Oktane18: Customer Spotlight -- Partner Identity Management in Complex Environments



Jennifer Galvan: My name is Jennifer Galvan, and as Sarah mentioned, there are forward-looking statements in this presentation, so today we're going to talk about how leading enterprises are rethinking customer experience and building new digital transformation around data access. We're going to talk about how you can experience a positive impact on your applications by using a best-in-class identity platform such as Okta for your digital transformation, and Gregory Shlyuger from Mount Sinai is going to talk to us about a case study about how he and his team wrote an application that allows providers and patients to access their data, which is stored in over 15 different business intelligence systems, and we're very lucky because he's also going to demo the IT data analytics center here for us at Oktane. As every company becomes a technology company, customer identity and access management is critical. Each and every time you expose an application to your customer base, you are giving them an opportunity to have a personalized and engaging experience, and by using a best-in-class identity platform, you're minimizing the work that it will take to deliver that application, meaning you could launch ahead of time or at least meet your project timeline. And by delivering identity and single sign-on you're creating a great user experience, but you're also reducing the cost to deliver that service. And it also allows you to apply that enterprise-grade security on top of all of those applications to prevent security breaches and to meet your compliance requirements now and also in the future. But without Okta, alone it is difficult to meet these requirements. And on average, 71% of customers abandon applications due to poor experiences. If you were to do this on your own and roll your own security, you are adding work to your application and you could experience delays in launch, on average up to six months or more in your project.
And not delivering centralized identity management for your applications does not absolve you of the responsibility for securing those identities.

So by applying security to individual siloed applications, you are potentially increasing your total cost of ownership three times. And it's not going to give you the capability to apply that enterprise-grade security, which could result in a breach. Last year, over 51% of enterprises suffered at least one breach and credentials were stolen. Because of the depth, breadth and flexibility of the Okta platform, Okta is enabling seamless customer experiences, from Fortune 500 companies to small and midsize businesses. All are able to deliver the application securely and faster using Okta by using the prebuilt tools that are available on Developer.Okta.com. The reason they're choosing Okta is because Okta makes registration, authentication and security plug and play for applications. In addition to having all of the functionality that you need to deliver self-service registration and authentication, Okta also has tools that allow you to deliver API-driven conversion methods to take your siloed applications and connect them to Okta, so you can deliver a seamless single branded experience for all of your customers. Whether it be a single experience or whether it be multiple experiences per business line, Okta makes that simple to use and easy to do in minutes. How do we do that? Well, let's break down what Okta is doing. Let's use the example of a grocery store. Let's call it Acme. In the case of a grocery store, you might have more than one type of user. For example, you have customers and you might offer a loyalty program, and you have other customers that also sign up for premium services such as grocery delivery, and of course you have employees that have to access their timecards and also payroll. So what you can do is you can connect these applications to Okta.
By connecting them to Okta, you have centralized all those identities in a single, universal directory and that now allows you to use the prebuilt tools on Developer.Okta.com to create a branded experience for your users and your employees.

Now, Okta is obviously handling the authentication for those applications, but you can authenticate to those applications now not just with identities stored in Okta, but with identities from any other authoritative source, including social media. You can also use the tool ... use the out-of-the-box functionality to turn on self-service registration, which would allow your users to have an easy experience to sign up for these services and allow you to do some progressive profiling. For example, a loyalty program might need very little data, might need just an email or a phone number, but if a customer wishes to receive groceries, they're going to need to input their credit card and also their residence and their address. So this is more sensitive information, but you only have to gather that particular bit of information at that time in an easy-to-use experience, because all the applications are sharing a common user profile and all of the user management is now accessible in a single location. Customers that have forgotten their password and that update their addresses can now do so in this simple-to-use interface, and it updates all of the applications connected to Okta. And for those applications that contain sensitive data, and also for those employees, we can increase that security by applying security policies across any applications that need it now and in the future. So to do this all yourself would be very complex, but by connecting all the applications, Acme is able to future-proof these applications and their security now and for any other application they develop, and they can even connect any of the applications that already have an integration in the Okta Integration Network, and we have 5,500 of those. So now Gregory Shlyuger is going to come up and talk about how he used Okta at Mount Sinai.

Gregory Shlyuger: Thank you. Thank you. Thank you, Jennifer. Thanks, everyone, for joining the conference. I would like to go to a quick agenda. I want to explain healthcare. I understand that in this audience, not everybody is from healthcare. I just wonder that we're all clients, one way or another. We're all clients of healthcare. I would like to just quickly go and explain the challenges that we're facing in healthcare, how we overcome these challenges, and go and explain something different. I think we're in a unique solution that we're implementing, and make a demo of the analytical data center. From an IT perspective in healthcare, there are three missions that we need to fulfill. IT is not the main business for healthcare, but it is supporting healthcare in other ways. We need to help healthcare to improve the patient outcome. We need to help healthcare to control and align the cost and improve the quality of the healthcare. But in order to do that, I want to go and explain what the Mount Sinai healthcare system is. The Mt. Sinai healthcare system is one of the biggest healthcare systems in New York. In the past five years, we went through multiple acquisitions and acquired a lot of hospitals and providers. As a result, right now it's composed of six different hospitals, 150 community-based organizations, more than 200 partners, thousands of doctors who are affiliated with us, and we're serving more than 5 million patients.

What's going on is that healthcare providers, doctors, merge and join with healthcare medical groups, medical groups are affiliated with multiple different partners, and multiple partners have the right to be affiliated with multiple different hospitals. Just think about the scope of the system, what we need to resolve. When we're working in the healthcare space, just Mount Sinai has 800 different applications which we acquired from six different hospitals, partners have their own applications, providers have EMR systems, sometimes everything is done by paper or by hand, and in order to improve the outcome of healthcare, we need to make sure that IT is integrated. There has to be interoperability between the systems. The data has to be clean. The data has to be validated. We need to make sure that for a patient, whoever was admitted yesterday in the hospital, we know what his status is up to today if he was admitted today.

Is the healthcare system all-time? When we're thinking about an all-the-time system, usually we think about banking, investment, but from the time perspective, in investment they can lose the business opportunity. In the case of the patient who was admitted three hours ago, for example, this is what it would take. He is diabetic, over 65, drug abuse, obesity. Yesterday he was admitted and was treated in some community-based organization; today he was delivered to the emergency room in the hospital. If we do not know what he was taking, what happened yesterday, we can potentially make the wrong decision, and it's coming back on his life. It can craft huge legal and compliance implications. Another thing I would like to discuss is our user base. We break down our user base into three different groups. I don't even want to talk about the patient, because the patient is completely separate and a very complicated way. How are we supposed to handle this?

I would like to talk about three different user bases. We have internal users, which we consider the Mt. Sinai user base; it's all six hospitals, employees and affiliated. Everybody who has AD and has control of the AD. The second one is advanced partnership. We're talking about advanced partners, 10,000, 20,000 employees, owned data center, all the infrastructure, IT staff. And we have community-based organizations. Some churches, they do not have IT at all. They have Yahoo and Google accounts, and we need to give them access to our systems. I just want to give you an overview. We have more than 15 different report engines in our system, BI tools. The users, in order to see information, they need to go to a bunch of different links. Log in, supply credentials.

Gregory Shlyuger: I need to go to a bunch of different links or IDs, supply credentials, and each reporting system requires learning how to use it. If they go to Crystal, this is one presentation, this is one view. If they're going to Business Logic, it's another view. If they're going to Tableau, a third view. The user is lost, and some reports are duplicated across different various systems. But talking about the users, we have three different user groups. And each user group has its own way of automation. If the user ... no, this is role number three: if the user has a data center and has AD, we install the Okta agent, and we're able to synchronize users simultaneously from their AD to Okta. If a user is onboarded, we do not have to be worried, because HR staff of that organization will take care of it. And this user will be deactivated in the whole world. If they do not have AD, we'll give them rights to maintain their own user abilities in the systems. This is role number two.

In role number one, when somebody registers in our applications, I'm not talking about one application, I'm talking about a set of applications, the request goes to a Mt. Sinai dedicated team, who is approving and reviewing whether this request is valid. Role number one requires some support team, which is why it's not so much preferable. I just mentioned something about report engines. The idea was, having fifteen different report engines, how do you simplify the user access? And the idea was, let's build some multi-tenant, web-based application that allows access from desktop and mobile. And it's supposed to be report agnostic. It's supposed to be, we're not supposed to maintain a list of reports. IT does not want to be in the business of support. We'd like to give one single presentation, a user-friendly interface, where the user can go and work by category: if they want to work on the clinical reports, they select the tile called "Clinical." If they want to work on Administration or Finance reports, they go and select Finance reports. This is about something which we built, and we've been noticing something which, they are not bad; on the road to achieve that, we resolved a couple of interesting problems, and if somebody is interested, I'm going to go and explain. We resolved the issue of two-way communication and synchronization between Okta Identity Cloud and our application.

In other words, we made a decision from day one, when we were starting to build the application, that Okta is going to be our main source of user information and user profile. Even if we just store the user in our world, we still have to sync up this user information with Okta Identity Cloud. If the changes happen in Identity Cloud, you have to sync up the information with this application. To achieve that, we went down multiple different roads. As you know, Okta has some challenges when you're creating property attributes if the user identity is AD. You cannot change those barriers. We resolved those issues, and I can share that later on, and the experience, if you're interested. We're using Okta in two ways. We're using Okta as an identity provider, and we're using Okta as a service provider. In other words, if the user wants to go to our desktop panel and access Tableau, or access Crystal, or access Business Object, or access SharePoint, in this case Okta is our main identity provider. The entry point is from our application, the identity product is Okta, and they access the destination Business Object. Business report, BI report. But we built the application as software as a service. As a result, we're leveraging what we built, through the API, for everybody else who wants to consume it. One of the examples in the world is when Epic wants to consume and use the platform in order to integrate our reports into the Epic cycle. But Epic keeps its AD outside of Okta. This is why, what happens is, we're using Epic as the identity provider, and we're using Okta as the service provider. In other words, same technology, just leveraging the existing platform. Okay. I just mentioned reports; this is something which we're going to be dealing with. On the left side is something that's already implemented in production and that we're supporting right now: Tableau, Web Focus, Diver, SharePoint, Crystal, and Epic.
And on the right side is something in our pipeline, something already in UAT, something which we're working on. We're going to implement the single-entry-point access to Business Object, Jasper, Box and Google Drive, Salesforce, Dice, QlikView, MicroStrategy, and Hadoop Data Lake. The Mt. Sinai system is not just hospitals; it's one of the best medical schools, the Mt. Sinai medical school, and we have a lot of research. And our data, all data related to clinical trials, and all data related to our patients, goes into the Hadoop Data Lake and goes through the different analytics. This is the partner offering that we have.

For the Hadoop Data Lake we need to address some reporting against the Hadoop Data Lake, and this is the platform we're planning to implement to support the Hadoop Data Lake reporting capability inside of our data analytical platform. I will not go through that one; you can go through the slide. But on the right side, we're using Okta single sign-on and MFA. It's multi-tenant; the application was built in such a way that potentially every company can use the same platform. It's running in the cloud. We're using Azure. Everybody knows we can onboard any other companies, creating the organization and creating departments and sub-departments. Onboard the users, and it's up to them to publish the reports. One of the interesting features I think we offer, that nobody else is allowed to do if you're using separate report engines: because everybody is going through the single entry platform, we can see which report is used much more often, which report, how long it takes to run a report, across the whole user base, and I will show it in the demo. As a result, it gives the IT management an idea of where its money should go, which reports have to be improved, which performance of which report has to be addressed. If some report is not used, or it's used very rarely, maybe it makes sense to retire it and combine some data elements into some other offering.

Another thing: because of a single entry point, and we have access to 1,000 different reports, we will give the user the ability to go and do shopping. A report is published per organization and department, and if I'm associated with some department, I can go, in my shopping list of reports, I can select a report, put it in a shopping cart, and say, "Yes, I want it." Internally, we have a host system that allows it to go through the level of approval, and if the user got that approval, he can go and have access to this report. In other words, it's answering the question, "What else exists in my organization?" Instead of users who request and order additional work from IT, they can go and shop the existing offering. It's mobile friendly. And I will say that it has a very intensive audit trail feature, because we're under strict compliance regulations from the state, as well as from HIPAA. We have to, every action that the user takes, every access to a report, we're planning, we have to do ...

Another feature which is in the pipeline: we want to give the user the ability, when they're viewing a report, for each of the data elements, to click on a data element and say, "You know what? I like it. I trust it. I trust this calculation. Why do I not trust it?" As a result, in the back end, we can build artificial intelligence algorithms where we can see which data has to be verified, which data has to be sanitized and validated. This is something which is in the pipeline; this is what we're working on right now. Authorization model. We have three different authorizations: super admin, where the super admin is practically a person from IT who needs to do some support. We have the organization head, the person who is actually responsible for reporting in the organization. This person sees everybody in the organization, as well as all reports which belong to this organization. But the person who we consider as a department head, from his point of view, he sees just users who belong to this department, and he sees just the list of reports which belong to this department. In other words, it's a subset of the organizational head. The concept of report publisher. If I'm an IT person, and I develop some report, I can go and publish this report in the system independently. This report is not published to everybody; it can go to the tester cycle, and if it's assigned to some organization or department, the department head or organization head can take this report and start assigning the group of users. We have an intensive, by the way, we'll have an intensive panel. This is how it looks, and I think the next thing, we're going to go to the demo. Does anyone have any questions before we start going for the demo?

Okay, thank you. Okay. Okta widget. I disabled MFA because I don't want to wait. Okay. This is the dashboard. If you see, the dashboard has been cut down by different categories. Category is, we're going to go and show you the administrative panel. Everything is customized along the screen. The user can go and say, "You know what? I would like to move that one. It's my personal. And if I go out and go in, this is the order which is required, right?"

It shows how many reports each category has. This is my test sample account in production. It shows that, "Oh, this compliance has two different reports, this is the IT DAC system, we have an additional two different reports." The user has the ability to go and select and mark a report as a favorite. In other words, if I mark that one, the report becomes a favorite, and it shows in the favorite category. The favorite category is my favorite category, not somebody else's. Let's assume that I ... that tiles are coming from my department, because whenever, again, I'm administrator for some organization, and I'm associated with some department, when I grant access to a report, for example, I grant access to the hygiene report. That hygiene report is part of the compliance tile. This tile will automatically be sh-

Gregory Shlyuger: For this part of the compliance tile. This tile will go automatically, but sometimes the user wants to go and create his own. They can go and say, "I want to clone it." If I want to clone it, this will become my personal tile. I can go in and define the contents of that. This fingerprint shows this is my personal. I can go and modify it, rename it, the compliance tool. And that contains the student report, which I just cloned. But I would like to modify this list, and say, "You know what? On this, my personal tile, I want to go and add additional reports." These are the reports which I have access to right now, because previously I had requested them. And so, you know what? I would like to have this report, that one. It doesn't matter. I select something.

My personal became six reports. By the way, each report can be ... As you see, I'm going to show you something. One report is from Tableau, another is from Web Focus. The user does not know. From the user perspective, they see the full compliance dashboard report, the hygiene data report. It's completely masked. Just before I left for the conference, I got a request from one of the chairs, or the doctors. The doctors, they're asking and saying, "You know what? We have some media files. I would like to have this media file and have access. I would like to go to the analytical center and access the media files." As a result, I asked the support team to publish a report for the media files. They published the media files, and the user has direct access.

Okay. Okay, this is the tile wheel. But the tile wheel, not everybody's happy with the tile wheel. We have a list here. Another user can go and do a search for a bunch of the reports which are available everywhere, this at hand. And this is where they'll find this report, where it's located. Okay, now, let's go around at ... Again, at a conference I'm not able to show the beautiful nice reports which we're using, because for compliance reasons, but it has to be some public report. I will show you the hygiene report, user on it, the hygiene report for example. The hygiene report was built on Web Focus. This is not our application; this is the performance of the hygiene report. We keep tracking who is clicking what and how long it takes to run, and as we go later on, if somebody wants proof, we'll have the statistics. This is a hygiene report. If you see on the right side, we'll have some voting bar. Because they're running inside of IT DAC, and we're using that space on the top, it's not convenient. Sometimes a report is very crowded.

This is why we built it from Shanow. It's maximized. They can go maximized and take all of the space, or they can minimize it back. They can mark this report as their favorite again, or unmark it if necessary. But sometimes the use case is they want to go and see some report and compare it with the previous one. This is why we built a function now so you can open a new window. In this case, they can put two slides together and do some comparison. I would like to go and show some statistic analytics which we collected. This is a Tableau report. This is our system IT DAC analytical center user usage report, because we built a Tableau report integrated just for the people ... That shows that right now we have 946 users who are currently using the system. These are internal users of our system. This is the partner user. This is the all-time data ... This is the all-time data of who is using the system right now, and it shows the trend and the usage peak. How do we know that? Because they are going through the one portal. It happens on the screen. We're capturing that. If I want to go with you and dive in, I will see the users. I see when the user last used it, and I have this whole type of information, right? This is one of the system internal reports. In another one, I'm going to show you much more. We have a concept. I did not want our business administration accessing, assigning reports to the user. I didn't want to go and do it one by one. I would like the report to go ... For example, I can say, "My financial reporting group," attached to different reports. Instead of just a one-to-one map of user to report, I am attaching the report to a report group. This is another thing when we're saying, "Okay, this department, this report group. What is the report name? What is the usage?" This is what the usage is. System notification: every time something happens, and the user requests access, whether he was granted access or it was rejected.

It goes to the notification bar. One of the things I want to show you is that when a user is publishing a report, they have the ability to publish metadata as well as help information. This is why they're inside the report. This is metadata about the report. For example, I would like to know who built it, when it was last updated, who is the user, what is the contact information? For example, or they can go in, and the next thing is it shows that question mark, in terms of it potentially can be help information or a wiki for the report. If you hit the hyperlink, they can go and open the help document associated with the report. Okay, now I will go to the administrative console. This is a much bigger portion. This is something we should just show the simple user. Amazon has its side, but as I'm on the administration side, it's much bigger than the side that we see right now. As a user, all the administration side is much bigger than the side we always work with on the surface. Okay, I want to go and search the hygiene report, for example. This is what happens: the user who has access as report publisher, the role that has access to this admin console, they can go and register a report. This puts the report name, they can attach the tile, in this case the category. By the way, they can attach multiple tiles, if they want to show this report in multiple tiles. They can specify the source. I just wrote the sources for this day. These are the sources right now. They can specify Tableau. Tableau is a guest account. Tableau is a public access identification. They can specify the defined report group. This is something which I mentioned before about metadata information. Say this report was developed by John Smith and it was developed on such and such date. That early part, if you want contact information, this is my contact phone number and email address. This is metadata. On the bottom, they can specify Wiki help, and they can see everything about the report.
If you look in the column, this column, it's the means, and it's computed by the column number 5710.

Organization management, the consensus they belong to this report, and specify the URL. This is the only thing which is required. Oh, we also have some additional feature, whether it is Iframe compatible, because not all reports are Iframe compatible. For example, we received some requests from Montower, executive management, that every time when they go to the board, they're using the system. They want to see Monday, Tuesday, Wednesday, Thursday, Friday. When they go to this tile, Monday, Tuesday, Wednesday, Friday, they're supposed to see some SharePoint report, have access to the SharePoint report, and this is what they have to look for. As a result, we created the customization that works for them, that allows them to go and not search for the report. They're looking from the perspective of Monday, Tuesday, Wednesday, Friday. Okay, the reports, not all the reports are Iframe compatible. There is nothing we can do about it, but if you want to use it, you can say, "Yes, I want to have this, my report is Iframe compatible," or "my report is not Iframe compatible." There are other ends to the user management functionality. They can go in and search myself ... Can go search it and can specify the profile. Whatever you're doing here, it's synchronizing with Okta. Whatever I'm doing here, I'm modifying the contents of the user's profile. Okay, my network, I changed, my Okta is changed. It's moving the data right away. One of the slides I will show, before the synchronization result, because we have multiple different product offerings, one of the product offerings called community gateway is when the user goes to connect applications and that information has to be transferred. Instead of just having a duplicate, this is how it is all, these are the issues. I want to show one, just one more functionality, which is report mapping. I can go on the left side, select some report. On the right side, I can go and select some users and map this report to the users. And when I save, it's done.
Alright, this is basically what I would like to show in my presentation. I would like to ask if you have any questions? Okay, thank you.

An integrated IT DAC system is crucial to the efficiency of the technology-based healthcare system today. Watch as Mount Sinai, New York's integrated healthcare system, provides exceptional care through a network of over 2000 providers and partners by nuanced use of BI reports and applications via a custom portal.

Gregory Shlyuger, Head Architect of Analytics and Population Health, Mount Sinai Health System
Jen Galvin, Senior Sales Engineer, Okta