We all know that the majority of “breaches” are caused by human error, intentional or not. We also know that passwords are among the weakest forms of access management.
I had the privilege to sit in on a customer roundtable session hosted by Okta, a leader in identity and application access management, based in San Francisco. Its mission is to securely connect any person via any device to the technologies they need to do their work.
Frederic Kerrest, co-founder and Chief Operating Officer, led the discussion. He was in Australia hosting Okta’s Identity and Mobility Forum in Sydney.
Before I get into what the customers discussed, one thing Kerrest said resonated with me: “You have to make it easy for the end user. What device are you accessing it [networks and apps] from, what time are you doing it, where are you doing it, and perhaps why are you doing it. That context is vital, and that is why we came up with contextual access management.”
The Okta customers and staff present included:
- Michael Collins, General Manager Information Security & Technology, HESTA
- Aaron Finnis, Associate Director, Information Security & Risk, Flinders University
- Dave Glover, CTO Salmat
- Richard Mountstephens, Lead Enterprise Architect, TAL
- Frederic Kerrest, Co-founder and COO, Okta
- Graham Pearson, VP APAC, Okta
- Ryan Carlson, CMO, Okta
Kerrest spoke of the company’s relatively recent ascent.
Kerrest co-founded Okta with Todd McKinnon, whom he met while working at Salesforce. “The two of us worked together for six years at Salesforce. The Salesforce business was doing well and identity management was becoming an issue. CIOs would say we love this new Software as a Service model - but we’re running into basic problems of no central access control. We also realised that cloud adoption and software as a service in general was a huge trend. We left Salesforce to start Okta because this company had to be built as independent of any software.”
There is a whole new acronym, CASB (Cloud Access Security Broker), although Identity as a Service (IDaaS) is also used.
It is one of the more rapid growth areas of “Everything as a Service”, expected to reach US$7.51 billion by 2020. According to Gartner, CASBs act as intermediaries between end users and cloud applications, providing platforms with added security benefits through APIs or proxies. Those benefits include visibility and risk assessment, compliance, data security and threat protection.
Graham Pearson, regional VP of Okta APAC, said that its local customer base was made up of household names. “We’ve had extreme growth, and we’re obviously very happy with the way that it’s going. I’d love to be proven wrong, but I think that we are by far the number one identity management vendor now in Australia.”
Xero, the cloud accounting company, is one of Okta’s best APAC customers, and it has gone live with Workday as a master [there needs to be a central repository of users, e.g. Microsoft Active Directory, or preferably an HR system like Workday that may be updated more regularly].
The remainder of the discussion is paraphrased to reflect the free-flowing conversation.
The issue is too many passwords: despite the best intentions to use a different one for each login, the average user has dozens, if not many more, to remember. It is human nature to reuse a common “root” password you remember.
While consumers can use a password generator and vault like LastPass, that is not practical in commercial situations where multiple BYOD and other devices are used, and where hundreds of apps and even multiple networks may be exposed via a single network login.
Okta has two modes of use - Business to employee/supplier and Business to customer [think any website that requires customer login]. Essentially it allows an authorised person [known to the company] to use a Single Sign On (SSO) to access whatever they are allowed to under whatever terms they have been granted.
Beyond SSO, it is about contextual awareness. Why is “Fred” accessing the corporate server at midnight from the Maldives on an iPhone when he lives in San Francisco, uses Android, and has never dialled in at midnight before? A password will not stop that, but Okta will.
The critical part is to establish whether it really is Fred and, if so, what he can access. If he tries to do something outside his normal work habits, Okta can lock the fraudulent interloper out. Okta is used to control what Fred can access (and when) and brings trust back to the login process.
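To make the “Fred at midnight from the Maldives” decision concrete, here is an added illustrative example of a contextual access policy. It is not Okta’s code: the signals, weights and thresholds are assumptions chosen for the example, and the baseline data for Fred is constructed.

```python
# Added illustrative example (not Okta's code): a minimal contextual access
# policy. A login attempt is compared with the user's baseline (usual device
# platform, home country, hours of activity); each deviation adds to a risk
# score that maps to allow / step-up MFA / deny. All data is constructed.
from dataclasses import dataclass


@dataclass
class Baseline:
    platforms: set        # device platforms the user normally logs in from
    countries: set        # countries the user normally logs in from
    active_hours: range   # local hours during which the user normally works


@dataclass
class Attempt:
    user: str
    platform: str
    country: str
    hour: int             # 0-23, local time of the attempt


# Weights and thresholds are assumptions; a real policy tunes them to risk appetite.
WEIGHTS = {"platform": 2, "country": 3, "hour": 1}
STEP_UP_AT, DENY_AT = 2, 5


def risk_signals(attempt: Attempt, base: Baseline) -> dict:
    """Return which context signals deviate from the user's baseline."""
    return {
        "platform": attempt.platform not in base.platforms,
        "country": attempt.country not in base.countries,
        "hour": attempt.hour not in base.active_hours,
    }


def decide(attempt: Attempt, base: Baseline) -> tuple:
    """Sum the weights of the deviating signals and map the score to a decision."""
    score = sum(WEIGHTS[k] for k, hit in risk_signals(attempt, base).items() if hit)
    if score >= DENY_AT:
        return ("deny", score)
    if score >= STEP_UP_AT:
        return ("step_up_mfa", score)
    return ("allow", score)


# Constructed baseline for "Fred" from the article's scenario.
FRED = Baseline(platforms={"android"}, countries={"US"}, active_hours=range(8, 19))

if __name__ == "__main__":
    print(decide(Attempt("fred", "android", "US", 10), FRED))  # ('allow', 0)
    print(decide(Attempt("fred", "ios", "MV", 0), FRED))       # ('deny', 6)
```

A new phone in the usual country and hours only scores 2, so the policy asks for a second factor rather than blocking outright; the full Maldives scenario trips every signal and is denied.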
The group discussed the cloud, Identity as a Service and various security issues. The conclusion was that cloud adoption was inevitable, especially with Microsoft Office/Dynamics 365 [and similar suites], and that resistance by governments on data sovereignty grounds has almost disappeared. One participant commented that Okta had helped him identify major shadow IT, where apps were being purchased and installed by users without the IT department’s purview.
That led to a conversation on security. Perimeter security [think of a moat around a castle] was popular because it allowed those inside the moat [network] to have complete freedom. The way to the future was to “put a lock on every door.”
The “lock on every door” raised the topic of apps calling other apps via APIs. The response was that users [clients] now ask software developers whether an app or API is Okta compliant. Thousands are now part of Okta’s ecosystem, and those that are not can be brought in or, importantly, locked out.
All commented on the speed of implementation, especially if the HR system was the “trusted database”. It seemed all too easy to create a new user in Active Directory, but purging a user who had left, been transferred or been promoted was often left to last. “What system knows all users? HR does because they need to get paid.”
In general, all clients present selected Okta after reviewing competing identity management systems and implemented it in a matter of “minutes”: it was a simple cut-over once the basic rules were set up. After that, it was a matter of refining the rules based on the actionable intelligence the system generated, namely who, what, when, where and why users needed access.
Because Okta is cloud-based, the question of absolute reliability was asked, e.g. what happens if the cloud goes down? Kerrest explained that the architecture was such that Okta was always available. He did not go into specifics, but I gather it is about multiple redundant cloud servers and pathways. The overall feeling was that cloud is the best vehicle for this service. “Why build your own capability on premise when cloud offers so much more flexibility, immediate updates and cost savings.”
We spoke about Multi-Factor Authentication (MFA): biometrics, voice, CVV, IP addresses, tokens (like Yubico’s YubiKey), and more. The general opinion was that the need for MFA was all about risk: the risk of the transaction, the organisation's appetite for risk, and so on. Some had implemented it and some had not, but all reminded us that contextual awareness obviates much of the need.
Kerrest concluded, “We are excited by our acceptance in APAC, it is one of the fastest growing cloud users, and it is embracing IDaaS and CASB faster than many other regions.”
Following are some case studies from Okta clients present at the roundtable. If you are interested in the various use case scenarios, read on.
Okta Case Study Overview: Flinders University
Ranked in the top 2% of universities worldwide, Flinders University strives to provide its students and staff with the best possible user experience, whether on campus or working and studying remotely.
Over the past few years, the university has connected many different technologies and applications to keep up with the demands of staff and students. Although this greatly improved the availability of technologies to the university community, it led to an inconsistent user experience.
The university also had to continuously manage the on-boarding and off-boarding of thousands of users each year as students enrolled and graduated, and staff joined or left the university. Flinders was in need of a solution to manage the identities of its 30,000 users, while seamlessly connecting them to the different apps and devices they required.
The university’s priorities for improving its online services included:
- Streamline applications for a single online experience
- Decrease the number of online service support requests from users for password recovery
- Easily integrate with existing on-prem systems and new cloud services
- Efficiently on-board and off-board large numbers of users
- Improve proactive security monitoring practices
Flinders ultimately decided to procure a cloud-based identity solution, and Okta was selected for its simplicity and speed of deployment.
Now with Okta Single Sign-On, Flinders users have one login to easily access all the applications and services the university provides. Okta Lifecycle Management automates the process of granting and taking away access to apps based on the user’s role at the university. Okta also seamlessly integrates with the university’s existing systems, with ten new applications integrated within fourteen weeks of commencing the project. Thanks to Okta’s 5,000 pre-integrated applications in its network, Flinders’ deployment avoided additional software development costs, and everything was up and running in minimal time: 25,000 users were registered in 25 days!
The Flinders IT team now has the time to think about what’s next, giving it a head start on the growing technological demands of students and staff by adding new services that improve self-service for its users. Flinders is now looking at Okta Mobility Management for its added benefits for remote and mobile students and staff.
About Flinders University
Flinders University is a globally focused, locally engaged institution that exemplifies teaching, learning and research excellence. Offering a world-class education in a stimulating, friendly environment, and with a proud reputation for high-quality student experience, Flinders caters to more than 25,000 students from more than 90 countries. The university prides itself on its record of community engagement, as well as its long-standing commitment to enhancing educational opportunities for everyone.
Okta Case Study Overview: HESTA
HESTA is an industry-leading super fund for health and community services in Australia. Founded in 1987, the fund has more than 800,000 members and manages more than $34b in assets. HESTA remains a relatively lean organisation with approximately 150 employees. Like many businesses, HESTA found its application landscape was growing, causing complexities around managing multiple passwords for each application, as well as on-boarding and off-boarding users as new employees joined or left the business.
HESTA’s priority was security, but it also wanted to build in flexibility in managing access to cloud-based applications, both within the business and for external contractors. Effective, simple and scalable identity management was important. After a trial with Okta, HESTA went live with a solution providing single sign-on capabilities for employees and contractors to access mission-critical, cloud-based applications.
From back office functions (including HR and payroll management) to client-facing customer management, Okta helped HESTA develop a seamless, secure single sign-on to its business applications, including Microsoft Office 365 and a host of other cloud-based services. HESTA has also enabled users with access to a set of personal applications. Okta provides a simple management layer that helps HESTA ensure employee access to personal applications is secure and minimises risk to the business.
Okta’s solutions have reduced the administrative burden of relying solely on Active Directory-based services, providing secure access with minimal disruption to employees and contractors.
About HESTA
HESTA is the super fund for health and community services, with more than 800,000 members and $34 billion in assets. HESTA was established in 1987 to help its members, 85% of whom are women, achieve the retirement they deserve.
HESTA maintains the highest ratings from all rating agencies including an AAA-Quality Rating and MySuper of the Year Award from SelectingSuper and SuperRatings’ 10-year Platinum Performance Rating. More people in health and community services choose HESTA for their super. Learn more at www.hesta.com.au
Okta Case Study Overview: Salmat
In 2014, Salmat’s new CEO realised that the company was distracting itself from its key strengths by constantly trying to fulfil endless customer and employee software customisation requests. Saying “yes” to every request was no longer sustainable, or strategic. In response, Salmat outlined a cloud strategy with the goal of building and delivering services on top of standard, reusable, repeatable platforms that benefit from economies of scale. After spending four months trying to integrate Workday with Microsoft Active Directory (AD), the team abandoned the project and began searching for a cloud-based identity partner that could help pave the way for a full-scale transition to the cloud.
Salmat wanted to make its employees more efficient and secure, as well as to simplify and reduce the cost of the infrastructure that supports their work. Okta came in and solved Salmat’s Workday integration problem in a few hours; from there, Salmat relied on the Okta Identity Cloud for its comprehensive Google Apps deployment. Today, Okta is helping Salmat move towards eliminating AD completely. Salmat employees can now access all their new cloud applications through Okta, which means those applications don’t have to be integrated with AD at all. By 2017, Salmat plans to master all employee email addresses and user IDs in Okta rather than AD. And as Salmat navigates wholesale change, from on-prem infrastructure and desktop-based work to cloud solutions and Chromebooks, Okta helps it focus on change management and cloud strategy rather than on password and access issues.
Further information on the Okta deployment can be read here.
About Salmat
Salmat is a full-service marketing and communications company with a single aim since 1979—getting clients closer to their customers. The team of nearly 4,000 people across four countries works to enable ROI-driven marketing services across letterbox media, contact services, digital, and local area marketing. Every year, they manage billions of customer interactions for some of Australia and New Zealand’s most trusted brands.
Okta Case Study Overview: TAL
In 2015 TAL, one of Australia’s largest life insurance specialists, embarked on a journey to broaden its business model beyond the traditional financial adviser and superannuation fund distribution channels by extending its offerings directly to consumers.
Online channels are an essential element of a consumer-facing business model, and because TAL operates in the competitive insurance industry, it needed to deliver a quality, seamless online experience for its customers. This also needed to be completed in time for the recent brand launch and major marketing campaign. TAL faced different user experience challenges at each step of the online insurance business value chain.
The online quote/apply experience for TAL’s potential customers required the provision of medium-strength security credentials. The challenge with existing customers, by contrast, is their infrequent interactions: they usually log in only once or twice a year to renew their policies or download invoices for tax purposes.
Because of the infrequent interactions TAL has with its clients online, users forgetting login details and passwords is inevitable. In developing its customer portal, TAL engaged with Okta to investigate how it could overcome the customer pain point of remembering login details and minimise the IT pressures that come with multiple password reset requests, without compromising security.
TAL decided to implement Okta using a multi-factor authentication process that does not require a unique password, a first for an Australian insurance provider. Following a short registration process with a policy number, customers are only required to input an email address as identification. When the email address is found in the system, a security code is sent to either the email address or the mobile phone listed on the account. Almost instantly, customers can log in to access the information they need.
TAL has now successfully opened its consumer channel with the launch of a customer self-service portal supporting two brands, My TAL and Insuranceline, both running on the Okta platform as a reusable enterprise capability. TAL IT is now expanding its use and looking at other areas of the business, including partners, retail and potential consumers, to further enable their online experience.
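The email/SMS security-code step described in the TAL case study, as an added illustrative example that is neither TAL’s nor Okta’s code: it shows the controls a practitioner would expect around such a code (random, short-lived, single-use, limited attempts, constant-time comparison). The account record and the delivery stub are constructed for the example.

```python
# Added illustrative example (not TAL's or Okta's code): verifying a one-time
# security code sent by email or SMS in place of a password. Delivery is a
# stand-in list; the account data is constructed.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # code expires after five minutes (assumed value)
MAX_ATTEMPTS = 5         # guesses allowed before the code is invalidated

ACCOUNTS = {"fred@example.com": {"mobile": "+61400000000"}}   # constructed
pending = {}     # email -> {"hash": ..., "expires": ..., "attempts": ...}
delivered = []   # stand-in for the email/SMS gateway: (destination, code)


def _hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def deliver(destination: str, code: str) -> None:
    delivered.append((destination, code))


def start_login(email: str, channel: str, now: float = None) -> bool:
    """Issue a code if the address is known. Returns True either way so the
    response does not reveal whether an address is registered."""
    now = time.time() if now is None else now
    if email in ACCOUNTS:
        code = f"{secrets.randbelow(10**6):06d}"          # six random digits
        pending[email] = {"hash": _hash(code), "expires": now + CODE_TTL_SECONDS, "attempts": 0}
        destination = email if channel == "email" else ACCOUNTS[email]["mobile"]
        deliver(destination, code)
    return True


def verify(email: str, code: str, now: float = None) -> bool:
    """Accept the code once, within its lifetime and attempt budget."""
    now = time.time() if now is None else now
    entry = pending.get(email)
    if entry is None:
        return False
    entry["attempts"] += 1
    if now > entry["expires"] or entry["attempts"] > MAX_ATTEMPTS:
        del pending[email]          # expired or brute-forced: invalidate
        return False
    if hmac.compare_digest(entry["hash"], _hash(code)):
        del pending[email]          # single use
        return True
    return False
```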
About TAL
TAL is Australia's life insurance specialist. For over 140 years, TAL has been protecting people, not things. Today, TAL insures more than 3.7 million Australians. In 2015, TAL reached a new milestone paying over $1 billion in claims.