Protecting the Enterprise: Smart Strategies for Identity and Access Management



Lafe Low: Greetings everyone, and thank you for attending our webcast today. My name is Lafe Low and I'll be your moderator. I'd like to welcome you to today's webcast entitled Protecting the Enterprise: Smart Strategies for Identity and Access Management. This event is brought to you today by FCW and sponsored by Okta.

Lafe Low: Those government agencies continue in their efforts to modernize their IT infrastructure, their ability to successfully manage the identities of both internal and external users, whether those are employees, constituents, contractors, partners, suppliers, whomever, becomes more critical than ever before. Many of the advanced technologies that can improve government agencies' efficiency and effectiveness could also alter the security landscape. Things like using cloud computing platforms, the internet of things, mobile devices and solutions, and other technologies are tremendous tools to help improve the productivity and capability of government agencies, but they can also increase the potential attack surface.

Lafe Low: Plus additional perimeter security becomes a less viable means of protecting government systems and networks. Authenticating identity and authorizing access is emerging as a new front in this escalating war against cyber attackers.

Lafe Low: During today's webcast you'll learn how to assess the merits of a cloud-based identity management system, how federal agencies are bolstering their identity access management efforts, why user access controls have to be user friendly, how to apply lessons learned from the field, and how to prioritize best practices of an effective access management program.

Lafe Low: Our featured speakers today are Karen Wrege and Ted Girard. Karen is the Chief Information Officer for the Directorate of Defense Trade Controls at the Department of State. And Ted Girard is the Vice President of Public Sector at Okta.

Lafe Low: Well thank you all again for joining us today. Before we get rolling, I just have a few housekeeping items to cover. First of all, during the presentation today, if you'd like to enlarge the slides, just look for the square icon in the top right corner of the slide window. You can also view the presentation in full-screen mode by clicking on the squared arrows icon. If you would like to submit a question at any time which we strongly encourage you to do, just look for the question field to the left of the slide window. Type your question in there and hit submit, and we'll get to as many of those as we can at the end of the presentation.

Lafe Low: Should you have any technical difficulties during the session, just look for the yellow question mark icon below the slide window. Click there and someone will be able to help you out. If you'd like to download a copy of the presentations you're about to see, just look for the Resource Center below the question field.

Lafe Low: And then finally, within the next day or two, we'll email you a link to an archived version of this session so you can review it again or pass it along and share it with a colleague. The on-demand version will be available for 90 days after today. And now without further ado, I'd like to hand things over to Karen.

Karen Wrege: Thank you so much. It's so good to be here. I'm going to start out by running through a little bit of the agenda for the presentation part of this webinar. I'm going to do a little overview about the DDTC IT Modernization and our objectives for Identity and Access Management. We'll turn it over to Ted, who's going to talk a little bit about Okta. And then we'll have a roundtable discussion and a Q&A.

Karen Wrege: I'm going to just talk a little bit about what the Directorate of Defense Trade Controls is. We're part of the Department of State, and we're a regulatory agency. And what we do is we ensure that commercial exports of defense articles and defense services are consistent with US national security and foreign policy objectives. So what we're doing is we are basically adjudicating licenses for any entity in the defense community that wants or needs to export those goods and services overseas.

Karen Wrege: So we establish and maintain the regulations, which is referred to as the ITAR. We register entities and individuals, and everyone who does business with the Department of State Directorate of Defense Trade Controls must be registered. We adjudicate export licenses. We respond to any inquiries about the process or any questions that people have about whether or not we have jurisdiction over their commodity or the service. And then we promote and enforce compliance of our rules.

Karen Wrege: So on the right hand side here is just a little about myself that you can read at some point. We'll sort of move on.

Karen Wrege: All right. So I love this slide. I'm not exactly sure on the left hand side what we're doing here, but I think the cluttered desk is sort of a great metaphor for our legacy systems. We have a lot of data. It's in a lot of different places. It's duplicated. It's not easy to access. We're not as transparent as we might like to be, both to our regulatees, but also even within the Directorate.

Karen Wrege: And so when I came on board, I was tasked with modernizing DDTC's IT platform. We have a series of legacy systems that have come online over the last two decades, and I had some experience with doing cloud-based technologies, and the new platform that we are in the process of deploying is called the Defense Export Control and Compliance System, and of course we have an acronym. It's DECCS. And what it's going to do is... We've already launched pieces of it, but by the end of the year we'll have launched the entire application suite, and it basically will transform all these disparate systems into a single system, a single online access point for industry, and a single set of tools for our internal users to be able to more quickly and more efficiently process registration applications, licenses, questions, retransfer requests, and all the other different types of things that we need to look at.

Karen Wrege: So this is really a case management application. So our major use case is case management. And it's common in all of government to have case management dealing with an industry or citizen facing, and so it has its own unique challenges as a primary use case for identity management.

Karen Wrege: Regarding the topic of identity management, I've been in the software... I've done a lot of software development for government and non-government, and back in... I'm probably dating myself a bit, but we always did all of this using whatever was the... whatever we were using, we would always build it ourselves, right? And so coming into this role, I was unaware of what was available in the marketplace and assumed that we would be building identity management and access control in our application. And so I was really fortunate early on, relatively early on, that I learned about... I was at a ServiceNow conference, and I learned about the FCC's use of ServiceNow, and the various tools associated with that. And FCC was using... their plan was to use platform as a service for everything. And this is a regulatory agency, and the good news there was that I really understood the use cases because I had spent 10 years at the FCC.

Karen Wrege: And so it was very interesting to see those presentations and notice that they were using ServiceNow, Okta, and Box. And frankly, after that presentation, I said to myself, "I think I'm done." Because if it works for the FCC, it's going to work for the State Department because the FCC licensing process is extremely complicated, and not to say that the Department of State's process is uncomplicated. It's complicated in different ways, not from an IT platform perspective, but more from making sure, you know, the stakes are really high with exports and making sure that you don't allow an export through a bad guy or to the wrong country.

Karen Wrege: In looking at access management and recognizing at that point that there was an off-the-shelf product, which because I'd been so involved in software both in my government career and also when I was in the private sector, I did what lots of government people do which is, okay, what is going to be the easiest for me and my team, and how can I get out of this business and go back to what we do as a mission?

Karen Wrege: So I wanted easy procurement. I wanted to make sure that it was fedRAMPed approved. I wanted to make sure that there was simplicity in configuring and implementing it both with custom applications and with software as a service or platforms as a service. And so those were sort of my criteria for an access management system. And based on these objectives and the requirements and the fact that there was a proven case that was so similar to ours at the FCC, we chose Okta as our IAM solution with the main focus of our use case being the external users, which we have thousands of external regulatees that come into the system every day to request adjudication of licenses.

Karen Wrege: And then somewhere along the line, it was after I had made the decision and I had worked the main Department of State to keep them in the loop in terms of what I was doing for my use case, I was invited to be part of a tiger team to sort of look at this issue more broadly across the Department of State. And that was... The use cases are more complicated in that they're lots of internal users of all different types, both in-country and out of country. There's contractor personnel. There's local personnel at the post. There's external users, you know, needing visas, and passports, and all of those things that our Consular Affairs colleagues do. And what we ended up doing was coming up with a set of criteria in that case as well, and kind of selecting a best of breed approach with Radiant Logic, SailPoint, CyberArk, and Okta. So we have all four of those tools that will be used, and we're sort of right at the beginning of deploying those things for sort of the larger Department of State for all the users, internal and external.

Karen Wrege: This slide basically just covers how to get in touch with us, with my IT Modernization Team, and general inquiries about what we do, and then technical assistance for what we do. Those are the contact information.

Karen Wrege: I'm going to turn it back over to Lafe, who's going to introduce Ted.

Lafe Low: All right. Thank you very much, Karen. Sounds like you've got some great modernization efforts there underway at your department.

Lafe Low: And as Karen said, now I would like to introduce Ted Girard with Okta. Take it away, Ted.

Ted Girard: Thanks, Lafe. I appreciate it. Karen, awesome.

Ted Girard: So first off, I'm Ted Girard. I'm the VP of Public Sector at Okta, and what I'd like to do is take maybe the next five minutes and tell you who Okta is. I'm assuming some people on the Webex know who we are. Probably a bunch of kids have never heard of us before.

Ted Girard: Okta was founded in 2009. And what we launched was called the Okta Identity Cloud, and we pioneered a concept called... in a new market called Identity-as-a-Service. And our founders realized really early on that the world was changing and that mobile cloud stack was going to transform the way that IT services were consumed and delivered. And they also recognized that the current slew of identity management systems were ill suited to meet that transformation. So what they thought was needed was a modern cloud platform for identity that would reduce complexity, would increase uptime and security, would remove end user friction, and could be deployed in record time, in cloud-speed type time. And so that's what they set up to build, and they launched the Okta Identity Cloud.

Ted Girard: The Okta Identity Cloud... I'm going to scroll over the next slide here. Is a platform service built up of independent identity services. At the base of our service is something that we call Universal Directory, and that's what allows us to connect all the disparate identity stores throughout your enterprise, delivering a 360-degree view of who's who within the enterprise, both internal and external. And then we have a series of services like single sign-on. Once we get past that, we can step up authentication and multi-factor authentication. We can automate the provisioning and deprovisioning of users with our lifecycle management capability. We can secure identities across APIs with our API access management capability. And then we can have software development kits where you can embed Okta into your custom applications.

Ted Girard: So if you've ever logged into Experian to check out if your name's on the dark web, it looks like you're logging into Experian, but you've actually deployed into Okta. If you log into JetBlue to check on your frequent flyer miles, you've actually logged into Okta. If you use Adobe's Creative Cloud or Marketing Cloud, you're actually using Okta, and that's our external facing piece.

Ted Girard: So at Okta, Karen really did a good job of describing this next slide for us at the State Department. At Okta we view the world in two different lenses. One is we got a series of products. Although we got a single platform, we've got use cases for what we call workforce identity, and those are to support employees and contractors that show up to work every day to do their most significant work for the agency mission that they serve. But then there's also a set of solutions from Okta that supports our customers' customer. And in Karen's case, that's where she fell. When we first met with her, she was trying to solve the problem of, "Hey, I've got to modernize my system that interfaces with aerospace and defense contractors in this new case management system that we've built." That's a very strong play from Okta.

Ted Girard: So what we were able to do at State Department is solve Karen's problem, but then have a bigger discussion with all of State, and say, "Hey, we can also solve the workforce identity problem as well. So we see a joint use case solution on a single platform from Okta."

Ted Girard: Kind of our view of... our founders' view of the history and future of identity looks something like this. So yesterday, the network was the perimeter, and we put everything we had in our data centers, protected the perimeter with firewalls and VPNs, and we got our identity as part of the application stack, and we were... organizations were either an Oracle shop or a Microsoft shop or a CA shop, and your identity was part of that stack, and you bought all the corresponding infrastructure, and got the people, and you built it yourself. And Karen kind of related to that. She started off saying, "I'm going to build it myself." And typically when you build it yourself, you customize the daylights out of it to make it your own.

Ted Girard: What we see today is that no longer works. Trying to extend that infrastructure into a mobile cloud stack type environment is really complex. It's very costly. It's time consuming, and quite frankly, doesn't work as elegantly as systems that were purpose built for this modern computer era.

Ted Girard: So at Okta the thought is identity needs to be its own independent and neutral platform. You need to connect to everything. You need to connect to cloud. You need to connect to on-premise. Anywhere the data seems to be needed, it would connect there quickly and securely. And in order to do that, you have to be an independent... a neutral platform to do it. You've also got to be able to deliver identity as a microservice for organizations that are building their own app and embedding identity in that app, in a clean, simple, seamless fashion that looks like the application. You get your developers to build to best experience of the application they're building and not have to worry about the security because you can outsource that. Like I said, companies like Experian and Adobe have done that.

Ted Girard: Looking forward, we've got a pretty bold vision. We think that identity needs to be a universal platform that connects everyone to everything, and it's our goal to become the identity standard.

Ted Girard: So in the beginning, I said Okta's... 6,000 customers globally, global brands around the world, every single vertical. I run Public Sector and Federal in specific, and we've seen a really rapid adoption. So today is a pretty auspicious day. We started the Okta Public Sector vertical on February 12, 2016, so today's our three-year anniversary doing business in the public sector space. And the beginning was a little difficult in that we were a commercial cloud service. We didn't speak federal government language, and there were certain things we needed to do in order to be consumable by the federal government.

Ted Girard: Karen alluded to that. She said, "I needed something that was FedRAMP authorized." The very first thing we did was enter the FedRAMP process, and that took us from February of '16 to April 2017 with our sponsor, Department of Justice. Karen was one of the early adopters after that. Once we had it, she was like, "Let me see it." And since then, we've seen a really rapid adoption of Okta in the federal market space.

Ted Girard: One thing that's in common across all these logos, and these aren't obviously all of our customers in the fed space. But one thing that's common... Actually there are two things in common. One was everyone of these customers was doing some fairly major modernization initiative. With Karen, it was modernizing DECCS. With others, Navy was MyNavy Portal. But there's got to be some modernization initiative.

Ted Girard: And the second thing that's common to most of all of them is they realize-

Lafe Low: Now that's an impressive list of agencies that you're working with there, Ted.

Ted Girard: Thank you.

Lafe Low: Oh sure. Absolutely. I've certainly used Okta logging into JetBlue. I'm a flyer there.

Lafe Low: Let's dive in a little bit deeper and hear some more about what you've experienced and what you're doing there at the Directorate of Defense Trade Controls, Karen, before we get into the audience Q&A portion. Ted mentioned that you were certainly an early adopter. Now Karen, when did your agency realize you had an identity management issue, and how big of an issue was it?

Karen Wrege: It's funny to call it an identity management issue, but yeah. I didn't actually realize I had an identity management issue at first because, like I said, I was really so focused on building the applications. It was when I got into ServiceNow and when I talked to those providers that I said, "Man, this is so much simpler than it used to be," and for good reason. So that was the first time when I actually realized that I've already made a mistake. I didn't know what I didn't know, and it turned out that it's a big issue.

Karen Wrege: And my story is kind of an interesting one in that I was a little bit far down a path of doing some custom applications, building an identity and access management system as part of that, and I kind of thought I needed to continue down that road. And that turned out to be a colossal mistake. As it turned out, it took a long time, as Ted talked about. And it was really never right. And so we built it, and it was complicated, and it didn't work very well, and I had to go back in and basically have Okta for those applications as well. So I did a complete about face, but I wasted a good bit of time and a fair amount of money not realizing that this is really not just good for integrating with ServiceNow, which is what I had originally thought, but it is very quick and very simple to integrate with custom built applications. And that was something that... yeah.

Karen Wrege: So identity management has sort of creeped up on me. I still didn't realize what a big problem it was. I spent a lot of time and effort, and then it sort of whacked me in the head again. And then now I'm happy to say that I'm beyond that, and we have Okta for both our ServiceNow applications as well as our custom built applications.

Lafe Low: Sounds like there were unnecessary layers of complexity by doing it yourself there.

Lafe Low: But once you came to that realization, you didn't need to build it yourself, what sort of tools did you consider as you were looking around for a solution to your identity management needs?

Karen Wrege: Well, I actually... you know, I was introduced to Okta early on with the FCC example of where that was done so successfully, and I really felt... had spent a lot of time talking to ServiceNow and the other providers, and really felt like Okta was absolutely perfect for the external facing applications that we were doing with ServiceNow. And then, of course, after using Okta, that's when I said, "You know, this is going to be faster and easier than the work that I've been doing on these custom applications."

Karen Wrege: And so, the key thing for me, frankly, was that it was easy to procure and it was FedRAMP certified, because if it didn't have the FedRAMP certification, it would have been really difficult for me to get an authorization to operate. And I didn't want to spend my time doing that when there were so many things that we needed to do to modernize and get off of our legacy system. We needed to both modernize our business process, but also really get off of some very old infrastructure.

Lafe Low: That makes sense. Now-

Ted Girard: I want to add to that FedRAMP case.

Lafe Low: Sure. Yeah.

Ted Girard: I didn't realize how important the FedRAMP authorization component was, and it was... I think the federal government's been conditioned to not talk to folks until they actually have it. I think the early adopters of other vendors... they got the, "Hey, we're going to have FedRAMP in a month." And they would buy it, and then the FedRAMP process doesn't take a month. The FedRAMP process is a pretty laborious process, and customers would end up buying a service that they couldn't use for six, eight, 10 months because thy didn't have the FedRAMP authorization.

Ted Girard: So Karen, I know you were one of those. You were like, "I'm not talking to you until you have FedRAMP."

Karen Wrege: Right. And part of that, Ted, you're right. I got burned by that. I didn't realize what a lengthy process it was, and I have made that mistake too, of purchasing something hoping that it's going to be FedRAMP authorized and going to get through my ATO relatively simply, and it hasn't worked out that way. And so, I can vouch for the fact that even with Tableau, I was... until you have your FedRAMP, come talk to me then. Because I want to make sure that what we have is... Especially when you have all these different platforms, and you have to... each one takes a lot of time through the assurance process to get authorized.

Karen Wrege: And so if you've got all these different components, if you have half... a couple things that aren't FedRAMP, it really, really delays it from the authorization operate perspective. So that was a big, big deal for me.

Ted Girard: It's a big, big deal for everyone.

Lafe Low: Sounds like it. Yeah, it sounds like it's definitely better to wait until the solutions have FedRAMP certification before charging ahead.

Ted Girard: Yeah, back in the day, you could be in-process for NIAP and customers would talk to you and buy your stuff. That's just not the case.

Lafe Low: It's not the case.

Ted Girard: If you're in-process on the FedRAMP website, that's... they'll say, "Come see me when it's authorized."

Lafe Low: Now Karen, it sounds like your first... just talk a little bit more about how you first approached this process. It sounded like you started off building your own solution. Can you tell me a little bit more about that experience?

Karen Wrege: Well, we were pretty far down the road before I had even talked to ServiceNow about doing case management, to do some of our more sensitive applications on Microsoft Azure, a cloud provider, but actually building our own custom applications. And so that seemed like a good idea at the time. And some of those applications... and part of this is this concern we have very sensitive data in this thing. And so the question was, where's the security going to be most solid, and how am I going to get through this authorization to operate process?

Karen Wrege: And so we did the custom application. Started down the identity and access management as I noted before, and actually, once we had deployed, or once we had implemented and started testing Okta with ServiceNow, I said, "Jeez, this is so clean. This is so user friendly. This is so easy. And the stuff that we've built custom is complicated and difficult, and just is going to be too much of a different experience for the same users," that I basically had to make the choice at that point to move over and use Okta. And it was not a difficult choice. It was just difficult to have come so far with the custom application and have to sort of regroup and do Okta on the...

Karen Wrege: But I'm happy to say that, you know, this was a recommendation by Okta at the very beginning that I didn't take, and I should have as it turns out. But I just was not convinced that they were going to be able to be as integrated as quickly and easily as they said they could do. I said, "Yeah, yeah. Yeah, right. Okay." And it turned out that they could and that I should have taken their recommendation. But I did, to my credit, I learned quickly and got off the path and started again. And that's been sort of the way my career has gone with all of these emerging technologies is try something, and if it doesn't work, regroup, and make a different decision and move on.

Lafe Low: Learn from your experiences. That's a good way to go, for sure. Well, you mentioned also, you had some very sensitive information that you're dealing with there, so I can imagine security was certainly top of mind.

Karen Wrege: Our licensing, the identity... the access management and identity that we've been using in our legacy systems have been digital certifications, and this was another big issue that I was... Okta has worked really closely with us, and with other federal agencies that have the same use cases, to allow us to use anything that's in the federated bridge, it can be used as the identity. Because what we want to make sure of is that, that we know exactly who is submitting these applications for licenses.

Karen Wrege: And so, there's a whole set of digital certifications that are just plug and play with the Okta identity solutions that would have been even more complicated to try to custom build. So that was a huge... that was a huge factor in me moving over to Okta was their ability once they showed me that, "Yeah, we can do this. We can take any of these digital certs, and we can incorporate that use case into our platform." Then I was completely converted, and that's when I made the change to use Okta for everything.

Lafe Low: You've alluded to this a bit, but what really steered you to take the approach that you did? What were some of the factors that contributed?

Karen Wrege: As I said before, it was security, it was... And security in a number of different fronts. It was making sure that we had the right identities and we knew who we were dealing with in terms of who was asking for these licenses and who we were providing adjudicated licenses to. It was also the ease of being able to incorporate this technology into our applications, and I guess, the ability to get it authorized to operate since it was FedRAMP certified.

Karen Wrege: And those were, I think, the main reason. And I have to say that it's just a really easy experience for the customers, and sometimes these things can not, can be more convoluted and can be less streamlined. But I think because Okta is only doing this, this is what they're thinking about, and they're doing a better job than just a typical development team that is more focused, frankly, on the mission, which they should be. But identity can create so many help desk tickets and so many problems, and in terms of permissions and all of those sorts of things, that it's really nice to have a company that is focused solely on that particular part of these applications.

Lafe Low: Certainly as critical as it is to ensure solid identity and access management, you also want to make it relatively easy for the people to use so they don't ignore it or try to work around it.

Ted Girard: Lafe, that is like the number one thing. It's... we call it taking friction from the user. Typically, when you add security, you put that burden on the user. Our goal is to add security while lessening the burden on the user.

Lafe Low: Valuable philosophy, for sure. All right.

Lafe Low: Now throughout this process, Karen, did you encounter any cultural barriers, and if so, how did you work around those?

Karen Wrege: I think initially when I went to our... the assessors for the authorization to operate, there was initially, and this was a few years ago, there was reluctance about even using the cloud for any of that. So it wasn't in particular about Okta, although they were certainly a part of it. But any of these platforms were not the way that we do business. It was... And this was when I first started. It was, "What? The cloud. What are you doing? Why are you talking about that?"

Karen Wrege: And then what happened, and I've been here for four and a half years, so what happened is that people started thinking about it and so very, very slowly at first people were more interested in using the cloud and understanding the benefits, and understanding the benefits of some of these platforms to the point now where fast-forward four years, we have enterprise licenses with ServiceNow and Okta. So we've come a long way in it seems like a short period of time for government, but it was a number of years. So being the early adopter on this, it wasn't that popular and people were wondering what I was doing, and I think were a little bit nervous about what I was doing initially. And so I'm feeling really much more comfortable in my job and my role now that everybody's sort of very enthusiastic about these kinds of platforms and using them all over the Department of State.

Ted Girard: I'd like to add onto that, Lafe.

Lafe Low: Oh, sure. Yeah.

Ted Girard: I mentioned it's my three-year anniversary today in the public sector, and the discussions I'm having today with the federal government vs. the ones I had three years ago are diametrically opposed. And the folks that... Literally in our first year we had two customers. It was the Department of Justice and FCC. And Department of Justice had a complete burning platform problem where it was like Karen's, a case management system where they're putting all federal case files into Box and ServiceNow, and they couldn't figure out a way to authenticate users into that incredibly sensitive, sensitive data. Turns out we're probably the only company that could do it, so they had to do it.

Ted Girard: FCC, they had a very bold strategy. They were doing everything cloud. So then Karen comes on board. It was not a popular thing to do. It was... People thought they were crazy. Like, "What are you doing? This is nuts. You can't go cloud. It's not the cure. It hasn't been proven." In the federal government, no one likes to be the first one in the pond. But we built our business off those successes, and the conversations I'm having now, it's... government is adopting cloud in a really rapid fashion. And I would say it's one of the fastest transformations I've seen in my history in government. They've gone from being allergic to cloud, to, "We have to do this."

Ted Girard: And I'm seeing it across my peer groups. ServiceNow, Box, the folks at Salesforce, Workday, they're all having meaningful conversations in transforming the government, and that makes what Karen did scary when she did it, was bold that she did it, but she's not the only one in the pond now.

Lafe Low: That's certainly a positive experience it sounds like.

Ted Girard: Well, we had to make sure that was the case.

Lafe Low: I want to add just a quick question that occurred to me, and I'd ask both of you. Do you think this increased adoption of the cloud and newer technologies is more driven by federal mandates, or were they realizing these success stories, realizing that it actually does work?

Ted Girard: I think it's a combination of both.

Lafe Low: A little of both? Yeah.

Ted Girard: Yeah. It's definitely the mandates are pushing it. Instead of saying, "Hey, you should think about doing cloud," it's like, "Hey, you're going to do cloud."

Lafe Low: You have to do it.

Ted Girard: Yeah, you have to do it. That has... Your first question was about culture, right? The culture's definitely shifting at very high levels of government. It hasn't made it all the way down into the mid-range yet. It's also people that want to do things the way they've always done them. But that pressure is causing change. Having positive experiences also helps that, right?

Ted Girard: When Karen can call the FCC and they're like, "Dude, this is awesome," that makes it a lot easier for Karen to begin to trust us. And to try. And any other group that wants to get on the journey.

Lafe Low: Absolutely. All right. Now Karen, as you worked through this process, were there any sort of risks or other factors you experienced that might have added some complexity as you worked through implementing identity management there?

Karen Wrege: Well, I think that probably the piece that I mentioned earlier with the digital certifications as our means of authenticating was something that initially it was not part of the Okta solution and it was sort of mid-stream that it was added. So that was a factor for us, for sure, because we were not going to... we needed to have that level. And there's a lot of agencies, I think, that need that, and so it was great that we were very aligned with Okta in terms of it was something that we're getting there and it's going to be sooner rather than later. It's our top priority.

Karen Wrege: And it really was because it happened fairly quickly in, I think, in the Okta lifecycle, at least from my perspective. So that was something that I thought was, it was a show stopper for me. And I think that was, in retrospect, that was why I thought I had to do it myself, and why we went down that road to begin with. And so that was a complex piece of this.

Karen Wrege: And I think that there were other... there were concerns. I noticed that there was a question from our listeners about whether Okta's FedRAMP low, medium, or high. We're a medium system, and Ted can probably talk about whether there's any plans on the high front. But our data is categorized as moderate, and so that was an important piece of this for us. That was the beginning of when I started talking to Okta was being FedRAMP moderate because I wasn't interested in going down the road that Ted described before where it might take six months, it might take a year, to get the FedRAMP certification.

Lafe Low: Absolutely.

Ted Girard: I was literally just typing an answer to the question, so I'll just answer it now. So we are moderate. We have an IO2 accreditation from DOD, which is from DISA. We've done an assessment for IO4 equivalency pushed by US Navy. We've completed that audit. We'll have the findings I think in March when we echo back to Navy, so we expect an IO4 equivalency. We've committed to going FedRAMP high. That's funded. We're not in process on the FedRAMP website yet, but we should see that soon. Again, Karen, that's another 12 months, right? To get to that product.

Karen Wrege: Yup.

Ted Girard: We've committed to going.

Lafe Low: That's great. That's great. All right. Well, Karen, you've certainly been at it for a while there. What sort of metrics or results are you seeing from the process?

Karen Wrege: Well, Jeez. I think that... the ease of actually implementing this solution went from... it took us 9, 10 months to build this on our own, as complicated as it was with all these digital certifications and all of these different applications, and pulling together all of the permissions, and access managements, and all the rest of it to... It took us, I don't know, two months to replicate that using Okta. So that's a huge... That's just... I can't even imagine that. I never would have thought it, but it was very quick and they were very supportive.

Karen Wrege: In terms of the difference in the metrics associated with our process for getting a user onboarded, you know, the external user onboarded, we have a very, very manual process for that that involves faxing, it involves people taking pieces of paper and moving them between their colleagues, and all sorts of insane stuff in our legacy process for onboarding a user from an entity. And when I talk about that, it's like the main user. So we have this concept of a super user and they've got to get a letter from their empowered official, and you know, they've got to do all of this crazy stuff. And so it would likely take an industry participant to get a super user account, if they were really motivated, it would probably take for us to set it up and do the whole thing, three or four days. If we're really motivated. And for some people, if they didn't have it quite right or whatever, it might take longer than a week.

Karen Wrege: And what we've been able to do is take all of our legacy users, migrate all that data, and literally a super user account is already created. There's an email that goes out, and all the person has to do is log in, and put their two factor authentication, and they're done. It's all of... I don't know how long it takes, 30 seconds, 45. So we're talking days to seconds. And that's the most impactful metric I can think of that really kind of brings it home how simple this process is.

Karen Wrege: And for someone new, it's going to be just as simple because we're modifying our business process, of course, as part of this modernization. So somebody registers, they identify who the super user is, they give us their email in that filing, and automatically, boom, Okta sends them a notice and says, "You're the super user. Come on in and get your cell phone ready because you're going to do the two factor authentication." 30 seconds later, they've got an account.

Lafe Low: Removing some of the friction as Ted was saying earlier. Absolutely. All right.

Lafe Low: Here's something you probably both want to chime in on. What sort of advice would you have for an agency that wants to get started in deploying an identity management solution? What sort of first steps should they take?

Ted Girard: Karen, can I start on that one?

Karen Wrege: Please.

Ted Girard: All right. Users have been conditioned that identity and access management is like a really difficult, longterm, complex problem to solve. And that's not the case with modern identity services. So we can start very quickly, very small, a lot of times free to get started. So it would be... My suggestion would be, "Hey, you're not entering into this multi-month kind of endeavor where you're allocating teams of people to support this thing to see if it works." It can be done... We've done proof of concepts in days, and a week kind of a thing. So it's easy to get started. It's simple, setting up an org. Our company likes to say we're a commoditized service. We're not customized for anything. We don't... The stuff that Karen uses is the same thing that DOJ uses, it's the same thing that Navy uses. The only difference is certain configurations that are unique to each environment. So it's really rapid to get started, and it can be a very, very low cost to do it. So we could... just go.

Lafe Low: Yeah. Just start.

Ted Girard: Just start. It's just finding the time to start is the tough part. A lot of things on people's plates.

Lafe Low: Absolutely. Absolutely. Karen, did you have anything you wanted to add to that?

Karen Wrege: No. I think that's a great way of approaching it. It would have been... It's interesting because even if you're worried about configuring Okta with something that you're building that's not an off-the-shelf thing, I just would really encourage you to take seriously the notion that this is a solution for that as well. Don't make the mistake that I made thinking that it's only for the ServiceNows or the Salesforce, or any of those that-

Lafe Low: All right. Now Karen, you also mentioned you're doing a lot with internal and external users. What are some of the primary considerations or things you have to keep in mind between the differences of how you manage those users?

Karen Wrege: Well, as Ted was saying, these are two different products within the platform, and the use cases are quite different from our perspective at State Department. We want one identity across State. There was a question actually on the board about whether the entire Department of State is using Okta at an enterprise level, and we are using it. Our plan is to use it at the enterprise level for cloud services. So that would be anything where a State employee is wanting to go on Office 365 to do email, so they're offsite. All of that would be through Okta. And then, of course, all the external users will eventually be going through Okta to get to the services that we provide.

Karen Wrege: So I think... I'm not the expert by any means on all the good work that my colleagues are doing in the main State Department IT shop with all the internal users, but I do know just from my own perspective that I have internal users, they are small in number, and look, the important thing for the users is not that different from the external users. They need to be able to get to the right data at the right time from any device to the extent that they can go from any device. Now depending on the level of security around the data, they may not be able to do it from any device.

Karen Wrege: But that's really what we looked at from the Department-wide vantage point is that we wanted to provide employees with easy access to the data they need at any time from anywhere. And that was sort of our tenet. That was our marching orders is, go find that and make sure that it's secure. But make it easy on the users to do their jobs and get to the data they need to do these mission critical activities.

Ted Girard: Lafe, the one thing I would add to that is the thing that's unique to the federal government is with HSPD-50... What is it? HSPD-12, PIV and CAC cards are everywhere. And that's unique to the internal users. So from an Okta perspective, when we deal with workforce, our workforce identity, we have to integrate with PIV and CAC cards. We have to take those certs and be able to integrate with that.

Ted Girard: On the external side, you typically don't issue a PIV or CAC card to an external user, but you want to have as close to that same level of security and trust. So for example, with the Navy, with their external portal, it's something called MyNavy Portal, all sailors, family members, beneficiaries, need to have access to the benefits. And in the past it was you had to go on base with a CAC card to get that, and that wasn't a user experience that was beneficial to the service members of the Navy.

Ted Girard: So Okta can deliver really secure external multi-factor type capabilities to external users, while simultaneously on the inside, accept the most secure factor which is a PIV and CAC card that has the cert on it. So what Karen said, the use cases are totally different. You need a platform that can be able to work both.

Lafe Low: That can handle both, absolutely. Now before we move into the audience Q&A, do you have any final thoughts? Any final bits of advice for agencies that are interested in increasing their identity management faster?

Karen Wrege: Ted, do you have anything?

Ted Girard: It would be really self serving-

Lafe Low: We covered a lot of stuff here.

Ted Girard: My only advice and my only recommendation would be agencies are modernizing. They need to consider modernizing their identity infrastructure as well. They're going to come to that conclusion at some point-

Lafe Low: Got to be part of it.

Ted Girard: It's going to be part of it. When you're modernizing, think about modernizing identity and access management because that's an important component of your effort, and you'll figure it out sooner or later.

Lafe Low: Absolutely.

Karen Wrege: And that's actually really great because of the sooner rather than the later, right? Because it's like anything else. You want to bake in your security. You want to bake in your identity management and access controls, and so I think that's great advice, Ted, because that's the piece that didn't work out exactly the way I, in retrospect, would have hoped.

Ted Girard: I think you've taught some people. The Office of Comptroller Currency just released a five-year contract to modernize eight major mission systems for OCC.

Lafe Low: Oh wow.

Ted Girard: First task order... Was won by Unisys. First task order was to do identity. They're going to do identity before they start the first eight mission systems, which is-

Lafe Low: All right. Good level of priority there, for sure.

Ted Girard: Well, that's right from our playbook anyway.

Lafe Low: Absolutely.

Karen Wrege: And it makes sense though, because the idea-

Ted Girard: I think they'll be well served.

Karen Wrege: Yeah, it does. It makes sense. But it's often overlooked.

Lafe Low: All right. Well, thank you for those valuable insights, Karen and Ted. That's some great stuff we've covered here. I've got time to move into a few questions from our live audience. Before we do that, I just want to quickly remind everyone that you can download a copy of the presentations you just saw. Just look for the Resource Center below the question field.

Lafe Low: All right. To start off we've got one question here. It's probably suited for you, Ted. Now is the AWS identity access management in Okta, are those the same product?

Ted Girard: They're not the same product. So Okta, from day one we've been hosted on Amazon. Our founders looked at all different platforms. They chose Amazon. And I thought that was a really good decision.

Ted Girard: Amazon has their own product. We partner very closely with Amazon being that we're hosted in Amazon. We're part of the Amazon partner network and we're part of their... it's with AWS to ATO platform, so we're close partners with them, but completely different products.

Lafe Low: Got you. Got you. All right. Here's a question probably more suited for Karen. Karen, in your experience, how is the process of setting up standardized roles and permissions?

Karen Wrege: Well, yeah. That's such a great question. It's very, very easy to do in Okta, but as you probably know, it's not easy to get everybody agreeing on what the standardized roles and permissions are. So I think we spend 90% of our time, or maybe even more, working with stakeholders and making sure that the office directors and the division chiefs were comfortable with what data other organizations could see, edit, insert, whatever. So those permissions took a lot of coordination among all the different divisions, offices, and that was really the heavy lift. Actually implementing it in Okta was a very short order, very simple. But again, it was a big deal. Because we were really changing fundamentally the transparency of the data because we were all in silos before in our legacy systems. So no one had access to other offices' data, and that was one of the things that was one of the major tenets of the IT modernization was to increase transparency across the enterprise data.

Lafe Low: Was there much customization involved in implementing your identity management solutions?

Ted Girard: I hope not.

Karen Wrege: No. No.

Lafe Low: Ted, you alluded to the fact that you don't do much customization, so I would..

Karen Wrege: No. It didn't even come up. There wasn't anything where they had to put us back in our place and tell us not to... because you know, because it just worked. So we didn't... There was nothing special. As I mentioned before, we did have all these digital certs that we wanted to have incorporated, and that was all incorporated in the platform, so that was work that Okta did. And then we just were able to use it out of the box.

Lafe Low: Perfect. Perfect that's definitely how you want it to go. We probably have time for one more quick question here. How was the process of integrating Okta with your existing tools and systems?

Karen Wrege: Like I said, it was surprisingly very easy-

Lafe Low: Easy, yeah.

Karen Wrege: ... to implement with our... And we weren't implementing it with our legacy systems that were old and ancient. We were implementing it with modern systems that we were building. And it was very straightforward and the documentation was really good, and we were able to pick it up without a lot of issues. There were a couple questions that we asked Okta directly, but that support was there, and we were able to do it very quickly.

Lafe Low: Sounds good. Sounds good. Like a good straightforward process.

Ted Girard: I would add to that that one of the... other than the platform, the two key things that Okta focused very heavily on, one was being able to connect to our customers' identity stores in a really seamless, delightful fashion, better than the vendors that they have. That was one mission. The other one was to create a network of applications. We call it the Okta integration network. We've got over 6,000 applications that are pre-integrated for our users, and there's more being added every single day where we've got this whole network effect going on. We want to take our customers out of the integration business. That's the time consuming piece of identity management where you go, "Okay, I need it now. Talk to this," and that team has to come in and create that integration. Okta has done those for you.

Ted Girard: On the legacy stuff like Karen talks about, those are a little more difficult. There's partnerships we have that help us connect to those, but for any modern type stuff, that work should be done.

Lafe Low: Sounds good. Removing more friction as you said earlier. All right.

Lafe Low: That's about all the time we have for today. I'd like to give a huge thanks to Karen Wrege and Ted Girard for a very informative session. Covered some great stuff here. And I'd also like to thank Okta for sponsoring this webcast.

Lafe Low: I want to remind those of you in the audience that again, within the next day or two we'll email you a link to an archive version of this session so you can review it again, or pass it along to share with a colleague. Thank you very much for attending today, and this concludes today's webcast.

As government modernizes its information technology capabilities, the ability to successfully manage the identities of internal and external users – employees, constituents, contractors, partners, suppliers, et. al. – will be more critical than ever. Many of the advanced and emerging IT tools that improve government’s efficiency and effectiveness also alter the security landscape.

Cloud computing, the internet of things, mobile solutions and other technologies are boons to government, but they enlarge the potential attack surface. And as perimeter security becomes a less viable means of protecting the government’s systems and networks, authenticating identity and authorizing access is emerging as the new front in the escalating war with cyber adversaries.