A dinosaur of a system
A decade ago, ThoughtWorks IT was characterized by its traditional, on-premises environment. Then, the company began to explore its cloud options.
From rapid growth to the cloud
When IT couldn’t keep up with ThoughtWorks’ rapid international growth, they decided to go all in with the cloud and establish a cloud-first initiative.
First, a need for security
With a widely dispersed workforce, ThoughtWorks realized they needed a security strategy to protect against loss of data or intellectual property.
A shift away from Active Directory
A brittle, hard-to-maintain Active Directory proved time consuming and costly. A search for single sign-on led ThoughtWorks to Okta’s identity management solution.
Adding Lifecycle Management
When ThoughtWorks’ provisioning system proved inadequate, they moved to Okta’s Access Request Workflow, which automates the processes of delegating application access requests from IT to the business application owners, reducing the load on IT and improving end users’ productivity.
Mobility management becomes a challenge
With an urgent need for secure, centralized management of ThoughtWorks’ remote devices, including laptops, IT once again turns to Okta and prepares to deploy Okta Mobility Management.
“We thought that by far Okta was the best solution, it ticked off all the right boxes, and was true cloud architecture.”
Philip L. Ibarrola, Tech Ops head of technology, ThoughtWorks
From cloud to mobile to mayhem
As Tech Ops head of technology at ThoughtWorks, Phillip Ibarrola was charged with making the IT systems ThoughtWorkers use better and more efficient. During the past 11 years, he’s seen IT at ThoughtWorks change significantly. “We went from a traditional, on-premises-hosted environment to dipping our toe into the cloud.”
ThoughtWorks has witnessed about 10 to 15 percent growth in headcount worldwide per year. Ibarrola recognized the need to decouple the cost of IT from its headcount. Since the cloud made it possible to scale more quickly, they’ve become a cloud-first organization.
Ibarrola also realized IT didn’t have a carefully considered identity management strategy. All provisioning was done manually or with custom-built integrations in house. “It was all over the board,” he admitted. “We had a lot of brittle sync scripts that would link our systems to our Active Directory. It was brittle and hard to maintain.” When the scripts didn’t work properly, which was often, IT admins found themselves wasting a lot of time and effort tracking down the reasons why users didn’t have access to certain applications and figuring out why new hires couldn’t gain access into the system.
Non-birthright apps, those that new hires were not automatically assigned, were particularly difficult, as they were often managed by different business groups. IT found their current provisioning process cumbersome, having to serve as the traffic cop between multiple parties.
The problems presented by multi-factor authentication (MFA) were also huge. Thirty-five percent of helpdesk tickets were related to issues with physical RSA security tokens. End users spent a significant amount of time responding to MFA prompts. Employees were frequently disabled for more than 30 minutes during MFA and password-reset cycles. Outages often lasted an hour, further eroding productivity.
In a day when everyone works from mobile devices—including laptops—Ibarrola determined to develop a mobile strategy that secures data and intellectual property against loss or theft while still providing a positive user experience. When IT first tried to establish a BYOD (bring-your-own-device) policy, Ibarrola had concerns. “If we did BYOD and mobile-device management, how would that impact our culture of trust and openness?” he wondered.
Search for an open-standards company
Ibarrola knew IT could not support the growing organization with their existing strategy without significant investment. He wanted to leverage SaaS to reduce the support burden.
“We went to the cloud because we were growing so fast, and our internal IT team couldn’t keep up with the growth,” Ibarrola explained. With a new cloud-first initiative and an increasingly important need to support mobile, IT migrated 2000+ ThoughtWorkers to Google Apps.
With its weak RSA MFA solution in place, employees’ inability to get into their apps proved unacceptable. Ibarrola searched for an identity management system. “We had to do something to improve that situation, not just for IT, but also for our end users.”
Ibarrola believed going with open standards was the best way to ensure interoperability as well as the ability to use best-of-breed applications in the cloud. “We were looking for a single sign-on solution that supported open standards and would allow us to adopt cloud faster,” he said.
Cloud architecture ensures secure identity and mobile management
Ibarrola chose Okta after evaluating a number of identity-access-management solutions. “We thought Okta was by far the best solution; it ticked all the right boxes and definitely had true cloud architecture.” According to Ibarrola, the migration to Okta’s Single Sign-On was relatively quick. Many of their SaaS providers already supported SAML, and even preferred it for authentication.
Universal Directory enabled IT to deploy a flexible, cloud-based user store to customize, organize, and manage any set of user attributes. “Okta made it easy to integrate Single Sign-On with our back-end Active Directory,” Ibarrola acknowledged. “Resetting passwords through Okta has helped us maintain our Active Directory much more easily for a largely Mac environment.”
Next, Okta set up Lifecycle Management with Access Request Workflow, to automate the process of delegating self-service requests for provisioning applications to business owners. “The end result is that it’s a better user experience with less turnaround time, fewer obstacles, and fewer handoffs.” And IT no longer feels like the middleman between users and business-application owners, thereby streamlining the entire process.
From a security angle, IT looks forward to setting up the auditing component in the Access Discovery Reporting. Ibarrola predicts seeing an improvement in reporting and audit. To protect data and intellectual property, IT can quickly cut off access when an employee leaves the company. Off-boarding users has other cost benefits. “The timely removal of access will allow us to control costs around licenses and subscriptions,” Ibarrola pointed out.
Ibarrola also has his sights on gaining oversight and security of Android and iOS devices. “Okta, as a partner and a vendor, has been great to deal with. They are transparent about what’s going on and what’s coming next.”
More time, less expense
ThoughtWorks now has over 100 apps connected to Okta. IT savings abound. With six provisioning apps enabled with Access Request Workflow, IT has eliminated over 1,000 hours of manual onboarding, offboarding, and troubleshooting. With Adaptive MFA, total helpdesk tickets for password resets and MFA credential resets have decreased by 90 percent, an $800K saving. Okta has taken away integration maintenance for 25 apps, and sunsetting RSA has led to an additional $50K in savings.
System outages are down with Okta, leading to $300K of improved productivity. Onboarding has become a lot more predictable and a lot less error prone. When new hires come in on the first day, their birthright apps are always provisioned correctly. End users spend significantly less time responding to MFA prompts with Okta Verify with Push and a flexible policy framework, representing a $400K+ productivity improvement. ThoughtWorks has also realized $200K of security improvement.
Next steps? With employees traveling not just domestically, but internationally at all times, mobility management is a big deal for ThoughtWorks. “OMM for OS X was a big move because prior to OMM, we didn’t have much visibility into our fleet of laptops,” Ibarrola says. “I believe the way Okta is implementing centralized management for OS X is definitely revolutionizing how devices should be managed.”
ThoughtWorks is a 20+ year old global software company and community of passionate, purpose-led individuals that has grown from a small group in Chicago to a company of over 5,000 people spread across 40 offices in 14 countries on 6 continents.