Oktane19: Okta + Microsoft: Maximize Your Now

Willie Clemons: I work with EBSCO Industries. Has anybody ever heard of EBSCO? Who has not heard of EBSCO? Yeah, I figured that way. EBSCO, we're based in Birmingham, Alabama. Been working there since just after Thanksgiving. EBSCO, it actually stands for Elton B. Stephens Company. So it's a private labeled company in Alabama. It's been around 75 years now, and great to be there.

Willie Clemons: I've had 27 years of experience in information systems and security. I love IT Crowd. Anybody love IT Crowd? Pretty funny, but it made me think about what used to be identity. You just were kind of in the corner hidden away. Nobody really knew what identity was, and now finally people are paying attention to identity in an info sec world, but its really come about in the last few years.

Willie Clemons: As I said, 75 years EBSCO's been around. They have a number of different companies. We're all over the place in terms of presence with employees. If you look at this, you don't know any of these, but Moultrie for example in the upper right, that's outdoor cameras. So if you ever hunt and put out the cameras that motion detect and take your pictures of the deer on your property, we sell that. We sell real estate, we sell insurance, digital libraries, Lug Store is actually stands like Varidesk stands we make those. So you can stand up or sit down. A number of different companies that we support.

Willie Clemons: The idea behind using Okta in particular is we're trying to get our hands around locking down accounts, being able to provision, de provision as quickly as we can. The company buys and sales, and we never know when they're going to do it so it's a constant cycle for us. So we're really looking to move away from the traditional AV structure, into an IDP with Okta to help us and allow us to start bringing and taking out businesses as they come and go.

Willie Clemons: Why did we get to Okta though? Really came to our CISO John Graham, who actually came from Jabil before. It was pretty much a mandate, and I thought it was really cool when I was talking to him and interviewing. The CIO has the same belief that John does, that identity is critical. If we can get our hands around that and control the poor passwords that people have there, we'll really cut down on the security risks we have. So its been a big push for us.

Willie Clemons: We've been using Microsoft for ADFS for quiet some time. Made the decision that we were going to go with Okta for provisioning as well, but primarily to standardize unnecessary MFA. We've actually gotten through that in the first three months, and we actually rolled over Office 365 about three weeks ago, I think it was. That really helped us. We were getting hit with spray attacks. Al will talk about that a little bit more later, but that was a huge win for us. So all the applications within Okta are all MFA enabled now, and we're just rolling more and more of those into it.

Willie Clemons: Automation is the next thing, so we'll start looking at Service Now, Office 365, and a couple other applications for automation, as well as HR as our master going forward.

Willie Clemons: Al.

Al Dixon: Thank you very much Willie. All right excuse me.

Al Dixon: All right. Good afternoon. I'm glad you all kind of packed in here and came to listen to our short spiel. First I want to thank Okta for allowing us to come and speak on behalf of on Okta's product line. Its been a fantastic journey. We've been able to do quiet a few things in a short amount of time, and I really want to thank Okta for that. I think for a lot of us, we all have some of the same challenges and I think us as an IT security community, it's good for us to get together and talk about these things, and help understand the solutions that are out there today.

Al Dixon: A quick short bio of myself. My name is Al Dixon. Currently I'm the principal IT security architect at EBSCO. Been there for about seven years in a number of roles. I've been a 365 administrator, I've also been on the identity access management team, and now I'm in a new role as the principal IT security architect. This is my passion. IT security is my passion. It's something I enjoy talking about. If any of you all want to talk we can have a sidebar and we get into some details.

Al Dixon: Let's talk about a little bit of how did we get here. Why did we decide to go to Okta. In a sense a lot of companies are not quiet sure of their maturity just yet, when they're actually moving to the Cloud. This poor guy here, this is actually a picture of my old boss after I tried to explain to him our enterprise licensing agreement. Yeah, he quit right after that. Anyway. Seriously I think a lot of companies need to really assess where they are at and within their maturity model.

Al Dixon: What we found is that a lot of the Cloud adoption happen so fast that a lot of times a lot of companies senior leaders are not making the best decisions around guardrails or what they should be doing when they make their journey to the Cloud. A lot of times it's not that easy to do, because in a sense you actually have to understand your posture.

Al Dixon: So we adopted ADFS as a single sign on platform. We understood there was a little less mature, and we knew that we were going to need an actual identity access management platform. We had a number of things happening around our organization as far as multiple single sign on platforms. What we saw was that the company itself was suffering from what I call digital identity schizophrenia. We had people using it on accounts here, and they would use on accounts over here, and you really didn't know quiet where or which account to use. So we found that we needed to centralize those services, and that's where Okta came in and really helped us with that journey.

Al Dixon: As you know, with ADFS we had a lot of complexity around an architecture. So just to give you an idea, this is kind of what we had put together when we rolled out to Office 365, as a means of architecture to insure that single sign on was there. We know that we had suffered through a number of attacks, password sprays, DDOS attacks. Now here's our infrastructure. It's less complex and way easier to manage.

Al Dixon: Let's talk about, once we understood and our maturity level started to go up a little bit, we understood what our business requirements were, we understood what our security requirements were. Now we understood that we needed a much more mature platform, such as Okta. We had did some searching around and we landed on Okta. We understood that identity lifecycle management for provisioning and de provisioning accounts was key, because in a sense we understood that de provisioning an account actually had cost benefits to removing licenses for people who weren't utilizing those services anymore.

Al Dixon: We understood the reduction in cost from the not having too many servers. Systems that our system administrators had to actually monitor. One of the big, I think, pieces was MFA. We had a lot of serious security related issues, and like Willie mentioned we have business offices all over the world. So if we know that a user is typically logging in in France, and all of a sudden now they're logging in from Lickskillet, Alabama ... Lickskillet is a real place in Alabama. Okay I'm kidding. We knew that we needed to possibly take action, investigate that a little bit closer. In a sense, that helped us with the adaptive multifactor authentication. The other piece was we needed something that was scalable, and that piece for scalability came with Okta.

Al Dixon: Here's some of the other benefits of why you should look at moving to Office 365. We've seen that we've benefited from many of these particular items.

Al Dixon: Now let's get down to the meat of what you need to do when you get back to the office on Monday. Thou shall enable MFA. If you're going to be moving to the Cloud, take that as commandment number one. Talk to your business leaders within your organization, and ensure that they enable MFA. Take a lesson from me, we saw a lot of attacks and this would've saved us in many instances. Understand that there may be a cultural thing that you may have to go through, as part of enabling MFA, but it's a big benefit.

Al Dixon: Here's some of the other lessons learned that I saw. That as you move to the Cloud you're going to see that the dynamics of your team are going to change drastically. Identity access management came as a byproduct of us moving to 365, but once we got a little bit more mature and understood that that became a required services, that people were going to need it, then our team started to change a little bit. This is where we ended up. We have a full identity access management team, we have a security team that are looking at Cloud based things, and we benefit.

Al Dixon: Last point, communicate, communicate, and communicate. Thank you.

Rich Kellen: I have a thing, and it sounds like I'm on. Sorry that was the thing.

Rich Kellen: I'm Rich Kellen. I am the chief information security officer for Qorvo. As Steve just mentioned, I was a month ago named the head of IT infrastructure. I've been at Qorvo about eight months. Let me ask, anybody ever heard of Qorvo? Yeah, see no there's ... Wait, there are two guys with me. Previous, my last 26 years I started with HP and I've been running HP splits. HP Split 99 to Agile, and I went to Agile and Split in 2014. I went to Keysight, which is part of Split. Qorvo recruited me about eight months ago.

Rich Kellen: The reason I say that is, because a lot of the experience I'll talk about in those splits, and integrations, and those kinds of things if we get into the Q&A, a lot of back and forth with Microsoft, a lot of back and forth with Okta even. I started with Okta back in 2014 at Keysight. Bought a bunch of companies and added them on Okta. Then back in 2017 did an EA and went to Microsoft. So first thing I did when I came to Qorvo was take us to Okta. If that tells you I've been on both sides of the house. We'll talk a little bit about some of that.

Rich Kellen: A little bit about Qorvo. We are public, in 2018, a little over $3 billion in revenue. We have about 9,000 employees, about 15,000 clients, and then of course a number of engineering things around the company, and different stuff. We play in the RF semiconductor space. Love this picture here. I stole this from an investor day picture, because people have no idea what RF is, but we're in pretty much everything. I bet we're in everybody's pocket, or on everybody's wrist, or in everybody's something in the audience. You may not know us, but we're in your life. We play an infrastructure, so all the 5G infrastructure that's getting put in those are big plays for us, as well as in the mobility devices and those kinds of things.

Rich Kellen: Enough about Qorvo as a company, let's talk some IT stuff. This is our stack, and the reason I wanted to show you our IT stack a little bit is to show, because a company like Qorvo, we were a merger about four years ago of two companies that had been in the business for quiet a while and come out of other companies, and been around a while. So Qorvo's only been around about four years, but the two companies that merged are 20-30 years old. Our model and where the CIO has taken us, I think since the mergers, is pretty much a Cloud first attitude.

Rich Kellen: So we are O 365. We have nothing on prem from an O 365 perspective. All our email, everything is in the Cloud. This is obviously where Okta plays a big space for us. All of our sales, you can guess which apps those are, our payroll and about 60 other apps in the Cloud major stuff, but even in our in prem data center. My teams run three primary data centers, and then of course we have engineering data centers around the world, but about 98% virtualized. 100% virtualized on anything we can, that's our first premise. Bring it in it's virtualized. So we don't want to run a bunch of servers on prem. I think Freddy's speech this morning was really good about, why do you want to run IT anymore. That piece is growing very small. So it's either in the Cloud or it virtualized. We want to stay out of the server business as much as possible.

Rich Kellen: Very heavy Microsoft environment. We're 99% X86. So we run a lot of Window server in our environment. Since I've been in place about eight months ago, and I'll show you a slide here in a minute, we put security in the Cloud whenever we can. So a lot of old time security people ... How many people in the audience are security people versus IT people? So a few people, okay. I bet some of you that have been in the business for a while said at some time, we're never putting security in the Cloud because I don't trust the Cloud, and everything. Now we all say as much as we can there, because it gives us that flexibility to protect what we can everywhere else. Then we deal with a world wide presence. Offices around the world, and 22 of those with IT.

Rich Kellen: This is what Qorvo looks like, and we run fabs. We're in the semiconductor, well RF semiconductor business. Most of our fabs are in the U.S. I don't think we show the one in Costa Rica up here, but our largest site in the world is in China. We have 2,000 people in China, but we do assembly and tests there. So we don't run fabs there for obvious reasons, because they want that technology and we don't want them to take that technology. So we do it at these locations here.

Rich Kellen: What I want you to understand about fabs is much like manufacturing, I spent 20 years in large manufacturing companies, is very high tech products. You have a lot of high tech stuff in fabs and manufacturing centers, but you also bring along with that things that were put in place 20 years ago. We have XP boxes. We probably have Windows NT boxes in there along side this really high tech super expensive stuff. So from a security perspective we have to protect old and new in these critical facilities that are very sought after technology. If you understood some of those initials under there. Which I'm not going to test you on later.

Rich Kellen: On the other spectrum of that, we are extremely mobile. So if you don't work in a fab, our workforce is at 55 engineering sites around the world. We create IP in the south of France, we create IP everywhere in Asia, everywhere in Europe, Germany, all over the United States. Cedar Rapids, Iowa, Boston, Florida, et cetera. So we have to deal with that mobile dispersed workforce that's really handling critical data for us, and protecting that when ... If you look again going back to our applications all being in the Cloud, whether it's Office 365, the One Drives, the Share Points, payroll apps, sales apps, HR apps, it's all that critical data for us is in the Cloud. If it's not in the Cloud it's moving around on people's computers now.

Rich Kellen: So of our clients, I said we had about 15,000 clients, about 75% of those are mobile. That's a high percentage for those of you that aren't in the infrastructure business.

Rich Kellen: Okay. Steve wanted me to show this slide here, so I had to take off all the confidential words on it and everything. The reason I show this, this is my security stack. So this is one I did for the board of directors recently. You'll notice up there it doesn't say Microsoft anywhere. It's kind of funny. I already said we're an extremely Microsoft shop. We have a Microsoft DA, we've had them for years. We love Microsoft, but to be frank I want Microsoft to play in their space.

Rich Kellen: How many security people that have worked on EA's and things, or if you've talked about Microsoft ATP, or you've talked about as your AD, or you've talked about all those things. How many people have been in conversations where you've heard, well we think it's good enough? Anybody ever heard that? Yeah, there's one right there. There's the honest person. I think there's a couple. We can't see past the first three people, the first three rows.

Rich Kellen: In the security business you should never be saying it's good enough, because some CIO wants you to contract it because it's an easier contract, or Microsoft has negotiated and hey we'll give you Windows really cheap, we'll give you this really cheap, but we want you on the EMM stack or whatever. We can talk about some of that bundling and unbundling in a little bit. What we did by not putting our security stack into Microsoft, and we just renegotiated REA eight months ago when I came in. They asked me to help them with that negotiation. The first one we pulled out, it was once we needed MFA. I came into a company that didn't have MFA, and I liked your speech. MFA first, that needs to be first. We bought off on that.

Rich Kellen: So Okta was the first one in this stack we pulled out. Then we went to CrowdStrike, because we needed an ATP and Microsoft was saying oh no we can't sell a client ATP by itself. Now they can, because they're seeing people start to go the other directions, and those kinds of things. Then just recently we put in place Proofpoint instead of ATP in the Cloud. What you see is it gives you the ability if you break that to go with best of breed technologies, things that actually work for your environment. We're able to go back and look at what it is we're supporting.

Rich Kellen: So this isn't an anti Microsoft speech, by the way. I don't want to come across that all, because we're full blown. I spoke at Ignite two years ago when Microsoft O 365 deployment. I'm fully a Microsoft supporter, but when I'm talking about security and as the CISO versus my role as the infrastructure head, I've got to pay attention to what's the best for the environment. So much we get into those decisions again because of the contracts more than anything else. Trust me, my board asks me those questions, and my CIO is like are you sure, and I'm like if you want to make the decision on what we buy fine you go ahead, but then you're in charge of security. So he didn't want to do that.

Rich Kellen: All right, this is why we bought Okta. We wanted to make sure that security stack we had, whether it's in the Cloud, whether it's on prem, that we knew who you were when you're accessing it. Multifactor. The first thing, we all get fished every day. Qorvo, we have very highly sought after technology. If you knew what we did you'd know why. The first thing we were seeing, we were seeing it regularly, when we didn't have MFA the first thing hackers do now is if they get somebody to click on the fish, in 10 seconds they just go straight to the O 365 site, put in your email, they've got your password. They take and download everything you've got. So it doesn't matter if your security teams and everything change your passwords and everything, 30 minutes they've already got your entire email box.

Rich Kellen: The reason for that MFA first, and we wanted to go after Okta first was to at least kill that. If we could stop them from that ability to download and do all of that heavy lifting, at least then we can go focus on the fishing stuff with Proofpoint, the client stuff with CrowdStrike, et cetera.

Rich Kellen: That's me. Qorvo, all around you. That's our saying. You got it? You want the clicker?

Speaker 4: Thanks so much Rich. What I wanted to do now is just, obviously I want to dig into the unbundling piece, but I wanted to give Willie a quick chance. We talked about MFA pretty heavily here. Was there anything in journey that Okta helped with that? How did you feel that that was a beneficial piece? Talk a little bit more about that part of it.

Willie Clemons: Yeah, I can start. I think Okta's been very helpful along the way. I mean, they've got a good roadmap whenever you're rolling out their software, in terms of customer success, project management team, the information they give you for education for your end users. It's all about communication in the end. That's probably been the most difficult process. Okta was easy. Enabling MFA, it's a piece of cake. It's the communication going out to tell people when it's going to happen, and what it means to you, and what you've got to do to get to that point. Yeah, Okta was great along the way.

Willie Clemons: We chose to go with VPN first. We were using Microsoft for VPN, but we figured if we hit those users first, those are the most technical users we'll see what kind of issues we'll run into, get those registered, and that would set stage for everything else. Then we could work our way out from there. It worked well, but it was ... What you'll find out whenever you're doing something and you're telling an organization that you're going to make a change, nobody reads the same thing. So you could send out an email, you can put out Yammer, or you could put out SharePoint, you could fly a plane over their building and somebody might see it. At the end of the day there will be people that think you did a great job with the communication if you do it enough, and then there will always be somebody that complains.

Speaker 4: That's great. Anything to add there?

Al Dixon: Yeah. I can add a little bit more to that. Just like Willie said, the communication is key. Especially as you're rolling out these large projects you have to get out there in front of the customer, because we as IT security people, we kind of sometimes forget about the customer experience, but we also have a job to do as well. We're there to help protect them. I know for our department, information security specifically, we had three products that we're actually using for MFA that was sprawled around the actual company, and we managed it within our department.

Al Dixon: There was an opportunity there of course to collapse those systems, and that happened fairly quickly, and we moved it actually to Okta. They were able to come in actually help us, advise us on exactly what to do. We targeted areas such as VPN, right after that 365 to close off those gaps where we saw those fishing threats that were happening from those malicious guys out there. It was a big benefit. MFA is key. If you haven't start selling it to your senior leadership, do it Monday morning. Tell them I know it's cultural, but we have to turn on MFA.

Speaker 4: Fantastic. Thank you very much Al and Willie. I think-

Rich Kellen: Rich.

Speaker 4: No, no. I was just checking to make sure you had a mic.

Rich Kellen: Name tag.

Speaker 4: Make sure you had a mic. Rich, you touched on something that is very close to me, but I'd like you to dig into that a little bit deeper. Actually, how many people in the audience here are aware that you can actually start to dismantle or unbundle your EA?

Rich Kellen: How many people in the audience have EA's?

Speaker 4: How many of those folks are either on or considering an E5, or being told they should consider an E5? That's the playbook right?

Rich Kellen: Yeah.

Speaker 4: Again, I just want to say real quickly I totally agree with Rich. I think Okta, we see ourselves as being strong on the identity and security side. That's what we're very good at. We feel that Microsoft is a strong partner for all of you. They're a fantastic product from a productivity perspective. Where we think that there's a difference, is some of the things that these gentlemen have explained today. Actually I'd like to go into that EA unbundling piece, and kind of walkthrough. What are the signals, or what are the things that you would look for or tell a customer interested in doing the same thing to look for in their usage, of say technology, before they might consider an unbundling? What are the key ingredients to starting that process?

Rich Kellen: That's good. It's probably not hypothetical, because I know my Okta guy has had me come in and help a few of his accounts. Figuring some of this a little bit. First of all, hopefully everybody knows Microsoft, like a lot of other companies, you've always got to leave them for your next negotiation, because an EA is going to end three years, or whatever you sign. If you don't have something to grow into you hit the point where costs start to jack up. That's what they get to. You've always got to have something in your head that you want to give them, but in their mind they have to grow because that's the mandate.

Rich Kellen: Going into an EA renegotiation, or when you do your annual true ups and those kinds of things, a lot of companies and my previous companies, we just said yeah we'll take everything, just give it to us. It's easier to count that way. We didn't even profile our user. So in my current company, because we have a large fab manufacturing organization, we've done E1's and E3's. We don't do E5 obviously, because I just showed you why. So if you profile your customers and say, why am I paying for E3's even for 3,000 of these people when all they do is email in the Cloud. They don't access anything. They don't do SharePoint, they don't any of this stuff.

Speaker 4: So if you have like a mix of knowledge workers would you say that would be a situation?

Rich Kellen: Absolutely. That is our situation, and a lot of companies have that situation, but Microsoft doesn't always go to them and say, hey you should profile your users for stuff. Now if they're working on their first sale, and they're coming into it, and they really want to get it, they'll say hey you can profile because that way you don't have to pay as much for all these guys, but the problem is when you get into things like Azure AD and these kinds of things, whether you're on E1 or E5 everything they do is still done by head count, or depending on the license.

Rich Kellen: So everything you have to do, whether they access one app or 50 apps you're still paying for them to do that. There's others beyond identity, but this is where people get confused in the Microsoft contracting. It's designed to everything to cost the same. So if you buy O 365 and they say oh you can put it on five clients for free. Is that still the number Microsoft uses? You get five devices. Well if you have large R&D labs, I have some guys that have 30 computers in their names. Well that means I have to buy them five different O 365 licenses, because some of that is client based, and if they have different things on them. Now maybe I only needed one identity, because it's still the same person logging in.

Rich Kellen: You really need to understand your profile, and what you're using, what you're not using, because that gives you the power to go into a Microsoft contract negotiation and talk. Again, they'll show you the slide that says bundle it all in. Actually they show it with the three products I use. They'll say, if you went with CrowdStrike, Proofpoint, and Okta it would cost you $1.5 million to just do these products. I will tell you, I went with CrowdStrike, Proofpoint, and Okta and, I'm not allowed to talk about pricing and stuff, but it cost me less than if I had gone just with Microsoft for those products, equivalent products. Then I would've been just back to the but they're good enough.

Rich Kellen: We did bake offs by the way. We did bake offs on the clients, we did bake offs on the identity stuff, we did bake offs even on the Proofpoint stuff. Microsoft never won. Not a single time. My hackers were able to get through on certain things. Again, they want to be a security company, but that's not where they come from. Until they say that's what we're going to do full time, like Okta said this is what we do, we do identities and we're kind of doing identities. If Microsoft put the money of their company and said, we only want to do that, great then lets do that, but they can't take away from those things that are their bread and butter.

Speaker 4: Is this a journey that a customer has to do themselves, or is this something where there could be help in partners, either your resellers or your ISP's? Is there a way they can help you to do that?

Rich Kellen: You know, having people that have done negotiations with them before is always helpful. The value added resellers that Microsoft contracts, because you can only use certain ones, the ones that are ... They'll help you with counts and things, but they're not designed to say hey but you should look over here for this. Unless they're the reseller you're going to use for that one over there, or they're working on a better deal. Typically you get into that. The var isn't going to help you as much with it.

Rich Kellen: For anybody that's a Gardner customer, Gardner is extremely helpful in this space. They've got some really good experts that know what Microsoft is being compensated on today, what they've seen in other contract negotiations from a product perspective, and stuff. If you're not a Gardner and you're working on an EA, and you're wanting to unbundle it, they can help you with strategy I think probably the best or find your Okta rep and they can find somebody that helped them do it.

Speaker 4: Got it. We're working on that. Let's see, you kind of hinted at it earlier on, but I just want one more question for you Rich. From the perspective of when you face a CIO, or a CEO, or CFO for that matter who is kind of pressuring you to ... You had a comment, but I just ... I think these are conversations that a lot of our customers are having. That they're being told that we have this, or the potential to have this upgrade to E5 or what have you, or have an EMS on there. What do you say to them as a CISO?

Rich Kellen: As a CISO it's pretty easy. I go after the security aspect. For me saying look this is not the best product, this is the best product. If you're a Gardner guy, and all CIO's tend to be Gardner people, or even CFO's, it's easy to say with a thing like Okta. They've been in the top right since day one. Microsoft got close to them for a couple years, and now they've I think even dropped down a little bit. You've got Centrify up there with you a little bit.

Rich Kellen: So you can use things like that, but as the CISO it's easy for me to tell the CFO and CIO, the board hey we're going after this. This is why. Get them all excited. Of course there's always going to come back and see a cost, and that's always got to be a line item I show them, but in the end the board is being held to cyber risks now as much as they are to any other financial risk. If you sell it as this, and you're that guy, you're the head of security, again no CIO should override a CISO when they're passionate.

Speaker 4: That's fair enough. So stand by your-

Rich Kellen: Stand by your guns. There's a guy in our region that my sales rep had me talking, and he had been talking to Okta for like two and a half years. It wasn't because he didn't want Okta, it was because he was trying to convince his company that he could get out of Microsoft and this stuff. So he's finally now an Okta customer now, but the work for him was convincing the CIO in the company that it made sense to dismantle pieces.

Speaker 4: Before we go to Q&A I wanted to ask Willie and Al really quickly. It's kind of crazy when you showed that slide with the hundreds and hundreds of different companies that you guys own. We talk about at Okta the MNA agility story, and being able to do that and enable it. Is there anything in terms of a story there, in terms of how we've been able to help you to pull in an organization, or facilitate that a little bit better?

Willie Clemons: I don't have anything immediate, because we've had three acquisitions since I've been there, but they've been relatively small and we incorporated them into the whole MFA process like everybody else.

Speaker 4: Pretty straight forward?

Willie Clemons: I do think that it makes sense with what we're doing and what Okta is doing. There was a presentation yesterday showing how to build out, instead of having to collapse domains to build those out. That seems like the natural progression for us. Going back to your earlier question, Microsoft can offer a lot of different things to you, but how many times does Microsoft give you something and it's not 100%, and there's like a bolt on top of it to fix it?

Willie Clemons: Even if you had an E5, how quickly can your team pick that information up and do something with it? We took Okta, we had no experience with Okta at EBSCO starting in November of last year, and we have six people that can go in and administer Okta today. Adding a company, adding users, setting up whatever we need to, SSO, or MFA in there. It is very intuitive. If Microsoft would've had that capability with ADFS, then Okta may not exist now, but they didn't do it. So somebody said hey I can do this better, and that's why we bought the product.

Willie Clemons: It is a cost thing. At the end of the day you have a budget, and you only have so much that you can spend. If you're going to go buy E5 licenses, then you're not going to buy any other products. At least for us. We're still in, I'd say an early infancy of an information security program at EBSCO. That's what we were hired to come in and help build out. Just the cost of what we have to spend to get us where we need to be is going to be a lot of money. So we have to be very selective in what is a priority for us and what's not. We have not made the formal decision that we're not going with a Microsoft E5, but it's interesting. As we go through those, you get tools we were seeing on the screen just a minute ago with CrowdStrike, Carbon Black, Okta, those are tools that a lot of people use, and get a lot of value out of.

Speaker 4: Thank you.

Willie Clemons: But it's ease of use. I'm telling you, I'm thrilled to death how quickly my team picked up Okta, and so proud of how they picked it up.

Speaker 4: That's a great point. Al anything to add?

Al Dixon: Yeah, I can add a little bit to that as well. EBSCO is a very interesting company, because we have so many different lines of businesses and they all do something different. If you could imagine from the security side of things governance is a challenge. There's always a use case for something. With Okta however, with us having those mergers, acquisitions, and divestitures, those activities are really fast paced. Especially for us. So, when they come to us and say hey we've bought a new company. I coined a phrase, they're called mad activities. Right? Mergers, acquisitions, divestitures, because they move so fast.

Al Dixon: They want us to be able to spend on the dime. They say, okay we got this new company, they bring them in, get them onto our email system, bring in their directory services. Well before we didn't really have an avenue for that before. As probably some of the people have already seen, some of the capabilities of Okta in order to incorporate those new directories, incorporate those new email systems into its universal directory. That's been a huge benefit for us.

Al Dixon: Going back to the earlier question, I think one of the things that companies have to do, especially as you're sitting down talking with your Microsoft rep, is understand where your gaps are. Doing just a basic SWOT analysis of your company to understand that the things that they may be pitching to you, you may not necessarily need right now. A lot of times finances are finite. So we don't have a whole lot of money to just spend on these bells, these whistles. We may have specific things that we're trying to address you know, fishing, MFA, those type of things we need to address right now. We don't need to be called in the lingo of here's an E5, but you need a P2 for the atrophies, and here's another boat on.

Al Dixon: Your technology people, or your senior leadership, your security people have to be knowledgeable of what exactly is needed. That can come from a standard risk assessment from your organization, if you have kind of a government structure there, so you can identify what those needs are, because the salesman is going to try to sale you. He's going to offer everything, but maybe you didn't need the leather seats. Not in Alabama anyway. Maybe you didn't need that particular piece, but it's understanding exactly what you need when you're going into those discussions.

Speaker 4: That's great. Thank you Al. So we just have a few more minutes. I'm just going to leave this up there. Really quickly before we jump into Q&A, if you are interested in having a bit more understanding about what it looks like to do that True Down, we are offering workshops. If you want to sign up go to this link, this bitly link. It'll just be a simple one. You send your email in, we will respond to you, and schedule you up, but if you're interested in that.

Speaker 4: At this point, I'd like to go ahead and open up to Q&A to anybody in the audience.

Audience: So what do you think the smallest company size is that you'd be able to start doing these sorts of unbundling activities? We're currently Microsoft E3-

Willie Clemons: Can you speak up a little bit?

Audience: I'm sorry. We're currently on Microsoft E3, but we're only a 400 person company. Are we going to be able to unbundle at that sort of scale, do you think?

Rich Kellen: I can take this one a little bit. I actually just did some consulting for one our board members nonprofits he does, and it was a smaller company than ours. The way I understand the question is, does it make sense for you to try to unbundle because of the size of your company. Right?

Rich Kellen: It depends. You're probably better off doing as many things with Microsoft as you can, because you can go up for much cheaper. Now, does E5 make sense for you? You're not at a true huge, because Microsoft's discounts get smaller as you get smaller. So larger companies, we get bigger discounts. It's kind of weirdly unfair. Right? You also lose a certain amount of negotiating power with some of those other companies. Your ability to get their pricing way down is harder.

Audience: I'm actually a very large bank, and I've discovered that the same techniques seem to work with the security vendors regardless of your size.

Rich Kellen: Do they? Okay good. I'm glad you said it out loud. What I was going to say is there's some, and what I was going to tell you is, you're going to be better off in some of those cases going direct yourself and trying to find a var to take a cut and do all of that. Go ahead.

Audience: I'm direct with Okta, direct with Six Side, direct with CrowdStrike.

Rich Kellen: Yeah. It's a balance, but again 400 people. It goes back to what are you doing? Are you growing? Are you in a growing phase? Are you in an acquisition phase? Because if you know you're going to acquire in things, your Microsoft bill is just all across the board going to go up, and up, and up much faster than say I bought Okta, I bought 400 licenses. If you know you're going to acquire maybe you want to negotiate 500 licenses. These are the things I've done knowing where we're going. Sometimes the CIO will go, but you just bought 1,000 extra licenses. I'm like, yeah and I also know there's three acquisitions we're working on, or whatever and it was easier for me to negotiate the pricing across the board. Then they're like, oh okay. Some of those tricks, and it sounds like you know them which is good.

Audience: An objection or a concern that I've heard from customers is, when you unbundle the cost of the items that you're going to be keeping are going to go up in cost. Right? Because it's not just take this out and leave everything else flat. What's your perspective on that concern?

Rich Kellen: Back to my original comment was, you need to know what you want to do with Microsoft, because you've got to offer them something typically to keep at that renegotiating phase, because you will lose your discount. What he's saying is, if I unbundle then I think they're going to jack my prices up on the things I have. First of all, when you work with any company hopefully when you sign a three year deal you put a clause in that says maximize my increase on the next three year deal. If you don't do that you should have procurement people look at those kinds of things, because that protects you because anybody naturally is going to try to jump.

Rich Kellen: Now, Microsoft in general, they're pricing has actually come down on certain products over the years. Right? But, it's because they still have to grow, they're selling additional things. So if all you need is Office, well first of all sales reps don't get compensated on Office anymore. People think, well Office does this. If you know what Microsoft reps get compensated on, and it's very public. Gardner will tell you, because every year they change it like anybody else. You go into it into an educated negotiation. Well you know, but I really want something more valuable to me Windows. So give me a Windows contract, because I don't want to do my Windows by clients anymore I want to do them by users.

Rich Kellen: They've got so many different pieces you can put in there that you don't need to focus on the identities and the client things unless you want them, but there are some things you might want. Again, they have some really good products. Know what you want, but take that assessment before you go into the negotiation. Don't start the negotiation, and then start to figure out what you want and what you need.

Speaker 4: I think have one last question real quick. All right, I'll call the day. Thank you so much gentlemen I really appreciate it.

Rich Kellen: Thank you.