Crafting an identity security fabric to secure a global Wasserman workforce

4.5k+ employees managed by a five-person identity team

95% reduction in the time needed to identify and resolve an incident with Identity Threat Protection

75%+ of users secured with passwordless authentication via FastPass

40% of total company software license spend saved by eliminating unused seats with OIG and ISPM

“Using ISPM gives us the visibility into our downstream applications with granular, actionable data. We have new insight into non-human identities that helps us manage them just as easily as we do our employees.”

Bill Schechtman, SVP of IT, Wasserman

The world’s top athletes and stars are only as successful as the teams that help them shine. While they may not be on the pitch or the stage, Wasserman Group’s marketing and talent management efforts support some of the world’s biggest names in sports, music, and entertainment in more than 28 countries. Managing talent and brands requires the company to always be on and operational, which means they depend on a global, flexible team to meet their clients’ needs. 

Since their founding in 2002, the company has acquired more than 20 other organizations and scaled to more than 4,500 global employees, including an expansive repertoire of freelancers. Enabling Wasserman’s teams to deliver at speed without compromising security is the primary mission of their identity team. “We started our identity journey needing a simple option for single sign-on,” says Bill Schechtman, SVP of IT. “I chose Okta, and even as the landscape and our needs have changed in ways we never could have predicted, Okta has grown with us.”
 

Centralizing identity to minimize manual work and secure company data

Even with Single Sign-On in place, the team was still managing most of their identities manually, and those workflows didn’t support Wasserman’s need for speed. “We effectively used Okta as a password manager,” says Schechtman. “But as both cybersecurity and our own organization have grown more sophisticated, any time we see an opportunity, we ask if we can do it with Okta.”

The Wasserman HR team would share a spreadsheet of new hires, and the identity team would grant each new employee access to every application they needed. This process took hours per user, and for freelancers who may only work on a project for a few days or weeks, every hour counts. “When managers have to request access to applications individually, it’s tedious for our team and also leaves room for errors,” says Peter Hua, IAM administrator. Users also needed to be manually offboarded. Any delay in that process introduced unnecessary risk to the business since unused credentials are potential attack vectors.

The team needed to automate their onboarding and offboarding processes to improve speed to access without leaving proprietary data exposed. Their first step was to centralize their identity management into a single solution to lay the foundation for a robust identity security fabric. “With one source of truth, we can standardize on attributes and drive automation across the business,” Hua explains. “The more we can trust our data, the more functionality we can build on top of it.”
 

Enabling a fast, global team with identity automation

Wasserman unified identity with Universal Directory, providing a single source of truth to connect to their HR platform, Workday. Once an employee is added to Workday, all of their relevant data is fed directly into Okta. That information is then used by Lifecycle Management and Workflows to automatically grant the user access to the full suite of applications they need for their role 24 hours before their start date, so they’re ready to work on their first day. “With Okta, getting a new user the right resources is just a simple click,” Hua says. “We’re spending a couple of minutes instead of hours.” This time savings allows Wasserman’s identity team to focus on optimizing their environment, gathering feedback from other teams, and further improving onboarding processes. For example, the team’s next stage of onboarding automation involves shifting away from managers requesting access for specific applications to fully automated, role-based access control.

Workflows are also helping augment some increasingly complex needs within Wasserman’s onboarding journey. During mergers and acquisitions, new additions to the group are treated just as any other employee, effectively eliminating potential hiccups during the business transition. They’ve also simplified even the most complicated of freelancer access journeys. If a freelancer is already working on a project and is then scoped for a new one, a Workflow extends the user’s end date and reassigns relevant applications rather than fully onboarding and offboarding. “The entire onboarding process is now self-sufficient, and our end users never have to worry about whether or not they have access,” Hua says. “Automating that process also helps improve our reputation,” Schechtman adds. “When we acquire a company, they don’t really know who we are. For a new person to come in and immediately have access to everything they need in a single, easy-to-use dashboard has a big impact on their first impression of our brand.”

Using Okta Identity Governance (OIG) in tandem with these automations means the IAM team also has a place to protect, manage, and audit access across all of their resources. Any applications needed outside of a typical onboarding are available via flexible self-service requests, ensuring users get what they need, while IT maintains standardized control policies to secure company data.
 

Providing easy, secure, and phishing-resistant access

Securely onboarding or offboarding a user is essential, but the company also has to keep data safe as those users go about their day-to-day operations. With Single Sign-On and Adaptive Multi-Factor Authentication (MFA), users can get to the applications they need easily while the IT team maintains their high security standards. “For us, usability means getting the right people access and protecting that access with phishing-resistant MFA, so they can perform their jobs, we know our data is secure, and everyone’s happy,” Hua says.

The team introduced FastPass to migrate the business to a phishing-resistant MFA model; this change has helped ease both the end user and IAM team experience during mass password resets. “We have to cycle our passwords every so often,” Hua says. “During our last cycle, our 3,000 FastPass and Okta Verify users simply continued on with their days because they’re fully passwordless.” These authentication solutions, together with OIG, help ensure the Wasserman team has a fully secure lifecycle for every employee account, a practice that will scale as the team expands. “The support we have with the Okta team is unlike any other vendor relationship,” Schechtman adds. “They help us solve even the smallest issues, but more importantly, they really show us what Okta is capable of and help us choose solutions that will improve our security posture as we grow.”
 

Using integrated threat protection to gain real-time insights

As identity-based threats grow more sophisticated and complex, the team knew they needed to do more to improve their security posture to match. By layering Identity Threat Protection (ITP) into their security stack, Wasserman can now detect threats in real time and respond automatically before damage is done.

Rather than relying on a separate SOC team to report suspicious behavior, the IAM team has information about these threats at their fingertips. “Before ITP, it could take several hours for our SOC team to reach out about an alert and manually investigate the threat, app by app, until we could find any information,” Hua says. With ITP, the team can automatically update a user’s risk score based on a threat, block access, universally log them out of all connected apps, and share relevant data points in minutes.

This efficiency is especially important for the company’s freelancers who typically bring their own device (BYOD). Using ITP with OIG means the team has direct insight into each device’s IP address, so only approved devices can access Wasserman files. This ongoing evaluation improves overall security and further reduces the risk of a data breach. “ITP proved its value to us almost immediately. I was notified that Okta logged a user out and locked their account based on suspicious activity,” Schechtman shares. “We can set our security policies in Okta, and ITP helps us maintain those standards automatically and continuously.”
 

Building an identity security fabric for end-to-end identity visibility

The Wasserman team sees additional opportunity to expand their Okta footprint as they learn more about their own identity infrastructure. The team is exploring Identity Security Posture Management (ISPM) to have a single pane of glass to monitor, manage, and secure their entire Okta environment. “Using ISPM gives us the visibility into our downstream applications with granular, actionable data,” Schechtman says. “We have new insight into non-human identities that helps us manage them just as easily as we do our employees.”

From their ISPM dashboard, the team can easily review when employees last accessed applications and prompt logouts. Combining this with monthly access review campaigns in OIG, they can understand when users last used an application with a few simple clicks and make recommendations for retiring unused software licenses, further reducing business costs. With the data collected and monitored in ISPM, the team has already uncovered hundreds of unused software seats and has been able to reduce licensing costs by more than 40%. Greater insight into licensing costs also means Wasserman can settle true-ups with vendors by comparing actual license usage in Okta versus vendor estimates, potentially saving even more during contract renewals.

Coupling this additional visibility with plans for ongoing access certification campaigns, Wasserman can continuously monitor, evaluate, and enforce least privilege across all of their applications. By integrating governance and security, the team can be confident that users always have appropriate access at the right time to minimize risk. This growing Okta identity footprint helps Wasserman create a resilient identity security fabric to protect every user before, during, and after authentication. “We’re just scratching the surface of what we can do with Okta,” Hua adds. “I’m excited that we can continue to get more secure without compromising on usability.”
 

About Customer

Wasserman Group is a marketing and talent agency operating at the epicenter of sports, music, entertainment and culture, serving talent, brands, and properties on a global scale.

Headquartered in Los Angeles, Wasserman’s presence spans 28 countries and more than 68 cities, including New York, London, Abu Dhabi, Amsterdam, Hong Kong, Madrid, Mexico City, Toronto, Paris, and Sydney.
