Hybrid IT Journey with Okta
Rob Beahm: Hi, and welcome to the Hybrid Journey with Emerson. This is a Hybrid IT Journey with Okta. I'm Rob Beahm. I'm a senior customer success manager at Okta. And today, we'll be speaking with Matt Freeman, who's a senior manager of identity management at Emerson. First, we'll start with some safe harbor. As you know, Okta is a public company, so we just wanted to flag any forward-looking statements that we share here are subject to change. Please feel free to read the safe harbor note in-depth at your leisure.
Rob Beahm: Great. So, we are your speakers here today. As I mentioned, I'm Rob Beahm. I've had the pleasure of working with Matt and his team at Emerson for the last two years. I'm excited for Matt to share his journey with Okta and to describe how they began with us, where they are today, and where they look to go in 2020 and beyond.
Rob Beahm: Hello, Matt. Would you like to take a minute to introduce yourself and describe your role at Emerson?
Matthew Freeman: Yes. Thank you, Rob. As Rob mentioned, I'm Matt Freeman. I'm a senior manager responsible for the identity management service at Emerson. Emerson's a leading manufacturing and technology company that's headquartered in St. Louis, Missouri. Emerson operates two business platforms: Automation Solutions, and Commercial and Residential Solutions. The picture that you see on the top left is of a refinery where you'll find products from our Automation Solutions business. Then the bottom right picture is typical of buildings that use products from our Commercial and Residential crew. Across these lines of business with our corporate group, Emerson operates with 80,000 employees and 700+ locations globally.
Matthew Freeman: Here, I have a slide for you which provides a high-level view into the authentication architecture that we use at Emerson. We leveraged two Okta tenants to serve as our identity providers. One of the tenants is for use by our workforce globally. This tenant is primarily comprised of AD-mastered accounts. The second tenant is for use by our customers and partners across the globe. Products from Okta that we're currently using include the Universal Directory, Single Sign-On, Adaptive Multi-Factor Authentication, and the Access Gateway. Within Okta, we've integrated over 450 applications. These applications exist on premises in the cloud, a hybrid on prem in the cloud, and often need to be accessed and used by mobile devices. Currently, my team is working on and planning to enable our customers and partners to be able to bring their own identity when accessing Emerson business systems across our infrastructures.
Matthew Freeman: Before we dig into Emerson's journey as an Okta customer, I would like to share a short story about "More Okta," which you see in quotes under the timeline. At home, I share an iPad with my eight-year-old son. Occasionally, I use the device for searching Okta's capabilities and features. My son uses the iPad for YouTube. Often, his YouTube session contains Okta ads and videos. One day, he told me that he likes to listen to and watch the Okta videos and would like to understand more about how Okta works.
Matthew Freeman: So, I gather up the patience that I feel I need to take Trey through a simple explanation of how Okta works and why my company uses it. After I give him a simple explanation, he looks at me and says, "So, your job wants more Okta." That served as a good reminder that it really does work to keep things simple and that there is often a less complicated way to view an issue problem. And so Rob, let's dig into the details behind "More Okta."
Rob Beahm: Yeah, that's great. Thanks for that. I love that story. So, let's talk about Emerson's cloud journey. Can you tell us how you began your journey with cloud in Okta?
Matthew Freeman: Yeah. Emerson had a few existing cloud solutions, but for me, the decision we made to start using Office 365 across our enterprise is where I marked the beginning of our cloud journey. The reason why I feel like it's at the beginning of the journey is because the Office 365 solution is going to be used by our entire workforce, and a high volume of the Emerson data is going to start moving out of our data centers and into a cloud solution, the environment. So with that in mind, it became paramount that we integrate Office 365 with secure access while making it very simple for a person to use and access the data.
Matthew Freeman: We started looking at Okta after we determined that the existing solutions we were using could not meet our requirements. The other solutions that we had in house did work, but were not as simple or as modern as what we were trying to deliver to the workforce as they started using Office 365.
Rob Beahm: Great. Can you tell us about the implementation process?
Matthew Freeman: We selected Okta in March of 2016 and immediately began working to integrate it with our Office 365 tenant. In April, we registered our 10,000 existing users of Office 365. As you can see, we were able to work with the Okta technology very quickly, and to work with our partners to integrate Okta with our existing Office 365 environment. That came about very quickly and seemed very promising. The following month, we were able to extend Okta and Office 365 to our remaining 45,000 employees that we were targeting for Office 365 and Okta.
Matthew Freeman: Following the cutover, the most common question I received from our leadership team was, "How did you do it so fast?" The keys to our success were sponsor, resources, and technology, and I'm going to elaborate a little bit on those keys. The best thing that our sponsor did was to hold a daily stand-up meeting where we had to identify our successes and our blockers. By bringing the group together, we were able to quickly address the issues and ultimately deliver on time with two cloud-based solutions being integrated: Okta and Office 365. Okta and Emerson really provided talented resources for us to work with in bringing the integration together. The Okta technology enabled us to move fast, and we started to see what the cloud can do.
Rob Beahm: So, tell us about your early impressions. What was the experience early on and what challenges did you face?
Matthew Freeman: Right away, we were able to experience the speed at which cloud-based technologies allowed us to operate. I think that was one of the promises of cloud technology we enjoyed experiencing: evaluating Office 365 and then implementing the solutions we looked at to make everything simple and secure. The cloud solutions like Okta addressed how we can move quickly, and that really came to fruition in the project that we had. We were able to adopt cloud technologies and quickly move along a project that I think would normally take a really long time. With the adoption of the cloud-based technologies, with Okta, we started to experience a lot more updates to the product than we were accustomed to. Previously, our identity technologies were more static. With Okta, the product was evolving very quickly and it was much easier to deploy updates than it had been with our legacy solutions. We had to get our arms around how to handle and work with all of the updates and new features that were coming along.
Rob Beahm: So, you got this cloud journey in flight, but how did you expand into hybrid mode and how did you become an early adopter of the Okta Access Gateway? What led to those decisions?
Matthew Freeman: Soon after our successful Office 365 go-live, we began to receive a lot of interest in integrating applications with Okta. One of the use cases that emerged from our business units required our business partners to access an application that was in our data center. However, the application didn't support traditional federation technologies like SAML. In order to solve that use case, we determined the best approach was for us to use a gateway technology and an Okta tenant dedicated to the use by our customers and partners.
Rob Beahm: That's great. Then, as you started moving in, Okta had a customer success manager role that was available. Can you tell us what the driver was for bringing on a CSM?
Matthew Freeman: There were a couple of drivers that prompted us to add the enhanced support that we get with a CSM. During our first year as an Okta customer, we experienced a few issues and outages where I just didn't feel like we got the level of support we needed in operating an enterprise service used by all of our employees. And especially when I think about the promise of these cloud technologies, I wanted my team to be focused on engineering and integrations, not on support issues. We didn't quite see that our first year, so we looked at how we could solve that, and that's what got us looking at the CSM.
Matthew Freeman: The second driver we had was the updates, which we already talked about. Once we started using the Okta technology, we really wanted to understand how we could best leverage it, and how we could drive as many integrations and use as many capabilities as Okta was delivering. Without the CSM, we were struggling to get information and understand all of the updates. By adding the CSM, I felt like we got better information about each of the updates and more opportunities to participate as an early adopter, which I feel is important because it just takes a little bit more time to understand the features and the capabilities before you deploy them.
Rob Beahm: Yeah. And you guys have been great early adopters of betas and new features. So, as we kind of move forward in time, can you tell us about your ERP solution and challenges you faced with the Oracle EBS?
Matthew Freeman: Yeah. So, our integrations with Okta have really grown organically at Emerson. There's not been a mandate that all applications must integrate with Okta and the Single Sign-On solutions that we have. And along that path, our business started asking about integrating with Oracle EBS, as it's one of the most common applications we use at Emerson. A common approach for systems like EBS is to synchronize passwords from Active Directory. With our first EBS integration, we encountered an environment that contained sensitive data and was internet accessible. So, using a password synchronization capability wasn't going to be a secure way to solve our problem. Ultimately, we decided to integrate with Okta, and we leveraged the gateway to authenticate into Oracle EBS and help us extend some of the security controls that we want around sensitive data and internet accessible applications. And so ultimately, we were able to keep that application and make the access simple and secure.
Rob Beahm: Something that might be of interest to a lot of listeners is how you guys have handled hourly workers and shop floor workers. Can you talk a little bit about your experience with the hourly workers?
Matthew Freeman: During this time, we started to get other applications besides EBS; we began looking at cloud solutions that really served the basic needs of all of our employees in moving those applications to the cloud. So, we’re talking about things like HR systems, payroll systems, and environmental health and safety applications. Those are all things that all Emerson employees need to access, and we saw a big shift with those applications moving to the cloud. During this time, we went from first extending our Okta solution to our knowledge workers, to later extending it to our entire workforce. That was a complex problem that we had to solve: reaching a user base that hadn't had a traditional kind of IT account previously.
Rob Beahm: Let's keep moving and get into more recent activity by looking into 2019 and present day. You recently added Adaptive MFA. I just wanted to talk to you a little bit about your approach to Zero Trust, and how you look at MFA insecurity in general. So, do you mind just talking a bit about your thoughts on Zero Trust and MFA insecurity?
Matthew Freeman: The Zero Trust concept is definitely a guide for our security program. At the beginning of our cloud journey, we talked about the importance of simple and secure access. The Okta Adaptive MFA product was a natural fit for us as we looked to expand our identity-related security capabilities, while ensuring that we continued to align with Zero Trust. Our first target for the use of Adaptive MFA from Okta was Office 365 and mobile devices. Ultimately, we were able to integrate Okta with our MDM solution to ensure only the mobile devices accessing Office 365 were registered in our MDM system. I think we will be extending the Adaptive MFA beyond our mobile workers here very soon. We're looking forward to having an advanced authentication capability really helping to protect all of the applications and employee access that we have across Emerson.
Rob Beahm: That's great. I think Emerson's in a unique position because you've leveraged almost every aspect and service that Okta has to offer. So, I just want to talk for a minute about the executive briefing that we did last year, and about some of the training we've done on site. I think it's unique, not just to Okta, but I think Emerson has also been able to leverage some of those outshoots to learn a little bit more, or to have a better partnership with our company. Could you give your thoughts on the executive briefing and then talk a little bit about the training we've done for your developers?
Matthew Freeman: The executive briefing and training events were great for Emerson. The executive briefing got our leadership teams more engaged from the Emerson and the Okta standpoint. Since that executive briefing, I have felt a stronger sponsorship and relationship with my peers' insecurity at Emerson. I believe that is a really key element in the service we're trying to provide, because security is one of the key reasons why we're operating an identity management service.
Matthew Freeman: I feel like the briefing helped my peers get excited in thinking about how they can leverage Okta capabilities to secure our computing environment. The executive briefing for me, on the Emerson side, did a great job of stimulating involvement from my peers. It also gave us a chance to talk with the product owners and get an idea of where the products are going. It was great for the other people at Emerson to hear the briefing, because it motivated them to help drive Okta activities forward at Emerson.
Matthew Freeman: With the trainings, I think the big thing that we did was look at OWAF. We held that training to get my team more familiar with OWAF, but also as a way for us to reach out into the developer community at Emerson and really talk about some of the things that we're capable of supporting when it comes to integrations for these applications with Okta.
Rob Beahm: Yeah. It's great. It's a lot of fun. That training was a lot of fun to work with you on. So, what's next for 2020? What are the big projects you're looking at now?
Matthew Freeman: 2020 is going to be a big year for us, and it needs to be. We're following a really good year in 2019 where we really grew our number of application integrations. Last year, we landed right at 300, and it was exciting to see that kind of explosive growth in the application integrations we have. That's also led us into some bigger applications which we're focused on at Emerson. One of those items is My Emerson, and that's a portal you'll find on the emerson.com website. It has some commerce and some other apps related to our products inside of that portal.
Matthew Freeman: We're in the midst of an upgrade to the Okta Access Gateway, and are looking forward to leveraging some of the new capabilities that come with it. Right away, the one that we are targeting and working with right now is the rapid SSO. The rapid SSO feature is exciting to us because we see that it has the opportunity to really reduce a lot of the complexities that we have with our existing integrations with Oracle EBS. I think that's very important to us when we think about the operational sustainability of these integrations that we put in place.
Matthew Freeman: Often, when we implement things that are technically complex, they often find a way of breaking or finding time when they're not accessible to the end user. I think that with the rapid SSO, we're going to be able to reduce that complexity. It's going to keep the application integrations running, keep the users in the application, and I think ultimately, it'll be a lot easier to perform the integrations as well. My hope is that we're able to take on more and more of these integrations with Oracle EBS if we find that the rapid SSO delivers on the promises.
Rob Beahm: Thanks, bud. That was a long journey to cover in 30 minutes or so. But as we close out, are there any words of wisdom you have for the audience? Any parting thoughts?
Matthew Freeman: I go back to the beginning, and for me, it really started with making sure you understood the problem that you're trying to solve, and then just really working on it relentlessly. I think that's what we've tried to do with all the work that we've done here in using the Okta product. We've just kind of solved one problem after another. And largely, we've been able to do that using Okta or using products with Okta. My advice would be to first understand the problem and then just really attack the problem relentlessly with the tools that you have available.
Rob Beahm: Well, thanks for sharing today. Now we're going to break over to the Q&A session. So, thanks again, Matt, for your time, and let's turn our attention to any questions the audience might have.
Join us to hear how Fortune 500 company, Emerson, is leveraging Okta Access Gateway and the expertise of Okta's Customer First team to successfully support their hybrid IT model.