A leading software development company was outgrowing its disparate array of identity and security solutions. The cloud-based organization needed a cohesive view of all its users to help automate provisioning, improve visibility, and keep employees secure without introducing unnecessary barriers.
The company standardized its authentication workflow by adopting a consolidated, adaptive solution. To do so, they made a major investment in their technology infrastructure, purchasing Workday, Splunk, and a full range of Okta products, including Universal Directory, Single Sign-On, and Lifecycle Management. This investment enabled them to sunset both Duo and Ping.
The company wanted to establish a framework that would focus on protecting people and data, instead of the network perimeter. Okta’s Adaptive MFA was the first major step towards establishing this Zero Trust environment; it added a strong layer of security to all apps and endpoints, and streamlined the user experience from any device—including the Apple Watch.
An integrated approach
At the same time, the company was onboarding large numbers of employees and going through the ISO certification process. Their chief security officer decided to automate the provisioning process by establishing Workday as a system of record to reduce the company’s attack surface, increase access control, and improve visibility. By integrating Workday with Lifecycle Management, IT’s provisioning workload was significantly reduced, allowing the team to focus on more specialized tasks.
A simplified workday
The company is thrilled with the simplicity of its new identity workflow. With Okta involved, access management for employees is so user-friendly and seamless that it fades into the background. Now, it is more secure than ever before, and its workforce is able to focus on what’s important: improving the workdays of their customers.
Our employees don't talk about Okta because it is so simple for them—and that's what I was going for. It's not that I want them to praise IT, it’s that I don't want them to complain about IT and security. I want people to slow down and think about what they're doing, not necessarily stop.
Chief Security Officer
- Reduced attack surface with automated provisioning
- Increased access control and improved visibility
- Reduced maintenance and infrastructure costs
- Decreased IT workload, including fewer helpdesk tickets
- User-friendly access experience, including Apple Watch authentication
- Met ISO requirements
- Increased workforce productivity with Day One access to apps and simplified identity workflow
- Consolidated identity and access management into one vendor
In a fast-paced world where everyone is trying to get more done in less time, we need all the help we can get. It’s a need that a leading software development company based in Utah’s Silicon Slopes addresses every day.
The company, described as an “operational system of work”, helps teams get out of their silos so they can work more efficiently and collaboratively across departments. So when, after almost doubling its workforce within just two years, the company experienced IT friction of its own, their chief security officer immediately began looking for solutions.
At the time, the company was operating with a fairly basic cloud-based infrastructure with applications pulled together through Amazon Web Services. Off-site employees had to sign in through a VPN, and there was no system of record. The company had Ping in place for single sign-on and Duo for MFA, but only a few apps were connected to the two systems.
“We didn’t have an identity management tool,” says their chief security officer. “We were using Duo but not in any identity capacity—we just used it for multi-factor authentication into about 10 applications.”
This created a major security gap. The company lacked a cohesive view across all its users and applications. As a company undergoing rapid growth, it needed a centralized solution that would provide the level of security the chief security officer wanted without creating friction for his employees.
The company’s existing infrastructure simply wasn’t cut out to handle this level of expansion, from either a usability or a security perspective.
“How was I going to get a handle on who’s gaining access? Who's on my network? What data are they trying to access? Those are the three questions I’m always striving to answer with everything we do,” said their chief security officer.
He knew the company needed to establish a Zero Trust framework, an approach to security that focuses on keeping individual people and access points secure, instead of simply drawing a border around the entire network. This would give him visibility and granular access control, which he would need in order to efficiently manage access for the growing workforce. “What we had was the exact opposite of Zero Trust. It was 100% trust.”
The company’s rapid expansion created a challenge in terms of onboarding and offboarding employees as well. With no system of record, and so many disparate apps, it was extremely difficult to manage user accounts effectively. “We had people who had left the company years ago and they still had accounts in public-facing systems. So if they wanted to, they could have logged in from home. We’d get the key systems done, but anything outside of that wouldn’t necessarily happen.”
Since their chief security officer was about to apply for ISO 9001 certification, he also needed to make sure that the new infrastructure would enable the company to demonstrate an ability to consistently meet customer and regulatory quality standards.
Putting people first
Security wasn’t the only issue on his mind. He firmly believes that while IT is responsible for keeping the business and its employees secure, it’s also there to help employees work more effectively, efficiently, and creatively. “I don't like being a roadblock,” he says. “I don't like being a speed bump. I want people to slow down and think about what they're doing, not necessarily stop.”
He wanted an access management solution that would provide the necessary protection, while giving a global workforce the flexibility to work from anywhere, on any device.
“Our sales team is all over the place and they need to access assets,” says their chief security officer. “How do I give them access when they're out in the field?” He knew he didn’t want them to have to log in through the VPN; he needed a user-friendly alternative.
A single trusted partner
Since centralizing identity was a key component of their Zero Trust strategy, he needed to streamline the company’s identity framework as much as possible. His preferred approach included consolidating all of the company’s identity and security solutions.
“Why do I need to have more tools, and then more management time in place for those tools? If you have a trusted vendor, you have a trusted business partner,” says their chief security officer. “I don't want to waste administrative time managing different tools and building different skill sets when I already have a trusted business partner in place.”
That’s when Okta entered the conversation. The company met with Okta’s sales team to discuss an interest in establishing a single source of truth and adopting enterprise-grade security solutions. After assessing the possibilities, it purchased a range of Okta products that would work together to provide a standardized, long-term identity solution.
“I went with Okta because I love its configuration,” he says. “I love how easy it is to use. I wanted a positive user experience where they could just click on a button and get into anything that they need whenever they need it. It was going to be like, ‘Oh, here's a portal that has all of my applications. I don't have to bookmark everything.’”
A seamless experience
With the help of Optiv and Okta’s Professional Services team, it took less than a month to retire Ping, and only a week or two to sunset Duo. Both teams were on hand to help deploy the Okta products that replaced them, but the process was so simple that the company was able to handle most of the rollout itself.
It started with Okta’s Single Sign-On, Universal Directory, and Lifecycle Management, which provided the scaffolding for a seamless, consolidated infrastructure by pulling together all of the company’s cloud-based apps—including G Suite, Office 365, Box, and Zendesk.
With these Okta products in place, the company’s employees can access all their tools by signing into a single portal, eliminating the need to enter separate passwords each time they access a different app. “People don't talk about Okta,” says their chief security officer. “Our employees don't talk about Okta because it is so simple for them and that's what I was going for.”
Their chief security officer wanted to extend that same simplicity to employees working off-network and on a range of devices, but he needed to ensure that sensitive data was protected by strong, ISO-compliant security solutions. Passwords alone, no matter how complex, weren’t going to provide the Zero Trust security he was looking for.
He found his ideal solution in Adaptive Multi-Factor Authentication (MFA) with Okta Verify. Once the product was deployed across the organization, it improved visibility so that he could identify the most high-risk apps. Armed with these insights, he was able to add extra security layers around the apps that needed it.
“We've implemented 19 security policies, covering everything from data retention to acceptable use,” says their chief security officer. “I run a risk-based security organization, so I don't want to run anything off-compliance, but my policies are based on what we actually do now.”
With these policies in place, if a user requests access to an application that contains more sensitive data, they’ll be prompted for a second authentication factor. Employees have been particularly impressed by the convenience of using Okta Verify with Push to authenticate on their Apple Watch.
“People love being able to just click on their watch to say ‘Approve’ without ever having to pull out their phones,” says their chief security officer. “People have actually gone out and bought smart watches just because they make it so easy to log in.”
On the other hand, if a user is working on-network or needs access to a low-risk app, they may not need to provide a second factor. It’s a granular approach to security that aligns well with his desire to keep the company’s employees happy and its data secure.
With SSO and MFA in place, the company doesn’t have to completely rely on passwords. “This has been fantastic for our employees--and we get a lot fewer password resets now--because they just go to the Okta portal and get in that way,” says their chief security officer. “We only do password resets once every 180 days, because it's all behind Multi-Factor Authentication. It’s actually more secure than if we were changing passwords every 30, 60, or 90 days because I don't have my users creating passwords they're going to have to remember all the time.”
Overall, employees have been extremely receptive to the new authentication process. “Once I showed our CEO how to log in on his laptop while he’s up in the air, it went really well because he led the charge,” says their chief security officer. “With offline abilities, they can literally get access to anything, anywhere without having to go through a VPN. ‘It's like no, just let me go to my portal, let me do the two-factor authentication.’”
Now that the company’s infrastructure is consolidated and there are strong security solutions in place, it’s automating the provisioning process, an identity initiative that will resolve one of his initial pain points: a high-friction user management process that overwhelmed IT and didn’t always catch orphan accounts.
The company has integrated Workday with Universal Directory, making Workday a single source of truth for all the company’s identities. Next, it will set up groups and apply role-based access controls so that when a new employee starts, they have access to 25 core applications on Day One. “When IT does their new hire training, they’ll just take them to the Okta portal and say ‘here you go’,” he says.
Outside of these core apps, their chief security officer wants to hand the responsibility of provisioning users over to business unit managers—the people with the best sense of which apps their unit needs, and which team members should have access. To accomplish this, he’s putting approval processes in place so that managers can make requests for their preferred apps, and IT will only need to get involved if maintenance is needed.
“We have a culture—not at the company, but in general—that IT owns all identity,” says their chief security officer. “I'm trying to move away from that and Okta’s allowing me to do it.”
About the Company
The first modern work management application that connects enterprise work, collaboration, and digital content into an Operational System of Record (OSR). It has helped thousands of companies successfully transform their businesses into more modern enterprises that increase revenue, improve customer experiences, and eliminate cost, including Cars.com, Cisco Systems, Comcast, iProspect, Schneider Electric, and Trek.