Oktane19: Minimize AD Dependency As You Move to the Cloud

Marcus: This is the Minimize AD dependency as You to move to the Cloud. And this is the Safe Harbor Statement that I'm not going to walk you through. But, you're going to have to trust me on, it's water tight legally. My name is Marcus Hartwig. I'm a product marketer here at Okta for the universal directory. I'm going to be joined on stage today by Simon Dolly, who's a product manager for the directories. And we're also going to have our CSM, Marissa Henderson and a customer Ryan Walker from Chick-fil-A. Talk a little bit about how you can minimize your AD dependency as You move to the Cloud. We're also gonna have a quick look at the roadmap, what we've accomplished so far this year and where we're heading. But I'd like to kick the session off with a small story.

Marcus: This is a story that's been circulated for quite a while, but it's the story of how when NASA was finishing up the Apollo space program. They were shooting up these huge 30 storeys tall, 75 rockets, right? And they were getting this tiny capsule back with the astronauts. And that was because they were primarily geared towards landing on the moon and getting people safely back.

Marcus: But NASA quickly realized that future space missions weren't going to be about landing on the moon. They were going to be cargo missions to space. You're going to build the space station, we're going to continue putting satellites and fix the Hubble telescope and all that, right? So they quickly set out to design a spaceship of the future and this was a completely clean slate that they had and they eventually settled on what was to become the space shuttle.

Marcus: However, there's a lot of design considerations for them when they were designing this. And one word of course, how much cargo it could carry up. However, they were heavily constrained in size to, for the cargo based on these white solid rocket boosters that you have on the side here the orange thing in the middle is the fuel tank. These rocket boosters is basically what propelled the space shuttle out through Earth's atmosphere and brought the space shuttle out into space.

Marcus: They were not manufactured by NASA. They were manufactured by a company called Thiokol and they were shipped by a train to Cape Canaveral in Florida. They were heavily limited on how big they could be based on the size of trains specifically in Utah the train goes through mountains, so they needed to fit through the tunnels, the train tracks and a tunnel through there.

Marcus: And this quickly became a question that someone asked, well, who decided that trains were going to be the size that they are at the train tracks and all that? Because at some point, I guess there was a pretty much a clean slate building out the railroads in America. You weren't constrained by land and stuff like that right? So the answer to that was that well the trains in the US are the exact same specifications as the trains in the UK.

Marcus: A lot of people who built the railroads came over from the UK and they said, let's just use the same specifications as we have and that way we can also ship railroad carriages and stuff like that over. Okay, fair enough. But you've got a mission that's at some point someone made a decision in the UK what there train tracks were going to be and what was that decision based on?

Marcus: Well, the answer to that is they are the exact same specifications as the tramways that they had. Tram ways were the predecessors to two trains and they were these horse drawn carriages that you can see on the side here. Okay, fair enough. That's still doesn't really answer the question. Now who decided that tramways we're going to be the size that the tramways were.

Marcus: The answer to that they are the exact same size as these ancient Roman roads. And the Roman Empire were the first to build out roads all throughout Europe, all the way up to the British empire. And they have these grooves cut into the road. These groups are meant to fit the wheels of a Roman chariot. A chariot is just this horse drawn the war carriage open. You've seen him in the movies, right? And the chariots themselves were designed to be as lean and slim to be fitting exactly behind two horses behinds. So by proxy the space shuttle size was constrained by the size of two horses butts. Thank you.

Marcus: This concept is called path constraint and it's not something new, right? We've continuously forced to design new things with the past in mind. And AD is very much something like this, right? It's a legacy of a past and it on itself has a lot of history on why AD was to become what AD is. Luckily for new companies, right? They're not going to be bothered with AD. If you spin up a new company today, you're not going to be installing on prem AD servers and manage your devices and stuff like that. But for almost any other company you're going to have to have, or at least you have an AD footprint that you might want to get rid of, especially as it sort of sunset and has paid out his role as the main repository. Right?

Marcus: Lucky for us the cloud world that we're living in, and at least migrating to is not as constrained as the physical world. So these train tracks and rockets really don't matter as much for us, right? So today we're going to talk about why AD is obsolete, how Okta can help what we're working on and help you try and reduce your AD footprint. And notice I'm saying reduce, I'm not saying get rid of completely because of unfortunately we're not going to able to offer that solution to you today. We're also going to listen to a chick-fil-A's journey because they attacked this problem and went through it and it's a completely fascinating story how they looked at it and what they eventually settled on and managed to make do.

Marcus: A little bit of background history. Right? AD was launched with windows 2000 professional and as I was doing my research for this presentation. I found the old O'Reilly books that cover almost any subject specifically for the technology that they were lost in and this is the official O'Reilly book for Windows 2000. As you can see, it has an ancient Roman road on the cover.

Marcus: I don't know if that's foreshadowing or what was going on there, but the point I'm trying to make is that AD set out to fix a bunch of problems that mostly aren't relevant today. If you think about it, this is 2000, that's 20 years ago. If you look at how a business was being run it in 2000, you can sort of envision a place where you went to buy software in boxes from the store, right? And your office had these desktop computers in beige plastic and you would have a bunch of on prem file servers and stuff like that. Right? And what we see today is that companies, as they move to the cloud, people don't work like that anymore. They bring their own device to work, they work with cloud services and a lot of cases they're not even at work. They work remotely and then are out traveling. Right?

Marcus: With the cloud, the need for an on prem repository is almost completely gone. And to be realistic about it, and I think most people realize that that AD is pretty fantastic for storing the actual employee data in it. But once you start expanding it to consultants and contractors, and in some cases, customers, it starts to be a little bit uncomfortable, especially with all the groups and the security stuff there as well. One thing that we see a lot of our customers are doing is they're migrating to a world where AD as downstream application and the HR system is taking the front seats. In that model you would have the HR system, which really is the more appropriate source of truth for who actually works in your corporation would push the data down into Okta and Okta would push that data down into all the other cloud applications including Microsoft AD to manage the on prem stuff. And we are mindful that in a lot of cases the HR system is not going to be the authoritative source for every attribute.

Marcus: You're going to have stuff like phone numbers that might be managed by ring central or emails from the email server. In that case, we can push that data back into Okta and have Okta be the one stop shop for the most current and up to date information. And we also see that this is really a place where most customers are comfortable storing data other than their organization data. So you can freely store customer data in Okta without disrupting your security model, right? What this allows you to do is to minimize the footprint that AD has in your organization. So let's say you have 10,000 users in your organization, right?

Marcus: Maybe if you start to look at it, this is a pretty big cloud for it organization. This example, 9,000 of them, they're primarily using box and slack and office 365 for their day to day work. They're not working with anything on Prem. So Brian will get rid of those guys from the AD, reduce the AD foot print to a thousand people, which makes something way more easier to manage and contained for the IT organization. Right? So what about all the applications that you have on prem and that need to authenticate to Okta? Well, we're happy to announce that our elders interface finally hit the general availability.

Marcus: This means that you can take those applications and you can, instead of pointing them to your own primary lab servers or in many, many cases an AD survey, right? You can point them directly to Okta and do the authentication that way. And it also has the benefit of adding stuff like two factor authentication on top of LDAP calls and stuff like that. So that's a couple of things that you can do already today to try and minimize your AD footprints. I'd like to welcome my good friend and colleague Simon Dolly stage and he's going to talk a little bit about what our roadmap and what we were looking at doing next year. Thanks.

Simon: Awesome. Thank you, Marcus. How's it going everyone? My name is Simon Dolly. I'm the product manager for our direct integrations team. That's everything to do with AD, LDAP and our desktop SSO integrations. Marcus talked a lot about how AD can be this path constraint as you move to the cloud, right? It's really was made for its time and age two decades ago almost. If you think about how you want to move forward and build an architect for the next decade and in a cloud forward way, AD doesn't really make sense for you to build a foundation on, right?

Simon: What does that future look like? At Okta here, we envision IT to be this fast modern, agile, driven IT right? And that can mean a lot of things. Specifically it means automations and less manual operations. It also means a single source and not a disparate sources. Because what we've seen a lot of our customers is you have these disparate identity systems, whether that's one AD, multiple domains, multiple forests, or in most cases, it's AD and LDAP and some other SQL databases. So now, how can you consolidate all of that into one source to make it more agile? It also means best of breed, talked about this today on the keynote stage. It's a reality. It also means Day 1 Access for your employees and doesn't mean thousands of access tickets for your IT help desk admins. It also means you user identities because what we see in a lot of cases is shared accounts, right? One user or multiple users using one user account to log in to workstations or common apps. Most of all, it means more SAS and less maintenance for you.

Simon: So less costs, more efficiency and fast. But at the same time we understand that getting to this world, it's not easy, right? There's a lot of work processes that you need to worry about. A lot of budget constraints, your orgs growing. If your team members more burning issues, right? That's why I want you to think about this as playing chess. Any chess players in the crowd, okay? Few. But one of the first things that you learn when you play chess is how do you get in better positions of mobility, right? When you start off, you're not essentially saying, I'm going to check the king in two moves. No, what you're trying to do is trying to get in better and better positions of ability to say, Hey, I can actually think what my next five, six, seven steps are going to be, so I can get in stage that increases my chances of checking the King and win the game.

Simon: This is very similar to that, is how can you get into better and better positions of mobility, so you can actually think about what your cloud forward strategy is or what your strategy for the next 20 years and how you can build on top of that. Looks like whether you're fully on prem right and very rigid, where you have multiple AD and LDAP sources, multiple domains, multiple forests, figuring out how to consolidate that, that's a very big problem. Or you could be mostly on prem, right? We have a very small footprint in the cloud. Maybe a few or 365 applications. Maybe slack, maybe zoom, but only subsidy of users are using that. But you still have to worry about how do I manage all this on prem complexity that I have, right? It's a very hard problem.

Simon: Or you could be mostly cloud where you're only on prem resources or a couple of applications or servers and printers and file shares they need to worry about, but 90% of your users are in the cloud or you're fully cloud and agile like Marcus talked about. The challenge for us is figuring out how to help you get to the top two buckets there that I talked about. If you're using AD today, you're probably using it for a few different reasons, right? And the first and foremost being how do you manage users? How do you manage groups? How do you manage credentials? How do you manage the devices and servers? Right? And how do you store that? And the next part is really how do you manipulate that? Right? How do you apply policy whether that's device join, whether that's network policy, how do you do that at scale?

Simon: How do you do that at bulk? Right? Group policy objects. And the next one is really intended with ADFS or Okta. How do you do access? App access, server access, whatever that looks like. If you really think about what these are, they really fit into a few buckets, right? The top bucket, user management, group management, credentials, devices. It's really about how do you manage objects and that's really about a directory, right? How do you store these? How do you add Schema? How do you change Schema? How do you migrate that Schema? How do you do password resets, all of that. And next part is group policy like I talked about, it's how do you do things at scale? How do you apply policy at scale? If you really think about what that comes down to, if you reduce it, it's really all about workflow, right?

Simon: And the next part App access, Server access it's pretty straightforward. It's just access. Now as you go to various sessions throughout the day, think about how you can apply this framework and think about how you can use that to get in better positions of mobility with all the great things that we're building this upcoming year and the year after.

Simon: With that in mind 2018, we had a very big focus on flexibility. How do we become more flexible? And how do we become more scalable? So on the directory side, there's no more email restriction. We used to have an email restriction for the log in field. That's no more the case. And same with imports. If you're importing AD users from your AD into Okta, there's no more first or last name requirement they need to worry about. We hear a lot of that from our Apac customers and also linked objects are in AD now. What that means is if you have manager employee relationships, you can also imagine that on AD today. You also heard about hooks that Todd talked about today. it's a very valuable for a lot of important use cases that we see where you want to enhance the user profile or make a record in a different system that's available today as well.

Simon: You heard Marcus talked about LDAP interface, for the long time within support compound and presence filters. So basically what that means is being able to write a very complex filters using ands and ors or you're doing wildcard searches, but that's available today. And we also made a lot of desktop SSO, IDBA performance improvements where we saw nearly 50% performance improvements for logins. Any DSSO so users in the crowd? Okay, a few. Cool.

Simon: Now before we look into 2019, I want to take a very quick history lesson. So Okta really started off as a very simple directory sync agent, right? What we did is really like a V Zero of our current AD agent that you dropped onto your active directory and we pulled in the Basic Schema, right? It was just first name, last name, your user name and a password and you could do SSO into a couple of applications. And we also pulled in some groups, but it was very, very small and very limited. But as we talked to more customers, we went into more complex environments with our customers. The need for a real enterprise directory and lifecycle management became apparent. And that's how we build our universal directory about three, four, four years ago, I think now. Where you can do UTA as a master, you could have native users in Okta had a more extended Schema, a more applications and that's where the pattern of a HR as a master also started to emerge where your identities were really mastered in the cloud and then push down to downstream applications.

Simon: But as we move into more and more complex environments, seemed more complex customers, more gnarly problems and the need for this platform becomes more and more apparent. How do you morph, how do you take any use case and make that possible for you? And that's really how we're evolving to this directory and integration platform. And you heard a lot about that in the keynote today, how do we become this director of platform? It's customizable Schema, customizable data types, generic objects, and also workflow, right? With that in mind 2019's focus is a lot about this customization and flexibility. How do we become a platform? Right?

Simon: And with that in mind, I'm going to take you through this framework again of directory. It's really, again, all about users, groups, credentials and devices, right? One of the things that's going to come second half of the year is group profiles. If you have to use case of pushing male enabled security groups from AD into 365 to help reduce that group management in AD, you can do that with group profiles. It's going to be available the second half of the year. And then we're also going to have uniqueness on UD objects. So being able to enforce uniqueness and have Okta take care of how do you manage that uniqueness on a specific attribute or an object that's also going to be on the second half of the year. You kind of heard about the identity engine Todd talked about today and one of the core concepts of that is user types and it's going to be a native object in UD, but basically the way it works is you can have users of different types in your organization, right? Contractors, temp workers, interns, full time employees, and each of them have their own workflows. How do you onboard them? What apps they get? What policies they have? And user types is really a way of figuring out and defining what those users are in your organization.

Simon: On the credential side, one thing that we hear a lot is how do I easily and seamlessly migrate my profile or credential master from AD into Okta? So one of the first things that's going to come out in the second half of the year, Q-3, Q-4 is how do you de-master? Migrate that profile and credential from AD into Okta? Whether that's on an import or a Deloitte GitFlow. They can quickly get that passer from AD and make that user Okta-mastered.

Simon: Again, it goes back to that analogy I gave earlier is, how do we get you into better positions and mobility to make faster and more efficient decisions for your IT? And also credential migration. This is available today where we have various hashes that you can directly migrate into Okta. Whether that's a legacy identity system that you have or maybe an old web server that only a few apps and users are using. On the devices side, we're investing in making devices a first class citizen in Okta. That means having an actual device, platform, devices in Okta, or the team's heads done working on that, that should be available also in the second half of the year. And that's really to feed into our Okta and VMware device trust and device management capabilities. If you're interested more in that, a highly recommend that you guys attend the security roadmap that's going to happen today and also tomorrow, there's two sessions for that.

Simon: Now on the sync and workflow side. Sync in workplace is kind of interesting 'cause it's really about, how do you pull in data? And how do you push that data out? But also about how do you, like what do you use to get that data? And so that's really divided into imports and what we're doing with our agents, which is these lightweight agents that you can deploy onto your AD, or perhaps LDAP server they have. And then the imports side, one of the things we're going to release in the next couple of months, it's going to be advanced in port matching rules.

Simon: This is available today if you're using workday for example, but it's not available in AD or LDAP yet, but this basically enables you to do uniqueness check or check for collisions and imports, and also granular imports scheduling. Today if you want to schedule incremental imports, there's very tight things, very tight options for what that can be, maybe an hour a day. But we're extending that to, say, whether you want it to be every 10 seconds, every one minute, every three minutes, every three and a half minutes, whatever that looks like, whatever that what workflow is, again going back to our focus on making it more customizable and flexible.

Simon: One of the things that we hear a lot is, I want to have visibility into how I'm doing my imports, how fast they are. What the progress is. That's also going to be one of the things we'll release later in the year. We're also making, ongoing, again, that scale focus, it's an ongoing focus it's not just like a onetime focus, it's how do we enable you to pull that data as fast as you can and push it out as fast as you can to whatever system you needed to.

Simon: On the agent's side, one of the things we also hear a lot is, if I'm managing multiple agents, how do I auto install them? How do I, how can I move to a more Dev ops model? Again, it goes back to that metaphor of how do you make, how do I become more mobile and agile? So we're investing in making, building out headless agent installations. And the one thing after that we're going to build right after is API operations for the agents. What that really means is being able to integrate with our workflow tool and being able to do downstream actions in AD. Whether that's moving users between our use, changing user lifecycle status, we're setting a password, maybe like deleting a user, whatever that is based on some triggers or actions that happen in Okta or some other system, how can you have a downstream effect of that in AD. How do you keep that in sync with the rest of your systems? Let's say, automation use case as part.

Simon: And also we're also going to invest heavily in improving our reporting and troubleshooting. This way kind of goes back to how you can move faster and troubleshoot quicker with all the issues that you might be seeing.

Simon: On the access part, Marcus talked about LDAP interface and SGA right now, and a few things that we're going to build out in the second half of the year is booming to an APP based model. So that means is, let's say you have five or six applications. So you want to use LDAP interface for, you'll be able to define what the Schema for each one of them looks like. And also if you want to enforce MFA on these other applications on a one app basis, you will be able to do that. Well that also means is you can enforce authorization based on these LDAP groups that you're pulling in from AD, again goes back to how you can become more mobile by reducing the reliance on active directory.

Simon: You guys heard about advanced server access today? One of the coolest features I've seen that we built, one of my favorite products. It's basically cert based access for any Linux server. I highly recommend you guys go take a look at and how that works and how it can help you.

Simon: And also we're investing a lot in device trust. You saw that Okta and VMware in device platform slide I had earlier about how we're investing in making devices a first class citizen. And so what that also means is how are you able to enforce policy and access controls on all these devices, right? Because you have a lot of people, a lot of your employees are bringing their own devices, accessing all kinds of applications. How do you enforce that? So keep an eye out for all the device trust improvements that are going to come out later in the year.

Simon: Now, enough of my talk let's keep it real. So I want to invite one of our awesome customer success managers, Marissa Henderson and one of our visionary customers, Ryan Walker from Chick-Fil-A. Thank you.

Marissa: Thanks Si ... Exciting things to come, to bring our time together today full Circle, it's my pleasure to introduce Ryan Walker from Chick-Fil-A.

Ryan: Morning.

Marissa: Jumped ahead, Ryan. To take us on Chick-Fil-A's journey of how they're working to reduce their footprint in active directory. How are you doing today?

Ryan: I'm doing great. I really enjoyed the keynote this morning. I hope you all did?

Marissa: Good. Let's start off. For those in the audience who might not know about your company, can you tell us a little bit about Chick-Fil-A?

Ryan: Yeah. Chick-Fil-A was founded in 1946 in Hapeville Georgia by Truett Cathy, and he really ran this one really small diner until 1967 when Chick-Fil-A as we know it today really started. Chick-Fil-A's, a brand started in '67. We're now over 2200 restaurants around the country. Our revenues last year just crested over 10 and a half billion and later this year we hope to open in Canada for the first time.

Marissa: Tell us about Chick-Fil-A history with active directory.

Ryan: Sure. We go all the way back to the beginning. I call this, I am 0.1 in 2000 when we installed active directory. These are some of the common use cases for active directory. I'm sure you're familiar with most of these. You may be jealous of our active directory. We're single forest, single domain, eight domain controllers, and that's it. We do have three sites, so that adds a little bit of complexity, but not much. We really started using active directory initially as I talked about really just for users, there for users and credentials and since we had this directory, now we're controlling permissions to network file shares, were able to send out Microsoft exchange for email. Then around 2004, we started bringing on a web portal. This was something new to us. How do we authenticate users to log in to something on a website?

Ryan: Since we had active directory and it was doing authentications for our desktops already, we just extended that for our web use as well. The problem with that is active directory is very expensive. When we started talking about adding 50,000 users to active directory, that's not cows that we want it to pay for. Additionally, we didn't want to ... before this, we had spreadsheets with everybody's user name and everybody's password in the whole company. That was not a good idea. We actually brought in this sync engine, we wrote it ourselves. It's based on.net and it was a neat way for us to get identities from our HR system into active directory. Again, that's 50,000 team members plus all our restaurant operators and a support center people. But we also wrote our own web application security, which we call WAS, and this is our custom authorization model.

Ryan: Our initial web portal that we brought in, we used active directory for authentication and WAS for authorization. Then we decided to grow up a little bit and this is what I would call identity 1.0, so around 2004, 2005 we were doing the sync engine thing that we wrote ourselves, but it was getting cumbersome really fast. So we brought in Oracle identity manager to help us streamline this process. So we used OIM to provision to active directory when necessary. And then for cost reasons, we pulled all of our team members out of active director and instead use Microsoft's Adam product. Now it's called ADLDS. We use that as our enterprise directory, so everybody gets an account in ADLDS. We're still using WAS for authorization and this really worked, this worked for a while, but fast forward a few years we started seeing the need for something better.

Marissa: How long have you been an Okta customer and how does Okta fit into your identity strategy?

Ryan: Right. It was around 2014/15 that we really started seeing the need for more cloud based identity and we didn't want to expose our active directory to the cloud, so we really started looking across the market to see what can be that identity as a service for us in the cloud. We were calling it Cloud IDP at the time. We had our own IDP that we wrote based on open SAMI, but maintaining that and the connections in there was getting pretty cumbersome. We wanted a platform that would make it easier. We'd settled on Octane, really had four main priorities for that project.

Ryan: First and foremost, we wanted high availability of authentication. We had all of our authentications coming through a single data center, and if that fiber gets cut or both fibers get cut then we're sunk. Even though we have all this SAAS that we've been standing up and single sign on the integrations, all of that's lost if we can't actually authenticate the user.

Ryan: We needed high availability of authentication. We needed single sign on, something easier for us to set up and maintain than what we were doing with open SAMI. We needed password self service, which we actually wrote ourselves about 10 years ago. But I never felt comfortable with the security around it, so we shelved it, and then we rolled Okta in and that's when we really started using password self service.

Ryan: Then lastly is multifactor. We were already using multifactor in a few places, but we really wanted to expand that and have multifactor available for all of our users, all the way down to the team members in our restaurants.

Marissa: So how does Okta factor into your plans to reduce your dependence on active directory?

Ryan: Great question. Let me back up one slide if we can. Something I should point out that's very important here. When we brought Okta in we chose not to use AD sync. And for us that was a no brainer because we didn't have all of our users in active directory. What we decided to do instead, because OIM is really the center of our identity world, and at this point we have three HR systems as a master. We didn't want to try to rewrite all of those integrations directly to Okta. We simply leveraged our investment OIM, and OIM is calling APIs at Okta. From our standpoint through Okta mastered users to use the official language, but really they come from various HR systems consolidated into OIM and then, OIM writes those users into Octa, you'll go forward.

Ryan: How are we using octa? We're using it for authentication as I mentioned. We, again, we needed something that was not a single point of failure for all of our authentication. It's handling all the authentication with that as single sign on to almost 200 applications that we have set up. I mentioned multifactor, we're slowly removing the dependence on our old multi multifactor solution. Moving those connections over to Okta as well, like remote desktop sign in. In our managed data center, we have multifactor on those, we were using another solution we're working to implement Okta's remote desktop MFA instead.

Ryan: Then lastly LDAP. LDAP is really a point using the LDAP as a service as talked about. Our going in position is looking to see if LDAP as a service with Okta can solve the LDAP needs of an application coming in the door. If it cannot and that application is in our managed data center, then we will entertain hooking it up to either ADLDS or as a last result to AD directly. It's been helpful for us to not have all of our user base in active directory. Again, initially it was a cost reason that we didn't have them all there, but now that we don't have them there, if an application comes to me and says, "Hey, we need team members and we need LDAP." Then I can take AD off the list immediately. We don't have to even consider that. We'll first look at Okta, has a cloud solution. If that doesn't work, and again, they're in the managed data center, then we'll talk about using ADLDS.

Marissa: All of these things being said, what do you still see on active directory and how are you planning to address these dependencies?

Ryan: Yeah, let me give a good example here. Anybody experienced the office 365 effect? When we migrated to office 365 in 2016 this was just before we signed with Okta, so we were migrating from a third party email provider over to office 365. When we did that, we needed a place to authenticate users and a way to provision them there that was completely different than what we were doing with this third party provider. We had to quickly stand up ADFS. We had to stand up Azure AD Connect. Azure AD Connect, if you're not familiar with it, it's loosely based on MIM and that's the way that we're provisioning from our on prem active directory up to office 365 for the users. For licensing, got a smart colleague in the room, wrote a bunch of powershell scripts that handles the licensing for us.

Ryan: And then for authentication we were using ADFS because we stood up ADFS in the managed data center and we didn't have Okta yet. We had a bunch of other applications that didn't want to use open SAMI and they jumped on ADFS. So that's what I call the 365 effect because we made the choice to migrate to office 365 then we had to bring in ADFS and then I had all these other things jump on board with that. We've been working to unravel that recently and using Okta instead. All the connections that we're talking to ADFS we're slowly moving all of those over to Okta. So we've moved office 365 to Okta. We've moved a lot of the SSO's and AWS was a big one for us. We moved ADFS, excuse me, all of these acronyms, moved AWS, SSO to Okta and got that off of ADFS.

Ryan: I'm going to give a little plug here if you're not, if you haven't turned off legacy authentication for office 365 and go with just modern Auth, I highly encourage you to look at that. Okta makes it easy to turn that legacy off, that's a lot of the attacks that we're seeing. They're trying to attack that legacy protocol connecting to office 365. We didn't have as good a visibility when that was in ADFS, but now that we've moved authentication over to Okta, we've got a really good visibility into the attacks that we're getting from a global perspective against our office 365 tenant, and by turning off that legacy protocol and just using modern off, we've eliminated a lot of those attacks being able to get in.

Ryan: The last piece here is Azure AD Connect. I'm showing that with a dotted line because we haven't completed that one yet. We're still talking with Okta on how can we move the provisioning piece from what we're doing with Azure AD Connect and instead rely on Okta for that. Okta has almost all of the users that exist in 365 so our work is to provision those users into Okta and then allow Okta to take on the provisioning of those users into office 365. That allow us to eliminate two of the Microsoft technologies that were brought in just as a result of 365.

Marissa: So what advice can you give to our audience about their use of active directory moving forward?

Ryan: First thing is just start with an inventory. Know what you have and then start from there. I like size metaphor with the chess game. You've got to think of few moves ahead. In order to think of few moves ahead, you need to understand what the layout of the board is right now. So do an inventory. How much active directory do you have? How many domains? Forest domain controllers? And then once you've established what you have, figure out what's talking to it? What applications are in your managed data center? Or in the Cloud even that are talking back into active directory and then prioritize and just start chipping away at those things.

Ryan: This slide is again going back to the beginning of the deck. This is where we use active directory, and my mindset now is, active directory should only be for the managed data center. If it's not in the managed data center, it has no business talking to active directory or relying on it in any way. If it's anything to do with Cloud, it needs to rely on Cloud systems, not active directory and managed data center.

Ryan: I'll throw out a whole bunch of buzzwords here. Consumerization of IT leads to BYOD, which now zero trust networking, all these buzz words, phrases that we have are really leading me to think about, I don't need them talking to active directory anymore. If our users want to bring their own device, which they're already doing, with their phones and their iPads and we're not managing those devices since they're logging in with their own device. Let them do that. If we can take that one step further, why do we need to provide them a domain joined computer? They want to bring their own computer anyway. Let's get them off the domain. Let's figure out the minimum amount of device management that we need to do.

Ryan: I'm excited about this idea of device trust and device management from Okta. Can we manage that device just enough so that we trust it to allow that user to log in, not a full lifecycle management of the device anymore so that gets workstations off of the domain. Again, servers need to be there because AD is for the managed data center and this is my opinion. If workstations aren't there and only servers are there for devices then the only users we need there are users who need to log into servers. We can take our footprint of users in active directory and cut 95% of those users out. Groups permissions really around network file shares. This is if you've got great ideas here. The problem that we're facing is we've got a legacy file share. We call the H-drive. It's got like 10 terabytes of data, but nobody wants to step up and move that data. It's too complex. There's stuff out there. We know we need it, we just don't know where it is. We don't know how it's protected. What groups and permissions are in place.

Ryan: This is the part I think is ... we use the term, the long pole in the tent. That one's going to be tough for us to overcome. Because we've made the move to Okta and Okta is really the front door authentication for us now, we don't really have a need for password policy in active directory. Again, this is if we can get domain joined workstations out of active directory that we don't need to enforce any password policy there. Not for the mass of users only for managed data center users.

Ryan: Already mentioned client management a little bit. We used SMS back in the day. We are using SCCM a little bit today. I'm excited to hear the session about VMware. We're looking at things like workspace one and intune as a way to do what I would call device management light. It's not a heavy SCCM where we're managing the entire lifecycle of the device. We want to do just enough to get a trust level with that device. I already mentioned office 365 so we've made the move there. We don't have any on prem dependency on email except for Azure AAD Connect, which we're working on.

Ryan: And then the last one that I skipped their DNS and DHCP. So years ago we made the switch away from AD integrated DNS to instead use an appliance based DNS and DHCP. So we don't have dependency in active directory anymore. So these are just some examples, kind of my thoughts on it. But again, start with an inventory. What do you have as far as AD and then what's talking to it and then prioritize as those systems move to the cloud or new systems come online, do they really need to talk to AD and what can you do to reduce the dependence on AD.

Marissa: Great stuff, Ryan. Thank you so much for taking us on your journey. I'm sure this resonates with many if not most of the folks in the audience here today. So we are going to open it up for some Q&A. I think we're going to have a mic runner so if you have any questions, raise your hands. We'll put the lights on a little bit and get things rolling.

Speaker 5: Hi, we're running into a similar issue with H-drives and all that, as you mentioned. Are there any technologies I noticed, box's a big partner. We're kind of looking at a few different, have you investigated any cloud file, server based solutions in this exercise?

Ryan: We've had some pockets within IT that have looked at box, looked at Dropbox because we're using 365, we're using a lot of one drive and SharePoint. Those have helped kind of stem the growth a little bit. It's still growing but not as fast as it was before. I'm working with a project right now with our legal department to move a lot of their data off of this old legacy H-drive and out to a cloud based solution. I think that's really the opportunity. It may not be one system to lift and ship the whole thing. It may be pockets of departments around the business that they see a need, they see a solution that's applicable for them. We help them move their piece of data off of that H-drive and slowly chip away at it that way.

Ryan: The question was have we had any problems with audit and compliance and moving that identity data out of active directory? Not for us so far. So part of the story of Chick-Fil-A that I failed to mention is we're a private company, so we don't have as much regulatory and compliance needs. Now as we look to expand I mentioned Canada, we're looking at Europe later on, we're going to have to start meeting some of those compliance and regulations but we haven't really had the strict regulations that I think a lot of you as public companies are dealing with.

Speaker 6: We are currently running delegated authentication to AD from Okta and we're kind of on the doorstep of being able to turn off several thousand users in our environment due to some changes to one of our internally developed apps. What's our best course of action as we de provision those users out of AD is to transferring them up to authentication in Okta. Because currently what I've seen so far they've dropped in with a no password and it gets a little bit of a cumbersome when we make that transition.

Ryan: I,[crosstalk 00:41:27] Marcus, can fill that one.

Marcus: That's a very common pattern that we see that a customer is asking. So one of the things that I talked about in my roadmap presentation was the migration of credential master piece. So once you really understand that, okay, these subset of users, they don't really have these on Prem apps anymore. They don't really need access to that. This feature will really help you get there, which is on the next login or in the next import, I want Okta to import these credentials into Okta and make them Okta mastered so that then now they can access whatever applications that they have in Okta that are integrated that they have access to. And you're good to go.

Speaker 7: This is more of an active question. When are you going to approach allowing more flexibility and usability and then querying of nested groups within active directory?

Simon: That's a very good question. So we hear about nested groups a lot. What we're investing this year is how to improve the underlying performance of groups. But I think nested groups is kind of beyond the scope of this year. But on that note, please reach out. Like I'll ... my email is si.medalliadr.com. Reach out to me with the details and I'll reach out to you when we start the research and talking more about as groups.

Speaker 8: Can you talk a little bit more about, how you're utilizing return on investment for utilizing Okta and in minimizing the AD space both for Chick-Fil-A and if you can provide some general numbers as well. Because one of the questions we're always being asked, especially by our CFO is like, okay, "Hey, what type of return? I've spent six figures on this solution. What are we realizing in terms of efficiencies, dollars saved, etc.?"

Ryan: For me, I'm helping to make that case by seeing what we can turn off, how much of our time and resources to run old systems like ADFS or Azure AD Connect, how much are we spending on those versus how much we're spending to move to Okta. So the more things that we can move to Okta, we're maximizing the investment that really, that we've already made. And if we can turn off that technical debt, then we stop worrying about that. For me, and part of wanting to move away from Azure AD Connect is that I tell people that's a time bomb to me. We brought in a vendor to help us set up Azure AD Connect. It's running, but we don't really know a whole lot about it. If it stops working for some reason, then that's a risk that we're trying to mitigate by moving away from it.

Ryan: I don't want to invest my own time and resources and money and skilling up on Azure AD Connect when I know it's something already on the roadmap to get rid of. So minimizing the risk and then trying to compare the costs that we're going to save by turning these old systems off. And that cost may be a minimum amount of infrastructure costs, but it's more the effort to keep them patched and updated and healthy and running versus we've already made the investment in Okta, let's move those systems over.

Simon: I think that's all the questions we have. We're going to get kicked out for the next session, but I'll hang out outside and we can talk, but please don't forget to rate us on the Octane mobile app and really think about how you can get into better positions and mobility. Thank you very much.

Ryan: Thank you all.