Collaboration Made Seamless with Box and Okta: Connect Your Users, Partners, and Customers
Bryan Mann: Thank you very much for coming this morning. Hopefully, everybody is in an okay mood and recovered from last night. Your voice sounds like you've smoked a dozen cigars like mine does. I don't know. I didn't. Maybe some of you did, but I did not. So, thanks again for coming.
Just a quick survey from folks. How many of you have 10 or so Okta connected SaaS applications in your environment? Okay, good. 20? 50?
Bryan Mann: Okay. All right. About 50 or so different applications a year you're managing with Okta? Great. How many of you would admit to, say, a credential compromise in your environment? Obviously, identity credential's all about ... So, nobody's going to admit to it. How about admitting to maybe using a password manager? Not Okta, but how many are actually using a password manager? Good. Awesome. That's an interesting thing because as we look at SaaS services, password compromise is probably one of the biggest challenges that we have. It's probably one of the biggest security risks that we have as Dropbox. So many people are reusing passwords. So, one, get your things connected with something like Okta. And then, the second side is definitely get a password manager in place to start managing those other credentials.
How many, finally, are ready for the big day tomorrow? Everybody knows what the big day is tomorrow, yes? GDPR. Great. Happy GDPRE, I should say, yes. Wonderful.
Well, Okta's had a great integration with Dropbox. Okta's one of our oldest partners. We've got a great way of setting up single sign-on. Super easy, super automated. We've got a very quick way of importing groups. So, if you have groups in Active Directory, we can quickly get those imported to Dropbox so that you can set up team folders. Lots of automation that Okta's actually taking advantage of using our APIs to simplify the CRUD side, right? The Create, Read, Update, Delete of users within your environment. So, again, Okta's been one of our great partners in the past and I encourage you all, if you're Dropbox customers and Okta, make sure you got that solution connected.
Also, I'm not sure how many of you are using EMM. Yes, couple? Great. Dropbox also has an EMM client that connects greatly to Okta and allows you to de-provision the client, as well as your remote wipe on content that is on the device as well. So, another great integration option with Okta.
Let's move onto the panel. We've got a great panel here today. I'm going to let each of them introduce themselves, give a little bit of background. And then, we also have a bit of a workflow that we want each of you to describe with your environment. So, we'll start off with Cori.
Cori Biruk: Hi. Pleasure to be here today. I'm Cori Biruk. I'm Director of SaaS and collaboration for Dow Jones. I oversee the collaboration, the SaaS apps, Google, Dropbox, Slack. Focus on collaboration and change management. Some of my background: I've been doing this web marketing HR systems for a number of years and natural to migrate into the SaaS and collaboration environment.
So, as you can see here, one of the big things we implemented recently was Workday as a master. A lot of hard work and good effort from some of the people in this room ended up doing that. That solved a lot of problems. We used Workday as a master, go into Okta. We do the Active Directory, sync back to Active Directory. And then, we do the provisioning for Slack, Dropbox, G Suite. And then, we authenticate into UltiPro, Workday and all our many SaaS applications.
Bryan Mann: Great. Awesome. And moving on.
Jarel Jones: Hi, I'm Jarel Jones. I'm with National Geographic Society. My role there is Senior Cloud Systems Administrator. I basically administrate and deploy and develop most of our SaaS applications. Pretty much all of them actually. I've been with Nat Geo for about seven years now. In IT in general for about three years in IT operations management. So, as you can see, with the workflow here, we have a similar system as Cori. We start with Workday as our master. Although, we're doing that mostly for staff provisioning. And then, we have ServiceNow as our source of truth for our non-staff work contractors. All that is funneling into Okta, which then pushes straight out to everything else, such as G Suite and Dropbox for user provisioning. And then, we have Cloudlock and Vera for our authentication encryption policies. That's been working out pretty well for us.
Bryan Mann: Awesome. Great. And Javier, please.
Javier Ruiz: Hi everybody. My name is Javier Ruiz. I'm a Software Engineer at Silicon Labs. We're a semiconductor company in Austin, Texas. We have our master in Active Directory. So, we typically push all users in groups directly into Okta. What makes the Okta integration really nice with Dropbox is we have all the group provisioning functionality, automated provisioning. So, anytime a new user joins our company, really makes it easy for them to automatically get all the team folders, groups added to their accounts and are ready to go on day one. We also use Vera as well for authentication, access policies. We have a lot of intellectual property that we want to protect. Being in a cloud that's a big concern for most people.
We also use Okta for authentication for our other SaaS applications like our lasting tools, Salesforce. It really makes it nice for Dropbox to just push files into those applications. They're wrapped in maybe Vera or DOP client. Yeah, this makes it really easy for everyone.
Bryan Mann: Awesome. Great. Finally, my name is Bryan Mann. I should have ventured earlier. I'm Head of Enterprise Architecture at Dropbox. I've been at Dropbox for about three years. General Electric prior to that. So, long time IT guy. Not a sales guy. Sorry, if there's any sales people in the room. But I came with three great practitioners on stage. So, let's jump into some of the questions.
So, Dropbox has been around for about 11 years. We started basically with the consumer product. I think everybody is familiar with that. Maybe store your family pictures and those sorts of things. But we made the jump into the enterprise space about five years ago. When we were doing that, we made this conscious decision about maintaining a great user experience. And so, how do you balance that user experience versus security and the controls that an enterprise needs. What do each of you do as far as balancing that security and user experience? Making sure that people are still using the service because if you go too far one way you're going to throw the user experience off and people are going to go off and find something else. So, how do you maintain that balance?
Cori Biruk: When we implemented Dropbox, for example, we looked at departments that had similar permissions for team folders. So, we structured that appropriately, and the more granular and complex integrations, migration, we used a tool called Tervela. So, with doing that we were able to create a consistency and a good user experience so that when we transitioned and people migrated to Dropbox, we were able to give them that user experience, something they're used to coming from that other environment that we migrated over from.
Bryan Mann: Awesome.
Jarel Jones: With us, I mean, it helps that most of my org. had already been using Dropbox personally, so they knew peripherally well how the UX Design went and how great it was. But for making sure that our users continue to enjoy the usage of it at our jobs, we always kind of lean more towards UXI. So, when it comes to any policies or any settings in the system that we have the option of turning on and off, basically anything that we know won't impact the user, or more anything that we know is not going to be a security concern, we just leave on. We just leave the way they expect.
And one thing that's helped recently partially for Dropbox, but a lot more for other applications we're deploying as well, is that we've been bringing our brand marketing team in for discussions. Initially, the start, but all throughout the entire process with pretty much any application we're doing. Even with Dropbox, we would bring them in for any changes coming down the pipeline to discuss with them, "Hey, here's how this looks. Here's what's going to happen. What do you guys think? Do you think the rest of the company would be okay with the design for this?" They've helped us a lot on that end.
Bryan Mann: That's good. Excellent. Javier?
Javier Ruiz: Yeah. I mean, likewise, a lot of our users already had to use Dropbox. Coming from a Legacy On-Premise systems, the UX immediately was an upgrade. Also adopted the UXs is really nice. So, it was an easy transition for us. We also use our brand marketing team to come in and make sure everything is following outlines. CEO is a stickler for that type of thing. We're always going to check with him.
We follow a couple of basic rules, keep it simple, always automate if you can ever automate it. You want everything to be very seamless, make it easy for all the end users. The integration is so tight with Dropbox and Okta right now in our environment. Really makes it easy for the admin side and the user side.
Bryan Mann: Great. Excellent. So, Dropbox is probably one of the many SaaS solutions you guys have in your environments. How are you managing across all of the SaaS services that you manage? What are some of the approaches technology might implement? And then, also what are some of the gaps you might see in managing across multiple SaaS environments?
Cori Biruk: For us, we control access through Okta, which is great. It gives a one-stop shop for our employees to access. But one of the biggest challenges and gaps we face is the configuration across multiple SaaS solutions. Being a news organization, we have a lot of rules around the legacy information, retention data, and what we do with them. So, keeping that consistent basis across SaaS applications is a challenge for us. So, we look to solve for that using whatever tools we have or working with the different departments to get the application set up.
Bryan Mann: Gotcha.
Jarel Jones: I feel like our answer is going to be very similar for all this. Okta pretty much takes care of everything. The provisioning for Dropbox makes it so much easier just to be able to give everybody accounts. But that actually ties into the biggest challenge probably for us is the fact that so many SaaS applications out there don't actually support automated provisioning. So, we spend a lot of time right now just mainly creating accounts in various SaaS apps internal to the apps in addition to giving access to the app and Okta. That takes up a lot of time.
It's funny. When we discussed this before, I didn't really have a good answer as far as fixes for that. But yesterday in one of the panels that Okta, they mentioned possible SCIM provisioning coming to the app integration wizard, so maybe I don't have to worry about that for long hopefully.
Bryan Mann: Yeah, I guess along that line, are there other standards that you're starting to push your SaaS providers to support so that you have consistency across ...
Jarel Jones: Yeah. Basic SAML connection is the starting point. Most people offer that. At least, the ones that don't have it set up automatically with Okta. We can set that up manually. But especially, what I just mentioned, SCIM provisioning is ... At least, if not SCIM provisioning then just direct provisioning with Okta. That's the biggest thing we look forward to in any application we go out to because we want to have that on the ground floor and not have to deal with any of the issues related there.
Bryan Mann: Right. Good. Javier.
Javier Ruiz: Yeah. Lifecycle management. That's really one of the issues that we deal with as well. Provisioning, huge issue. We'd love to just have it as easy as it is with Dropbox and Okta. But typically the other apps that don't support that, we have to maybe get our HR team to submit Excel spreadsheets to them for provisioning. And then, we on the Okta side have to manually make sure those are matching up. It can become a pain. If we can push the vendors to get these app integrations a little bit more robust with provisioning, that would really, really save us a lot of time.
Bryan Mann: Good. So, it's increasingly important for IT to integrate applications. So, it's not just siloed applications, but how they're actually talking to each other. Oftentimes it's tools that IT has brought in, extension things, but often it's not. It might be users bringing in tools. How do you guys solve the integration challenge? What are some of the approaches that you take to making sure that apps are integrating? And this is beyond identity, beyond security applications.
Cori Biruk: We have that challenge, especially when individuals purchase their own application for individual use for the departments that they're doing. And it presents a big legal, again, with the data issues. For example, we had a lot of our execs, and people brought on this application. Wasn't integrated into our system. It wasn't authenticated through Okta. So, it becomes a security risk. Then we look at how we can move to an enterprise agreement and what we can solve for as far as integrating that into our solution and what we have. So, it becomes a challenge. And the integration across the different SaaS applications. Also, we look at ways at how they work together, just like Dropbox, Okta. A lot of these applications have their out of the box solution, which is great, but doesn't always work with our Legacy customized experience. So, that becomes a challenge when we're trying to integrate into our Legacy systems.
Bryan Mann: Is integration a primary purchasing decision as you're choosing things?
Cori Biruk: Yes. It becomes. It does. So, I look for solutions that have an API that potentially works with other companies. When we bring it in, it becomes part of our requirements and what we're looking to do. When we brought in HR systems worked in other things. We looked at how we could integrate with what we currently have, our Legacy, and what we need to integrate out with the Okta and everything else for security. So, yes, it's very important when looking at purchasing something new.
Bryan Mann: Yeah, good. Jarel?
Jarel Jones: Yeah. So, that's definitely a concern for us as well with integration. This kind of ties into my previous answer on opposite side though. I mentioned that there's a lot of applications that don't have support for things, but so many cloud applications now actually do have support for even just basic SAML connections to mainly create in Okta. So, it makes it a lot easier these days if we run into departments that have privately purchased an application or are using internally. It's generally not that difficult to pull an application in, connect it to Okta, give them access that way so they're part of MFA security password policies. So that helps a lot and it's absolutely something we look out for because, like Cori mentioned, there's a security risk there, but also on our side, I've noticed that departments will purchase products that other departments may already be using. Or they may be using other alternatives that they hadn't considered. So we want to get everything in one umbrella so that people have the resources to see basically what we offer that they can use, and see what fits them best.
Bryan Mann: Yeah, I think that the cross department, nobody talking and buying their own thing, is a challenge for everyone. Want to get everybody under the same umbrella, logging in the same, but, better figure out the credit card problem like everybody's got a credit card...
Cori Biruk: That's true.
Bryan Mann: Javier?
Javier Ruiz: Yeah, shadow IT's always going to be an issue, particularly when, exactly that, when the department doesn't really know what tools are available and maybe another department has purchased something and maybe another department doesn't know that that's available to them.
We really try to solve that by just being as transparent as possible to our users, showing a list of all the applications that are available to them. We do a lot of end user trainings, we try and bring in vendors to do training for us, or if maybe we have an admin like myself or somebody who's the in house expert to offer as many trainings as possible. So that way, the users feel comfortable with the tool and maybe it'll fill a gap of a couple of tools that they didn't know was possible. Just transparency in general, really seemed to be what solved a lot of our issues.
Bryan Mann: Good. So each of you have unique requirements, whether it's protecting intellectual property for a multi-protocol chip, or protecting sources for news that's coming out tomorrow. How does identity play a role in data protection for you, and how do solutions like Okta help solve that controller challenge, as it relates to SaaS solutions?
Cori Biruk: With our company, we have multiple business units, not all on same Okta, some are not on Okta. Different networks, so it's hard, a challenge for us with collaboration, when people want to share documents or tools across the different business units. So what we found, one solution we looked at with Dropbox was a way we can allow and authenticate securely, to have the different business units access this documentation, share it, and this helps especially in the tech world, when we're looking at APIs, or what was done and not done, so we're trying to look at how the different business units collaborate, technologies, plugins, anything another company has done, across the board, and use that in their technology space. That's one of the biggest issues, I find for us.
Bryan Mann: Interesting.
Jarel Jones: I think one of the more important things for us was just making sure everybody was on one platform. I feel like that's kind of impossible in the business world, where most of the platforms, they handle everything. But if we can get all of our users primarily using one source for the stuff they upload and share out to other people, it makes it a lot easier, and obviously that's not going to be possible without identity. But Dropbox makes the situation significantly easier on that aspect too, with the Okta Integration working as well as it does, so with all our employees in Okta, and everybody provisioned with Dropbox accounts, it made it easy to make sure everything was flowing through one direction, and that we could put all our policies on top just to make sure things were going where they were supposed to.
Bryan Mann: Good. Javier.
Javier Ruiz: Along the same lines, we're a multinational company, our IT admins aren't awake all the time to make sure that our users in Asia are getting access to everything that they need. So, we've kind of started to share responsibility with a lot of the teams out there, instead of us being so heavy on the IT side of the admiring. And we really wanted to give some of that control back to them. Because at the end of the day, they know who should have access to what, more so than we do.
And just making sure, like Jarel mentioned, everybody being on the same platform really makes that easy. And if we can apply policies on top of that, to really make sure that we're protecting the important stuff, it kind of makes a nice symbiotic relationship between IT and the end users.
Bryan Mann: Yeah, and I think Jarel, Javier, guys both have a unique situation, where you're using VERA as well, in the data protection aspects. So there's an additional policy layer that you're able to have on top of that. It's all about integrating with Okta and so, as you define a group in AD or Okta, that that is all really reflected within the policy set of something like VERA for that additional protection layer?
Jarel Jones: I would say it is for us. We use a combination of VERA, but both of them are hooked into the APIs to both services, and they're picking up on what's coming in and what's coming out, and the access levels that people automatically get from their groups is being pushed around everywhere else. So, it makes it way easier than it used to be, to keep track of this kind of thing, thanks to those kind of services.
Javier Ruiz: Yeah, it works beautifully for us right now. All of our groups in Active Directory, Dropbox, Okta and VERA are all the same. So, end users, for instance can create a Dropbox group on the fly that'll get pushed to Okta and to VERA, and so all those controls and policies are automatically getting taken care of, and really just, like I mentioned earlier, puts control back in their hands, instead of us having to make sure all the groups are up to date.
Bryan Mann: So, for group management, mostly it's end user or some power user that is driving group management, or is it-
Javier Ruiz: It's a combination of both-
Bryan Mann: ... it's IT-
Javier Ruiz: Typically we have a person that is the expert within their team on the tools and will have one-on-one meetings with them, make sure they're getting everything they need, and make sure that the groups and the technology's working as it should be.
Bryan Mann: Gotcha.
Jarel Jones: Same here. We have a lot of groups, to be honest, very little departments, but in all cases, it's just people in the know, users in the office who are familiar with the situation, and it kind of centers around them. We do the work to set everything up, but we have people who are familiar with the situation in there, and working together helps us ensure that everything is going smoothly.
Javier Ruiz: And undoubtedly, I'm sure probably there's some central authorities that are managing groups, possibly? Yes?
Cori Biruk: Possibly. A lot of our stuff is, we use AD, we have the Google Groups, so there's a lot of disparity across the different applications. So that's where having Workday as a master has at least helped in that solution.
Bryan Mann: So it's more role-based that Workday is the authority to say, "Okay, this person is in HR Finance, or whatever. They want to get this folder, that's going to tie maybe to a team folder in Dropbox, and then maybe to some other policy sites.
Cori Biruk: Absolutely, yeah.
Bryan Mann: Great. That sounds like the ideal world, like where you can have it from, the kickoff from one central place. Awesome. As you guys have adopted cloud services, and when you think about it beyond identity, do you have other baseline controls that you require, or maybe make a best effort to actually implement, and how do you go about testing some of those solutions to make sure that they fit in? Javier, we'll start with you. Mix it up a little bit.
Javier Ruiz: Yeah. Anytime we're bringing in any new possible software, we really go through a process of risk management, making sure that it's going to meet a lot of our requirements on our security side. You know, we want to bring in as many people as possible to really hear out what the possible problem that we're trying to solve for is. To just get different points of view. Even if it's somebody on the HR team who may never even touch this tool, but they've got to be able to speak to it, with potentially other departments, stuff like that. But just getting as many people as possible into these initial kickoff meetings and projects.
Bryan Mann: But are there other tools, maybe a CASB, or a DLP solution, other things outside that you're saying, "Okay, we want to make sure, or make a best effort to plug those in."
Javier Ruiz: Oh sure, yeah. Our DLP solution is wrapped around everything, so that regardless, it's always going to touch every tool that we use. We have multiple layers of security on top of Dropbox for instance. And our on prem environment.
Bryan Mann: SIEM solutions, pulling in all the events ...
Javier Ruiz: Yep. Little bit of Splunk.
Bryan Mann: And so, for things like Splunk, are you pulling in all of the events that're happening in Okta, pulling in from Dropbox-
Javier Ruiz: I'm trying to get better about it in our personal environment.
Bryan Mann: ... and flowing into your IT environment, for this glorified magical view?
Javier Ruiz: Yeah, absolutely. Our Splunk admins, they want everything in Splunk and I completely one hundred percent agree. Yeah, it's just a matter of getting it done.
Bryan Mann: Awesome. All right. Jarel, how about you?
Jarel Jones: I feel like it's a similar situation. We don't have the complexity you might necessarily have of things you need to control there. But we do have a lot of solutions we're using for DLP, for CASB, for all that. We have to ensure whenever we bring a new product in that that has support for basically all that. It's not always going to happen, sometimes we had to bring in products that are yet to go round the curve and figure things out via APIs. But that is basically number one in our process every time.
And as far as just making sure that it's good in the end, one thing we do, like you mentioned, bringing in people from the beginning, that's something that's bit us in the behind before, with not bringing people, and rolling out an internal product that did not go very well.
So usability testing is a huge thing for us now in our IT department and we'll bring in people literally from the ground floor, they'll actually be involved in the discussions for design, and just making sure the entire time we're there, happy with the product is shaping up, and how it ties into everything.
Bryan Mann: What's the average time you spend in evaluating solutions?
Jarel Jones: It varies.
Bryan Mann: Of course. Yes.
Jarel Jones: I feel like-
Bryan Mann: I mean do you have a quick fail, fail quickly, whatever you want to call it, pack in how you're evaluating, just to make sure that, "Okay, this is dead, this is down-
Jarel Jones: We absolutely do.
Bryan Mann: ... and then take it into another iteration, and-
Jarel Jones: Yes. So something like that happens, we definitely don't spend a lot of time on it. We're able to identify very quickly that it's not going to work, and just to move on. I feel in general we're pretty good about getting things out speedily, for products we're either deploying or just putting together off PTC to see if it works for the company. Because we also don't want to spend a lot of time deciding, I mean we need to spend enough time to decide if it's good for us, but our employees do have things to do, so we want to make sure that we get the stuff that they need out pretty quickly.
Bryan Mann: Interesting.
Cori Biruk: We've got a lot of POCs to test SaaS applications when they come in, make sure they're what we're looking for and what users want to see and it's a good way to test that without fully committing to that solution.
Bryan Mann: Mm-hmm (affirmative). Do you have that as part of just the regular operational teams, or do you have a team of people that are focused on emerging technology, bringing new things in?
Cori Biruk: It's a great question, and typically it's just a task force, typically my team we do early adopters on a lot of different applications. We have people across our different departments, news, sales, that we pull in that we've worked with multiple times to test out this product and we say, "Hey, this is new, we would want a group of users to POC it," and do it that way.
And sometimes the product, if it's a voice or other solutions, people have already adopted it. So we just look to those people who have adopted or already have accounts, pull them into the POC admin, and those are our users that we'll work with and survey. If that makes sense.
Bryan Mann: That's interesting. It's an interesting point, because how much is the user environment now, the user community driving IT-
Cori Biruk: A lot.
Bryan Mann: ... and the architecture of IT today?
Cori Biruk: A lot. In our case, or Belgen's case, with the SaaS applications, where you can just purchase it, we have multiple applications that we brought in, including Dropbox, because of the users. They dictated it, they wanted it, they put it in their business and workflows. We had to push it out as an IT solution.
Bryan Mann: Is it becoming a little uncomfortable being the follower, in a way? Or is it okay?
Cori Biruk: That's a great question and it's okay, because you only have the bandwidth to find x amount of solutions and you're not the product expert, and I don't know what someone needs to do their job accurately and correctly. So it's nice that these people bring up these tools that you might not have thought of.
The challenge is when they bring in a tool that we already own, that's similar features, that can do the job, but they want to use this tool for whatever reason. And that's some of the challenges we face, looking at that.
Bryan Mann: Is there a hammer process, or is there a soft, convincing?
Cori Biruk: I'm not going to go there and answer.
Bryan Mann: Sometimes you just have to say no. Fair enough. I guess, do you guys find similar challenges that the user is driving IT architecture?
Jarel Jones: Yeah, absolutely. For us it has been useful as well though. Because there's a lot of departments who do a lot of different things and again, just like her, we don't necessarily know what they need, what's the best fit for what they're doing. So, the fact that they know better and can pull in applications we weren't considering, it saves a lot of time for us. We can keep them involved so we can decide, we still have to go through our best effort to make sure it works and can integrate. But once we decide that, that solves a lot of the time.
Javier Ruiz: We definitely have a lot of IT evangelists that we try and keep a great relationship with, particularly in our design and engineering communities. Typically, we'll have a once a month meeting to make sure we're meeting all their needs. This is typically when they'll throw out an idea, a potential software that they'd like to look into, just making sure they keep a nice close relationship with them for any future projects. We don't want to be on their bad side.
Bryan Mann: Yeah, I mean, it's fascinating. It used to be shadow IT and that whole topic was kind of a bad topic. I think IT is becoming much more accepting. It's not a group of people that is necessarily shadow IT today, it's individual users that are figuring out their workflows and where they want to take their day, and how they're most productive. I think that's a pretty fascinating thing to look at the landscape of IT today versus ten years ago, and the way that IT was demanding and putting the hammer down, and, "This is how you'll work, and these are the tools that you'll use." We've kind of lost that power, I think.
Javier Ruiz: Absolutely. Especially when everything was originally on prem and very heavy handed, IT administrated.
Bryan Mann: And they all had a credit card.
Javier Ruiz: Yeah, exactly. And now all these cloud SaaS applications are beautiful and integrated, and really makes us look good at the end of...
Bryan Mann: Right, right. Definitely. I think if you now choose a solution that they want, and have been using, then, hey, now you're the hero!
Javier Ruiz: Absolutely.
Bryan Mann: Good things happen, right?
Cori Biruk: Yeah.
Bryan Mann: Good. So, along that topic of buzzwords, transformation, everybody going digital, I think there's all of these terms being thrown out every couple of years on the way that analysts, maybe vendors, think IT needs to operate. Have you guys had any really transformational projects or things that you've implemented that really have actually changed the business? Getting beyond the buzzwords and how analysts think you need to operate, what have been some things that have changed your business?
Cori Biruk: So, one of our big pushes is moving everything to the cloud. Right? So legacy, we have a lot of legacy servers and a lot of data on those legacy servers. So a big thing with one of the projects we pushed for is everyone has their personal P drives. They had a lot of accounts on it. They've had MP3 files. These are years and years of data that is really potential data risk being on-prem and being on these servers that are not going to be supported much longer. So, one of our big, and it was critical, is we implemented a self-service P drive move where we're having the users accountable for their data. What they want to move. Clean it up as they push it over to a Dropbox solution where it can be managed and stored in the cloud. That was a big initiative that we went through to look at that.
Bryan Mann: Awesome.
Jarel Jones: I feel like I don't have to answer this because Cori just summed it up. It's like the exact same in my organization.
Bryan Mann: Dropbox is just transforming everybody?
Jarel Jones: Basically.
Bryan Mann: Excellent. Great. We've solved it.
Jarel Jones: Yeah. So, we're still in the process of doing some of those moves. We just recently set up team folders and we're basically trying to replace our departmental shared drives with them. It's a long process. We're making sure everybody's good with it. Again, everybody's already familiar with Dropbox so they don't really have any problems with the set up and how it works. But it does take some time to transfer all the files over which we're handling because these are entire, gigantic departmental shared drives. We don't want them to do that like we did their P drives. But it's ongoing and it's going really well. Everybody that's involved in the pilot testing's really happy with it, so looking forward to how that turns out.
Bryan Mann: Good. Good.
Javier Ruiz: Absolutely. Along the same lines, we were fortunate enough to ...
Bryan Mann: Excellent. We didn't load the panel. Really.
Javier Ruiz: We were fortunate enough to actually be able to get rid of our on-prem data center this year. It was a big win for us. We've moved a lot of our stuff over to the cloud now. We really worked closely with Dropbox during their initial beta testing of team folders to make sure it was going to be able to replicate our on-prem network shares that all our users had been used to. And, kind of going back to what I mentioned earlier, putting a little bit of that control back into their hands: permissions and group management. We typically get three to four team folder requests a week for creation, which is amazing. And we're still also very much in the process of moving stuff into it. It's hundreds and hundreds of terabytes of data. It can prove to be difficult to move over.
Bryan Mann: Interesting. Good. Well, we're about ten minutes. We've got a great panel of great practitioners. I want to understand if there's any questions from the audience in how they're operating their business and maybe some of the challenges that you all are having and they can offer some advice. And don't be shy. Please raise your hand. Or just yell. Yes. Please.
Audience Member: So this is maybe a very specific point, but it came to my attention that at least two of you test products with brand marketing specifically. Is there something about that team that you've found is really helpful when it comes to testing out new ideas?
Jarel Jones: Do you want to go first?
Javier Ruiz: Yeah, go for it.
Jarel Jones: Okay. So, with us, the reason we went to them initially was just because we, obviously, want to make sure the marketing focus was okay not just for Dropbox but for other applications we were rolling out that needed to be designed a specific way. We felt like they knew better than us, in a lot of cases, about how the UX should look for people, for our internal customers who are using them. So that's why we brought them in, but it just happens that a lot of the people on that team are, many of them are IT evangelists themselves. They have their fingers in a lot of those products. They're just smack in the middle of it and so they turned out to be really good people to test and to check and make sure they're happy with the design and to give ideas on where we should change things. So it was kind of coincidence for us. They just happened to be good people, like good testers, and we just made use of that.
Javier Ruiz: Yeah, our corporate marketing team is kind of dual function. They also are our web team so they know exactly how everything needs to look. I'm very happy with just letting them take over that part. They know the exact colors. We have about eight or nine colors that have to be used. The logo has to be precise. I just don't want to get yelled at about that type of stuff.
Bryan Mann: It does seem like every marketing team kind of drives IT more than others.
Javier Ruiz: Yeah.
Jarel Jones: Absolutely.
Bryan Mann: They're the leaders that we're definitely the followers. Great. Any other questions? Yes.
Audience Member: Yes, I'm wondering as SaaS vendors increasingly build deeper functional level integrations, so save to Dropbox from video editing tool or see Dropbox updates in Slack. The question was as vendors build deeper integrations between their different SaaS apps at the functional level, I'm wondering, what level of visibility would you, from an IT perspective, want over those functional level integrations, like push a Dropbox update into Slack? And/or if you have two applications you already trust, do you not really care about what the interchange or exchange of data between them because you've already vetted them from a security perspective overall.
Bryan Mann: That's a great question.
Cori Biruk: That's a good question. And that's something, a challenge, we have where these developers are starting to build these integrations and get access to the API. So what's nice, some of the SaaS applications you can control who's accessing and to get permission for the API and typically they need help accessing the endpoints to get that. So that's typically when someone ... we get involved and they'll reach out and be like, "Hey we're building this application. We need help." But other than that, we don't know what's going on. So we don't know what developers are using it for, what integrations they've built to which SaaS applications.
Jarel Jones: I feel like it's very similar for us. There's a lot of instances where that happens and we don't know in advance. Although, our CASB tools help with that. Down the pipeline, we'll see things popping in the system or like, "Oh, okay. They might be doing something here."
What you mentioned at the end, if the two tools are already in use and we've already vetted them, then yeah, that's totally fine. We have a lot like that now actually, where the connections were put in place. We're just like, "Hey, go for it." For ones that we don't use, it's often a case where we will just talk to the people involved and see if that's an application we can pull into IT and manage. And if we vet it that way then we don't have any problem with going forward with that.
Bryan Mann: Javier, any comments?
Javier Ruiz: Yeah, honestly along the same lines. Yeah, typically, it's just the ... we're absolutely okay with them trying to get these integrations going. If we can help them by using API, I'm more than willing to help them. We have our DLP solution that's typically monitoring flow of data and all that. So, if we notice something maybe in Splunk that we can potentially help them with or maybe get them to go towards a different direction, that's what really helps us.
Bryan Mann: So for the most part you guys are all letting people or users do the integrations that they want. You don't have some sort of a front gate or door that they need to go through in order to do that integration from an administrator perspective?
Cori Biruk: The ones that need access to the APIs typically we have to work with the team. So they may start off trying to do it themselves but then they get blocked and fail.
Bryan Mann: Gotcha. Gotcha.
Jarel Jones: Same here. Even for the applications that don't require APIs. A lot of those things we lock down to administrators turning it on in the first place. So, they usually have to come to us regardless.
Bryan Mann: Right.
Javier Ruiz: Yeah, it's been a lot of transparency here on our end, like I've been saying.
Bryan Mann: So for the privileged accounts that are managing those environments, that are doing the integrations, that are managing admin consoles, that sort of thing, are you assigning those roles to an average user? Or to an admin? Or are you creating service accounts that you're vaulting the credentials in some way just so that there's tracking, but it's also not that role that's permanently assigned to it but an individual to do those sorts of actions?
Cori Biruk: With us, each application is different so the role changes. One of our things is being on-network and accessing that data whether you're a CWR employee we might need to give you access. Our remedy system, for example, to get the access API we have to onboard you into that right group or right business unit to actually access and get those end points.
Bryan Mann: Gotcha. Okay.
Jarel Jones: It varies for us. We're always going to want to have somebody in IT with an app, an account in the various systems we're setting up even if we have individual users who are also internal admins for that app. When it comes to the integrations, if that's something that has to be on the admin side, we absolutely use a service account in pretty much every case.
Bryan Mann: Gotcha.
Javier Ruiz: Yeah, it's very much application-application. But typically if we, like I mentioned, we had IT evangelists. If they're willing to take on that role as an admin, we built this trust with them, we're more than happy to give them an admin role into those applications considering we're multi-national. Again, we are not there available all the times. And half of our employees being across the ocean, it's nice to have an admin locally that they can talk to and show instead of via email or video conference.
Bryan Mann: Right.
Jarel Jones: I feel like it's necessary for a lot of our apps too because so many of them are in use by the users and until we brought it in, we had no idea what this app was. If they know it better than we do, then it just seems like there should be an admin on their side. Hopefully they're an IT evangelist that can do basic help support for their group. So it just makes sense to keep them in the loop on that one.
Bryan Mann: Interesting. Good. Yes, please.
Audience Member: The previous question was more about like if you allow the user to use the applications, but most of these applications have integrations between Dropbox. Right? For instance, there's a million ways to connect together. So the question would be, are you aware normally of those integrations between applications you have vetted? And the second part is, do you encourage or inform your users to use those integrations so you can use the applications better?
Javier Ruiz: Absolutely for us. My theme apparently is transparency but we want to have a list of everything available to them. All the integrations. Having these monthly meetings about making sure that all integrations and tools that we're using are filling those needs. And sometimes they will bring up a potential use case and we will have to go through and vet it with that team.
Jarel Jones: Yeah, it gets difficult sometimes. The ownership is on us to make sure that we're aware of these integrations when they're built and that they're a thing. And so obviously we need to know about them to tell the user and we just got to keep up with everything. But if we know, then yeah, absolutely. One of the apps we've been using a lot for several of our departments recently is Trello. Trello also has an integration with Dropbox along with several other products and when we learned about that we were like, "Yeah, let's get this hooked up. Let's get you able to see your Dropbox documents and attach them to Trello cards for your project management." So absolutely, if we know about the integration, we'll definitely let our users know. It's up to them whether they want to use it, but we will absolutely let them know and make sure they know the option is available.
Cori Biruk: Yeah, the biggest risk when you don't know if something goes wrong that integration and then you're called upon it.
Bryan Mann: You're not the owner.
Cori Biruk: ...anything how it was set up so it helps when we understand it. And it also helps when we can promote it to our employees. Like, "Here's a cool integration someone did with Slack with this other Google apps ..." It's a nice way to promote both the products and get it out there and encourage people to use consistently across the applications.
Bryan Mann: Great. Awesome. All right, well, we're at time. I want to thank the panel for attending and answering some great questions. If you have any other questions, we do have a booth out in the expo hall. Please encourage you to stop by and ask any other questions. We'll also be outside if you want to have any follow up. So, thanks so much for attending.
How Dow Jones, National Geographic and SiliconLabs Power Secure Collaboration with Dropbox and Okta
Every company has unique requirements for data protection. No matter what you’re doing — whether it’s distributing breaking news about tomorrow’s trading day, launching the latest magazine issue, or protecting IP for a multi-protocol wireless chip — protecting sensitive data is critical to your business. Join Dropbox for an engaging panel discussion, during which you’ll hear industry experts from Dow Jones, Silicon Labs, and National Geographic discuss how they have embraced a user-centric IT strategy to increase productivity and drive innovation, all while protecting their most important assets.
Bryan Mann, Head of Enterprise Architecture, Dropbox
Cori Biruk, Director of Collaboration and SaaS, Dow Jones
Javier Ruiz, Systems Engineer, Silicon Labs
Jarel Jones, Senior Cloud Systems Administrator, National Geographic