modernization initiative. The county wrote an extensive RFP that highlighted the county’s 82 government services, as well as the fact that it needs to secure a law enforcement system with over a hundred legal entities, including court and police records. The whole team worked together to compile more than 100 requirements.
The county wanted a provider that could not only secure and streamline a hybrid infrastructure and a wide range of user types, but also offered identity and access management as a service. After reviewing the proposals, Oakland County invited a shortlist of applicants to come in and run a scripted demo for the county’s 12 use cases. That’s when the county selected Okta.
“The Gartner Magic Quadrant helped us compare the potential vendors,” says Widun. “But more than that, the demo made it very clear that Okta’s easy to use. And since then, my team has not only demonstrated that it’s clearly a simple tool to use, but it really allows us to spend our investment dollars working on the migration and less on trying to get it to work right.”
Okta’s ability to reduce the amount of bandwidth required to support the infrastructure was a major bonus as well, and the breadth of the Okta Integration Network and the convenience of API Access Management meshed well with the county’s buy-versus-build approach. In the end, Oakland County purchased a full range of Okta's Workforce and Customer Identity Products.
A strong start
The county deployed Okta to its IT team and developed a multi-phase implementation strategy. Early on, Oakland County replaced its Active Directory trust with Okta, avoiding the complexities of Active Directory and at the same time improving the security posture over the applications that reside in AWS. “Okta is helping us remove some additional risks with the one and two way trust that gets created when you move and attach your AD and AWS,” says Widun.
The county also set up Adaptive Multi-Factor Authentication (MFA) in order to secure its admin access throughout the modernization process. “We implemented Adaptive MFA as fast as we could,” says Widun.
Oakland County began reaping the benefits of this new layer of security almost immediately. With Okta MFA, the county would be able to implement granular policies such as geo-blocking. That feature would allow Oakland County to set up barrier-free, simplified access for those who are physically located in the county, while prompting outside users for a second factor.
Then COVID-19 arrived, and Oakland County had no choice but to put all of these IT initiatives on the back burner in order to focus on more urgent tasks, like providing citizens with health kits, setting up senior isolation task forces, and deploying grant money to small businesses.
Meanwhile, the IT team focused on new challenges of its own. Up until this point, Widun and his team were heavily focused on standardization, but developing agility very quickly became a priority.
“All of a sudden, instead of just using Skype, I've got some groups using Teams, some using Zoom, some using GoToMeeting,” says Widun. “I have a pocket of people on BlueJeans. Court systems were asking to use Zoom.”
The IT team also had to figure out how to enable secure remote work for 5000 employees, with only 5% of the IT team working on-premise. With so many groups using so many different solutions, it was incredibly important to ensure strong security across the board.
Oakland County’s IT department has always been focused on security, but as more remote work tools were adopted, Widun’s team began fielding questions from auditors and others.
“Luckily for us, we had a small pocket of remote policies in place,” says Widun. “IT employees use GoToMyPC with a VPN solution, but we were able to extend that usage to over 2000 county employees in a matter of days. We did all of these things at a very nimble level, but those projects that were reducing technical debt stopped moving forward. So now we're focused on how to bring that back and start delivering again.”
A consistent and secure experience
All of these changes came with financial costs, so as time passed, the county had to start preparing new grant applications. Widun’s team has also begun to consider the ways that COVID-19 has changed the needs of the county’s employees and citizens.
“With COVID still going around and rates increasing in different states as they try to go back to work, we're going to see a different type of workforce than we’ve ever prepared for,” says Widun. “Oakland County has always been an on-site, on-premise, highly interactive environment, and we've moved to a remote workforce that may last for a considerable time period. At first, the feedback was simple: ‘Get me out.’ And we did that, but now people not only want out, they’re also asking for dual monitors, documentation, sit-to-stand desks, and better connectivity options.”
By completing the MFA rollout it had been working on when COVID-19 hit, Oakland County will meet the changing needs of employees while also resuming its standardization initiative. The county has also added Okta Verify as a factor, which will allow employees to easily authenticate through their mobile devices.
When Oakland County rolls out the new infrastructure to everyone, Single Sign-On (SSO) and API Access Management will both be in place. Users will be able to access more than 36 on-premises and cloud-based apps through a single user dashboard. Even a forgotten password won’t slow them down much, because Oakland County is also enabling password self-service.
“Self-service is very important,” says Widun. “Especially when you look at the cost of handling incoming calls every week for people who forget their passwords or need to reset their passwords.”
It was also important to layer the dashboard with Oakland County branding, to avoid creating confusion among employees.
While the experience is powered by Okta, all employees see is Oakland County. “Branding it that way was so crucial, and it was one of the major decision points for us when it came to considering Okta—we needed to make sure we could brand it, make it our own,” says Widun.
Simplifying the sign-on process will also improve the county’s security posture. By balancing any friction that could result from added security measures, employees will be more likely to use the tools effectively and consistently.
“We're trying to create a high level of confidence, while simplifying the process for them,” says Widun. “We want to have one login, one ID that gives them access to everything they need, with role-based control layered underneath that to keep everything secure.”
Paying down technical debt
Oakland County also plans to work towards its technical debt goals by replacing ADFS and CA Siteminder with Okta and implementing Workday as its HRIS. Today AD feeds into Okta. But Oakland County is going through a major ERP upgrade, which will include a change to its HR system. When that’s done, they’ll flip the workstream so that Okta feeds into AD.
Workday will integrate with Okta Lifecycle Management, so that any changes made by HR will feed automatically from Workday to Okta. Then, Okta will automatically provision (or deprovision) users with the appropriate cloud and on-premise apps and systems.
Automated provisioning, combined with reduced helpdesk calls and a lighter maintenance workload, will give developers more time to improve business functionality and reduce development cycles and complexity, rather than spend it on manual provisioning tasks.
“We're also going through a universal communications and collaborations strategy, moving to computer-driven, Voice technologies, video and collaboration tools,” says Widun. “That process will also be driven through Okta.”
In the meantime, Oakland County will continue to focus on helping citizens navigate the pandemic by distributing grant money, looking for ways to provide technology to seniors, and figuring out how to bring cost-effective broadband to citizens so that if students have to stay home from school, they can still receive formal education.
“Next, we're going to look at ways to drive a better connectivity experience for our users,” says Widun. “We're analyzing what it means to do remote work, and the best ways for people to connect. So we're changing the way we look at our portfolio of projects and the way we have to execute it. Whether that's by investing in laptops, in docking stations, home offices, or citizen engagement, we're looking at the best ways to invest grant money in a way that keeps citizens engaged, knowledgeable, and safe.”
Although COVID-19 means it will take longer than planned, completely eliminating passwords is ultimately one of Oakland County’s most ambitious IT goals. Every year—sometimes twice—Oakland County partners with Michigan State University on a capstone project. To date, the county has worked with the university on over 20 different projects, and it’s implemented almost all of them. “We have a big belief in accomplishing things by leveraging universities, and we've had a long-standing relationship with Michigan State University,” says Widun.
As Oakland County was finalizing its agreement with Okta, it began considering whether or not passwords are still the best way to secure its infrastructure. “One of the things we're concerned about is whether or not passwords are the right mechanisms to secure things today,” says Widun. “We hear about breaches that take place in other organizations all the time, plus the inconvenience of remembering complex passwords, and needing to change them frequently. We asked the students to explore ways we could use passwordless technology with Okta, whether it's biometric, YubiKey, Okta Verify or something else.”
The students were successful in preparing a cost model for a passwordless approach to authentication. Eventually, Oakland County will be able to use it to apply passwordless access across its entire infrastructure.
Throughout the process, Okta will be there to support Oakland County as it works towards an IT framework that delights developers and satisfies citizens, no matter what life throws at them.
About Oakland County
Oakland County is one of the largest of 3,000 county governments in the United States. It has 1.2 million citizens and covers over 1,000 square miles. Oakland County provides 82 government services ranging from pet licensing and water resources to public safety and emergency services. These services are supported by approximately 5,000 employees, contractors, and part-time workers.