Putting a Lock on Password Management
Paul Aldridge, CIO of Genomic Health, Inc., wanted his technology team fully focused on supporting a next-generation network for cancer research. Yet with each user requiring logins for as many as a dozen software-as-a-service (SaaS) sites, password management chores such as lookups and resets were chewing up the team's time.
Genomic, based in Redwood City, Calif., is a firm believer in SaaS, subscribing to applications for performance reviews, expense reporting, payroll, employee benefits, vacation time tracking, customer relationship management, and more. "We're in the cancer diagnostics business, not back-office services. We use SaaS so IT can concentrate on things that are of value to us," he says.
Aldridge is not alone. Gartner predicted that worldwide SaaS sales would total $10.7 billion this year, a 16.2 percent increase from 2010. As companies become more comfortable with the SaaS model, they are subscribing to services for numerous individual functions.
As Genomic's pool of SaaS sites has grown, though, so has the complexity for the company's 500 employees. "Each provider has a separate password management process and a separate password convention," he says. "Even if users wanted to make it easier by keeping their password the same, they couldn't."
To track all their logons, users posted sticky notes with their passwords and other critical data on their monitors and desks. Rather than admonishing users for this risky practice, Aldridge's team searched for an alternative. He wanted to simplify the situation so users weren't forced to take that step.
He found his solution, ironically, in another SaaS offering, from Okta. Okta's cloud-based identity and access management service acts as a secure single sign-on gateway to other SaaS offerings. Aldridge calls it a "password locker."
Each user is provisioned an account on the Okta portal, where he or she logs in and enters the URLs, usernames and passwords for all other corporate SaaS services. From then on, a customized Okta page provides access to those sites. Okta uses Security Assertion Markup Language (SAML), the XML-based framework, to exchange authentication, entitlement and attribute data with other providers. The security tool works with Microsoft's Active Directory for centralized management and control, and features a directory of hundreds of pre-integrated on-premises applications and cloud-based services.
Aldridge calls the Okta interface intuitive and says users are pleased. "It makes their lives so much easier," he says. It's also freed up IT from dealing with the tedium of password management. "There is an administrative burden that has been lifted."
IT also gained a level of visibility and control over user passwords that it previously did not have. Through a central dashboard, IT can make sure that users are following the policy of changing their passwords frequently, and can shut down accounts immediately if an employee leaves or is terminated. The team also can use Okta to generate reports on user activity to ensure license compliance.
"We've improved our security posture and are able to manage employees' behavior so they are compliant," Aldridge says.
While Aldridge credits Okta for its attention to security, that does not allow him to shirk responsibility. He regularly audits individual SaaS providers to ensure they have proper security controls in place to protect user and corporate data.
Currently, Genomic uses two-factor authentication for the Okta portal, but plans to soon move to three-factor (username, password and RSA token) for even tighter security.
Aldridge says he's happy to kiss the days of sticky notes and password lookups and resets goodbye so that his team can turn its attention to more important tasks.