Recently, a prominent domain registry and web hosting company experienced significant M&A growth. Each acquisition, however, came with its own IT infrastructure and Active Directory environment, creating redundancies, identity silos, and a lot of legacy solutions. This fragmented infrastructure made provisioning a time-consuming, cumbersome process. At the same time, an uptick in executive travel called for stronger off-network security. To rectify all of this, the company turned to Okta.
A holistic solution
The company purchased a full range of Okta’s workforce products, including Single Sign-On, Universal Directory, Multi-Factor Authentication, Lifecycle Management, and API Access Management. These products not only played a part in helping consolidate and secure IT infrastructure, they also enabled an efficient Office 365 roll-out.
The future is flexible
Next, the organization reduced its IT workload by setting up Okta integrations with SaaS applications like Slack, Workday, and Splunk. It also set up automated provisioning. It’s a team effort, with ServiceNow operating as a policy engine and Okta’s Lifecycle Management carrying out the provisioning tasks. Both of these initiatives will help streamline employee onboarding and company growth.
Securing access, reducing risk
The company is rolling out Multi-Factor Authentication in multiple phases, with the first phase focusing on its most sensitive groups. Executives and people whose accounts may have been compromised are already protected. This extra level of security, combined with the added visibility from integrating Okta and Splunk, helps the company detect suspicious activity.
“The big win is for the end user. Okta has made our role a lot easier in terms of provisioning and deprovisioning—users aren't going to have access to random apps. Giving a single pane of glass with the Okta dashboard really makes it easy for the end user.”
Senior Systems Engineer
- Increased security
- Reduced IT workload
- Day One access for employees
- Reduced maintenance and labor costs
- Ability to sunset ADFS
- Added flexibility and reliability
- Improved agility for a better M&A experience
- A more streamlined infrastructure
Navigating the learning curve
Over the past few years, a prominent domain registry and web hosting company has significantly expanded its offerings and acquired a number of companies. It’s been an exciting time for the organization, but the growth has also created identity challenges, beginning a few years ago when the company picked up a Europe-based business with a little more than 1,000 employees.
Each new acquisition came with its own IT infrastructure and Active Directory environment, so the mergers created a fractured infrastructure with redundancies, identity silos, and outdated on-prem solutions. All of this presented provisioning challenges. “We started with a very manual, multi-step process,” says the company’s software development manager. “There were probably four or five people involved in getting every person the stuff they needed for Day One.”
According to the company’s senior systems engineer, the organization began looking for an identity solution that would help consolidate multiple Active Directory domains. “The goal was to create a brand-new Active Directory forest,” she says. “We needed a way to make the consolidation transparent and change where our apps were going to authenticate.”
The company also needed a solution that would help it adhere to security guidelines laid out by two European regulatory bodies. “Since we were based in the US we weren’t totally familiar with the requirements, because we’d had zero exposure to them before the acquisition,” says the senior systems engineer.
Planning out a workflow
The company faced these new challenges head-on, developing a modernization strategy that placed the Okta Identity Cloud at its core, and included an Office 365 rollout. It adopted a series of workforce identity solutions, including Single Sign-On, Universal Directory, Adaptive Multi-Factor Authentication, Lifecycle Management, and API Access Management.
The company kicked off deployment by working closely with Okta to consolidate all users into a single tenant, eliminating any need to manage multiple instances, and mapping attributes from their global users to ensure GDPR compliance. It also set up ServiceNow to work as a rules engine to help automate its unique workflow requirements.
Now, the workflow begins when recruiters add a new hire to Workday with a start date attached. That start date automatically triggers an event in ServiceNow. After ServiceNow runs the information through a series of rules, the software triggers the creation of an Active Directory account that meets all necessary security requirements, including password complexity. Then the Okta agent does its incremental import and creates the accounts in Okta. Then Lifecycle Management takes over, provisioning users with the apps they need to do their jobs. The automated workflow provides employees with access starting on Day One, reducing the workload for IT and improving the employee onboarding experience.
The workflow also initiates when a user changes roles. HR makes the adjustment in Workday, and the changes flow all the way through to the Okta dashboard, where the user is automatically provisioned with a whole new set of apps. It works the other way too: if a user’s new role doesn’t require access to certain apps, they’ll automatically lose access. This workflow makes IT administrators’ jobs much easier. The provisioning process kicks in as soon as HR sets up or changes an employee account, and IT rarely has to get involved.
By automating the provisioning process, the company has also improved its security posture. As soon as employees leave, access is revoked, so there’s no opportunity for attackers to take advantage of orphan accounts.
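The joiner/mover/leaver flow described above (start date gates Day One access, a role change grants one set of apps and revokes another, termination revokes everything) can be reduced to a reconciliation between the HR record and the identity account. The block below is an added illustration, not the company's ServiceNow rules or Okta's Lifecycle Management code; the role-to-app mapping, the dataclasses, and the rule that MFA-mandated apps are not granted until the user is enrolled are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date

# Role-to-app assignment rules, constructed for this example. In the case study
# these rules live in ServiceNow; here they are a plain mapping.
ROLE_APPS = {
    "recruiter": {"Workday", "Slack"},
    "engineer": {"Slack", "Splunk", "AWS"},
    "analyst": {"Slack", "Tableau"},
}
# Apps the example treats as MFA-mandated (mirrors the app-level MFA mandate for
# Tableau and AWS in the case study). They are granted only to enrolled users.
MFA_REQUIRED_APPS = {"Tableau", "AWS"}


@dataclass
class HrRecord:
    """What the HR system (Workday in the case study) knows about a worker."""
    login: str
    role: str
    start_date: str            # ISO date string, as HR exports usually carry it
    terminated: bool = False


@dataclass
class IdentityAccount:
    """The downstream identity account this example reconciles (hypothetical)."""
    login: str
    active: bool = True
    apps: set = field(default_factory=set)
    mfa_enrolled: bool = False


def desired_apps(rec: HrRecord, today: str) -> set:
    """Apps the worker should hold today: none before Day One or after leaving."""
    if rec.terminated or date.fromisoformat(today) < date.fromisoformat(rec.start_date):
        return set()
    return set(ROLE_APPS.get(rec.role, ()))


def reconcile(rec: HrRecord, acct: IdentityAccount, today: str) -> dict:
    """Bring `acct` in line with the HR record and report what changed.

    Anything the role no longer needs is revoked; anything new is granted,
    except MFA-mandated apps for users who have not enrolled yet.
    """
    target = desired_apps(rec, today)
    blocked = {a for a in target if a in MFA_REQUIRED_APPS and not acct.mfa_enrolled}
    grant = target - blocked - acct.apps
    revoke = acct.apps - target
    acct.apps = (acct.apps - revoke) | grant
    acct.active = not rec.terminated          # leavers are deactivated, not just trimmed
    return {
        "grant": sorted(grant),
        "revoke": sorted(revoke),
        "needs_mfa_enrollment": sorted(blocked),
        "active": acct.active,
    }


def run_scenario() -> list:
    """Walk one constructed worker through joiner, mover and leaver events."""
    rec = HrRecord("alice@example.com", "engineer", "2018-05-01")
    acct = IdentityAccount(rec.login)
    log = []
    log.append(reconcile(rec, acct, "2018-04-30"))   # day before start: nothing yet
    log.append(reconcile(rec, acct, "2018-05-01"))   # Day One: role apps, AWS held back
    acct.mfa_enrolled = True
    log.append(reconcile(rec, acct, "2018-05-02"))   # enrolled: AWS now granted
    rec.role = "analyst"
    log.append(reconcile(rec, acct, "2018-06-01"))   # mover: swap entitlements
    rec.terminated = True
    log.append(reconcile(rec, acct, "2018-07-01"))   # leaver: revoke all, deactivate
    return log


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Each `reconcile` call is idempotent, so re-running it after an HR change only emits the delta, which is what a scheduled import or event trigger needs: the account converges on the HR truth, and an orphaned account can never keep access that the role no longer justifies.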
Okta and O365
While the organization was getting all the necessary infrastructure in place, Okta was working on fulfilling a special request. The company wanted a softlock feature: a sign-on policy that temporarily blocks access to Okta after a number of incorrect sign-on attempts. Once Okta developed the feature, the company was able to do an incremental import from Active Directory Federation Services (AD FS) to the Okta Identity Cloud. Now, Okta has made this a built-in feature that all customers can benefit from.
“We went live one night with Office 365 and the next day everybody had O365 chiclets on their dashboard,” says the senior systems engineer. “That was huge for us because we only used AD FS for Office 365 connectivity. Once O365 was live, we were able to retire our whole AD FS environment.”
Factoring in security
In 2017, the company zeroed in on Multi-Factor Authentication (MFA). With executives travelling all over the globe, it became increasingly important for the company to take proactive measures to protect against malicious attacks. The company began with a Tableau integration. “This was a big win,” says the senior systems engineer. “Our Tableau environment wasn't stellar when it was originally built, but it’s become an enterprise-class solution.”
Tableau contains extremely sensitive data, so the company mandated that users would have to enroll in MFA. The senior systems engineer says that’s what kicked off MFA adoption within the organization. “It wasn't at the org level so much as it was at the app level,” she says. “From a security standpoint, it was reassuring that at least these users were enrolled with MFA—and getting users enrolled was half the battle.” Shortly after, the company went live with Amazon Web Services (AWS), enforcing MFA enrollment here as well.
The company also automatically enrolls users in MFA whenever it detects a breach or attack. “If I see malicious activity, I'll talk to the security department and then we’ll blacklist the IP,” says the senior systems engineer. “Then we work with the user to get them enrolled in MFA.”
MFA has made it much easier to detect possible breaches or attacks in the first place. The company is now able to pull data from various sources, including Okta syslogs, into their Security Information and Event Management (SIEM) system, where it’s consolidated, enriched, and normalized. By mapping all access requests to each Okta-generated username, incident responders can now search for a username and see all the access activities of that user. The result: higher productivity and a reduction in successful attacks.
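Two things the text describes can be shown on log data: the softlock behaviour (temporarily block sign-on after a number of incorrect attempts) and the SIEM step of normalizing identity-provider events so that an incident responder can pull up everything one username did. The block below is an added example, not Okta's or the company's code. The sample records are constructed in the general shape of Okta System Log entries (`eventType`, `outcome`, `actor`, `client`, `published`); every value in them is made up, and the threshold and window used for the lockout check are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shape of Okta System Log events.
# Logins, IP addresses and timestamps are invented for this example.
SAMPLE_EVENTS = [
    {"published": "2018-05-01T09:00:01.000Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"alternateId": "Alice@example.com"}, "client": {"ipAddress": "203.0.113.7"}},
    {"published": "2018-05-01T09:00:40.000Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.7"}},
    {"published": "2018-05-01T09:01:15.000Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.7"}},
    {"published": "2018-05-01T09:10:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.21"}},
    {"published": "2018-05-01T09:10:03.000Z", "eventType": "user.authentication.auth_via_mfa",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.21"}},
    {"published": "2018-05-01T09:30:00.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.20"}},
    {"published": "2018-05-01T09:30:05.000Z", "eventType": "user.authentication.auth_via_mfa",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.20"}},
]


def normalize(event: dict) -> dict:
    """Flatten one raw record into the fields the SIEM indexes on.

    The username is lower-cased so that case differences in the actor field
    do not split one person's activity across two search keys.
    """
    ts = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
    return {
        "ts": ts,
        "user": event["actor"]["alternateId"].lower(),
        "ip": event["client"]["ipAddress"],
        "type": event["eventType"],
        "result": event["outcome"]["result"],
        "reason": event["outcome"].get("reason"),
    }


def activity_by_user(events: list) -> dict:
    """Username -> chronological list of normalized events (the responder's view)."""
    timeline = defaultdict(list)
    for e in sorted((normalize(ev) for ev in events), key=lambda e: e["ts"]):
        timeline[e["user"]].append(e)
    return dict(timeline)


def soft_lock_candidates(events: list, threshold: int = 3,
                         window: timedelta = timedelta(minutes=5)) -> dict:
    """Username -> time at which a softlock policy would have tripped.

    A user trips the policy when `threshold` failed sign-ons land inside a
    sliding `window`; a successful sign-on resets the count. Only the first
    trip per user is reported.
    """
    locked = {}
    recent = defaultdict(deque)
    for e in sorted((normalize(ev) for ev in events), key=lambda e: e["ts"]):
        if e["type"] != "user.session.start":
            continue
        q = recent[e["user"]]
        if e["result"] == "SUCCESS":
            q.clear()
            continue
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["user"] not in locked:
            locked[e["user"]] = e["ts"]
    return locked


if __name__ == "__main__":
    for user, evs in activity_by_user(SAMPLE_EVENTS).items():
        print(user, [(e["ts"].time().isoformat(), e["type"], e["result"], e["ip"]) for e in evs])
    print("softlock would trip for:", soft_lock_candidates(SAMPLE_EVENTS))
```

Run on the constructed data, the per-user timeline makes the pattern the text describes visible at a glance: three failures from one address, then a successful password and MFA step from another. The softlock check reports the moment the third failure landed, which is the point where a temporary block would have started and a ticket to the security team would be raised.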
There are at least two stages left in the rollout to implement MFA more broadly: enrolling all new hires, and going back to enroll all existing employees. As new acquisitions are brought into the fold, MFA is set up immediately.
M&A made easy
The benefits of the infrastructure modernization became obvious when the company acquired a US-based company with approximately 850 users. Like the European company, this organization didn’t use Okta, but this time, because the parent company had modernized its IT infrastructure, it was able to apply the knowledge it had gained the first time around.
Last time, it took the parent company about three weeks to onboard all the new users but this time around, it only took three days. The team was able to immediately place new users into Okta and enroll them in MFA, including enabling Yubikey for additional flexibility.
“We figure we could onboard around 1,000 employees in a day if an M&A situation called for it,” says the company’s development manager. “We could do full AD profiles with Office 365 licenses and accounts, and the entitlements they need to start doing their jobs on Day One.”
The company is currently using VMware to run a Virtual Desktop Infrastructure (VDI) pilot in the hopes that it will allow its call center reps to work from home. Anyone using VDI will be protected by MFA.
The workflow for the VDI project starts with a RADIUS request for Active Directory credentials, which triggers Okta MFA Verify with Push to send an authentication request to the user’s watch or mobile device. Then the VDI itself prompts for credentials. So far, the pilot is going well, and the organization is excited about the results—especially since it will hopefully be rolled out to a massive population. “The end users were happy with the VDI project,” says the senior systems engineer. “They just thought it was the greatest thing.”
The company also ran a security risk analysis, and the results were extremely strong. “Okta really saved the day for this,” says the senior systems engineer. “Without Okta, I don’t think this would ever have come to fruition.”
Overall, the company has about 200 active apps, and 75-80% of these are connected through either SAML or OpenID Connect (OIDC). The company also has a homegrown app that it developed and coded using Django, and manages with Okta’s API Access Management.
“I think the big win is for the end user,” says the senior systems engineer. “Having a dashboard in a single pane of glass, and being able to say, ‘Oh I know I have to go to Okta for that,’ it really just makes it easy for the end user.”
Of course, it’s all much easier for the IT team now, too. Every month, it provisions about 500 new employees and with the new workflow, it only takes a couple of minutes to provision a new employee.
Now, when the company makes product purchase decisions, whether or not it can be integrated with Okta is a major consideration. “Basically, your app needs to integrate with Okta,” says the senior systems engineer. “It needs to have SSO and support SAML or OIDC, and if it doesn't, we’re not going to go with it. It’s just that flat of an answer.”