Tidying Up IAM With Okta

Neal Tillery: Thank you for taking the time to be with us today given everything going on in the world right now. My name is Neal Tillery and today with my co-presenters, Brad Burton and Brad Goettemoeller, we're going to talk to you about how Okta helped two customers simplify and secure their identity environments. As you know, Okta is a public company and so flagging that any forward-looking statements we share here are subject to change. Please feel free to read the safe harbor note in depth at your leisure.

Neal Tillery: So today's identity and access management systems are complex. They have to deal with multiple identity silos, multiple application technologies, and legacy infrastructure. And that complexity comes at a cost, not just in money and time that it takes to manage and deploy these systems, but also it takes a cost and user experience, our attacks and our ability to understand and deal with complexity. And that also takes away from our ability to focus on our jobs.

Neal Tillery: So today, you're going to hear from two companies that have cleaned up and simplified their IAM experience. First off will be Brad Burton at Cypress Semiconductor. And Brad Goettemoeller from Mercy Corps. Not only did they make their IAM systems more manageable for themselves, but to present a more human user experience for their workforce so they could focus on work that made an impact in their organizations. So now I'd like to introduce Brad Burton, IT Director at Cypress.

Brad Burton: Thank you, Neal. I appreciate the time to talk. At Cypress, we have the motto, "We live for problems." So, what I'm going to talk about today is our walkthrough of problems prior Okta and also talk about our problems and solution as we rolled out Okta in our identity management solution at Cypress Semiconductor.

Brad Burton: A bit about Cypress before I go into our identity management, kind of give an overview of our company. We provide automotive, consumer and industrial solutions. Embedded solutions enable, sense, connect, learn, respond and make life easier, save time, and provide better user experience.

Brad Burton: Our history with my group with HR in identity management solutions is we provide productivity solutions and secure solutions for our workforce of 1,600 worldwide and in multiple centers, engineering centers and technology centers. Again, we want to make it productive and secure, and secure IP in our systems that we have with our critical IP.

Brad Burton: A brief look at our customer set. So our employees worldwide are making products for the customers I'm showing here. Some of you, logos and names, are very familiar. Like I've mentioned, Cypress, we live for problems. We see a world of problems and it's awesome. All right, IT, we say, "Got a problem, ask IT."

Brad Burton: So the next few slides, I want to go through our problem statement before Okta and also our journey through the last three or four years of rolling out Okta and deploying Okta at Cypress. So first, our journey in Okta, our problem. Our problem started with many identity sources, many password sources that comes with identity spread across LDAP, AD and all applications. We also had a limited password policy adherence and homegrown manual solutions for lifecycle account management.

Brad Burton: That led increasingly in a difficult solution for cloud-based applications and also growing M&A activities as we brought more people into Cypress. And also limited multi-factor utilization. This was prior to 2016 and in 2017, we started a project. We launched a project we called the SSO project. That's where we started out and we matured and we'll talk about that in just a little bit. We launched the project and deployed and integrated multiple 2 AD sources and LDAP, integrated multiple applications both internal and cloud, and utilized MFA for our HR product and integrated other applications in our SSO solution as we brought them on board.

Brad Burton: So as our start, and we quickly found that we need to enhance and establish standards and we did so in 2018 and '19. In 2018-'19 timeframe, we integrated about 80 apps, Office 365, our internal or external website and more. We also deployed MFA for Palo Alto VPN and started an effort to identify identity management standards and an automation program based upon our HR product SuccessFactors. We also deployed automation for our ITSM solution, Samanage and Zoom and Qualtrics. The Zoom and Qualtrics, we actually implemented custom SCIM process to automate those accounts. Then we deployed adaptive MFA for behavior and impossible travel scenarios. And lastly, we completed our SuccessFactors as a master to automate LDAP and AD synchronization and updates and creation.

Brad Burton: Continuing the maturing in 2020, we've actually completed our termination process and also implemented and rolling out a new MFA product called Cypress Key that I'll talk about. A work in progress right now is our employee conversion and new hire. So, we're working on that the remainder of this year. So like I said, we matured through this process as we rolled it out. But one of the things we found in our process rolling out in the management solution is we need the guiding principles and our guiding principles were fourfold.

Brad Burton: One is SuccessFactors, the HR is our master, single source of truth for automation, onboarding and offboarding, and also data downstream. And Okta played a key role in our automation as well as single sign-on. Our application access management, again, we wanted to use SuccessFactors, but utilize that data to build groups and data segregation to pass downstream. And then intrusion detection management. We want to utilize adaptive MFA and SIEM, our SIEM tool LogRhythm to catch events and manage that process.

Brad Burton: So, our guiding principles drive our architecture. So, the next slide I want to talk about are architecture. Our architectures simply put from left to right, SuccessFactors is our source of data, whether it be the type of information or type of employee or organization, our department, their title, maybe where they work or the status and the dates that they come and go. This is our process of the main data to push our automation and also drive Okta downstream.

Brad Burton: And what you see in the middle of the screen is Okta, automation tool to create accounts but also single sign-on to our systems downstream, whether it be cloud or internal. And also collect data from our HR source to build group management to have a proper authorization downstream to the right. This is a small set of our applications, whether it be Oracle ERP product, Zoom or Ask IT which is our ticketing system, Office 365 or our VPN GlobalProtect. This data passes down through Okta to downstream to provide the proper access management and login process. So again, access management driven from HR down downstream to the systems.

Brad Burton: So, this is what we learned as we went forward and deployed our identity management solution in Okta. Also, we ran in problems. So, I'm going to talk about three problems we ran into that's a good sample. And one problem we ran into is communication. So how do you communicate to our user base employees effectively? For this, password notifications or maybe bulletin board and video flyers we need to communicate. And also we need changes in processes that are coming. So I'll talk about how we dealt with them in the coming slides.

Brad Burton: Our HR Lifecycle Management. So we wanted HR Lifecycle SuccessFactors to be our source but it didn't fit well into our processes at Cypress, whether that be our custom notification, maybe ticketing process or how we wanted to actually send out notifications about new hire coming onboard with the welcome letter or the events and the timing of offboarding, how that would work.

Brad Burton: And lastly, MFA. We had challenges of deploying MFAs. We have some exceptions that we had to deal with and I'll talk about that. And security question was not secure enough for a VPN process, so how will we deal with that? We also had individuals in our Fab organization that cannot use a mobile, couldn't use hardware, couldn't use a desktop solution for VPN, so how do you deal with that? And we'll talk about that.

Brad Burton: So our solution is embrace the problem. We wanted to communicate in multiple channels. We'll talk about how we did that. But most importantly, leverage Okta's API and build some custom solutions to take the extra steps that Okta didn't provide out of the box. And then utilize SAML or IdPmultifactor. So, overall we embraced the problem using Okta's toolbox and I'll state that Okta got us 80, 85% of the way out of the box. So, how do you take the extra 20 and 15%. And we used Okta to take the extra mile. So, use Okta to solve the gaps we experienced in Okta.

Brad Burton: First, there's some examples about our communication problem and solution. So we had notifications we needed to send out to employees about new password policy and their deployment and expiring and roll that out gradually across organization. Also, our password expiration and change process. We wanted to make sure that we were providing the proper notification. And also, our MFA process, when we rolled out MFA, when it provided proper announcements that way. So, some examples our Cypress IT notification built off Okta's APIs. We generate the emails about password expirations coming. Notify the user or if a password is changed, we notify the user. And then more of a manual effort are adaptive MFA. When we rolled it out, we actually did a communication to the organization about this process coming. So, some of it driven by APIs, some of it by manual.

Brad Burton: Awareness using the customer announcements. We need to provide the custom processes. Lifecycle management. So, the next problem we covered is SuccessFactors is our single source of truth that was our guiding principle, but it didn't really fit the business roles that we need out of the box. So a few examples, we need to have a password process to set up initially. We need a welcome letter to be sent for new hires. We need to generate that dynamically. We need to also build in verification when we set up accounts manually. So how do you set that up?

Brad Burton: Also, generate email addresses. So, when someone comes onboard, generate their email address. Also terminating accounts, we had a different process and different advanced structure than SuccessFactors in some cases. So how do we handle that? And then daily audits, so we want to make sure that we audit terminations properly. So, we have an audit report. And we also generate tickets as employees come on board and off board.

Brad Burton: We solved the problem using Okta's API, Powershell and Java APIs, generating PDF, connecting to other systems through REST APIs and one example, Office 365 Graphic API. So, custom lifecycle will require some automation. Fill in the gaps. I'll talk about the next, some specifics on lifecycle management solution, going through some of the steps. When we bring an employee onboard, HR enters data about the employee and we have an automation process generate the account name for the user. And five days prior to starting, we start our automation. So we kick in some automation using Java code. We verify data from HR, we make sure we generate the email address, we kick off AD, LDAP account generation, create tickets and then activate the user.

Brad Burton: And so the next part is kind of an interesting part is the phase two process. We actually wait for these things to happen. We validate the accounts that got created by Okta correctly. And Office 365 license is ready. And then also the next password is generated in random and expired and then we send a notification to the manager. So the start day, we have a welcome letter that goes out so then generated for automation and gives the process that the new hires will follow.

Brad Burton: When the employee comes on board, I already mentioned about our notification process. They use Okta day to day but we also have notifications about password changes and password expirations and also working on the conversion process. And then the process to offboard. When we offboard accounts, we utilize a slightly different process than SuccessFactors. We use actually a custom attribute called Last Day Worked. When an employee passes their Last Day Worked, we actually fire off a process to automate the deactivation of accounts. We create a ticket, we deactivate Okta, AD and LDAP accounts and then also all accounts managed by Okta are deactivated too.

Brad Burton: And lastly, we also have an audit process. Our accounts for the last 90 days are checked to make sure that the key accounts have been cleaned up and then all of the accounts are gone. And also that we discover any other accounts that the person may have, so kind of a self-inventory and validation. All those are driven through Okta's API customized solution. Like I said, it takes us an extra mile to make sure we follow the process we needed in Cypress.

Brad Burton: And our last problem I want to talk about is the multifactor authentication. When we rolled out Okta in 2017, we provided security questions, Symantec VIP, SMS, Okta Verify and Okta Verify Push but that left us with a few problems when we rolled out VPN. And when we rolled out VPN, we actually took away the security question away from the people that use VPN because we're concerned about that. We actually introduced a new factor called Cypress Key that I'll talk about to fill in the gap.

Brad Burton: Our MFA Solution Cypress Key is a non-mobile, non-hardware, non-desktop factor. It's web based. It's more secure than security question and also has an expiration policy. We built the web app on top of the Okta's SAML IdP MFA. So, clever solution that integrates directly in Okta's MFA Factor Enrollment as well as Okta Profile and I'll talk about it. When you enroll the factor, you'll hit a web app then you can confirm, enroll. You'll get a key that's a 16-digit key that's generated for you, provided to you in a PDF file, and this key is actually stored in your Okta profile using our Okta APIs. And when an employee needs to use the key, we actually randomly ask for four or six digits of the key. You have to enter it appropriately, ask for different digits of the key. So, random every time you log in and we prompt you and if it's successful, you go on. And also we expire this key every 90 days.

Brad Burton: So, clever solution to solve our problem with non-mobile, non-hardware, non-desktop web-based solution for our Fab workers, specifically in Cypress. So again, we use Okta's SAML IdP and API to make the solution happen.

Brad Burton: Lastly, to wrap up, those were three solutions that I just talked about that we automated using Okta's API or called Okta's Toolbox. As we move forward in 2020, our next step to Cypress are around our guiding principles, SuccessFactors as a master. We want to support our conversion and rehire process. Our Okta SSO, we want to fully integrate salesforce and other applications as they come onboard at Cypress. Access management, we want to mature our group management and embrace our corporate role structure, a role based upon our SuccessFactors data. And also intrusion management, we want to embrace the HealthInsight and the ThreatInsight and look for additional MFA options.

Brad Burton: With our COVID-19 experience, our work from home experience right now, we've leveraged additional MFA options from Okta to make that happen and be more secure. That gives an overview of what we provide at Cypress, pre Okta as well as our deployment at Okta. So, again, I'll say Okta provide the 80% out of the box and the next 20% we used Okta Toolbox, a world-class API, to make it happen and solve the problem that Cypress was presented in cleaning up our identity management solution. With that, I'll hand it back over to Neal.

Neal Tillery: Thanks Brad. That's really interesting to hear how customers like yourself can use the Okta APIs and our MFA integration to extend the product to meet the needs of your business. Thank you for sharing that with us today. Now, I'd like to introduce Brad Goettemoeller from Mercy Corps who's a senior enterprise architect there and talk about how he used Okta to humanize and simplify their global identity environment. So Brad, go ahead and take it away.

Brad Goettemoeller: All right, thanks Neal. So, a little bit about Mercy Corps. We are an international humanitarian aid organization and we help communities with things like capacity building, resilience, humanitarian and disaster response. And we do this wherever these services are needed around the globe. And you can see we operate in a lot of different places, about 42 countries we're in currently. We have over 5,000 team members in these locations and this is kind of where some of the complexity comes in to our environment. These team members have their own cultural influences and they have interesting things with their names that are difficult for Western-developed systems to deal with like a lot of people have different characters in their names and that's a part of their name. They might have six names that describe themselves or they might just have one and they don't have two names to work with. So we've had to deal with some of these complexities in our environment.

Brad Goettemoeller: And some of the cultural influences we see, obviously regional, but there are a lot of strong religious influences that affect how we operate. There are tribal influences in some regions of the world. And we also have strong familial ties. This is kind of where the naming conventions of people come in play.

Brad Goettemoeller: So, a bit about complexity versus complications. So the MIT Sloan School of Management describes complicated as problems that can be hard to solve, but they are addressable with rules and recipes. And they also can be resolved with systems and processes. So this is traditionally IT-based systems. Complexity is more problems that involve too many unknowns, too many interrelated factors and you can't reduce it to rules and processes. So these are things like peace in the Middle East or ending poverty, for example. There is no simple solution to these problems. So, complex systems require more of a nuanced approach. What will not work is a rigid rules-based complicated approach.

Brad Goettemoeller: And we like to think manage, not solve. And so, this creates some problems and we're dealing with complicated technical systems. So what we try to do is start small, try some things and adapt. And so basically complicated systems are technology systems and complex systems are humans. So, that's where complexity comes from.

Brad Goettemoeller: Now, our Okta environment looks something like this. This is what a typical dashboard of a normal employee at Mercy Corps would see. And the apps here in red are custom web apps that we've connected to Okta using the OIDC protocol. And we've done this for a variety of different technologies. So some of these apps are PHP and Drupal-based systems, some are Python and Django, some are MediaWiki web apps. And we've connected them at the application or at the web server level, so it's not per application. And we use Apache for our systems. So, Apache has a specific module that you can use to do this. And the advantage here is that it's platform agnostic.

Brad Goettemoeller: So, we can integrate all these different apps the exact same way and we don't have to drill down into the specific application layer. However, the disadvantage is that we can't set user permission levels inside of the app. So, what we've done is we've incorporated our humans on the team. We've always had system administrators for these systems. So they manually set administrative levels for specific users if needed.

Brad Goettemoeller: And then generally on the custom apps, the user provisioning happens through some custom scripting with the Okta API. Now we also have your traditional SAML apps. Some of these come from the pre-built OIN app connectors. Others are custom SAML integrations, and these are pretty textbook out of the box that probably everybody sees when [inaudible 00:26:11] a solution like Okta.

Brad Goettemoeller: So our original state of where we're at when Okta was introduced is this. So we had an HR system up at the top here that wasn't integrated to anything and HR admins enter data into there. We have an LDAP-based system with a custom UI that was written in Perl probably 10, 15 years ago and that system is accessed with HR admins and IT admins. So we've got a lot of cooks in the kitchen and that's not the best environment to be in.

Brad Goettemoeller: So what we're trying to get to, and this is still our future state, we're about 80% of the way there. We have a new HR system called UltiPro and it is talking to Okta. Eventually, we'll have HR as a master, similar to how Cypress has done their system. We also have active directory and it communicates with our finance system and kind of sets permissions in our office and that's how it really does. LDAP drives everything else. We have web apps both internal and external that we do SSO and provisioning for. And then we have G suite, that's where all of our office productivity kind of solutions are and that will be integrated as well. But that will be the very last step once we retired our old LDAP [inaudible 00:27:35].

Brad Goettemoeller: Now, some more things about our complexity. So you can see here again, we've got HR admins logging into both IT systems and HR systems. This is where we want to get to where it's separated. IT admins are working in Okta, HR admins are working in [inaudible 00:27:54]. And some of the issues we've had in this environment is, like I said, LDAP is about 15 years old and it doesn't support modern character sets like UTF8. So when we have unique characters in a user's name in an old environment on an old character set, that creates problems trying to make it work with UTF8 in a modern cloud environment. So, we've had to incorporate a few interesting things there to catch those things and replace those characters with things that are more appropriate.

Brad Goettemoeller: So only our LDAP UI, the custom Perl script can write data into LDAP. And what that happens is… So, go to the next bullet here. So Okta can't manage passwords. We're delegating authentication to LDAP and that has created some issues that we are figuring out how to solve. Also LDAP can't be retired until all dependent systems are migrated to Okta. Now, AD issues, it only manages about 5% of our workforce. So, again, these are people in the Portland, Oregon headquarters office and people who need access to the finance system. And then HR system issues. It's not fully deployed and adopted globally. And LDAP is still used globally. So, those are sort of our complex issues around our implementation here.

Brad Goettemoeller: So what we've done to manage our complexity is we've developed an enterprise data governance practice. And what we do with that… Well, we're actually in our second year of operation so we're getting more mature with this. And what we do is we streamline the data flows between Okta and all the other enterprise systems. We create cool diagrams like this. Probably a little hard to see in this, but if you blow it up to poster size, you can actually see what's going on. And so, I as enterprise architect, create the diagrams and then us as a team data governance, we use the diagrams to figure out data flow issues, and it's worked out pretty well. We've also created a cross department collaborative working group that we've called the Enterprise Solutions Group and it includes members from IT, finance, HR, and our fundraising team, which in most organizations would be the sales and marketing team. And then our programs team, which again in most businesses would be operations.

Brad Goettemoeller: And what this allows us to do is we're now viewed more as a partner in solving business problems as opposed to just a technical IT group that limits what people can do. And then we also were included in projects much earlier, which helps to circumvent any shadow IT operations going on. And to get back to our iterative approach, how we've approached this whole project is, we launched Lean, we launched Okta with just one app just to make sure we get users logged in properly. And then we moved quickly to migrate the rest of our apps. And now we're really working on the long tail of these high-hanging fruit. Applications is about four or five that are taking more work than the rest and we hope to have those done very soon.

Brad Goettemoeller: Now, some of the successes we've been able to see. We have migrated 20 plus apps. We will be about 25 when we're fully done. We provisioned users into a bunch of different systems using things like Pre-built OIN apps. Our LDAP directory uses the LDAP agent. Active directory uses the AD agent. We have a custom web app that is using an LDAP interface product. And then for other custom web apps, we use the API integration. And what we've seen is we've reduced six individual logins to three logins and we're on our way to a true single sign-on employee experience and we're all excited about that. Hopefully we can get there in the next six to eight months.

Brad Goettemoeller: We have implemented some MFA for system admin roles. We haven't rolled it out in mass but we hope to do that as well in the next year. And really what's happened is we've improved the login experience for everybody at Mercy Corps from regular login frustration and a lot of password resets to it just worked now. And once we can get down to a single sign-on solution, I think we'll be even more well suited for doing that. So again, some of the future things we're looking at, we want to finish our Okta implementation, retire LDAP, we want to replace a few remaining systems. And once this is done, we'll remove about 40 or more remote IT admins who are currently managing user records out in the field.

Brad Goettemoeller: [inaudible 00:33:11] finish the Okta and HR system integration. To do this, we'll need to do write-backs from Okta into the HR system. And this will be for email account provisioning. Speaking of which, we'll have to integrate more fully with G suite for both single sign-on and provisioning. Finally, retire LDAP, do the cutover to HR as a master. And this is where it gets a little sticky because Okta is delegating authentication to LDAP. It's not managing any passwords. We're going to have to do one of three things, reset passwords for all 5,000 employees all at once which gives me a little bit of a heart attack to think about, or we will try to implement passwordless logins, or the third possibility is, and something I heard about just in preparing for this presentation from the Okta team, is a new webhook called password hook. And we're excited to work on those projects.

Brad Goettemoeller: Kind of the webhook path is definitely a path we're looking at. Again, to get email addresses that they're provisioned from Okta written in the HR system, we'll have to use a webhook to do that. And then in order to do any of this, we're still going to have to retire LDAP and evolve to HR as a master. Those are key parts of our future plans. We might work on passwordless logins as well, haven't made a decision on that, but it sounds like an exciting [inaudible 00:34:40].

Brad Goettemoeller: And so with that, that's where we're at with our project. We're really looking forward to finishing things up and continue to work with Okta. I want to give a shout out to a couple of people at Okta who've been instrumental in helping us, our Customer Success Manager, Bobby Alvarez and Professional Services Expert Suresh Bhatia. They've been excellent to work with and very excited to continue working with them as well. So with that, Neal, I'll kick it back to you to wrap us up.

Neal Tillery: Thanks Brad. It's really interesting to hear how Okta can help enable an organization with such a global scope and impact as Mercy Corps. That's great. Thank you both for sharing your stories with us today. I want to thank all our attendees today for taking the time out of their busy schedules to attend our session today. I really hope those are helpful and informative and kind of energize you and excite you to see what you can do with Okta in your organization. We hope you enjoy the rest of Oktane Live and hope to see you again next year. Thank you.