HPE GreenLake and Okta: Going from Zero to Launch in just 60 Days



Jeff Janovich: Hi everybody. My name is Jeff Janovich, delivery program manager from the education services team here at Okta and welcome to Octane20 Live where we are here with Travis Tripp, architect from HPE GreenLake, looking to cover their journey of going to the cloud with Okta. Go ahead and take it away, Travis.

Travis Tripp: All right. Thank you very much Jeff. Yes, I am here from HPE and we've had a wonderful journey with Okta the past six to nine months and I'm happy to be here to share it with you. So today we're going to cover first an overview of what the HPE GreenLake business is, understanding what we're doing, why we needed Okta. We'll talk about how we chose our solution, like how did we get to Okta, and we'll talk a little bit about how we deploy Okta and manage it, our experience with Okta services, and then there's some Q&A with Jeff at the end and a short closing.

Travis Tripp: So with that, let's get going. A little bit about HPE in case you haven't heard of us. Hewlett Packard Enterprise is the long form of that. We were technically founded in 2015, but if you look back into 1939 that's when we were really founded with Hewlett Packard and in 2015 is when we split. So with that, we are a global technology and services provider. We have customers in over 150 countries and our annual revenue is around $29 billion. So if you look at the past and think about technology as it's evolved, your perspective has changed. Back in 2000 everybody said, "Hey, don't get into a car with a stranger." In 2010 people said, "You really shouldn't be meeting up with people from the internet." And now in 2020 what do we do? We meet up with strangers from the internet so that we can get into their cars.

Travis Tripp: If we take that and we apply that to what we are seeing the trends in the overall industry, back in 2000 everybody was saying, "You can't do anything without corporate IT." By 2010 those were changing. But people said, "Well you can do things outside your corporate IT but don't let any of your sensitive data outside of your own network." Well here in 2020 our data is everywhere, and our developers and our scientists run their applications wherever it makes the most sense for them.

Travis Tripp: So this is actually where we introduced HPE GreenLake. It is the market leading as a service offering right now. It delivers on-demand capacity and planning. We combine the agility and the economies of public cloud with the security and performance of on-premises IT. With HPE GreenLake, we offer our customers a managed cloud experience that accelerates their transformation. So we design, build, manage, and optimize their on-premises and off-premises clouds so that they can experience the same cloud-like benefits of fast deployment, scalability, and paper use economics anywhere. So in fact, this is why we are here today. So I'm going to show a brief video here, which is our CEO Antonio Neri announcing GreenLake Central, which is where we brought Okta into our picture.

Antonio Neri: Today we are solving a problem no one else has addressed. We are bringing in the on-premises IT experience to a modern cloud standard. We are unifying for all users from the edge to the cloud. And to deliver a world-class hybrid cloud experience to your enterprise, we are putting you actually in the driver's seat. I'm thrilled to announce HPE GreenLake Central, the cloud experience that comes to you, to your apps, and data wherever they live. With HPE GreenLake Central, you can accelerate your digital transformation journey. Like any mother cloud experience, it is simple and agile. Depending on what your role is, you get a personalized experience, whether you are the CIO or IT operations, developer, finance, or legal. You have the information, context, and tools you need instantly. Nobody else can deliver this kind of agility, visibility, and control across on-premises workloads and across multiple clouds all together into one experience. It is a powerful innovation to help you better run your business.

Travis Tripp: All right, so GreenLake, we just announced GreenLake Central. That was 2019. However, our business, GreenLake services, it's been around for several years and we are accelerating momentum. We have customers in 56-plus countries. We have a total contract value of over $3 billion and our year-over-year growth has been double digit. So that is why we needed to come up with GreenLake Central. So GreenLake Central is that portal and platform that our customers can use to have that single pane of glass for that experience, whether on premises or off premises.

Travis Tripp: And GreenLake Central is why we needed to bring in Okta. A key part of our experience is unifying that identity. So with that, let's talk about the identity and access management part of GreenLake, which is why you're all here and watching this. So going back, thinking about the IAM evolution, similar to the evolution of technology and services that we've seen across the industry, back in 2000 everybody was basically inventing their own website login mechanism. A lot of the standards that we rely upon today, they weren't there. By 2010 a lot of people were saying, "Hey, we don't necessarily have to invent everything, but let's just go ahead and run our own thing from Apache or somewhere else that supports SAML." Well, in 2020 when we took a look at this, we decided that we wanted to use a company whose entire business is to provide world-class identity as a service, because for GreenLake our IAM goals were clear.

Travis Tripp: One, we wanted to provide a unified IAM control plane. This means we need to unify our identity across services. We need to unify access across services and, because HPE has a vendor-neutral strategy, we need to be cloud- and service-provider neutral. Next, it is of utmost importance to us that we protect our customers, our partners, and our employees. This means we follow all of the principles that you would think about when it comes to security. Principle of least privilege, separation of duties, access approval delegations, ongoing attestations, transparency. We wanted all of our APIs that we develop to be developed under the premise of Zero Trust APIs, and using industry standards is very important for us, as well as taking advantage of things like adaptive policy management.

Travis Tripp: Finally, we really needed true multi-tenancy. We have a lot of customers and those customers depend on us to ensure that their data is separate from other customer’s, from other people. So we use per-tenant users, groups, and single sign-on, per-tenant authentication policies, and per-tenant authorization policies. So that's why we chose Okta. We wanted our customer’s security to be our number one priority. That multi-tendency we're talking about, industry standards, those authentication and authorization policies. We also wanted to take advantage of some things that we got from Okta, like the AI-driven attack mitigation. Finally, when we were doing our evaluation, we looked out and we relied on industry analysts to help us make our decision. And when we looked there, Gartner's telling us that Okta is up there in the upper right of that magic quadrant of who can execute and who has the vision to do so.

Travis Tripp: So let's get back talking about some of the real nuts and bolts of IAM. And this is one that we talk about almost every day inside of GreenLake, the principle of least privilege. So this simply states that any actor must be able to access only the information and resources that are necessary for its legitimate purpose. So when we start looking at that and thinking about how can we apply this to policies, what does this mean? Well it starts with your identity based policy. This one's easy, who are you? Right? But then you start getting additional types of policies that get overlaid such as your network access policy. Where are you coming from? What are you trying to access? Where is it? Your resource based policy. So this may be, here's a specific thing that you're trying to get and it has specific rules about how it can be accessed and when it can be accessed.

Travis Tripp: And then we have organizational or boundary constraint policies. This could be where your entire organization says we will or will not allow access to this service. There are other types of policies out there. And you can find them. But for us, these are things that we keep in mind and ultimately it's what tells you this is what somebody is allowed to do. So having Okta, we use a full Okta organization per tenant in our system. So what this means is we get the full capabilities of every, for every tenant, an Okta org. We provide secure defaults and then, when we need to, we can do per-tenant customization as required for that specific customer. An example of some of the policy controls that we take advantage from Okta are password policies, account lockout policies, we have network location policies, MFA policies, and API service client policies.

Travis Tripp: Those are just some of the many different policies that we can come in with secure defaults. But then on an individual organization basis, we can fully customize it to meet their needs. So let's talk a little bit about our conceptual architecture of GreenLake Central. First of all with GreenLake Central, our goal was that single entry point for customers, partners, and HPE employees for everything as a service, which is our company's goal to provide everything as a service within the next two years. What this means is even for HPE employees, they come in to essentially an admin portal in our system, which actually is backed by yet another Okta organization. And within those portals, within each tenant, we have a set of services that we have enabled specific to support that tenant. So we have HPE admins, we have our delivery and operations people, and they have services that they need in order to do their job.

Travis Tripp: Next we have our customer tenants and they may have a set of services that are not the same set of services as any other tenant. They may be taking advantage of a couple services from us, a few services from one of our partners, and this keeps extending out. And sometimes those services are ones that we built from scratch for GreenLake, sometimes they’re ones that we have existing in HPE that we are now bringing out and exposing as a consumption-based model for our customers. So how does this apply to Okta? Well, Okta has something called a hub-and-spoke architecture. With that hub-and-spoke architecture, it starts with basically a routing layer, and you get an Okta organization and that Okta organization acts as a hub. In that hub you allow all your users to initially log in there, or at least it looks like they're logging in there.

Travis Tripp: The reality is Okta has some very rich identity provider routing mechanisms, so they can look at individual users, maybe on their email address or some other field that you determine. They're actually very customizable there. And based off of, say, their email address, it can route to the correct identity provider in order to log them in. Well, in our case, if a customer has not configured their own identity provider, it means we're routing to another Okta organization. But let's talk about that admin portal of HPE. So the admin portal of HPE is actually backed by another Okta org and that Okta org we have connected up to our own HPE internal active directory and PingFederate. So when our own HPE employees log in, the login router within Okta looks at that and says, "Oh, I know that this should be logged in and do the single sign-on via HPE’s own identity mechanism."

Travis Tripp: At the end of all of it, the user ends up logging in to the Okta tenant for HPE and they are issued an OAuth access token specific to that tenant. For each of our customers when they log in, they will get routed into their own Okta organization and they get issued access tokens from their own Okta organization. Now if they don't have their own single sign-on provider connected in, the authentication is actually provided by Okta. So all of those sign-on policies, MFA, everything, password policies, all those will apply and can be managed through Okta as basically local system accounts. As soon as that customer decides that they want to go ahead and connect into their own single sign-on, we will connect them in just like we have done over here for HPE. They will get connected in through one of the many mechanisms that Okta provides.

Travis Tripp: So it could be AD sync, it could be SAML, could be OAuth OIDC, any set of mechanisms that allow that customer to log in. And so with this we are able to provide that base identity login. Additionally, all of those services that we have connected into, we actually use the identity federation, the apps within Okta, to connect up from that customer's org over to any services that are supporting that customer's org. So for example, if they're using our managed private cloud offering or they're using our continuous compliance for public cloud offering, those are all independent services that are connected via the apps in Okta. So that then the cross launch or the identity federation just works seamlessly. So our users simply log in, they never even really understand or see that they're even going into Okta. They type in their email, they're routed to the correct identity provider, and then they're able to access the various services via GreenLake Central. vTravis Tripp: Now in GreenLake Central, we actually provide a front end that has a lot of rich data and brings it all together in one look and feel. But the great thing is this complexity of identity behind the scenes from Okta, it's not even visible to the customers. We've taken care of all that and we take advantage of all of Okta's APIs to do that. Which brings me a little bit to somewhat of a pain point. So when you go to do some sort of a rollout like this, and I really don't care if it's one organization or many organizations, you really need to look and think about automation. Okay? Within HPE, people know me for many times saying, ”Humans are the enemy of security and reliability.” And I genuinely mean that. So for us that means if we have configuration that needs to be done for a particular customer or on behalf of them, it all gets encoded into a configuration and a managed state.

Travis Tripp: Now with growth, complexity becomes exponential. And again, ongoing management requires automation. So this is why we actually chose Terraform. Below is an illustration of that configuration graph for some of our organizations. So from Terraform you can generate these configuration graphs and you can see that all of these little dots and circles, these are configuration items that we have chosen to manage in Okta. And we do that all via versioned Terraform configuration for each of these. And when we need to make a change, we simply go in, we will make configuration changes specific to either a specific organization or that will apply generally. We get that all checked in and then it gets rolled out. So this way we can always recover the configuration that's required to manage this organization.

Travis Tripp: So you might say, "Whoa, wait a minute, that sounds difficult. How do we do that?" So the point of this talk was to talk about how quickly we did it. So let's talk about that journey that we went on. That 60 days from kickoff to that first customer login. So last year, pre-August 1, we were obviously already working on GreenLake Central. It's a very powerful system and product. And we had previously plugged in an enterprise-grade identity provider open source based solution. So basically looking at that 2010 thing we were talking about and the more we looked at it and the more that we wanted to ensure that we were always taking care of that customer's identity, the more we said we need to be looking at bringing in somebody who that's their whole job. And that's where we were doing some evaluations with our Okta solution architects. On August 1, we internally made the decision that that's it, we're going to choose Okta.

Travis Tripp: And so we got the wheels in motion on that. And then on September 1 we officially kicked off our professional services engagement with Okta. That's where we brought in some members of their team and we started co-developing with them basically. In between there, we had HPE’S R&D go through Okta Education Services. Right after October 1, so we're actually talking just 30 days from when we really did our first kickoff with Okta, in 30 days we did our first demo to analysts of GreenLake Central running fully backed by Okta. And then on November 1 our customers were logging in to the new Okta-based solution. So, then December, that video I showed you, that's where our CEO was announcing and launching Okta. So if you really think about that, from the time we really got engaged with Okta Professional Services to when we had customers logging in, it really was only 60 days. We were able to transition and transform that quickly.

Travis Tripp: So how did we do that? We worked a lot with Okta's Customer First team. For me, they really felt like extended members of our team. We had a customer success manager, we worked with their Education Services and we worked with their Professional Services organization. The Professional Services, what did that look like? Well, first we elaborated our use cases and our technology environment. We drafted that high level architecture. We created the project timeline and staffing plan. We created and delivered a customized training plan for Okta for our organization, and they worked directly with us in implementing our initial architecture manually, so we would talk to them, talk to our use cases and then put them in place, and then finally they provided development assistance with that automation that I was speaking about.

Jeff Janovich: All right. Awesome Travis, thanks for that awesome explanation and walking everybody through the amazing story that HPE has gone through. We'll take just a couple of minutes, folks, to cover some Q&A with Travis here to get his thoughts and ideas around, initially really, just what his time was like working with the Okta Customer First team. You mentioned, Travis, about Professional Services really becoming an extension of your own team. So tell the folks a little bit about how it was working with Professional Services, and working with this aggressive timeline that you all had to get GreenLake Central out.

Travis Tripp: It was really great, Jeff. We brought them in and from the point of kickoff all the way up through the end, it was really like they were in our daily meetings. We interacted with them every day. We had a few guys that we just turned them loose to work directly with our developers, so we had working sessions some days where we were working all day long in the same room where we would just side-by-side, while virtually, because we were all working remotely, and it was really awesome. I felt like we came to count on them and we really built up a lot of rapport between the team members and it was just a good experience and it accelerated our knowledge as well. It helped us to make some decisions more quickly because we were able to leverage their experience and that was... Honestly, that was critical for me.

Jeff Janovich: Nice. Awesome. Very cool to hear that. I'm sure Professional Services definitely feels the same way with working with your team, with how great of a project this really was. Let me move on to the next question. It's definitely a little more near and dear to my heart, if you will. Had some great time working with you and your team as well. You talked about your education path and the customized training plan around Inbound Federation and Okta Essentials. Explain to the folks really just kind of how, working with you, came up with the custom plan and your experience overall with Education Services and how that helped ramp your folks up to get moving on the project?

Travis Tripp: Yeah, it was really great again, Jeff. I kept thinking, "Uh-oh, I’ve got to tell Jeff do we need to change something again or make some other change." Because we had a complicated situation. We have people in basically every continent of the Earth that we wanted to get trained and we had differing timelines of when it would make sense to train them. And the Professional Services team, when we were working with them, they first identified that our R&D people needed to get some of that org-to-org training. So that's where I worked with you. You identified, we got that custom one day class for our R&D team so that they were all up to speed on doing the proper org-to-org federation.

Travis Tripp: And then from there we identified the Okta Essentials: planning, the timeline, the people. And I remember I was even having to change people out from under you or switch that around right up to the day that we did it. But in the end I think we ended up educating 50-plus people from HPE, whether that's R&D or some of our delivery and operations people on Okta. So it went great. I mean if there's one thing that I think people should do, they should take that Okta Essentials training class.

Jeff Janovich: Awesome. Awesome. Very glad to hear. And it was, I think it was about 53 people if I think right. But no, it was great. You know, working with you and the team, and I know the classes went well, so I could definitely appreciate that feedback and comments around education. Next question I know is a little more near and dear to you as well. Working with your customer success manager, or your CSM. I know you mentioned to me a couple of times how they really became a part of your team and helped keep you on track and worked with you throughout this entire process to make sure that you and your team had exactly what you needed, and then sometimes also pushed a little bit to make sure you stayed on track. If you could, let the folks know really how your CSM helped you plan and prep for this deployment of your customer portal.

Travis Tripp: Yeah, so the CSM, our customer success manager, David, from the very first time I met him, he called me up and said, "Listen, I want you to have my phone number and I want you to know that you can call or text me day or night, whenever, for anything." And I didn't know if I was going to believe him or not, but he actually held true to that. There were a few times when I was worried about something on the weekend or an evening that I did text him or call him and he was right there. And in fact, there were a number of times that he was following through on watching what we were doing, what our goals were, what our rollout plans were, that he helped us to identify some key points that we needed to have delivered on certain dates, and he was pushing through with that on my side.

Travis Tripp: And I know that over on the Okta side he was helping the Professional Services team to ensure that they were meeting our dates as well. So I would say end-to-end, he was right there with us from start to finish, helping us to identify everything that we needed, to ensuring that we got it out there on time.

Jeff Janovich: Awesome. Awesome. Very glad to hear that. I have just one more quick question for you and you could please feel free to take as long as you want to answer it. I'm sure the folks listening and watching are thinking about all of this. Just hearing your amazing story and what you all went through with having such an aggressive timeline. There are folks really looking at these sessions and listening to your story and are curious about what kind of advice you would give. If they have a similar deployment or even if it's not similar, just a deployment of their own, about things that you would recommend, best practices, things that you enjoyed, things that went well, things that didn't, anything under the clouds, if you will, to make sure that they really have their step in the right direction. So if you wouldn't mind, what kind of advice would you give and then, please, feel free to continue on with your story there.

Travis Tripp: Yeah, sure. So I think that this plays well into my next slide, which is my lessons learned. To start with, it is so important to know your own business goals and use cases. We knew what we were trying to do with GreenLake. We really had spent a lot of time, this is not something that we just pulled out of a hat in August and suddenly we were running with it. We actually knew what we were going to do. We knew what we wanted to do. The thing that we had not fully decided was what technology we were going to use to enable some of it. And us being able to know our business goals and use cases and take that to our Okta solution architects even before we engaged Professional Services was absolutely critical. I think that if we had not done that, this easily could have taken us much, much longer.

Travis Tripp: Which brings me to the next point. You really should engage with those solution architects. Tell them what your problems are and feel free to talk to them about what you're already doing, what you've already tried, tell them what other vendors have told you. I mean, we were talking with quite a lot of people and we also already had implemented our own enterprise-based open-source solution. But when you're able to bring that in, you know your use cases and goals, and you can really work with those solution architects up front, it's going to help you to come to the right solution, right decision no matter what you choose. Once you have made that decision, like we made that decision to go with Okta, one mistake we made was we didn't train some of our staff early enough. They had already been involved, had already been playing with Okta, thought, “Okay we can do this.”

Travis Tripp: Well we could do it, but we did waste some time in that we didn't get them formal training soon enough. So if there's one thing that I could look back on and do, I would have gotten a subset of our org onto that Okta Essentials training right away, the second we made the decision, so that when we walked in with Professional Services they would have not had to identify that there were a few gaps in our knowledge. And that's okay, because it was awesome. We got Professional Services engagement like, "Hey, you know what? It'd be helpful if you took this federation class." And so we took our R&D team and put them through the federation class and that helped tremendously. So in that regard, again, get Professional Services engaged early, once you get past that initial evaluation. Once you've made that decision, get the proper training, get PSN and you're going to run.

Travis Tripp: Finally the next couple things, automate everything. Do not rely on some person to make changes for you. It's not scalable. I think that maybe if you're a really small organization, you could have one administrator and it might work out for you, like just super small, but if you want to be enterprise class and you actually want to have a secure and reliable system, automate it, put it all under configuration management. That's the way we roll. That's how we do things.

Travis Tripp: Periodic reviews. We've done this, we do periodic reviews on the features in Okta. We do periodic reviews on the changes that are coming. We also have periodically gone through our configurations and had Okta handhold us if you will, in ensuring that we are staying up-to-date on having the correct and most up-to-date security recommendations that they have. We do that monthly and quarterly, depending on the level of depth that we're doing. So definitely plan on doing that. Don't just think that you've rolled it out once and you're done. You need to stay up-to-date.

Travis Tripp: And with that, I mean that's what enabled us to launch GreenLake Central. It was so exciting for our team to be able to see our CEO stand up there and say, "Hey look world, we've now put all of our GreenLake services under this GreenLake Central umbrella and it's all unified." I mean that was a tremendous accomplishment for us and we know that it was partially enabled because of our partnership with Okta and going through everything there.

Travis Tripp: So I cannot understate just how awesome it was to see that all come together and to know that we were building on top of such a secure platform. So with that, I would like to invite you to go and find out more about HPE GreenLake. You can go to this link for more info. We have a lot of good information there about what all the services are that we provide. And thank you very much on behalf of Okta. And I'd like to thank the Okta team for having us here, from Hewlett Packard Enterprise and HPE GreenLake, thank you for joining us. And feel free to reach out if you have any further questions.

Join us in the journey that HPE took to launch HPE GreenLake Central, an advanced software platform with unified identity from Okta that provides customers with a consistent cloud experience to manage and optimize their entire hybrid IT estate. Learn how Hewlett Packard Enterprise successfully deployed Okta's org2org integration solution at record speed.