Oktane19: Working with Your Extended Enterprise: Partners, Contractors, and More
Daniel Lu: My name is Daniel Lu. I'm part of the product marketing team here at Okta. I've been here for about a little over two years now. It's been a really awesome experience, my third Oktane. I'm really excited today to be talking about working with your extended enterprise, partners, contractors and more.
Daniel Lu: I'm also really lucky to have Ed and Eva. Eva, from Dick's Sporting Goods. They'll be coming on a little later to tell us a little bit more about their story. Super excited there. We've got 45 minutes together, and a lot to go through. I talk really fast, so hopefully that won't be an issue.
Daniel Lu: I'll first go through what is the extended enterprise? I think this is a term that means different things to different people, and so I really want to get into the details of what we mean when we say the extended enterprise. Then I'll go on, and talk a little bit more about the challenges. What are the challenges of working with your extended enterprise?
Daniel Lu: Then I'll go into how Okta addresses those challenges. Next, I'll be lucky enough again, to bring on Ed and Eva from Dick's. They'll be talking more about their story. It's a super interesting story about how they tackled their extended enterprise, really looking forward to that. At the very end if we have time, some Q&A.
Daniel Lu: Get ready to go. What do we mean by the extended enterprise? Why is this a topic of conversation today? Well, in the past you really only had to worry about your employees that were living behind your firewall, probably coming in from devices that you own.
Daniel Lu: More and more so though, you guys and modern enterprises are starting to work with partners and contractors and users, that are coming in from outside of your organization. Enterprises are extending their workforce beyond just traditional employees, in order to move their business forward. Who are some examples of these users?
Daniel Lu: Suppliers, distributors, resellers, contractors, temp workers. These are all probably familiar to some of you guys, in terms of who you work with beyond just your traditional employees. What makes them unique? There's a couple things. First, there are more transient, much more transient than your full-time traditional employees at least.
Daniel Lu: Second, they have their own identity. Meaning that you probably don't manage and update the profiles and life cycles of these users, that are coming in from outside your organization. Third, they do live outside of your network. They're coming in from new devices, new locations, places that you don't necessarily control anymore.
Daniel Lu: Then finally, and perhaps most importantly, they need selective access to certain resources that you own behind the firewall or perhaps even in the cloud. You have this situation where outside people that you don't necessarily control, are coming in and out with a greater frequency, trying to get access to sensitive information that you own.
Daniel Lu: This naturally leads to some challenges that you guys will probably be facing around extended enterprise. At a broad level, we see three main challenges working with the extended enterprise. First is integration complexity. This is connecting your third parties to your internal resources.
Daniel Lu: It can be challenging not only technically, but also from a business standpoint. New technologies and old technologies, they don't necessarily play well together all the time. Next is an increased IT support. Off-boarding, onboarding, providing customer support for your own internal employees, can already be a burden for your IT team.
Daniel Lu: Now you've got to think about your partners, your contractors, your outside users. Adds a lot of complexity to that IT support model. Finally, new security risks. When you have new users coming in from new location, they have new use cases, it's just naturally inevitably going to lead to new security risks that you need to think about a little bit more.
Daniel Lu: These challenges are a great way to frame the problem at a broad level, but they are a little bit abstract. When we talk to our customers, they really come to us with five questions that they're trying to solve for. How do I connect to partner identity sources? Number two, how do I provide secure and selective access?
Daniel Lu: How do I automate user privileges as they come and go? How do I validate proper compliance? Finally, how do I offload management of these partner users? We'll get into each of these. Now, so the first question is always, how do I connect to and authenticate the identities that ultimately need access?
Daniel Lu: For your own users, this was generally pretty easy. Not necessarily easy, but at least solved for. They probably lived in some directory that you owned. Most likely something like Active Directory, maybe LDAP. You're responsible for managing and updating those user profiles. Everything was hunky-dory.
Daniel Lu: However, more and more so you probably are starting to work with these partners, and they can be a little bit tricky to manage, right? You don't want to put your partner users into your Active Directory, nor do you want to be responsible for managing, updating the user profiles and life cycles of these outside partner users.
Daniel Lu: At the same time, you don't want to be passing back and forth CSV files to you and your partners. Which some of our customers actually do, because it's not a sustainable model, right? It's not very secure. At Okta, we recommend three different approaches to think about how you might connect to your partner identities sources. The first is directory integrations.
Daniel Lu: This is pretty straightforward. You guys probably do this today. We have a lightweight AD Agent, or an LDAP Agent that we install that directly connects to your Active Director Area or LDAP directory area. From there, we sync those profiles into your Okta organization. We can do the same for your partner orgs as well.
Daniel Lu: Installing these lightweight agents into their AD or LDAP domains. Of course this requires you to install something on your partner environment, and that's not always an option for you or your partner. The next approach is identity federation. Often partners, especially the large partners, they'll probably have an existing identity solution that they currently use.
Daniel Lu: Okta can connect to any SAML enabled IdP, whether that be Microsoft ADFS, or CA or Ping or any of the other third-party IdPs that your partners might already be using. We can connect to them very seamlessly.
Daniel Lu: That allows your partners to continue to use the IdPs, the identity solutions that they currently have enabled and deployed, without disrupting the end-user experience for their end users. Then finally, a hub-and-spoke approach. This is a great solution for partners that don't necessarily have their own identity solution.
Daniel Lu: This is the concept of connecting your Okta org to another Okta org that is independently managed by your partners. As I mentioned, Okta can connect to any SAML enabled IdP. Well Okta is a SAML enabled IdP, so we can connect to other Okta orgs very seamlessly and very easily. Which is a great way for you to allow your partners to have an IdP.
Daniel Lu: They can manage their users. They can manage the administration of those apps within that org, while at the same time allowing you to connect to that partner sub-org. The hub is your Okta org. The spoke is the sub-org here. We have these three approaches to connecting to identity sources.
Daniel Lu: The next question is always, “Okay, I've been able to connect to these identities sources. Now how do I enable access to these identities?” The challenge here is your partners and contractors again are probably coming in from location devices, that you don't control. or you don't necessarily have visibility into, and they need access.
Daniel Lu: They need access to resources that you own, but they need selective access. You're not going to give them access to the entire kingdom. Something like a VPN, which may be a little bit more heavy handed is not a great solution. At the same time, it needs to be a very easy-to-use tool or process for these partners and contractors.
Daniel Lu: You don't want to inundate them with new technology that is too cumbersome or confusing. What solution can we offer here? Well, I hope everybody has tried our Okta SSO solution. It's a really simple tool meant to allow your users, to get access to the tools and resources that they need.
Daniel Lu: This is really common for, of course your employees, but now a great option for your partners, contractors and temp workers as well. They can come in from any device, come in from any part of your network inside or out. Of course, we always recommend layering MFA on top of this access. It's really useful for protecting your users.
Daniel Lu: More so, this is a very important concept for your partners and contractors as well, because you again don't have much control over their security practices, how they're being managed, where they're coming in from. Layering MFA on top of that access is very important. At Okta, we take that a step further by incorporating user context into that access.
Daniel Lu: You heard a little bit about this on the main stage this morning with our demos, and Todd speaking about the contextual access management. Taking information beyond just a username and password, and things like the user behavior, and the context that they are coming in from, to determine whether to allow access or not.
Daniel Lu: Some examples, what app are they trying to get access to? What user membership rules are being applied? What network context is an IP range I trust that I've seen before? The device, again, partners coming in from devices. BYOD issues, you don't necessarily see or control those devices. How do you make decisions based on what you see?
Daniel Lu: Then location, whether certain countries, certain cities, certain Zip code. Depending on where they're coming in from, you can make more informed decisions around how to enable access. We take all of this into a risk, and we evaluate for us to then make a contextual response.
Daniel Lu: Whether we again, allow them to move forward, we deny them access, or probably more likely do some sort of MFA prompt like our Okta verify push. The third question that IT has asked, is how do I automate user privileges as they come and go? This is especially important for temp workers and contractors, that are more transient by nature.
Daniel Lu: IT needs to ensure that they need to get access to the resources that they need, on day one when they start their job. More importantly, when they leave or when they change roles, IT needs to ensure that they get de-provisioned immediately on that off-boarding process, so they don't continue to get access to resources that they shouldn't get access to.
Daniel Lu: This can be a challenge since again, these users are joining and leaving at a higher rate than your normal employees, right? Also, they might spike during a certain time of the year. We'll hear a little bit about this from Dick's Sporting Goods. How they have seasonal workers during a certain time of the year, and they need to onboard and off-board a lot of users all at once.
Daniel Lu: This can be overwhelming for their IT team. Of course doing all this manual onboarding and off-boarding, is a drain on the IT resources. Then not only that, it's a security risk. You're doing a lot of these manual activities, which can be more error-prone because of human error. Somebody might fat-finger something.
Daniel Lu: Our lifecycle management product is really meant to help solve this, right? We can ingest user information from a source. We can then push that to make sure they're properly assigned to the right resources.
Daniel Lu: Then we have the tools that audit, and review those privileges to make sure that that user should in fact continue to get access to the resources that they should get access to, and if not, immediately off-board them when we need to.
Daniel Lu: That's all done through a centralized policy, so that IT doesn't again, need to manually do this for every user, every time somebody comes in and out of their organization. To push this further, we're continuously evolving and adding new features, to make this lifecycle product even better and more automated.
Daniel Lu: We're really excited to be introducing a new feature called automations. It's a new release. It's currently in EA if you guys want to check it out. What automations is, it's a framework that allows Okta admins to automate manual tasks. For example, an Okta admin here, he or she can write an automation, which consists of a condition and an action.
Daniel Lu: Okta then evaluates those conditions, and determines whether that action should be executed. It's kind of like a fancy if-then statement, “If this happens, then we go ahead and execute.” Let's bring some examples into this, and bring this to life a little bit.
Daniel Lu: Let's say you want to bulk suspend a bunch of contractors at a specific date, because you know that their end date will be at the end of the year. On the left, here are the conditions that are set by the admin, and on the right are the actions that will happen if the conditions are met. We have all the groups, all the contractors.
Daniel Lu: We have a group called contractor, so all of those. This condition will be run once at the very end of the year, because that's when we know that we need to off-board these contractors. Then at that time we'll go ahead and suspend this group of contractors. A great use case, if you know the end date of a user.
Daniel Lu: What if you don't? Well, you want to get a little bit more sophisticated. Well, what we can do here is also suspend based on inactivity. Instead of running just once at the end of the year or at a predefined time, we can say, “Hey, every day, at the end of the day, we're going to run this automation script.
Daniel Lu: If the user has been inactive for 30 days, hasn't logged in, then at that time we're going to suspend him or her. Now, if they've logged in during the 30 days, well that's fine. We allow them to continue to gain access.” A variation of this, is suspend account if pending for seven days, or a certain amount of time.
Daniel Lu: This might be for whatever reason the IT has created an account, but that account never was activated. Just been in a pending state for a while. Instead of leaving that account in a pending state for a prolonged period of time.
Daniel Lu: We can just go ahead and first suspend it and investigate further to figure out, “Okay, this user does in fact need to have access, or we've decided that this user no longer needs to have access.” Automations, and you can see that this can become very powerful.
Daniel Lu: These are just some initial examples as we continue to build it out, we're going to be adding more and more features and functionalities to this. Automations is a really powerful tool for us. We hope that you'll take advantage as we move forward. The next question is around compliance.
Daniel Lu: In an environment where your partners, contractors, temp workers, they're coming and going. How do you validate that everybody has the proper level of access? How do you prove to your auditors that there are no stale partner accounts or contractor counts, floating out there in the world?
Daniel Lu: Well Okta has a lot of reports that help the Okta admin, figure out what's going on in their environment and prove out some of these compliance regulation issues. I'll introduce a couple of them here. I'm not going to go through all of them. We have a lot of reports that Okta can help you with, as well as our CIS log, which hopefully everybody who's here is familiar with.
Daniel Lu: I'll go through three of them here. The first is our current assignment reports. This contains data about how an application is being used over a specific period of time. What this tells you is given a specific app, who are all the users assigned to that app? Or given a specific user, what are all the apps assigned to that user?
Daniel Lu: That gives you a very good understanding of what's going on within your organization. The second is suspicious activity report. Just as it sounds, it's a report that highlights suspicious activities going on within your organization, over a certain period of time.
Daniel Lu: Some examples of suspicious activity might be, there's a high number of password resets, requests PIN coming in, or maybe password lockouts. There are just some examples of how you can take the suspicious activity reports, and really understand if there's anything funky going on in your organization. Then finally, rogue account reports.
Daniel Lu: This compares the assignments if they're in Okta, and compares it to the assignment of an actual application that's connected to Okta. Perhaps you have an app admin who's manually adding users within an application that's outside of Okta.
Daniel Lu: What this report does, is it compares the two to make sure that there are no rogue accounts or discrepancies between Okta and the actual application. Ultimately at the end of the day, you want all of your assignments to be done through Okta, and so this helps you highlight some of those discrepancies.
Daniel Lu: Finally, enterprises don't want to clog up their IT help desks with partner users. Okta has several self-service passwords and self-service features, that can help manage minor account-related issues so that your users, your partner users, your contractors, they don't need to come to your IT team to ask for help.
Daniel Lu: Everybody here should be very familiar with our password reset flows, our self-service password reset flows, our self-service account lockout flows. We have self NFA enrollment. A lot of self-service tools, again to offload some of that user management, some of those kind of basic it tasks, away from your help desk and onto the user themselves.
Daniel Lu: What about actually, about user administration? You'd like to be able to delegate admin tasks to others, including partners, but don't want to have a full admin rights for those other users. What can we do there? Okta has a lot of pre-defined admin roles that can help you with that.
Daniel Lu: Everybody here should be familiar with our super admin, but beyond just a super admin, we have created several different admin roles with scoped-down privileges meant for certain use cases. For example, we have the help desk admin, over all the way on the right. That help desk admin can only unlock accounts, reset passwords, and nothing else.
Daniel Lu: Really great if you outsource your help desk IT team to a third-party contractor. We keep getting more feedback on what types of roles are important and useful for our users. We recently introduced the report admin role. These can pull reports. Some of the reports that we just talked about for auditing purposes, and nothing else.
Daniel Lu: Really scoped-down just for that use case. We know that there are many more use cases out there, than just these nine pre-defined roles. We're starting to look at more ways to offer our customers more flexibility in creating their own roles. We'll be soon introducing something called custom admin roles.
Daniel Lu: This allows admins to create roles tailored for their specific use case. No longer relying on Okta for these pre-defined roles. This should be coming out in the next couple of months. With all of this, it should be making your life as the Okta admin, easier to manage some of your partners, your contractors, and temp workers. That's really it.
Daniel Lu: That's really meant to give an overview of some of the high-level questions that we get from our customers, when we talk about the extended enterprise. We went through how there's different approaches to connecting to the partner identity store.
Daniel Lu: About how SSO and MFA can really help add a level of security, especially to your users that you have less control over and less visibility over. We talked about our new automations features. We can help automate user privileges as they come and go. Some of the reports that we have are very useful, and you guys should definitely be taking advantage of those.
Daniel Lu: Then finally, we talked about how we manage some ways to offload your partner users to other people that might be able to do them better, allowing you to do things that you probably care to do more of.
Daniel Lu: With that, I think the takeaway really is that the extended enterprise is a priority for you, and it does pose some challenges. Okta offers you several options to enable you to have a protect-and-grant access to these non-traditional users, and help really drive your business forward.
Daniel Lu: We hope that you'll continue to think of Okta and talk with us, as we build out more of these features and help you. With that, I now wanted to invite our customer speakers Ed and Eva up on stage. I'm really excited to hear their story, and have them share it with you. Ed and Eva. There you go.
Ed Hiser: Thank you sir. Thank you Daniel. All right, I think that report admin character had my hair cut. All right, we are here from Dick's Sporting Goods. My name's Ed Hiser, IT Project Manager, Engineering Manager for Dick's Sporting Goods. Presenting with Eva Sciulli, our IT Product Manager of Customer Interaction.
Ed Hiser: Over the past six years or so, I've been working with eCommerce Omni-channel, Customer Fulfillment and Customer Service Technologies. Every good business I think, it's cool when it has a good origin story. Think of the rookie underdog, who no one ever thought he was going to make the pros, right? That's our story at Dick's Sporting Goods.
Ed Hiser: In this picture is Dick Stack and his brother, in their first bait & tackle shop in Binghamton, New York, circa 1948. At the time, Dick worked for an army surplus store and the owner came in and said, “Dick, what's it going to take to sell bait and tackle?” Dick went back, he did his homework and he came back with a proposal for the owner.
Ed Hiser: The guy looked at him, scoffed said, “Kid, you're a dumb kid. You don't know what you're talking about.” Right, Dick took that, went back to his family and said, “I can do this.” His grandmother gave him her life savings, out of a cookie jar.
Ed Hiser: That was the start of Dick's Sporting Goods. Today the company is run by Dick's son, Ed. He's our current CEO and chairman. We operate over 700 stores. We're the leading Omni-channel sporting goods retailer. We operate the Field and Stream brands, Golf Galaxy and Team Sports HQ.
Eva Sciulli: Good afternoon. My name is Eva Sciulli, and I'm the IT Product Manager for Customer Interaction at Dick's Sporting Goods. I have responsibilities for adding value to our customer service technologies, beginning at the customer service order number, all the way through to our customer order and incident management, as well as our surveys.
Eva Sciulli: I apologize if you had to contact us. Ed gave us a great introduction to Dick's Sporting Goods, and our great history. I want to walk you through a little more recent history for us. A few years ago Dick's Sporting Goods began a journey to in-source our eCommerce properties. Insourcing our customer service centers was part of that effort.
Eva Sciulli: Just like our stores, our eCommerce footprint has grown and so has customer service. From a dozen agents who worked in our retrofitted barn, to a complex customer support and service organization. Today we have a non-holiday customer engagement center presence, utilizing two business partners who reside within three physical sites and one virtual site.
Eva Sciulli: Those centers support all of our customer engagement, customer service needs. Including our three chains, Golf Galaxy, Field and Stream and Dick's Sporting Goods. The three eCommerce websites, all brick and mortar stores and our ScoreCard Loyalty Program, but that's just an average month. Just like sports, retail has its seasons.
Eva Sciulli: Retail has no bigger season than the holiday season. At holiday, we recruit three times the number of our peak agents, off-peak agents to support our holiday needs. The growth increases physical size from three to seven, and virtual sites from one to two. We do this and onboard all of these agents, and give them access to all of our systems in less than one month.
Eva Sciulli: Then after holiday, we ramp them back down in half that time. We have a lot of challenges. When we started this insourcing process, we began onboarding and began onboarding our agent teammates. We worked with each call center site, to create templates and processes for agent account access provisioning all via email templates. What could go wrong?
Eva Sciulli: These spreadsheets were created by the trainers of these BPO sites. Each site had up to three trainers, all of whom had their own flair for submitting these agent requests. As if that wasn't challenging enough, each site's IT organization had their own flavor of AD management as well.
Eva Sciulli: Our agent teammates also had several account usernames and passwords to remember, all while trying to take care of our customer athletes. We were making their jobs just that much more difficult. Their manual account administration, account creation and deactivation, required non-holiday one and a half Dick's Sporting Goods full-time employees.
Eva Sciulli: During holiday, this was an IT service desk of seven FTEs. We needed to perform reporting gymnastics, in order to understand who had access to our systems, and what roles they were provisioned to. Finally, our costs were exploding. Call centers have a not insignificant turnover rate.
Eva Sciulli: Keeping up with who was a new recruit or a retired player, was an incredibly manual expensive low-value task. It had to be easier than what we were doing. Ed and I are going to walk you through the goals that we set when we began working with Okta.
Eva Sciulli: With Okta acting as our coach, we needed to make it easier for our agent teammates to have access to Dick's Sporting Goods tools, and we had to equip them in a better way to service our athletes. We needed to pass agent teammate account management to our BPOs.
Eva Sciulli: Getting us out of the agent management business, and back into the BPO management business. Thirdly, we needed to reduce our costs. Timely account provisioning and de-provisioning, was the key to our license expense management, Ed.
Ed Hiser: All right, so we also needed a seamless holiday ramp. We've talked about, that holiday ramp time is a short period of time to get the agents up. They'd slope up, short period of time for a run rate, and then we ramp them quickly back down. That was a key goal for us as part of this engagement. We needed to implement a repeatable process.
Ed Hiser: We didn't want to be tied to one-vendor partner, if we wanted to stand up two, three, however many vendors, we could do it through a simple repeatable process. We need to be able to audit user access.
Ed Hiser: Sorry, so whether it's within Okta itself, or you'll see in our architecture going through identity management table, we wanted the ability to kind of see who's using what application when they're using it? Et cetera. All right, so we're going to step through the architecture. We're going to start with our BPO center.
Ed Hiser: This contact center, you have your agent on the workstation, right? Everyone's familiar with a customer service agent, taking inbound calls or chats. Those agents are provisioned by the BPO within Active Directory.
Ed Hiser: What we have then is the Okta AD agent installed in their data center, and we achieve high availability by having them install that Active Directory agent in two different data centers, so we make sure there's no data loss.
Ed Hiser: From there, the BPO manages their own spoke, so they have access to their own Okta spoke. They're responsible for the imports into that spoke, and that spoke then comes into the Dick's Sporting Goods hub. We enable that via the Okta application org to org. From there, it comes into our Active Directory.
Ed Hiser: Now we are using the identity manager tables to enable us to do additional audits, and some additional functionality with some other applications, but it does ultimately end up in our Active Directory tables.
Ed Hiser: From there, we now have the ability to provision the call center, contact center agents into our internal ADF authenticated applications, order management, web special orders, gift cards, et cetera. We also give them access to external applications that require authentication. Think your carriers, fulfillment partners, things of that nature.
Ed Hiser: As well as sites that don't require any authentication, but to serve it up in a one-stop shop, they've got access to our eCommerce sites and the postal service. This is what it looks like today, and we're in the process now.
Ed Hiser: We have a second spoke there of standing up another third-party BPO, who is coming in. Via that repeatable process, they are coming into their Okta spoke, which is coming into our hub. It's kind of, “In order to do business with us, this is what we kind of want you to do for us,” and it works.
Eva Sciulli: Thank you. Our Okta integrations have driven value into our customer service operations. With our existing and any new BPO partners, the ownership of identity becomes our partner's responsibility. This is a game changer for our IT support, and business operations teams. Our agent teammates have simplified access to our tools, as well as self-service password resets.
Eva Sciulli: Lifecycle automation has empowered our business operations to better understand BPO headcounts, and audit accordingly. Our license costs have reduced significantly. Most importantly, we have confidence when working with our partners that we have a winning playbook, to facilitate agent access to our tools.
Eva Sciulli: So much so that as we are currently onboarding our newest BPO, we are certain that our technology and access to it, will not be the long pole during stand up. Ed give them the stats.
Ed Hiser: All right, I was told not to read the slides. I'm going to read the slides. All right, so DSG and Okta are a winning team. We had 16 applications cut-over and go-live. We have three-time user-base holiday ramp. That's huge. 30% reduction in license spend for the first quarter, and so far over 5,000 lifetime users.
Ed Hiser: Big one for me, zero major incidents after launch, and really maybe a handful of minor incidents with that. You also factor in the seven FTEs that Eva mentioned previously with a holiday ramp, we didn't need them once we had Okta in place. Then as an added bonus, we had decreases in password resets to the service desk.
Ed Hiser: Right, that's kind of a no brainer as well. That's the ballgame folks. I want to give a big thank you to Oktane. To our Okta team, Tom and Mark, thank you. Now if there's any questions, we'll go onto that.
Daniel Lu: Otherwise we'll be around at the end of the session as well, to answer any one-on-one questions. Hope you guys enjoyed this talk, and let us know if you wanted to talk more. We'll be around.
Modern organizations are increasingly required to manage users that are more complex than traditional employees. These non-traditional users might be contractors, temp workers, third-party partners, vendors, or others. IT needs to ensure all these users, many whom IT may not directly own, get proper access to internal resources and applications without increasing the security risks. This might mean proper deprovisioning of a population that is in constant flux or enforcing MFA for users you don’t have control over. Learn how Okta helps with your extended enterprise and hear how Dick’s Sporting Goods manages this problem with Okta.