HubSpot strengthens Identity security through phishing-resistant MFA
reduction in help desk access provisioning tickets
of logins to Okta come from registered devices and use phishing-resistant MFA
of access-request tickets resolved via automation
months to roll out phish-resistant enforcement to all HubSpot laptops
“In the last year, Okta has become one of the single most important pieces of our security stack. From a security perspective, it’s only increasing in importance.”
Eric Richard, SVP of Engineering and Chief Information Security Officer, HubSpot
In today’s high-touch digital world, it’s harder than ever for brands to engage with consumers. HubSpot has tapped into this realisation and is focused on helping companies embrace modern consumer behaviour to create the best possible customer experiences. Around the globe, more than 7,000 HubSpot employees strive to make marketing fun and scalable for its users with a CRM platform that empowers teams across marketing, sales, service, and operations to work smarter.
Behind the scenes, a small and nimble team uses Okta to manage security and Identity for the entire organisation. “If we didn’t have something as easy and smooth as Okta, it would take a team that was at least five times as big,” says Andrew Meinert, HubSpot’s Director of System Operations.
A trusted Identity partner since 2012
Before Okta, Active Directory was HubSpot’s primary user database. But with its basis in on-premises apps, manual provisioning, and limited security, it needed a modern, cloud-based option to properly scale. At the time, HubSpot was a hyper-growth startup, adding 30-50 employees every month, which made onboarding alone a cumbersome task for a company without a formal Identity and access management (IAM) solution in place.
It was time to implement a full-fledged solution that could grow with HubSpot’s evolving directory and IAM requirements. The team implemented Okta in 2012 and remain early adopters, enthusiastic beta testers, and strong partners.
HubSpot’s direct connection with Okta staff is a huge advantage that saves time and helps Meinert’s team accelerate operational efficiency. “I’ve seen functionality grow and evolve, and one of the consistent high points is the partnership we have with the product and engineering teams inside Okta,” he says.
This is in large part due to the excellent support from HubSpot’s Customer Success Manager within Okta. “A real advocate and fantastic resource, they’re extremely responsive and efficient,” Meinert says. “They are instrumental in connecting us with the Okta engineering team to expedite the iterations we’ve achieved related to devices and access.”
An unexpected challenge enhances security
A change in Identity strategy was triggered by a rise in social engineering and phishing attacks that were bypassing traditional two-factor authentication (2FA). The security team realised more protection was necessary and rose to the challenge by accelerating plans to upgrade to Okta Identity Engine (OIE).
"OIE was a real game-changer for HubSpot because it gave us access to FastPass, phishing resistance, and a holistic, end-to-end solution,” says SVP of Engineering and Chief Information Security Officer Eric Richard. “We can get granular on a per-application basis and integrate device trust and user information to make the right front-end authentication choices.”
The adoption of OIE marked a transformation in HubSpot’s Identity model. In addition to distinguishing users with a password managed by Active Directory, Meinert and his team now have a concept of what devices people are using. “We can leverage all those attributes to make smarter, informed access decisions,” he says.
Today, 100% of all logins go through phishing-resistant multi-factor authentication (MFA), which protects HubSpot against real-time credential phishing across all platforms. “It’s so easy to get to a phishing-resistant state with Okta,” Meinert says.
The powerful switch allowed HubSpot to reach its goals of implementing phishing resistance and enhancing security around device registration. One unexpected benefit was device posture assessment: HubSpot now relies on Okta to enforce robust device security policies. In a BYOD world, it’s effectively using Okta Verify to meet many of the needs traditionally provided by a mobile device management (MDM) solution.
The HubSpot team also saw significant value in integrating Okta with their existing EDR platform. By combining insights from Okta Verify and the configuration and state signals from security scores on managed devices, Richard and his team are able to further strengthen their security posture. “As you start using Okta as the gate point, it changes your whole world,” Richard says. “Okta creates a very efficient loop that reassures us that our security stack is working well.”
Reducing provisioning request tickets by 80%
Especially in rapidly growing organizations like HubSpot, manually provisioning accounts is tedious and time-consuming with cascading inefficiencies quickly overwhelming IT. To automate and manage the entire lifecycle as users join, change roles, or leave HubSpot, Meinert’s team uses Okta’s Lifecycle Management, which conveniently integrates with AD.
“We take advantage of every app with a SCIM integration to enable end-to-end lifecycle management,” Meinert says. The team assigns applications at the employee-type level for interns, contractors, and employees, and membership to those groups is automated from their HRS system and other integrations.
“Once that flowed down to our application configurations, onboarding became a lot easier,” Meinert says. New employees can request certain applications, like ServiceNow, and gain access the next time they sign into Okta. “The ServiceNow Okta integration alone has reduced our end-to-end help desk access provisioning request tickets by at least 80%.”
On the opposite end of the life cycle, Okta gives HubSpot IT peace of mind. “We know that when Okta offboards a user, their access to G-Suite, Slack, and any other app is terminated, which eliminates lingering risks,” Meinert says. Otherwise, the team would have to manually ensure those sessions are revoked within each app, slowing everyone down and adding to overall management costs.
A powerful partnership with limitless growth potential
For HubSpot, Okta not only acts as its Identity partner to increase security and reduce onboarding time, but it also significantly improves the end-to-end employee experience, requiring 80% fewer resources to maintain and lessening the burden on IT.
“In the last year, Okta has become one of the single most important pieces of our security stack,” says Richard. HubSpot implemented a large amount of Zero Trust privileges through Okta, and is using it as a backstop for much of its security. Looking forward, HubSpot has a strong foundation in place to go 100% passwordless in the near-future.
“Okta is behind our device registration, phishing resistance, and device posture assessment, effectively helping us deliver on a Zero Trust strategy. It’s all of those — and one day it will also help us go passwordless,” Richard says. Adding value and increasing efficiencies without needing more developers on deck means that for HubSpot, the more they can get behind Okta, the better the organization's overall productivity and security will be for the entire workforce.
HubSpot is a CRM platform that connects everything scaling companies need to deliver a best-in-class customer experience into one place. Our crafted, not cobbled solution helps teams grow with tools that are powerful alone, but better together. With HubSpot, customers come first, customisation is simple, and teams are unified through a connected CRM. Create a delightful customer experience with HubSpot.