Stories from the Trenches Scale & Growth in the Cloud
Wendy Busath: Hello everyone, wherever you are in the world. This is Wendy Busath and this is Oktane20 and we're sharing some stories from the Trenches today about how we can scale and grow in the cloud with Okta and I'll be presenting with a couple of other folks, Ben Hutchins and Joseph Doyle who I will introduce a little bit later in the presentation. I would like to start off by just kind of displaying our safe harbor slide. This is just telling everyone that Okta is a publicly traded company. Anything we talk about today may or may not actually happen, so just be aware of that and feel free to read this slide at your leisure.
Wendy Busath: I'd like to start by introducing myself. I'm Wendy Busath. I'm a senior solutions engineer for Okta. I've been here at Okta for about two and a half years now and I've had quite a long career in identity and access management spanning back 20 or so years, that's dating me, but then I would also like to introduce briefly, Ben Hutchins from The Church of Jesus Christ of Latter-day Saints as well as Joseph Doyle from Rubrik who will be presenting along with me and like I said, I will introduce them in depth a little bit later.
Wendy Busath: I'd like to start talking about moving to the cloud and how Okta can help companies move to the cloud. As we all know, a shift to the cloud is definitely happening and folks are taking advantage of IaaS, and PaaS, and SaaS and they're really starting to learn how much quicker things can happen with the use of the cloud. Back in 2018, 79% of all IT professionals said that cloud was important and they predicted that that would go up to 87% over the next two years and here we are in 2020 and I think that's definitely happening.
Wendy Busath: With the shift to the cloud, we get a lot of benefits, but we also need to realize that a centralized point of control for all of these services spread out everywhere is really becoming a linchpin. It's very important to get that solved, and so as we are learning that identity is now the foundation for modern security, not necessarily the network perimeter anymore, we're learning that we need to do several things and I'm going to give four examples of things that are just absolutely critical today.
Wendy Busath: First of all we want to centralize identity and access control via single sign-on and single sign-on is super important because we can avoid things like password reuse and avoid things like password spraying attacks where if somebody learns one of your passwords, they can go through and try that password with all of the other applications that you have. Using single sign-on is also very important because you're using a standards-based identity and access management platform that will create tokens rather than using usernames and passwords, which is far more secure, and then by having that centralized control plane, you can really ensure that all of your policies are getting activated and enforced when they need to be.
Wendy Busath: Secondly, we want to ensure strong authentication across all services everywhere and this, of the four steps, I would say this one is the no-brainer of all of them. If you're going to do step one and centralize and have single sign-on, you really need to make sure that you're very good at step two. We need to make sure that we understand that a person or a service really is who they say they are and by doing that, we want to use strong methods of authentication such as maybe a biometric through WebAuthn or maybe a push notification to a user's cell phone and all of these things will help us to make sure that we know who that person or service is before they get access to our data.
Wendy Busath: Number three, we need to reduce our attack surface through automated provisioning and deprovisioning. Humans are not able to do everything perfectly every time and so automation is really where that comes in, where that needs to happen automatically. We aren't relying on a human not to make a mistake because we know humans will make mistakes and if we do make a mistake that's something that can damage the reputation of our organization forever. We really need to make sure that those people have the access that they need only at the time they need it and that that access is provisioned and deprovisioned in an automated fashion.
Wendy Busath: Number four, we need to enable visibility, assurance, and control over server and API resources. We just need to make sure that we lock this down and using a platform like Okta where you're using standards-based things like [OAS 00:04:56] will really allow you to make sure that these services are being accessed appropriately, whether that is an end user that's an administrator getting into a server or whether that's a service making an API call.
Wendy Busath: Finally we need to be prepared to enable rapid response to compromise because we know that a breach is likely to happen. An attacker at one time or another is going to be successful and so we need to make sure that we are ready to handle that by having a security team, for instance. Every company should have a security team, whether that's made up of one person or 50 people. We should also have something like a security operations center where we can monitor things, we can see when attacks are coming in and then we should have tools like a SIEM, which will help aid us in doing that real-time analytics and alerting when something does go wrong.
Wendy Busath: A successful cloud adoption could look something like this. We would have most apps that we're using in the cloud rather than having on-premise apps that we need to make sure are updated and patched, we need to be able to have distributed IT because we need to allow business units to say, I need this application, to be able to roll out that application and then apply the security policies on top of that application that make sense, and then we need to support a distributed workforce because let's face it, with the times today we are going to have people that are working from home and we need to make sure that those people are just as fit, as efficient working from home as they are when they're at the corporate office.
Wendy Busath: Then we need to be able to make sure that our security is focused on apps and data, not on the network perimeter because we know that really doesn't work anymore. We need to be able to allow a mixed Mac and Windows environment because we have people who don't like to use Windows or don't like to use Macs and therefore are not as efficient if you're forcing them to use a platform that they don't understand how to use. We need to allow for bring your own device because employees work better when they get to use the things that they prefer to use.
Wendy Busath: Finally, automation needs to be a huge focus for us. We need to make sure that we have the tools in place to automate all of these manual processes over all sorts of different life cycles and that's really going to allow our employees to be a lot more efficient as well. Finally, we kind of want to ask ourselves, why is everybody moving to the cloud? Why is identity and security also moving to the cloud? And the answer to that question really is innovation.
Wendy Busath: It's really going to help us to be able to build those frictionless user experiences and deliver a consistent experience. It's going to simplify the whole process for end users. It's also going to allow us to have speed to market, where we can build things faster, where we can meet project timelines because we're not having to stand up servers and write custom code. It's also going to allow us to have centralized management and centralized management is hugely important because it does cut down, once again on the time that our employees spend doing manual processes, making sure they're logging into multiple administrative consoles and solving problems in different places. If we could have that all in a centralized place, again, efficiencies and innovation are going to result from that.
Wendy Busath: Finally we can achieve Internet-scale security by preventing security breaches and meeting the compliance requirements that a lot of us are now subject to. I would like to introduce Ben Hutchins from The Church of Jesus Christ of Latter-day Saints first as one of our customers that has purchased the active product and is now rolling it out. Just by way of introduction, Ben and I worked together to POC Okta for The Church of Jesus Christ of Latter-day Saints and in that process he migrated 17 million accounts to the cloud while still supporting the legacy identity stack that they have running at the church.
Wendy Busath: He also led the integration effort for HP and Compaq's merger. He designed the information architecture for HP's first enterprise portal with a $50 million per year hard cost savings, which is pretty amazing. He has a master's degree from Syracuse and he's lived abroad. Ben, I'd like to welcome you and thank you for participating today and let you kind of talk through what you're experiencing with Okta and how it's helping the church.
Ben Hutchins: Awesome. Thank you, Wendy. I really appreciate that. Before I dive into the use cases that we've experienced in looking at Okta as our cloud provider for identity, I want to talk first about the church [crosstalk 00:10:14] and just give you some context as to the audiences and the user base that we're working with. The church has approximately 16 million members, 65,000 missionaries. These are young men and young women roughly aged 18 to about 25 years of age and they are serving all throughout the world, 35,000 congregations spread across 160 countries.
Ben Hutchins: We also have roughly 120,000 employees and volunteers and the volunteers are a big part of our audience because the volunteers provide help across almost every department of the church and every area of IT and are a huge supplement to the workforce and so we have to account for those use cases that involve the various scenarios that we have to work through with each audience type. We also have a large contingent of college students. Some of you may be familiar with Brigham Young University.
Ben Hutchins: We also have a BYU Hawaii and a BYU Idaho and an LDS Business College which just recently rebranded as Ensign College. There are 324,000 institute students. These are college age students taking religious classes offered by the church and 402,000 seminary students. These are high school students also taking religious classes during their high school years that are offered by the church. All material by the church is published in as many as 188 languages.
Ben Hutchins: When we talk about The Church of Jesus Christ of Latter-day Saints, again, it's important to understand that we have many, many, many different types of audiences but from an identity standpoint, we have a single username and password. We don't separate B2B, B2C, B2E into different types of identities. We simply have one registration process where people can go through, create an account and then based on their role, whether they're a student, whether they're a workforce, whether they're part of volunteers, whether they're a missionary, their access rights change so we have a very robust dynamic RBAC system, so role-based access management.
Ben Hutchins: Also as part of the church, we have an extensive charity program and since the foundation of this program more than $2.3 billion has been donated across the world in a number of countries and that volunteer work is at the community level. Water projects, wheelchairs, helping medical facilities with newborn training. A lot of good goes into that effort. Let me walk you through this slide really quickly in terms of the layout. Everything that's in the gray box represents our on-prem architecture for our identity stack. Above this is what's in the cloud and then everything that's in red represents custom work that we've had to do.
Ben Hutchins: As we looked at our architecture, we had a number of challenges, from multiple IdPs with ForgeRock and Oracle WAM and Azure AD, to scale instability issues, as well as custom MFA that we've had to develop over the last couple of years, from our own authenticator app as well as all the various methods from push to TOTP and even devices, and so as we looked at that we were spending a lot of money on our on-prem identity infrastructure and so we had a number of goals and really the objectives came down to improving security, simplifying architecture and reducing spend while increasing output and so kind of the big mantra is 3X by 2025 for our organization, to be able to have the ability to do 3X more in 2025 without having to increase resources.
Ben Hutchins: As we looked at those challenges and those goals, cloud became the clear priority for our organization in terms of being able to move as high up the stack as we could and at the same time reducing the amount of labor in custom work that we have to put into our identity stack and our organization to make everything work seamlessly. As we looked at doing the POC and evaluating a number of IDaaS providers, it really came down to Microsoft and Okta. In this slide you'll see the circles and the more black you see the more complete the use case is and there are a couple of key use cases that I wanted to review here.
Ben Hutchins: First of all, in the loading of the 16 million accounts, we were able to do that with Okta in approximately five days and so that was a relatively smooth process and then also in terms of mastering identity in the cloud, Okta also was a clear winner because you can write all of your identities directly to Okta even if you have an on-prem AD, Active Directory. Whereas with Microsoft, if you want to maintain your legacy or on-prem Active Directory, you have to master identity there and then sync it up to Azure AD.
Ben Hutchins: Also on the MFA feature sets, in the B2C world, not all MFA options are supported. When you look at push, when you look at TOTP and also when you look at devices like a USB YubiKey type device, those aren't supported with B2C and have to be custom developed. On the enterprise Azure AD side, yes, all of them are supported but not on the B2C world and because we have an identity where we have a single username and password for all of our use cases and all of our audiences, it was critical that we have a single place where we could store all of those identities and have the full MFA feature set at our disposal and Okta provided that for us.
Ben Hutchins: On Office 365 integration, this was also another big one. We support multiple Office 365 environments for some of our educational institutions and also for the Polynesian Cultural Center and we wanted to be able to federate all of those Office 365 environments against our main IDaaS provider and if we had gone on the Microsoft side, the B2C tenant would have been the primary store for all of our identities and Microsoft doesn't support the ability to federate an Office 365 tenant against a B2C tenant, whereas in Okta you can federate as many Office 365 tenants as you want to against Okta.
Ben Hutchins: That was a big win and then lastly on the native mobile app integration, because of our global audience and we have a lot of users all over the world in some areas where there's really low bandwidth and as a result it was really important for us to maintain a consistent and really good user experience, and so from our mobile team, they had a very strong requirement that we maintain the user experience within the app and they didn't want to pop people out into a different browser and so we needed to be able to support the native auth flow and Okta did a really nice job of being able to do that and more custom work would have been involved on the Microsoft side.
Ben Hutchins: Those are the predominant reasons why we went down the path of Okta. They just provided a better user experience and a better story and less custom work that we would have to support on our side to make the full integration work. As we look at our architecture with Okta and again coming to our goals and some of the things that we're accomplishing, we've been able to retire Oracle WAM infrastructure. We had 300 plus applications on that and that's what we spent the first probably three and a half months of our project with executive level support and it was really disruptive process to go through, but critical to making it easier to do the full migration to the cloud.
Ben Hutchins: We also were able to move everything to a single MFA experience. We've retired our custom MFA code and we've enabled both MFA for Office 365 and MFA for all of our on-prem solutions and all of our cloud solutions to simply leverage the Okta APIs and MFA experiences that are provided natively out of the box. We're also improving our availability and our scaling flexibility.
Ben Hutchins: Again, the architecture today, we still have a long way to go in terms of our roadmapping and we do want to continue to look at how we can deprecate more of our on-prem infrastructure but we know it's going to take a few years to retire LDAP requirements that are on-prem. We don't want to do a simple lift and shift where we take applications that are dependent on LDAP and stand something up in the cloud and create a bridge where you can do LDAP in the cloud. Our goal is to simply move applications and systems to the cloud as we are able to support that from modern standards and protocols.
Ben Hutchins: Again, we're looking predominantly at OAuth and OIDC and some SAML and if applications don't support those, then we're not moving them to cloud yet at this point. One of the key changes that we did have to make in our architecture as we looked at this was we originally were in a multi-master scenario and we did have to change it so that we master all identity to eDirectory first and then sync up to Okta and that's primarily because we have a FamilySearch organization that generates the vast majority of our new accounts.
Ben Hutchins: We're in the process of separating our identity bases there, but it's going to take another year or so and so until we do that, we did try the multi-master approach but there were some performance issues with the synchronization process coming from Okta down to IDV and it just wasn't well suited for handling a multi-master where you're writing to Okta, writing to IDV and then doing this round-trip synchronization process and so we did have to change the architecture and master everything to eDirectory and then sync up to Okta.
Ben Hutchins: Once FamilySearch becomes its own independent IdP, at that point we'll be able to flip the switch and then begin mastering identity in the cloud. As we looked at the project approach we migrated the 300 plus apps off of WAM. We've configured the Okta production tenant with MFA policies disabled and this was key also for user experience. We wanted to introduce mobile to Okta first but we didn't want to force everyone to have to log back in as we introduced MFA policies and so we're allowing mobile apps to launch with Okta allowing users to get a new access token that's long lived and then when we introduce MFA, it won't be a disruptive login experience because we have a lot of people that span from young users to really, really old users that are technology averse and so that's a big reason why we chose to do that that way.
Ben Hutchins: We've loaded the 17 plus million users to Okta. We focused on mobile app integration first and a big reason for that was because of the API volume and this was a key discovery in the project, is, upfront we didn't quite understand how API services worked within Okta or the dynamic scale, which is where... by default Okta supports up to so much throughput on each API that you're calling and if you start to exceed the throughput on that API, then they're going to limit you and that's very common of all cloud platforms.
Ben Hutchins: We just weren't familiar with exactly how it worked and there's a lot of different API end points and dynamic scale covers a number of those and by default we knew once we figured that out that we were going to dramatically exceed the threshold of allowance for some of those API calls. In some of our numbers we were doing as much as 96,000 calls per minute and so we had to do some re-architecture on our side to make it possible to reduce the API call volume and now that we're integrating mobile with Okta, we're doing one app at a time so that we can measure the API throughput and then look at where we are and how much head room we have before we introduce the next mobile app so that we can start to calculate how much volume we're going to produce on a regular basis.
Ben Hutchins: That's key because when you want to increase the API dynamic scale on the Okta side you can go to 5X, which is... or 3X is kind of the first threshold that you can jump to and then 5X and then from there, there are other thresholds beyond that but once you go beyond 5X, it requires Okta to do some architectural changes in the cell itself that you're sharing with other clients and that process can take up to two weeks and so we didn't want to get put in a situation where we were suddenly exceeding the API thresholds. We were introducing delays in the authentication, poor user experience and so we're being very methodical about how we roll out mobile, making sure that we have measured output and production and we have headroom as we introduce each of the new mobile applications and that we have time to work with Okta to increase the dynamic scale so that we never end up bumping into those rate limits.
Ben Hutchins: Then we're federating the Office 365 environments with Okta and then lastly, and this is the big piece because the vast majority of our applications are actually integrated with ForgeRock as an IdP that are all of our on-prem world and even some of our mobile and cloud stuff is integrated with ForgeRock and clearly we're going to be gradually migrating all of this to Okta, but kind of in the short term, we're still having ForgeRock be in place and we're simply going to federate ForgeRock against Okta and this part would be really difficult to roll back because this is also when we switch over with MFA providers from our custom MFA to Okta as an MFA provider and will require all of our users that are enrolled in MFA. They're going to have to re-enroll for push and for TOTP and for YubiKey type devices.
Ben Hutchins: The one nice thing about transitioning with Okta is they do support the migration of SMS as an MFA method and so anyone using SMS or mobile phone numbers to receive a six-digit code, they can continue to do that without disruption through this migration process. We introduced the MFA custom app, the Okta Verify app, and then as we move forward we'll continue to integrate all of our applications that are AuthN compliant with Okta.
Ben Hutchins: Some of the key challenges that we've experienced in the project, I talked about the API rate limits already in terms of architectural impact. We did have to stop the project midway, re-architect how we were doing things. It's why we have FamilySearch still writing to on-prem as opposed to making FamilySearch and our church registration app both write to cloud, because FamilySearch isn't using Okta as an IdP, only the church account registration app and all of the church applications outside of FamilySearch are using Okta as an IdP and because FamilySearch creates so much traffic, it would have been really costly to have them join us in writing directly to Okta.
Ben Hutchins: We did have to do some re-architecture and have everything flow back through IDV and then on the mobile side we had to implement single sign-on for our mobile apps and also account for the API rate limit potential and the errors that they might get back from Okta and how to gracefully handle those. We've been able to do a number of things that we think will be beneficial in terms of optimizing our experience for cloud and with Okta.
Ben Hutchins: The multi-master sync complexity, I've already talked about that and how we had to go back to a single master to on-prem for a temporary period. Loading the 17 million accounts, our big mistake here is that we did it too early, and we should have spent more time doing the loading and doing the integration testing in the preview environment before we jumped to loading the 17 plus million accounts to production because later as we dug deeper into integration testing, we realized that we had missed a couple of attributes in the load process and we also ended up discovering discrepancies with date format types between Okta and eDirectory and so we had to go back and modify those and as a result by the time we're done with all of this, we'll have loaded the 17 plus million accounts and the attributes or parts of the user object three times as opposed to just doing it once.
Ben Hutchins: Registration, this was also a pain point for us only in that Okta today only supports registration via email and we had a half a million accounts already registered that were only registered via SMS or another option that we had provided and so we've had to go back and create some custom code to make sure that everybody has an email address associated with their account. Language support, the church supports 188 languages in our registration process that we had built and we supported 11 more languages than what Okta supported and so that was something that we had to... essentially one of the guiding principles of moving to cloud was we had to be willing to give up some of our functionality and features in order to take advantage of economies of scale that cloud provides.
Ben Hutchins: Unfortunately this is an area where we did have to sacrifice some functionality, but we are working with Okta and are hopeful that we'll have the ability to create custom languages and upload those for ourselves in the future. The Okta sign-in widget also had some user experience issues on really low bandwidths and so we've had to work through that a little bit and then there's no ACR support. An ACR is really, when you think of doing a step-up authentication and this is authentication context class, where you can have parameters within the ID token that say "Hey, if you have this value, then it's going to require them to do a step-up authentication." And in OAuth that's not supported yet within Okta and so we hope that that will come in the future.
Ben Hutchins: Office 365, also if you have conditional access policies already in place and are hoping that those will just flow through to Okta when you federate with Okta, it doesn't quite work that way. Essentially you just have to re-account for all the conditional access policies and you have to make sure that you have equivalent policies in Okta that handle what you used to be doing in Office 365 and on the dev tenant automation, the Terraform templates are not comprehensive and so when you want to make it really easy for someone to spin up a dev tenant as they're getting ready to do some integration and want to do testing with Okta as an identity provider if they want it to look and match exactly like the production tenant, there's probably initial 60 to 90 minutes worth of configuration work that has to be done that can't be done in the Terraform template process.
Ben Hutchins: Those were essentially the main set of challenges that we had with this project and the good news is that we've been able to overcome most all of the challenges that we've faced. We still have a couple that we're working on but are really confident in being able to move forward in the future and we already have mobile apps that are integrated with Okta in production right now and we're able to move forward and so we're seeing the vision that we had in terms of being able to reach 3X by 2025 start to be realized and we've also seen our identity team size already start to be reduced as people have taken new jobs elsewhere.
Ben Hutchins: We've chosen not to backfill some of those positions because we're already seeing benefits by moving to the cloud, retiring custom code, and leveraging a lot of the provided identity as a commodity type features that Okta provides for us. In this upcoming year, we're really looking forward to looking at identity engine and the possibilities that will allow us to even look further up the stack in terms of could we retire parts of our customer registration experience and rebuild those using identity engine. We see lots of possibilities in the cloud stack that Okta provides and are excited for the future.
Ben Hutchins: At this time I'll turn the time back over to Wendy and she's going to introduce our next speaker.
Wendy Busath: Great. Thank you Ben for that presentation. I just wanted to remind you guys you can write in the chat window any questions that you might have and we'll try to get back to you during the presentation but if we don't get back to you about those during the presentation, just know that we will make an attempt to get back to you via email later. Now I'd like to move on to Joe and Rubrik and allow him to kind of talk about what they've done with Okta. By way of introduction, Joseph Doyle is the director of workplace technologies at Rubrik now and that covers responsibilities for identity and access management for end user computing and for the enterprise SaaS applications.
Wendy Busath: As a graduate of San Jose State University, he's also spent the past 12 years working in the security industry with leadership roles at Rubrik, Illumio, and NASA. So Joe, take it away. Thank you.
Joseph Doyle: Great. Thanks Wendy. I appreciate it, and thanks for everyone checking in from home. I appreciate you guys taking the time and hopefully I've given you something really interesting to do from your couch or wherever you might be today. Like Wendy said I'm working at Rubrik. I'm currently the director of workplace technologies and that really does encompass all of our IAM stack as well as all the user applications and then how people do our whole authentication workflow.
Joseph Doyle: A little bit more about Rubrik. We're about 1600 employees. The company just had its sixth birthday here a couple of months ago. We've got about 2,500 customers both business and government throughout the globe. Basically we're a market leading data management solution, pretty much focused on helping do things like modernize data protection, help our customers accelerate their cloud adoption and ensure some cyber resiliency as well.
Joseph Doyle: Kind of an interesting one was we recently... we had the city of Durham in North Carolina who had a ransomware attack and they were able to just basically roll back instead of paying the ransom, so it worked out pretty well. They got to keep their Bitcoins and their digital wallets and it was a really good use case and example for us of just what Rubrik can do. Let's see, we made the move to Okta back in... we actually went live about 10 months ago at this point, made the decision around this time last year to go ahead and move to Okta.
Joseph Doyle: We had a situation at Rubrik where we as a company just grew so quickly, right? The company like I said just hit its sixth birthday and we were about 1600 employees, so you can imagine the ramp and the scale there was pretty explosive, definitely a hypergrowth environment. What happened with that is, anytime we're building a company of that size and that nature, you end up with a lot of what we call tactical debt, right? We've got this culture of builders, we're building things from creating a product, creating a market, right, where there really wasn't one necessarily, what we did before, so we're going to market with a whole new strategy and whole new technologies. Everything had to be built quickly.
Joseph Doyle: What that meant practically was that you stood up whatever you needed to stand up to get the job done. In our case, what that meant was every solution had its own... every project, sorry, had its own bespoke custom solution of like, let's just do identity this way or that way. It did end up putting us in a situation where we really had no centralized IT department. Everything was... all the decisions were being made by the product owners, which made sense for what they needed at the time because of that growth that we were experiencing, right?
Joseph Doyle: We had all these unique Active Directory domains because we didn't have a centralized IdP strategy. We had, I believe, four different ADs when I came into the company at that point, and there was no integration or anything. There was no consistency. They weren't using different... totally different naming schemas. This wasn't like a domain forest entry type situation. This was literally just a bunch of ADs that didn't talk to each other.
Joseph Doyle: As an end user you can't really do much with that, right? You've got a bunch of apps, you've got a bunch of ways to get into a bunch of apps, you've got a bunch of passwords, you've got a bunch of usernames, you've got different needs there for all of those things, right? So what does that mean for IT? You're putting in password reset requests for this app. You're putting in a reset request for that app. You're having trouble managing, remembering these things. No one would ever reuse a password, right? But I'm sure you know that unintentionally has happened here or there as well, right? So you run into those kinds of situations.
Joseph Doyle: It's a huge burden on IT. It's a huge burden on your application owners because those are the folks that have to actually figure out how to make all this stuff work and how to help all these end users, and then you end up with really inconsistent application security. Every app, as you're well aware out there from setting up apps in the past... some apps require you to have a strong password. Some don't even let you put in a strong password. Some require, like, an eight-character password. Some of them support MFA, some don't support MFA. Some have different limits on what a username could be or what a password could be, so you have this really inconsistent situation as an end user and also as an IT organization trying to support all of that.
Joseph Doyle: We found for us the solution was really going to be going to something exactly like Okta, right? Okta ended up being our solution because really, realistically, we needed that cloud-based solution. The first step for us was like, let's bring in a centralized IT team, right? They'd made that decision shortly before I joined, hired a bunch of folks to come in from the outside, let's stand up IT where we really didn't have one before. My team now is global, I've got folks on three different continents all dealing with this stuff on a daily basis, but we have a centralized management team, centralized goals and objectives. Everything is clear as to, like, what we use and how we go about using it. Right?
Joseph Doyle: For us it was, let's get into a centralized IAM and IdP strategy. For us of course Okta is that strategy and we wanted it to be cloud-based. We didn't have to worry about where this AD was and where another AD was and if they're talking to each other and what happens there, and trying to take, like I said, what we had before, which was like the sprawl of different ADs, and trying to put them into one, or trying to make sense of what was there. It was just a lot easier to start over. For us, let's start over. Let's start over in the cloud. Being such a young company, it made sense given that we have about 150 cloud apps today, they're in Okta, so it made sense to have a cloud-based identity strategy for us, right?
Joseph Doyle: It also was really important that we'd have that single source of truth. Everything federates back to that one identity master, which is Okta for us. The other thing Okta allowed us to solve was one account per employee. So you're not managing this account sprawl. You have one password to remember. You have one account to manage, you have one MFA to deal with. I mean, no multiple MFA apps, you don't have to worry about all that on your phone. Everything is simplified, everything is streamlined and the ability to increase our security posture was tremendous as well.
Joseph Doyle: Not only the things that Okta natively can help you with, which I'll talk more about later, but more specifically just having one set of things and having that consistency across all your applications, right? You're trusting Okta to do your identity and your authentication. It's consistent across your apps. You don't have to sit there and continue to worry about how you're going to manage that. Kind of a quick overview of what... What does our architecture look like now? When we went ahead and put Okta in, one of the biggest things I believe in, especially as an IT professional, is like, how can I make my key stakeholders look good.
Joseph Doyle: As IT I consider myself to be in a business enablement organization. How can I make anyone I partner with, how can I make them successful? Like what are their pain points and what can I do to solve them? For example, let's take our HR department. They invested in Workday, they had an HRS system, but it wasn't really being used for anything other than HRS. From our standpoint we can use that to master employee information in Okta. If I'm a new employee, someone's... I get that email before I start.
Joseph Doyle: It says, hey, welcome to Rubrik. Go ahead and log in, create your Workday account, set up your attributes. Put in my name, my preferred name. What name I go by, how I want that to affect my email address and any other personal details about myself that you're going to have to do as part of any onboarding of any company. But now we can take that data, we can master that data down to Okta. So new hires, it flows into Okta. Employees who chose to leave the company, again, that's going to flow down into Okta. All of that onboarding, all of that offboarding, we're taking all of that and using Workday to master all of that data for us.
Joseph Doyle: That is such a critical component for us because we're not typing in anything by hand. We're not having to worry about inputting users, and then also we can use Workday to both automate the onboarding of those users and also terminate those users and take away access when they leave. Again, really key component. From our IT standpoint, it works great for us. From an infosec standpoint, much more secure than the alternative, and then from a business partnership standpoint we're able to point back to how we have some shared wins with our HR department, how everyone wins in these kinds of circumstances.
Joseph Doyle: The other big thing for us was using Okta to master our SaaS apps. If you're in Workday, you belong to our sales organization, you need a certain subset of tools as well as the standard tools that we might give every employee. We're going to take those tools. Workday is going to say you're in sales, Okta is going to see you're in sales and Okta is going to say, hey look, you're in sales, let's give you those applications based on your attributes. We're going to let that whole thing flow downstream. From our standpoint, we're not having to manually master apps. It's all based on user attributes and group attributes they might belong in.
Joseph Doyle: The other really key area for us was Workspace ONE. Around the same time we bought Workspace ONE, we needed a way to put Workspace ONE in and we wanted to make sure that we were using that same Okta-as-source-of-truth, Okta-as-identity-master situation. Natively, Workspace ONE is more specific about supporting AD and we wanted to make sure we were getting away from AD. For us, we didn't want to have an AD that had all the people in the company and that we had to rely on and keep updated. For us, that didn't really make any sense. We wanted Okta to be that master.
Joseph Doyle: We're able to set up the new Okta to Workspace ONE SCIM integration, point all those users from Okta down, and they get provisioned into Workspace ONE. All of that happens automatically. We're not having to manage that anymore and we now have all this set of mastered users that we can use with Workspace ONE, and that helps us to manage all of our endpoints and how we assign our endpoints and enroll our endpoints and the applications that our end users have available on their endpoints, so all that data is super helpful for us.
Joseph Doyle: The one area where we did have to keep Active Directory around was we did have one very small subset. There was one unique application that relied upon Active Directory and couldn't be used with anything else at the moment. We were like, well, it seems like there's always going to be at least one legacy thing that you can't totally rip out and replace. In our case, we got rid of all the other ADs, had this one very small one. It's got a very small subset of users. Again, what we're doing in this case is just saying, hey, let's master that small set of users down to AD from Okta. That way, again, they have the one single username and password. They understand everything that's going on there. It isn't this multiple-identities situation.
Joseph Doyle: Hopefully in the future I'll be able to get rid of that one too, but for now we're at least using Okta to master that and that's helping us to control that entire environment. From an authentication standpoint, what is this looking like for our end users? And how are we leveraging Okta? As an end user I'm going to connect to Okta every morning in order to do just our basic SaaS apps and it's a pretty typical workflow, right? I need to get to my email. Let me open Okta. So open Okta, find your SaaS apps, and then everyone pretty much understands that. Of course it's simplified. There's ease of use based on I know my password, I have one MFA app and I know how to access Okta. That's going to provide me with all the SaaS applications.
Joseph Doyle: Another thing we're able to do with Okta is we're able to take other things that previously relied on AD, like for example our VPN software on the right-hand side there. Our VPN required AD, but we were able to take a newer version of the VPN software, leverage that against Okta as well, and now end users don't have a separate VPN account, they have that same Okta username and password. They have that same MFA, everything. They understand that whole workflow. That's totally understood by all the end users, and it's now being used for granting network access amongst numerous data centers and numerous VPN endpoints.
Joseph Doyle: We're able to use that to control network access throughout many different points globally that we couldn't have done previously. Again, having that cloud-based Okta rather than trying to find some AD somewhere or stand up a bunch of ADs to control these different VPNs was super helpful for us. The other use case for us as well was we still had some on-premise servers or some cloud servers, depending on where they might physically sit, but for us, a lot of that stuff was really key. Really key business stuff, holding really sensitive information and stuff that we really need to make sure is well protected and well understood, in terms of how all these authentication mechanisms work.
Joseph Doyle: Previously we had a bastion host set up. We had shared keys, we had... they're not shared keys, sorry. Private key pairs. You'd have to create the key pairs for every single new user when they came on. We'd have to rotate those key pairs at the necessary intervals as we specified, and so you have this constant, like, key service and trying to deal with the PKI infrastructure and trying to keep things rotated and make sure you're following your best practices and all that stuff, because again, the data that you're storing on these services is very critical.
Joseph Doyle: For us, thankfully, again, we were able to leverage Okta for that. We're using the Advanced Server Access product. If you haven't seen it before or you're not familiar with it, definitely, I'm sure there are some sessions to go check it out, but the gist of it is, it's basically Okta for servers. Typically if you would do an SSH session, you'd SSH into something, you might have a separate name or password for that SSH session that's unique for that machine. For us, previously we had a key pair. So that key pair is saying, okay, hey, this is Joe's key. Let's go ahead and let him in, but again, like I said, key pairs have to be secured, they have to be rotated and all those types of things.
Joseph Doyle: Instead, with this use case, we're able to take Advanced Server Access and use that to manage it. If I were to SSH into a server, when I SSH in I type the name of the server, it's going to pop up Okta and just let me type in my normal credentials, the same workflow I'm used to doing every morning for all of my SaaS apps. Or if I'm already logged in, I already have an active session, it'll just pass me right through. I don't even have to do anything. It's already going to do the Okta check-in and make sure this is a valid connection during the authentication and everything's easy and simple. That's been a big help for us as well, being able to leverage Okta across all these different use cases.
Joseph Doyle: For us, it's kind of, what does our future hold at this point? What are we looking to do here going forward? From that standpoint there's a bunch of things with Okta that we've already started leveraging. We already use Okta Verify as our MFA app. People find it easy to use. There's a bunch of great options there as far as the adaptive MFA stuff goes. We wanted to kind of say, okay, what else can we offer alongside Verify. We've rolled out recently the biometric MFA, super helpful. A lot of our users really appreciate the fact that it wasn't hard to pull your phone out. That's still an easy use case they can fall back to, but if they've met all the right security, the posture of their device is correct, then go ahead and just use Touch ID or the fingerprint reader on their keyboard or laptop and they'll use that to get in as their MFA.
Joseph Doyle: Again, like, really simplified ease of use. We're also heavily leveraging the behavior detection. For us, if you haven't used that, basically what it says is, hey, when were the last times that Joe connected? It's going to look at what was my IP address? What was my laptop, where was I coming from? Is there anything out of the ordinary from what I'm doing? You can take that detection and you can say, okay, well, hey, if something is different, let's know that that's different, right? And if it's my normal behavior, same time of day I log in, same place I'm logging in from, it's not going to raise any red flags on that situation.
Joseph Doyle: The reason we would use that is because we want to start doing things like factor sequencing and passwordless authentication. We have a pilot going right now of about 200 of our internal users that are using passwordless. We're relying on the things we built already, which was the biometric MFA component we've put in as well as the behavioral detection component we've put in, and then we'll say, look, let's look at what Joe's done. Hey, Joe's behavior is normal and he's already set up for biometric MFA using WebAuthn. Let's go ahead and just... All I have to do is touch. I don't have to log in, type a name and password anymore into Okta. I can just touch and Okta lets me right in.
Joseph Doyle: The flip side of that is, in order to do that you have to set up the factor sequencing. We were able to say, hey, instead of password then MFA, let's just do MFA and then password. Or rather, hey, if behavior detection says that I'm low risk because everything is normal for me, then let's just skip the rest of it, right? Just the touch is enough, we don't need to go through that. The alternative flip side of that is a circumstance where I am... a lot of folks are working from home right now and maybe I don't work from home frequently, right? But maybe today I'm doing it and Okta is going to say, hey look, this IP address is not the same IP address that you've been using previously, so let's go ahead and not let you do this, right? Or maybe we'll let you use the fingerprint, but you're still going to have to do another form and we can specify what that other form is.
Joseph Doyle: Maybe it's fingerprint and Verify, or maybe it's fingerprint and password. We can go ahead and specify that. Again, raising the behavior detection and being able to change the factor sequencing to kind of fit what we're looking for and what we need and, you know what, kind of helps that ease of use with our end users, but also kind of adds to the overall security posture of what we're doing. Finally, the last thing we're really doing right now to leverage Okta here going forward is we're... around our endpoints and how we manage our endpoints and how we do device trust over endpoints.
Joseph Doyle: We're using Workspace ONE UEM, as I kind of alluded to earlier, tied into Okta through the SCIM integration, and that's helping us to... do some routing of how we route applications as well as how we provide access. If I'm coming in from a managed device, coming from a device that's trusted, I can specify different applications that are going to be available or maybe not available. If I'm coming in from a managed device, I have all my applications. If I'm coming in from an unmanaged device, maybe I don't, maybe I only have access to my email, but I don't have access to some other app like Salesforce or something that we might consider to be more sensitive. So we can go ahead and take that piece and use Okta in conjunction with Workspace ONE to kind of identify, like, when and how to grant access based on the device that the end user is coming from.
Joseph Doyle: That's a big part of how we're going to continue to support a BYOD model, also to continue to support, like, a really mobile and remote workforce, but being able to also kind of provide more security and more granularity of access around the specific applications that we're using. I do have a session later at two o'clock today that's kind of more detailed about this and how we did a lot of the integration stuff, so if you want to come hear us talk about that, feel free to join up at two o'clock. Other than that, thank you all for joining. Really appreciate your time today and if you have any questions, we'll do our best to answer in the Q&A, and I want to pass it back to Wendy.
Wendy Busath: Hey, thanks Joe. That was awesome. It's so exciting to hear from our customers and to watch them kind of push the limits of Okta and to gain these great efficiencies and save a lot of money and make a better user experience for their end users. It's always great to have people who we feel like we have a great partnership with come and speak with us at Oktane and hopefully help some of you out there to maybe avoid some pitfalls that they've fallen into, as well as to be able to take advantage of some of the features that they are using widely.
Wendy Busath: Thank you both very much and again, we thank our audience for listening and hopefully you can tune in to some of the other presentations. I have listed a few presentations that might be of interest to you all here on the screen. Notably Joe's other presentation about Workspace ONE, which is Wednesday, April 1st, and then a couple that are also on Thursday talking about Okta's roadmap. Thanks everyone for attending, we had a great time. We'll see you soon. Stay healthy.
As fast-growing organizations compete to meet the demands of their customers, IT is increasingly asked to do more to keep the business agile and flexible. However, expertise and budgets are not keeping up with the growth and IT is scrambling to balance scaling quickly and maintaining security. Come hear how The Church of Jesus Christ, with over 17M members, uses Okta to scale their growth without continuing to hire IT staff and how Rubrik, a startup now valued over $3.3B, uses Okta to go passwordless.