How Thoughtworks Gained Better Security and Increased Productivity—by Losing Their Dependence on AD
Thoughtworks began its journey away from Active Directory (AD) less than three years ago, though Philip Ibarrola, Thoughtworks TechOps Head of Technology, says it was a long time coming.
Thoughtworks was once a Microsoft-only shop: Microsoft servers, Windows-based laptops, and security and authentications, all managed by AD. But since 2011, the company has taken a cloud-first approach, favouring cloud-based apps and eliminating on-premises servers. “We thought it was the future of work then, and we still do,” says Ibarrola. “Work is more and more distributed and more geographically dispersed, and the tools to enable that are in the cloud.”
Meanwhile, Thoughtworks employees had began choosing Mac laptops over PCs—at last count over 95% of employees used Macs. “So Microsoft AD was becoming a less important, and less interesting, part of our infrastructure,” says Ibarrola. “It wasn’t evolving and became an area of risk because we didn't have people who had the expertise to look after it.”
The heavy burden of Active Directory
AD had become a burdensome legacy system: upgrades were a hassle, and challenges to the system—such as AD not synching properly—would prevent employees from being able to log in to critical applications. For an international software consultancy like Thoughtworks, employee productivity is crucial to financial success. “If our authentication systems do not let workers in because of a failure of AD, that translates into hard dollars—our people can’t enter timesheets or bill clients, or work, period,” Ibarrola says, “because they can’t get into any business-critical apps.”
Thoughtworks had already implemented the Okta Identity Cloud for Single Sign-On, Lifecycle Management, Multi-factor Authentication, and to control access to cloud-based apps. Ibarrola knew the Okta Identity Cloud was a modern directory solution that, with a handful of other innovative partners, could eventually eliminate the company’s use of Active Directory. “AD was brittle and hard to maintain,” Ibarrola says. “We didn’t want to depend on it anymore because it was fragile. It was an area of risk, and we had a better alternative. I feel much more secure knowing that Okta has all the monitoring and analytics in place.”
Moving to a modern identity platform
As soon as the decision to remove AD was made, Ibarrola and his team spread the word across the company that nothing new could be attached to it. “That's what ultimately made the transition manageable,” Ibarrola says. “We had to draw that line in the sand.”
Ibarrola and his team prepared for the transition by identifying all the processes and applications that depended on AD. “Once we had a pretty good catalog, we prioritized and started a hit-list. One-by-one we eliminated those dependencies and started moving people away from AD.”
For Thoughtworks, removing AD has been a carefully planned, deliberate process. “Already we’ve seen some benefits in terms of not relying on AD for delegated authentication,” Ibarrola says. “It’s led to a lot less anxiety because we know that AD is not a critical part of our infrastructure anymore.”
Some network equipment and Wi-Fi still require AD—but they are the last items that do. Thoughtworks is currently working with their Wi-Fi provider, Mist Systems, on a direct integration with Okta. Ibarrola expects Thoughtworks will be fully AD-free within the next six months.
Expert analytics and secure authentication
“Now Okta is the crown jewel for all of our authentications. We feel much more confident now that our Okta has all the monitoring and analytics in place. Our passwords and our primary identity store is with Okta. Knowing that Okta’s team of experts is protecting that is definitely better than we could do internally.”
Are you ready to start rethinking Active Directory? Tune into Oktane20 Live! on April 1 at 12:00pm PT to hear directly from the Thoughtworks team on their journey to deprecate AD. Then download our eBook, Rethink Active Directory.