Expediting M&A Integrations with Identity

Lindsey Bly: Hello, everyone, and welcome. Thank you so much for joining us in this virtual session. I'm Lindsey Bly. I'm on the product marketing team here at Okta and I'll shortly be joined by Neeraj Malhotra, who is an IT leader at Broadcom. Today we have some really great content for you around expediting M&A integrations with identity. Before we jump into that content, I want to talk a little bit about some housekeeping items.

Lindsey Bly: So first of all, of course, we have this safe harbor statement to cover, which just calls out the fact that this presentation may contain some forward-looking statements. The other item I want to call out is that we will both be available via chat throughout this whole presentation, so if you have any questions, comments, concerns that pop up, feel free to drop them in the chat and we'll be there monitoring it and we'll get back to you quickly. My only request is that you say whether the question is for Okta or for Broadcom, so we can be sure to triage it to the right person. And with that, let's go ahead and get started.

Lindsey Bly: So as with any type of growth—enterprise level growth—M&A comes with a number of challenges for IT organizations. And M&A in particular, because you're combining people, processes, technologies from disparate companies, can be really difficult and present a number of pretty substantial challenges for both IT and businesses. I want to talk about some of these challenges in context of what we've seen from a few of our customers. The first one is a challenge that News Corp faced, and that was really having any sort of IT efficiency when it came to M&A: so making sure that mergers and acquisitions were not a massive burden on the IT team. News Corp, prior to Okta, spent thousands of hours each year just to consolidate and synchronize their AD and LDAP directories resulting from M&A activity.

Lindsey Bly: The next challenge that we see organizations face, somewhat related to the consolidation and synchronization of directories, is an inability for organizations and new users and new team members to collaborate with each other. This was something that ENGIE previously faced, as it took them two months to add a new domain following an acquisition. And not only was this time consuming for IT, but, again, it prevented those new users from collaborating with their new coworkers.

Lindsey Bly: Lastly, another common M&A challenge that IT organizations can face is highlighted by Allergan. So Allergan, if you don't know, is a massive pharmaceutical company operating in a highly regulated industry. So when Allergan conducts M&A visibility into the security and compliance and who has access to what, it is really, really important. And prior to implementing Okta, they had challenges around that visibility, which increased risk and concern during time of acquisition.

Lindsey Bly: Now, these IT challenges can translate directly into business challenges when it comes to M&A integrations. These are stats we've pulled from a Deloitte report. Deloitte does an annual report on the state of M&A, which is a really, really great research piece; if your company's undergoing M&A, I recommend taking a look. And some stats I wanted to highlight from there are around organizational efficiency and how IT can help impact M&A.

Lindsey Bly: The first is that 50% of organizations surveyed cited efficiency issues when it came to mergers and acquisitions; 47% face cost issues; and 44% dealt with speed issues. Now, all of these things kind of bubble up into this one staggering statistic at the bottom here, which is that 84% of organizations surveyed actually do not realize the expected value of their M&A activity. And when you really dig into this, it's often related to the ability to effectively integrate those people processes and technology that we previously spoke about.

Lindsey Bly: We've seen a number of our customers, a number of our IT leaders within our customers, really take this by the horns and use IT as a change agent to create agility and efficiency when it comes to M&A. And they're doing this with Identity at the core for efficient and secure M&A processes. There are four key areas that we see these IT teams start to focus on when it comes to enabling efficient and secure M&A, and I'll walk through each of these in this slide.

Lindsey Bly: The first is creating a single source of truth. So developing a single source of truth not only allows you to have visibility into who has access to what, what types of applications you have, it also creates the foundation for things like automating IT, ensuring a positive user experience, and enabling collaboration across organizations. Now, we see organizations do this by consolidating and synchronizing directories into one single pane of glass where they have visibility into everything that's going on. They kind of apply global policies across both their existing organization and any acquisitions that may happen.

Lindsey Bly: We also see these organizations put an effort into eliminating user friction. So when organizations go through mergers and acquisitions, it can be a really trying time for employees, and we actually know that turnover rates during times of M&A are often higher than they are throughout the remainder of the year. This is often due to the uncertainty that employees face when they're acquired or when an organization acquires another company. As an IT organization, you can make employees feel more comfortable by providing day-one access to the applications that are absolutely critical to their job, and by making sure that they know the tools that are available to them. This is what we see a lot of leaders in this space do. We also see IT teams look to reduce some of the friction that can be a result of IT processes. So, how can you make things smoother for these acquired employees? Not just by providing access to the apps they need, but by also making things like password resets and access to those applications really, really seamless.

Lindsey Bly: The third thing that we see IT leaders do when it comes to M&A is increasing IT agility. So, as someone who's attending this session, you're probably either undergoing M&A or have undergone some M&A in your organization, and you've seen the impact this can have on your IT team. M&A—things like consolidating directories, manually provisioning access, manually provisioning applications—can be a drain on your IT resources, especially when you're talking about hundreds, or thousands, or tens of thousands of employees that you're acquiring during an acquisition. So, we see a lot of IT leaders look to increase IT agility when it comes to M&A processes. This is something that Neeraj has done a great job at Broadcom with, and he'll speak to some of the things that he's put in place there. But this typically revolves around automating things that are automateable.

Lindsey Bly: So how can you automate provisioning requests? How can you automate password resets? And really think about the infrastructure that you're using, so that your IT team can automatically scale up their infrastructure with a cloud solution instead of being bogged down by manually maintaining and growing servers.

Lindsey Bly: The last piece that we see organizations or IT teams really contribute to around agility with M&A is reducing attack surface. So times of M&A, not only can they increase employee turnover, but they also introduce risk when it comes to an organization's security posture. And this goes back to the idea that there's a lot of uncertainty with the employees. Acquired employees often might not know what applications they should have access to or what types of email their new companies should be sending, and it really opens up an organization to a lot of vulnerability.

Lindsey Bly: At the same time, when you acquire an organization, you don't necessarily always have visibility into the security of their tech stack. So what we see a lot of companies do is to make sure that employees only have access to the applications that they need, and that there's not lingering access left out there. We also see them implement robust policy frameworks at a global level. So, what are some of those security measures that you have in place for your typical organization? Also think about how you can overlay things like additional multi-factor authentication on top of your acquired company, while maybe your IT team is figuring out which applications they're going to keep and which applications will sunset.

Lindsey Bly: How does Okta actually help with this? Okta, as a modern identity access and management provider, we've helped a number of organizations, including those that I mentioned at the beginning of this session, really increase agility and security when it comes to mergers and acquisitions. Now, there are a few things that we help do. The first is often going back to that single source of truth. So, organizations who use Okta will often end up using Universal Directory as a way to consolidate and synchronize directories, both legacy and modern, to create that single source of truth. Then, from that single source of truth, they'll start to layer on Single Sign-On, which provides end users with access to the right applications at the right time, and makes sure acquired employees feel like they have the tools that they need to do their job.

Lindsey Bly: On top of Single Sign-On, a lot of these organizations will choose to overlay Multi-Factor Authentication, often including more stringent rules when it comes to a newly acquired company before they're able to completely evaluate and vet the technology that that company is using. Lastly, Lifecycle Management is Okta’s automated provisioning and deprovisioning product. Automating provisioning and deprovisioning, as we spoke to before, can have a number of impacts during times of M&A. The first is making sure that those acquired employees have access to the right applications: nothing more, nothing less. It makes them feel at home in their newly acquired company. It can also improve security posture by removing rogue accounts that may still have lingering access from an acquisition. And then lastly, it can greatly impact your IT team’s efficiency if they no longer have to manually provision access to all those newly acquired employees.

Lindsey Bly: And with that, I'm going to hand it off to Neeraj, who's going to go into a little bit more depth around how Broadcom has increased and expedited their abilities around M&A.

Neeraj Malhotra: Great. Thank you so much, Lindsey, for that wonderful introduction, as well as for giving us an opportunity to talk about how Broadcom has handled mergers and acquisitions. And thanks to everyone who is joining this session. So, let's go ahead and talk a little bit about myself.

Neeraj Malhotra: I'm responsible for various areas in Broadcom IT. I've got over 20 years of experience, and I also support various teams from an identity as well as a client-technology perspective in Broadcom. Some of the areas that I'm responsible for, of course, are identity and access, client security and technology, IT tools and automation, software and operating system management, as well as the end-user experience. So as you can see, I have a fairly wide area of responsibility, and there's a lot of synergies across these areas, but everything starts with the identity and access platform.

Neeraj Malhotra: Let's talk a little bit about Broadcom. As you can see, Broadcom has a very rich history. It goes back to some companies likeAT&T, LSI Logic, CA Technologies, and Symantec, just to name a few that have started many, many years ago. As you can see in this timeline, Broadcom is the culmination of a rich history from various companies. In addition, in this chart, as you can see, we have a breakout between semiconductor as well as software as two of the key focus areas for the company, and these have grown over the years through acquisition.

Neeraj Malhotra: So, it's really important for us to have a successful method and process behind how we acquire companies and also how we integrate their IT systems to ensure the most productivity for the end users, while reducing friction for the work that they need to do to be productive. As Lindsey mentioned, there are a lot of key challenges. There are a lot of problem areas that can happen during an M&A. Each company that you acquire has its own uniqueness, so to speak, and being able to navigate that uniqueness and incorporate that into the Broadcom process is a big challenge. So we'll touch a little bit more on challenges in the upcoming slides and on how we've addressed them through the partnership with Okta.

Neeraj Malhotra: So let's talk a little bit about the partnership that we've had, and a little bit about the history of our relationship with Okta. We started our history with Okta back in 2012. That was when our CIO looked at the environment and decided that it's really critical to have a relationship with an identity provider who can provide security as well as a single source of identity for all of our SaaS applications. It was decided early on that we need to move off of the on-premises legacy methodology of applications and productivity tools to a cloud-based solution. So in 2012, we started a relationship with Okta and primarily was focusing on the Single Sign-On and common identity platform.

Neeraj Malhotra: As the slide builds here, you'll see that, over the years, we have slowly but surely grown in our relationship with Okta, incorporating technologies and services from an Okta perspective that have helped us with the challenges that we experience with M&A, as well as with standard daily operational activities. Everything from migrating from OID to AD authentication, to using Workday as a master, which gave us the ability to have a common customer identity, as well as having a Lifecycle Management, application entitlement control, utilizing Workday attributes, provisioning applications for end users using rules as well as standardization inside Okta, to what we've started recently, which is the M&A and onboarding automation.

Neeraj Malhotra: We've found that the partnership with Okta has really enabled us to be successful, and has reduced a lot of the friction associated with M&A. And then we're looking forward to continuing to work with Okta to grow our partnership with them to include inbound customer IDP federation. And this is for our customer Okta tenant.

Neeraj Malhotra: Let's talk a little bit about how the growth has happened via mergers and acquisitions for Broadcom. As you can see in the bars that have shown up here, we have internal workforce in the red, and we have customers in the gray. We started our journey back in 2012 with about 4,500 employees who were part of the internal workforce, with really no customer involvement from an identity and Single Sign-On perspective. But over the years, as we transitioned our services as well as our customer identity over to Okta, you can see that there has been a significant growth in both the employee count as well as the customer count. And a lot of this is attributed to acquisitions. So if you reference the previous slide, you can see that each of these key bumps that you're seeing were directly related to an acquisition.

Neeraj Malhotra: The growth, as you can see, has been pretty significant. In the last eight years, we've had over an eight-fold increase in the employee headcount, and over a 250-fold increase in our customer headcount. Similarly, there has been a growth on the application side. As you can see, early on in 2012 we started with as little as four applications, and we're planning to end the year in 2020 with well over 320 applications. This translates to an 80-fold increase in just the number of applications that are supported in our customer and employee Okta tenants.

Neeraj Malhotra: Okay. So let's speak a little bit about the challenges and how Okta has helped us. There are three key areas that we focused on. One is day-one access, one is user experience, one is the burden on IT. As Lindsey mentioned, it's really important to ensure for a successful merger and acquisition that the end users that are being brought into the Broadcom ecosystem have a great user experience and are also able to access their tools and their applications on day one. It's really important for the leaders of our business that everyone is on a common collaboration platform, is able to access the applications they need to, is able to receive the support, training, and, of course, their access, their credentials, and sign-on information on day one: the moment they start working with Broadcom. At the same time, from an IT perspective, if we can help reduce friction and we can help reduce the burden on IT, it would be very helpful.

Neeraj Malhotra: So from a day-one-access perspective, we have a common collaboration toolset in Broadcom, and we'd like to make sure that employees are able to collaborate with their Broadcom peers and also be able to access resources, network, and get access to applications and services that they need to be productive on the first day. From a user-experience perspective, it's really important that not only can folks access the tools and use the tools, but they should have a great experience doing it. We need them to be able to get their credentials, get access to Okta, get access to the support and training that they need to really minimize disruption and improve productivity for them.

Neeraj Malhotra: And at the same time, one of the key areas for our CIO was how we can reduce the burden on IT. As acquisitions happened over the years, you can see there are various scales of the acquisition sizes. They've happened at various frequencies. We've had acquisitions as small as 20 individuals and as large as 15,000 employees. So you don't know what's going to come until it's announced, and we have to be agile and ready to be able to bring that acquisition on board as soon as possible and make the folks productive.

Neeraj Malhotra: So what we did was we worked closely with Okta, and we looked at each of these areas.As Lindsey mentioned in one of her slides, there are some core services and functionality that Okta offers, which greatly reduce not only the friction, but also improve the employee productivity while reducing the IT burden. So let's touch on those areas real quick.

Neeraj Malhotra: So from Okta and Broadcom's partnership, we looked at these key functional areas and services from an Okta perspective. SSO of course, Single Sign-On, is a common authentication platform for Broadcom's tools and services. As Lindsey’s slides showed, there's Lifecycle Management and also using Workday as a master. This is critical for account provisioning and also having a common identity source. Universal Directory, so, even though you have your user sitting in Workday, you need to be able to bring them into a system like Okta to be able to have a common identity that can be referenced by other applications. As I mentioned, we're planning to have well over 300 applications by the end of this year available in Okta, and all of those applications need to have a common user identity. It doesn't make sense to have some applications connecting to Active Directory or LDAP and some others connecting to Okta, it really reduces the benefits that are offered by a common identity source.

Neeraj Malhotra: Groups and rules. So this is one of the key areas where I feel Okta has made us very successful. Being able to manage application entitlement via Okta rules and groups is very critical. This allows us the ability to only show applications to users that they are entitled to. And it also gives us the ability to tightly control things like who gets multi-factor enabled, who gets what functional multi-factor. Whether someone can use email as a factor or can use SMS, etc. And that goes into the next point, which is ThreatInsight and MFA. With these two items, we're able to meet the requirements from our corporate security officer's perspective.

Neeraj Malhotra: We need to be able to offer multi-factor for our applications, especially those that are GDPR, PII-related. We need to be able to monitor any incoming threats and be able to address those quickly. Whether it's blocking their network access, whether it's restricting them via IP, ThreatInsight gives us the ability to see that. And then one of the other areas which we felt was very critical is API access: being able to not only use API, but do it in a secure fashion. Okta affords that through the API Access Management. We're able to tightly control who has access to what in Okta. So we have a lot of applications out there which leverage API for simple things like creating users, assigning users to groups, making modifications to a user's profile. A lot of this is being enabled through API access.

Neeraj Malhotra: And then in terms of security and in terms of reducing transition time for legacy systems, we are leveraging Okta Advanced Server Access, as well as Okta Access Gateway. These are two things that we're actually looking at this year. So we're in the process of actually trialing these and going through POC scenarios.

Neeraj Malhotra: And then finally Workflows. So this is something that Okta is announcing, or is announcing shortly, which is designed to help improve efficiencies and service delivery directly inside Okta. As you'll see in one of my slides coming up, we have workflow engines that are outside of Okta, and they're used to kind of help keep everything integrated and interconnected based on triggers from Okta logs. So when we heard that Okta has the service ability to offer workflow control right inside Okta, we were really excited because we can now selectively move workflow management directly into Okta and leverage Okta's built-in functionality to control the automations that are triggered from Okta's perspective.

Neeraj Malhotra: So, let's go ahead and talk about how we've actually implemented some of these solutions in Broadcom. We'll start with where our source of truth is for identity. As I mentioned before, Workday is a source of truth for our user identity for employees and contractors. Everything starts with a Workday data load. So our HR team loads users into Workday, and that, via the Workday to Okta connector, feeds Okta with the base identity information about a user. Okta then kicks in and takes over for account provisioning, as well as application and service provisioning, and credentials and welcome emails. So Okta becomes a source, effectively, for all user identity that is fed from Workday.

Neeraj Malhotra: The next thing that happens is we handle account and application provisioning through Okta. So, specifically for these applications listed here, Webex, G Suite, Box, and Active Directory, Okta's provisioning and lifecycle management services are key. We don't use any other form of workflow management. This is out-of-the-box Okta functionality, which is part of their LCM capability and user provisioning capability. We do have a workflow automation tool. We happen to have selected a tool called Workato, and this one is used to trigger from events that occur in Okta to actually go do something for us. And one of the key areas is that, when a user joins the company, they need their credentials. They need to be able to sign on into Okta and set up their account. So we decided early on that we need a mechanism to do this, which can scale.

Neeraj Malhotra: If you're doing 20 people or 50 people, sure, you can do it manually. You can create a spreadsheet, you can go and provision services, provision accounts, provision credentials, and then you can set up a mail merge, and you can deploy it. But if you're doing 15,000, 20,000 employees, a spreadsheet is not going to cut it. It just becomes extremely difficult. So this is where the concept of having an API connection to Okta is really helpful. So what we effectively have done, is we have this workflow automation tool. It triggers off of a lifecycle event that happens in Okta, which is the creation of an Okta user, and then, obviously, the activation of that user. And what it does is it populates a repository where we store the credentials for the user. In our case, it's actually utilizing a Google Sheet. And then this Google Sheet is updated via the workflow automation tool, and it's put into a state where one of our management team can actually go and trigger the distribution of the credential email.

Neeraj Malhotra: In this particular example, what we've done is we've built an interface that our directors can go into, they can actually select a list. The reason the selection is there is we have a, well, usually in an acquisition you've got global presence. So you've got individuals from various parts of the world, and you don't want to send a credential email at midnight to someone in Germany, right? You want that email to be at the top of their inbox when they wake up in the morning and sign into their email system. So what we did was we use the automation tool to basically build lists based on geographical location and time zones. So when it comes time to send a credential email after we've received the okay from our CEO, the directors can go in here and, let's say, select Germany, and then they can click the button that says “send welcome email.” So what the automation will do is, it will pull the list just for the users in Germany and it will distribute the email.

Neeraj Malhotra: As an example, here's a snapshot of a live email that we use that was sent for the recent Symantec integration. And we use a similar methodology. But the key thing here, to enable all of this functionality, you need to have API access. You need to have event logs and event triggers that you can key off of. You need to have provisioning services that are efficient and don't rely on any manual intervention. All of these things are very critical, so we reduce friction from an IT perspective, as well as reduce friction from an end-user perspective.

Neeraj Malhotra: So, where are we going with Okta this year and in the near future? One of the key things we've done over the past is, every time Okta has come up with a new service or solution, we've worked with them to be part of their beta program. We've worked with them to be part of their POC,and have helped give them feedback, whenever there's a new service, from a customer perspective. So what we're looking to do is continue to extend the use of Okta services. One of the key areas, as I mentioned, is Okta Workflows which is coming out, as well as Inline and Event Hooks. We were part of the beta for that. And what we're looking specifically for with those two is to replace or supplement the workflow automation tool we're using today, which is Workato. Workato is great, but why have that workflow tool outside of Okta when Okta can do it all for you, especially for services related to applications tied into Okta?

Neeraj Malhotra: The other thing we're looking into is Okta Access Gateway, as well as Advanced Server Access. These are some of the key things, from a service extension perspective, that we're looking for. The other area is, as I mentioned before, the Workday integration to Okta. Today, we're doing it using Workday imports. While that works very well, there are more efficiencies that we can have. Okta offers Real Time Sync, and it allows us the ability to remove Workday imports. It allows us the ability to remove custom reports, and it takes the whole concept of adding a user to Workday or making a transactional change in Workday seamless. We don't have to wait for an import to run to bring those changes from Workday into Okta. It's going to be seamless and efficient.

Neeraj Malhotra: The other thing is, from an HR perspective, as you can imagine, when you have this level of mergers and acquisitions happening, there's a lot of churn. So you have a lot of transactions that happen, which we call conversions. Users may be changing their status from an employee to a contractor, or vice versa. Their hire dates may be shifting due to visa or other LOA related issues. It's good to be able to give the control back to HR, so IT doesn't have to be involved for every single transaction. So this is where the real time sync functionality is really critical for us. We're looking to implement that later this year.

Neeraj Malhotra: And then continuing to optimize our onboarding experience. As I mentioned before, we focused a lot over the last year on optimizing the onboarding experience and reducing the burden on IT. We're now growing and looking at how we can reduce the burden for other areas, such as facilities teams, HR teams, payroll teams, etc. We've looked at various ways where we can trigger from Okta or leverage API access to Okta to give these teams the ability to also automate the services that they offer.

Lindsey Bly: All right, thank you, Neeraj. Those were some great insights and some amazing work that you've done at Broadcom. And with that, I want to thank you all for joining us over the past 30 minutes or so. We appreciate your time, and we hope that you found this session helpful. If you have any further questions, we will be here for the next few minutes answering them in chat, and we look forward to any questions you may have and hope we can be helpful. Thank you. Bye.