I attended a customer roundtable session hosted by Okta, a San Francisco-based company that is a leader in identity and application access management. Its products securely connect any person via any device to the technologies they need to do their work.
Frederic Kerrest, co-founder and chief operating officer, led the discussion. He was in Australia hosting Okta’s Identity and Mobility Forum in Sydney.
Before I get into what the customers discussed, one thing Kerrest said resonated with me, “You have to make it easy for the end user. What device are you accessing it [networks and apps] from, what time are you doing it, where are you doing it, and perhaps why are you doing it. That context is vital, and that is why we came up with contextual access management.”
The Okta customers and staff present included:
- Michael Collins, general manager Information Security & Technology, HESTA
- Aaron Finnis, associate director, Information Security & Risk, Flinders University
- Dave Glover, chief technology officer, Salmat
- Richard Mountstephens, lead enterprise architect, TAL
- Frederic Kerrest
- Graham Pearson, vice-president APAC, Okta
- Ryan Carlson, chief marketing officer, Okta
Kerrest spoke of the relatively recent ascent of the company.
He co-founded Okta with Todd McKinnon, whom he met while working at Salesforce. “The two of us worked together for six years at Salesforce. The Salesforce business was doing well and identity management was becoming an issue. CIOs would say we love this new Software as a Service model – but we’re running into basic problems of no central access control. We also realised that cloud adoption and software as a service in general was a huge trend. We left Salesforce to start Okta because this company had to be built independent of any software.”
There is a new acronym — CASB (Cloud Access Security Broker) — although Identity as a Service (IDaaS) is also used.
It is one of the more rapid growth areas of “Everything as a Service” expected to reach US$7.51 billion by 2020. According to Gartner, CASBs act as intermediaries between end users and cloud applications, providing platforms with added security benefits through APIs or proxies. Those benefits include visibility and risk assessment, compliance, data security and threat protection.
Pearson said Okta’s local customer base was made up of household names. “We’ve had extreme growth, and we’re obviously very happy with the way that it’s going. I’d love to be proven wrong, but I think that we are by far the number one identity management vendor now in Australia.”
Xero cloud accounting is one of Okta’s best APAC customers, and it has gone live with Workday as a master [there needs to be a central repository of users e.g. Microsoft Active Directory, or preferably an HR system like Workday that may be updated more regularly].
The remainder of the discussion is paraphrased to reflect the free-flowing conversation.
The group felt the issue was too many passwords and the fact that despite the best intentions to use different ones for each login, the average user had dozens to remember. They also felt it was human nature to use a common “root” password that one remembered.
While consumers could use a password generator and vault like LastPass, that was not possible in commercial situations where multiple BYOD and other devices were used and where hundreds of apps and even multiple networks may be exposed via a single network login, the participants agreed.
Okta has two modes of use – business to employee/supplier and business to customer (think of any website that requires a customer login). Essentially it allows an authorised person (known to the company) to use a single sign-on (SSO) to access whatever they are allowed to, under whatever terms they have been granted.
The latter is about contextual awareness. Why is “Fred” accessing the corporate server at midnight from the Maldives on an iPhone when he lives in San Francisco, uses Android, and has never dialled in at midnight before? A password will not stop that but Okta will.
The critical part is to establish whether it really is Fred and, if so, what he can access. If he tries to do something outside his normal work habits, Okta can lock the fraudulent interloper out. Okta is used to control what Fred can access (and when) and brings trust back to the login process.
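To make the “is it really Fred?” decision concrete, here is an added example (not Okta’s code, and not from the roundtable) of the kind of policy engine that contextual access management implies: it learns a per-user baseline from prior successful logins, scores a new attempt on the three signals the discussion names (location, device, time of day), and maps the score to allow, step-up MFA, or deny. The weights, thresholds, Fred’s login history and the dates are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Login:
    """One login event: who, from which country, on which platform, and when."""
    user: str
    country: str
    platform: str
    when: datetime


@dataclass
class Baseline:
    """What is 'normal' for a user, derived from prior successful logins."""
    countries: set
    platforms: set
    hours: set  # hours of day (0-23) at which the user has logged in before


def build_baseline(history):
    """Learn a baseline from a list of prior successful Login events."""
    return Baseline(
        countries={h.country for h in history},
        platforms={h.platform for h in history},
        hours={h.when.hour for h in history},
    )


# Illustrative weights and thresholds (assumptions, not Okta's policy values).
WEIGHTS = {"new country": 40, "new device platform": 25, "unusual hour": 20}
DENY_AT = 60
STEP_UP_AT = 25


def risk_score(baseline, attempt):
    """Return (score, reasons): each signal that departs from the baseline adds its weight."""
    reasons = []
    if attempt.country not in baseline.countries:
        reasons.append("new country")
    if attempt.platform not in baseline.platforms:
        reasons.append("new device platform")
    if attempt.when.hour not in baseline.hours:
        reasons.append("unusual hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(baseline, attempt):
    """Map the risk score to an access decision: allow, step-up (require MFA), or deny."""
    score, reasons = risk_score(baseline, attempt)
    if score >= DENY_AT:
        return "deny", score, reasons
    if score >= STEP_UP_AT:
        return "step-up", score, reasons
    return "allow", score, reasons


def decision_for(baseline, country, platform, hour, user="fred"):
    """Convenience wrapper: evaluate an attempt on a constructed date at the given hour."""
    return decide(baseline, Login(user, country, platform, datetime(2016, 3, 20, hour)))


# Constructed history: Fred normally logs in from the US, on Android, during office hours.
FRED_HISTORY = [
    Login("fred", "US", "Android", datetime(2016, 3, d, h))
    for d, h in [(1, 9), (2, 10), (3, 14), (4, 17), (7, 8)]
]
FRED_BASELINE = build_baseline(FRED_HISTORY)

if __name__ == "__main__":
    # The article's scenario: midnight, Maldives, iPhone.
    print(decision_for(FRED_BASELINE, "MV", "iOS", 0))
    # A new phone during office hours from home: worth a second factor, not a lockout.
    print(decision_for(FRED_BASELINE, "US", "iOS", 10))
```

The point of the ladder is that a single unusual signal (a new phone) should cost the user one extra step, while several signals together are treated as a different person until proven otherwise; the log of reasons is what an analyst reviews afterwards.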
The group discussed the cloud – Identity as a Service and various security issues. The conclusion was that cloud adoption was inevitable, especially with Microsoft Office/Dynamics 365 (and similar suites), and resistance by governments on data sovereignty grounds has almost disappeared. One participant commented that Okta had helped him identify major shadow IT use – where apps were being purchased and installed by users without IT being aware.
That led to a conversation on security. Perimeter security (think of a moat around a castle) was popular because it allowed those inside the moat (network) to have complete freedom. The way to the future was to “put a lock on every door”.
The “lock on every door” raised the topic of apps calling other apps via APIs. The response was that users (clients) now asked software developers if an app or API was Okta compliant. There are thousands that are now part of Okta’s ecosystem and, if not, they can be bought in or, importantly, locked out.
All commented on the speed of implementation, especially if the HR system was the “trusted database”. It seemed all too easy to create a new user in Active Directory but purging a user who had left, transferred or was promoted was often left to the last. “What system knows all users? HR does because they need to get paid.”
In general, all clients present selected Okta after reviewing competing identity management systems and implemented it in a matter of “minutes” – it was a simple crossover once the basic rules were set up. After that, it was a matter of refining the rules based on actionable intelligence the system generated – who, what, when, where and why users needed access.
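The two preceding paragraphs describe treating the HR system as the “trusted database” and letting the identity system derive access from it, with the rules refined over time. As an added example (not Okta’s code, and not from any of the customers present), the following reconciliation routine shows the core of that idea: the HR roster is the source of truth, directory accounts and application entitlements are compared against it, and the output is the list of joiner, mover and leaver actions needed, including accounts HR has never heard of. The role-to-application map and all user records are constructed sample data.

```python
# Constructed role-to-application entitlements; a real deployment keeps these in the IdP.
ROLE_APPS = {
    "finance": {"payroll", "erp", "email"},
    "engineer": {"git", "ci", "email"},
    "contractor": {"wiki"},
}


def reconcile(hr_roster, directory):
    """Compare the HR roster (source of truth) with directory accounts and return the
    provisioning actions needed to bring the directory into line.

    hr_roster: {user_id: {"role": str, "status": "active" | "terminated"}}
    directory: {user_id: {"apps": set of application names currently granted}}
    Returns a sorted list of (action, user_id, frozenset_of_apps) tuples.
    """
    actions = []
    for uid, rec in hr_roster.items():
        if rec["status"] != "active":
            # Leaver: HR says they are gone, so every account and entitlement goes too.
            if uid in directory:
                actions.append(("deprovision", uid, frozenset(directory[uid]["apps"])))
            continue
        wanted = ROLE_APPS.get(rec["role"], set())
        if uid not in directory:
            actions.append(("create", uid, frozenset(wanted)))  # joiner
            continue
        have = directory[uid]["apps"]
        if wanted - have:
            actions.append(("grant", uid, frozenset(wanted - have)))   # mover: gains new role's apps
        if have - wanted:
            actions.append(("revoke", uid, frozenset(have - wanted)))  # mover: loses old role's apps
    for uid in directory:
        if uid not in hr_roster:
            # Orphan: an account HR does not know about. If nobody pays them, they should not exist.
            actions.append(("deprovision", uid, frozenset(directory[uid]["apps"])))
    return sorted(actions)


def apply_actions(directory, actions):
    """Return a new directory state with the actions applied (the directory is not mutated)."""
    new = {uid: {"apps": set(rec["apps"])} for uid, rec in directory.items()}
    for action, uid, apps in actions:
        if action == "create":
            new[uid] = {"apps": set(apps)}
        elif action == "deprovision":
            new.pop(uid, None)
        elif action == "grant":
            new[uid]["apps"] |= apps
        elif action == "revoke":
            new[uid]["apps"] -= apps
    return new


# Constructed sample data: bob has moved from engineering to finance, carol has left,
# dave has just joined, and eve exists in the directory but not in HR.
HR_ROSTER = {
    "alice": {"role": "finance", "status": "active"},
    "bob": {"role": "finance", "status": "active"},
    "carol": {"role": "contractor", "status": "terminated"},
    "dave": {"role": "engineer", "status": "active"},
}
DIRECTORY = {
    "alice": {"apps": {"payroll", "erp", "email"}},
    "bob": {"apps": {"git", "ci", "email"}},
    "carol": {"apps": {"wiki"}},
    "eve": {"apps": {"email"}},
}

if __name__ == "__main__":
    for action in reconcile(HR_ROSTER, DIRECTORY):
        print(action)
```

Running the reconciliation a second time on the updated directory yields no actions, which is the property you want from a scheduled job: it converges on the HR roster rather than accumulating stale accounts, the failure mode the participants described when deprovisioning “was often left to the last”.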
Because Okta is cloud-based, the question of absolute reliability was raised, e.g. what happens if the cloud goes down? Kerrest explained that the architecture was such that Okta was always available – he did not go into specifics, but I gather it is about multiple redundant cloud servers and pathways. The overall feeling was that cloud is the best vehicle for this service. “Why build your own capability on premise when cloud offers so much more flexibility, immediate updates and cost savings?”
We spoke about Multi-Factor Authentication (MFA) – biometrics, voice, CVV, IP addresses, tokens (like Yubico’s Yubikey), and more. The general opinion was that the need for MFA was all about risk – the risk of the transaction, the organisation's appetite for risk, etc. Some had implemented it, and some had not but all reminded us that contextual awareness obviates much of the need.
Kerrest concluded, “We are excited by our acceptance in APAC, it is one of the fastest growing cloud users, and it is embracing IDaaS and CASB faster than many other regions.”
Here are some case studies from the Okta clients present. If you are interested in various use case scenarios, read on.
Okta Case Study Overview: Flinders University
Flinders University is ranked in the top 2% of universities worldwide. Over the past few years, the university has connected many different technologies and applications to keep up with the demands of staff and students. Although this greatly improved the availability of technologies to the university community, it led to an inconsistent user experience.
The university also had to continuously manage the on-boarding and off-boarding of thousands of users each year as students enrolled and graduated, and staff joined or left. It needed a solution to manage the identities of its 30,000 users, while connecting them to different apps and devices they required.
The university’s priorities for improving its online services included:
- Streamlining applications for a single online experience;
- Decreasing the number of online service support requests from users for password recovery;
- Easily integrating with existing on-prem systems and new cloud services;
- Efficiently on-boarding and off-boarding large numbers of users; and
- Improving proactive security monitoring practices
Flinders ultimately decided to procure a cloud-based identity solution, and Okta was selected.
Now with Okta Single Sign-On, Flinders users have one login to easily access all the applications and services the university provides. Okta Lifecycle Management automates the process of granting and taking away access to apps based on the user’s role. Okta also integrates with the university’s existing systems, with 10 new applications integrated within 14 weeks of commencing the project. Thanks to Okta’s 5000 pre-integrated applications in its network, Flinders’ deployment avoided additional software development costs, and everything was up and running in minimal time: 25,000 users were registered in 25 days.
The Flinders IT team now has the time to think about what’s next, giving them a leg up on the growing technological demands of students and staff by adding new services to improve self-service of its users. Flinders is now looking at Okta Mobility Management for its added benefits with their remote and mobile students and staff.
Okta Case Study Overview: HESTA
HESTA is a super fund for health and community services in Australia. Founded in 1987, it has more than 800,000 members and manages more than $34 billion in assets. HESTA remains a relatively lean organisation with approximately 150 employees. Like many businesses, HESTA found its application landscape was growing, causing complexities around managing multiple passwords for each application, as well as on-boarding and off-boarding users as new employees joined or left.
HESTA’s priority was security, but it also wanted to build in flexibility in managing access to cloud-based applications — both within the business and for external contractors. Effective, simple and scalable identity management was important. After a trial with Okta, HESTA went live with a solution providing single sign-on capabilities for employees and contractors to access mission-critical, cloud-based applications.
From back office functions (including HR and payroll management) to client-facing customer management, Okta helped HESTA develop a secure single sign-on to its business applications, including Microsoft Office 365 and a host of other cloud-based services. HESTA has also enabled users with access to a set of personal applications. Okta provides a simple management layer that helps HESTA ensure employee access to personal applications is secure and minimises risk to the business.
Okta’s solutions have reduced the administrative burden of relying solely on Active Directory-based services, providing secure access with minimal disruption to employees and contractors.
Okta Case Study Overview: Salmat
In 2014, Salmat’s new chief executive realised that the company was distracting itself from its key strengths by constantly trying to fulfill endless customer and employee software customisation requests. Saying “yes” to every request was no longer sustainable, or strategic. In response, Salmat outlined a cloud strategy to build and deliver services on top of standard, re-usable, repeatable platforms that benefit from economies of scale. After spending four months trying to integrate Workday with Microsoft Active Directory (AD), the team abandoned the project and began searching for a cloud-based identity partner for a full-scale transition to the cloud.
Salmat wanted to make its employees more efficient and secure, as well as to simplify and reduce the cost of their infrastructure. Okta solved Salmat’s Workday integration problem in a few hours. From there Salmat relied on the Okta Identity Cloud for its comprehensive Google Apps deployment. Today, Okta is helping Salmat move towards eliminating AD completely. Salmat employees can now access all their new cloud applications through Okta, which means they don’t have to be integrated with AD at all. By 2017, Salmat plans to master all employee email addresses and user IDs in Okta, rather than AD. And as Salmat navigates wholesale change, from on-premises infrastructure and desktop-based work to cloud solutions and Chromebooks, Okta helps them focus on change management and cloud strategy, rather than on password and access issues.
Okta Case Study Overview: TAL
In 2015 TAL, one of Australia’s larger life insurance specialists, embarked on a journey to broaden its business model beyond the traditional financial adviser and superannuation fund-based distribution channels by extending its offerings directly to consumers.
Online channels are an essential element of a consumer-facing business model, and because TAL exists in the competitive insurance industry, it needed to deliver a quality online experience for its customers. This also needed to be completed in time for the recent brand launch and major marketing campaign. TAL faced different user experience challenges at each step of the online insurance business value chain.
The online quote/apply experience for TAL’s potential customers required medium-strength security credentials, while the challenge with existing customers is their infrequent interactions. They usually log in once or twice a year to renew their policies or download invoices for tax purposes.
Due to the infrequent interactions TAL has with its clients online, it is inevitable that users forget login details and passwords. In the development of its customer portal, TAL and Okta looked at overcoming the customer pain point of remembering login details and minimising the IT pressures that come with the multiple password requests, without compromising security.
TAL decided to implement Okta, using a multi-factor authentication process that would not require a unique password – a first for an Australian insurance provider. Following a short registration process with a policy number, customers are only required to input an email address as identification. When this is detected, a security code is sent to either the email address or mobile phone listed on the account. Almost instantly, customers can log in to access the information they need.
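The email-plus-one-time-code flow above is simple for the customer, but the server side has to get a few things right for it not to become weaker than the password it replaces. As an added example (not Okta’s or TAL’s implementation), the class below shows those pieces: a code drawn from a cryptographic random source, only a keyed hash of it stored, a short lifetime, a cap on wrong guesses, single use, and an identical response whether or not the email is on an account so the endpoint cannot be used to discover which addresses are registered. The lifetime, attempt limit, code length and sample addresses are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 5 * 60   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3            # assumption: three wrong guesses invalidate the code


class PasswordlessLogin:
    """Email-identified, one-time-code login (illustrative, not a vendor's implementation)."""

    def __init__(self, registered_emails, clock=time.time):
        self._registered = set(registered_emails)
        self._clock = clock                  # injectable so expiry can be tested deterministically
        self._pending = {}                   # email -> {"digest", "expires", "attempts"}
        self._key = secrets.token_bytes(32)  # server-side key: a leaked table of digests is useless alone

    def _digest(self, email, code):
        return hmac.new(self._key, f"{email}\0{code}".encode(), hashlib.sha256).digest()

    def request_code(self, email):
        """Start a login. Returns the code to deliver out-of-band (email/SMS), or None if the
        address is not on any account. The HTTP layer must answer 'check your inbox' in both
        cases so the endpoint does not reveal which emails are registered."""
        if email not in self._registered:
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[email] = {
            "digest": self._digest(email, code),  # the plaintext code is never stored
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, email, code):
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        rec = self._pending.get(email)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[email]
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[email]          # too many guesses: the customer must request a new code
            return False
        if hmac.compare_digest(rec["digest"], self._digest(email, code)):
            del self._pending[email]          # single use: a captured code cannot be replayed
            return True
        return False


def wrong_code(code):
    """Demonstration helper: a well-formed code guaranteed to differ from `code`."""
    zeros = "0" * CODE_DIGITS
    return zeros if code != zeros else zeros[:-1] + "1"


if __name__ == "__main__":
    svc = PasswordlessLogin({"customer@example.com"})
    code = svc.request_code("customer@example.com")
    print("delivery channel would carry:", code)
    print(svc.verify("customer@example.com", code))   # True
    print(svc.verify("customer@example.com", code))   # False: already used
```

With six digits and three attempts per code, a guess succeeds with probability 3 in a million per issued code; the attempt cap and the short lifetime are what make that number meaningful, and a rate limit on `request_code` per address is the remaining control an operator would add at the HTTP layer.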
TAL has now successfully opened its consumer channel with the launch of a customer self-service portal supporting two brands, My TAL, and Insuranceline, both running on the Okta Platform as a re-usable enterprise capability. TAL IT is now expanding their use and looking at other areas of the business, including partners, retail, and potential consumers, to further enable their online experience.