Removing AD: Thoughtworks confident in better security, increased productivity with Okta
apps connected to Okta
of IT savings
- Adopting cloud-first to meet growing needs
- Embracing the future of work
- Reducing support burden through SaaS
- From authentication to the end of AD
- Designing an AD-removal strategy—and enjoying the benefits
Global software consultancy Thoughtworks is experiencing an impressive annual 10 to 15% growth in headcount. As the company became more distributed, diverse, and geographically dispersed, it began moving away from traditional on-prem IT and toward the cloud.
It also embraced a best-of-breed approach: employees use software and applications from a variety of vendors, and overwhelmingly chose to work on Mac laptops. Thoughtworks was longer a Microsoft-only shop—and Microsoft’s Active Directory became a challenge: brittle, clunky and difficult to maintain and upgrade. Onboarding was cumbersome and authentications frequently didn’t work, keeping employees away from critical tools.
Productivity was suffering and the support team was overworked. The IT team turned to Okta for an identity management solution that would be easy to integrate and fully support its move to the cloud.
Thoughtworks implemented Okta’s Single Sign-On and MFA—two big wins that quickly improved the user experience. Universal Directory and Lifecycle Management streamlined access, and provisioning and deprovisioning. Then the IT team was ready to take a major step: removing Microsoft AD completely.
The strategy was two-fold: first, no new resources could be attached to AD. Then, one by one, existing AD dependencies were targeted and replaced. It was a deliberate process and well worth the effort: support and maintenance expenses have fallen, and employees—now better able to work securely, from anywhere—are more productive.
Identity solved for a global, mobile workforce
As Thoughtworks grew rapidly and internationally, IT made a move to the cloud and mobile, leading to problems with security and a hard-to-maintain Active Directory. In a move away from Active Directory, they selected Okta’s identity-management system for its 100% cloud technology along with multi-factor authentication capabilities.
“Already we’ve seen benefits in terms of not relying on AD for delegated authentication...It’s led to a lot less anxiety because we know that AD is not a critical part of our infrastructure anymore.”
Phil Ibarrola, Tech Ops Head of Technology
A cloud-first mindset
As Tech Ops Head of Technology at Thoughtworks, Phillip Ibarrola is responsible for making the company’s IT systems more efficient, secure, and accessible by employees. It’s a critical role for the global software consulting firm, where employee productivity is directly related to revenue: ThoughtWorkers need to be able to work reliably from any location.
As work has become more distributed and geographically dispersed and the company has grown, Thoughtworks’ IT systems have changed significantly. “We went from a traditional, on-premises-hosted environment to becoming a cloud-first organization,” Ibarrola says. Cloud-based applications and systems enable the company to scale quickly to keep up with an annual 10 to 15% growth in headcount, while also saving costs compared to traditional software. “In 2011 we thought the cloud was the future of work,” he says, “and we still think the cloud is the way the marketplace is going.”
As part of its transition to the cloud, Thoughtworks has embraced a best-of-breed approach to technology, and wants to leverage the right tools and services from a variety of vendors. Over time, ThoughtWorks has moved away from being a Microsoft-only shop, getting rid of Microsoft servers, diversifying its application stack, and adopting Mac laptops for a majority of its workforce.
Streamlining a cumbersome IT ecosystem
With fewer Microsoft devices and more cloud-based software, Thoughtworks’ dependence on Microsoft’s Active Directory (AD) was becoming a challenge. “Microsoft AD was becoming a less important, and less interesting, part of our infrastructure,” says Ibarrola.“It wasn’t evolving with us.”
That led to a complex and cumbersome IT environment. All provisioning, for example, was done manually or through custom-built integrations. “It was all over the board,” Ibarrola shares. “We had a lot of brittle sync scripts that would link our systems to our Active Directory. It was clunky and hard to maintain.” Non-birthright apps, those that new hires were not automatically assigned, were particularly difficult, as they were often managed by different business groups. That left the IT team having to serve as traffic cops between multiple parties.
If AD fell out of sync, or scripts didn’t work properly, IT admins spent considerable time and effort tracking down the root cause—while employees were left idle. “If our authentication systems don’t let workers in because of a failure of AD, that translates into hard dollars—our people can’t enter timesheets or bill clients, or work, period,” Ibarrola says, “because they can’t get into any business-critical apps.”
“There was a significant amount of risk that we couldn’t control about Active Directory because we don't have the expertise and we can't attract the expertise,” he continues.
That lack of know-how also gave rise to serious security concerns. “We’re a 25-year-old organization that had a very legacy model of network security,” Ibarrola says. “Because we don't have a lot of expertise around Windows, we probably didn’t have the greatest level of monitoring to our Active Directory servers. So we could potentially have people brute forcing our Active Directory servers internally and we either wouldn't be aware of it or we wouldn't be aware of it until it was too late.”
A heavy support burden
To mitigate these risks, Thoughtworks deployed RSA as a multifactor authentication (MFA) solution. Unfortunately, RSA negatively impacted employee productivity: over 35% of helpdesk tickets were related to issues with physical RSA security tokens. Employees spent a significant amount of time responding to MFA prompts and were frequently locked out of their systems for more than 30 minutes during MFA and password-reset cycles.
Many Thoughtworks employees work remotely using laptops and mobile devices, which raised more concerns. When IT first tried to establish a BYOD (bring-your-own-device) policy, for example, Ibarrola wondered, “If we did BYOD and mobile-device management, how would that impact our culture of trust and openness?” Ibarrola and his team were determined to develop a mobile strategy that secured important company and client data, and provided a positive user experience.
Search for an open-standards company
Ibarrola knew IT could not support the growing organization and their existing strategy without significant change. He wanted to leverage SaaS to reduce the support burden. “We moved to the cloud because we were growing so fast, and with legacy, on-premise software, our internal IT team couldn’t keep up with the growth,” Ibarrola explains.
IT first tackled their core business productivity applications. They migrated 2,000+ ThoughtWorkers from Microsoft’s on-premise business suite to Google Apps. Next, Ibarrola tackled the problem of the cumbersome RSA MFA solution and employees’ inability to get into their apps. Ibarrola searched for a better identity management system that would fully support the company’s move to the cloud. “We had to do something to improve that situation, not just for IT, but also for our end users,” he says.
Ibarrola believed going with open standards was the best way to ensure interoperability, as well as the ability to use best-of-breed applications. “We were looking for a single sign-on solution that supported open standards and would allow us to adopt cloud faster,” he said.
Cloud architecture ensures secure identity management
Okta’s Universal Directory enabled Thoughtworks’ IT team to deploy a flexible, cloud-based user store to customize, organize, and manage any set of user attributes. Next, Thoughtworks implemented Okta Lifecycle Management with Access Request Workflow to automate the process of delegating self-service requests for provisioning applications to business owners. “The end result is that it’s a better user experience with less turnaround time, fewer obstacles, and fewer handoffs,” he says. And IT no longer feels like the middleman between users and business-application owners, thereby streamlining the entire process.
Reducing reliance on AD
With the Okta Identity Cloud in place, Ibarrola and his team saw they could also remove Microsoft Active Directory from their infrastructure. “We didn’t want to depend on AD anymore because it was fragile. It was an area of risk, and we had a better alternative,” he says. Not only would removing AD streamline the overall IT environment and strengthen security, but it would reduce costs. “That was an added benefit: we could remove AD from our enterprise agreement and lower our overall spend with Microsoft,” Ibarrola says.
Ibarrola's strategy was twofold. First: ensure that no new applications or other resources relied on AD infrastructure. “That made the transition manageable,” Ibarrola says. “We had to draw that line in the sand.”
Second: begin to strategically replace components of Active Directory. Ibarrola and his team identified all the applications and resources—including printers and networks—that depended on AD. “Once we had a pretty good catalog, we prioritized and started a hit-list essentially. Then we started turning them off one by one and incrementally forcing people out of their dependency on AD, moving people away from AD.”
Removing AD has to be a carefully planned, deliberate process, but one that Ibarrola says is well worth the effort. “Already we’ve seen benefits in terms of not relying on AD for delegated authentication,” Ibarrola says. “It’s led to a lot less anxiety because we know that AD is not a critical part of our infrastructure anymore.”
Network equipment and Wi-Fi are the only remaining items integrated to AD, and Ibarrola expects Thoughtworks will be fully AD-free within six months.
More time, less expense
Today, Thoughtworks has over 100 cloud apps connected to Okta. “We’ve long taken a cloud-first approach to most of our core services—we first went to G Suite in 2008 and we pride ourselves on being early adopters of Okta, Zoom, Box, and others. The tools that enable collaboration in our distributed, dispersed work environment are all going to be cloud managed. It’s the future of work.”
With Okta Lifecycle Management enabled for 16 apps, Thoughtworks has eliminated over 1,000 hours of manual onboarding, offboarding, and troubleshooting.
Onboarding has become a lot more predictable and a lot less error prone. When new hires come in on the first day, their birth-right apps are always provisioned correctly. To protect data and intellectual property, IT can now quickly cut off access when an employee leaves the company, and Thoughtworks also uses the reporting within Okta to support any potential audits. Efficient offboarding also has cost benefits for cloud-based applications. “The timely removal of access allows us to control costs around licenses and subscriptions,” Ibarrola pointed out.
With Okta Adaptive MFA, total helpdesk tickets for password resets and MFA credential resets have decreased by 90%—an $800,000 savings. Plus, end users spend significantly less time responding to MFA prompts with Okta Verify with Push and flexible policy framework, representing a $400,000+ productivity improvement. Thoughtworks has also realized $200,000 of security improvement.
Additionally, Okta has eliminated costly integration maintenance for 25 apps; sunsetting RSA has led to an additional $50,000 in savings. Also, reduced system outages have contributed to $300,000 of improved productivity.
“Okta is the crown jewel for all of our authentications,” says Ibarrola. “We feel much more confident because we know that Okta has all the monitoring and analytics in place. Our passwords and our primary identity store is with Okta—knowing that Okta’s team of experts is protecting that is definitely better than we could do internally.”
Looking ahead, Ibarrola is working toward implementing Okta’s Advanced Server Access for Thoughtworks’ remaining on-prem Linux servers. “Okta, as a partner and a vendor, has been great to deal with,” he says. “They are transparent about what’s going on and what’s coming next.”
Thoughtworks is a 20+ year old global software company and community of passionate, purpose-led individuals that has grown from a small group in Chicago to a company of over 7,000 people spread across 43 offices in 14 countries.