A massive migration, in a few short months
As an IT contractor for the U.S. Air Force, and an integrated technology solutions provider, CDO Technologies sees its share of challenging initiatives. This year, the company is moving a data center for the Air Force’s A1 unit to the cloud.
It’s a massive undertaking. A1 is the Human Resources branch of the Air Force, so the data center includes the entire applications portfolio for Air Force HR: all the applications and data required to manage and communicate with active duty personnel, reservists, contractors, and federal civilian employees, as well as an extended population of recruits, retirees, families, dependents, and other employees and volunteers.
All in all, the number of people needing access to A1 applications is in the millions. Everyone from the people who run base services such as golf courses and bowling alleys to those who fly stealth fighters or plan top-secret military maneuvers needs secure access to A1 applications. The roughly 200 apps in question include several homegrown and legacy applications, decidedly on-prem and not cloud friendly.
Nevertheless, says Michael McDonnell, cloud architect for CDO Technologies, the current data center will soon become a relic of the information age. “At the midpoint of 2020, it’s going to be closed down. Every one of those apps is going to be moved to the cloud.”
From DIY to centralized, shared responsibility
McDonnell has a crystal-clear vision for what he and the CDO team are out to achieve and how they plan to do it. It starts with centralized, cloud-based identity management—pulling hundreds of disconnected applications and millions of disconnected users into a single identity portfolio that is easy to manage, audit, and secure.
At the same time, they aim to break down what was once a monolithic, do-it-yourself approach to identity and create a shared responsibility model. In this new Air Force IT infrastructure, the experts in various disciplines assume responsibility for the applications that apply to their areas of knowledge.
It’s all part of a Zero Trust strategy, says McDonnell. “We need to treat security inside-out like an onion, spreading the job of security through each layer of the digital ecosystem. Security is not a final step in system development—it’s an integral part of every step.”
Siloed systems and a lack of trust
Initially, says McDonnell, the Air Force A1 database allowed different application owners to use their own form of authentication. “We had dispersed identities throughout all of these applications, none of them centralized,” he says. “Everybody had their own vetting system, using different types of authentication mechanisms.”
Although the organization used various forms of multi-factor authentication, single-factor authentication was a problem, says McDonnell. Login information was sometimes relayed through email, easily intercepted by third parties. Information about individual accounts—who created them, who was accessing them, and what was being done with them—was siloed within dispersed applications.
“There were no uniform standards for creating accounts or granting access,” he says. “No centralized auditing process. It was difficult and time consuming for IT security teams to figure out what users were doing on a day-to-day basis across all the systems they had access to.”
Many apps in the A1 data center were tied to the Air Force’s homegrown identity and access management (IAM) solution, AFPC Secure. “That application had several issues,” says McDonnell, “not only implementing to the cloud, but also some security concerns and no auditing functionality.”
From recruits to airmen to dependents, civilian employees, and retirees, A1’s legacy systems did not instill the level of confidence needed by its community of users. “Trust is important,” says McDonnell. “We’re losing trust in the technologies we work with because we see identities getting stolen every day.” Especially in a large and vital organization such as the U.S. Air Force, security is the focus, but the trust and confidence of users are also of high importance. A solution tailored to that user community addresses both objectives.
“Ten years ago,” he says, “identity management was about protecting the Air Force’s military and government data. Now, we have this very real concern of protecting the privacy of individuals, even if they’re just on base using the golf course or the bowling alley.”
Security, user experience, and value
CDO’s team saw A1’s data center migration to the cloud as the perfect opportunity to set up a new identity management service, based in the cloud. “To determine the best candidate for that, we did a bake-off between three competitors, including Okta,” says McDonnell.
One of the competitors wasn’t able to take identity management out of the data center and decouple it from the applications. The other didn’t meet standards for the Federal Risk and Authorization Management Program (FedRAMP). “Meeting FedRAMP standards is a huge plus, from a military standpoint,” says McDonnell.
In their evaluation, the team considered these requirements in addition to security, user experience, and value. “Okta was the best all-around solution to replace the legacy system and unify A1 systems together under one umbrella,” he says.
McDonnell foresaw immediate cost savings as a result of the way Okta would allow the team to structure application management. “The solution also gave us a greater reach of services and the ability to implement the solution with users who are outside the organization,” he says.
The team was also impressed with Okta’s customer focus. At one point, McDonnell requested Federal Information Processing Standards (FIPS) 140-2 compliance for Okta Verify. “Okta went right out and got the certification,” he says. “The Okta team goes after what customers want and focuses on their functional and security needs. They provide a service you can put your trust in.”
A complex use case
The A1 data center migration involves approximately five million people with widely varying levels of access and engagement. CDO separates A1 users into two groups and has deployed different Okta solutions within each group.
Active Air Force personnel comprise the first group, including nearly one million airmen (a term that includes all gender identities), reservists, federal civilian employees, and Air Force contractors. For those users, CDO deployed Okta’s workforce identity products, including Okta Single Sign-On, Okta Universal Directory, Okta Adaptive Multi-Factor Authentication, Okta Lifecycle Management, and Okta API Access Management.
The second group includes about four million ancillary and non-active-duty personnel: recruits, retired airmen, spouses, and dependents—as well as employees and volunteers who run military base services, such as golf courses and bowling alleys. To pull those users into the solution and standardize on one identity platform, CDO deployed Okta’s customer identity products, including Authentication, User Management, Adaptive Multi-Factor Authentication, and B2B Integration.
Together, the Okta Identity Cloud centralizes identity and access management for the Air Force, solving the challenges of dispersed and siloed information systems and providing a foundation for securing A1 data center resources in the cloud.
Making the move to centralized identity
The CDO team did not have centralized identity management in their sights initially. When they conducted their IAM “bake-off,” they were looking for a replacement for AFPC Secure. A large portion of the applications in the A1 data center were tied to that IAM solution, while the rest used other authentication methods.
After McDonnell’s team tested Okta, that plan changed. “We quickly realized we could bring in the applications that were not in that initial portfolio, to bring it all together in one place,” he says. They decided to connect the entire A1 data center to Okta—including 33 systems composed of about 200 applications.
CDO is taking a phased approach to the project, moving apps one by one from the data center to the cloud. “The base Okta implementation was very quick—it took a few weeks,” says McDonnell. Next, they integrated Air Force directory services into Okta, which took about a month. Then, it was a matter of moving each application over to Okta, a process that takes a day to a week for each app.
The team addressed some tough legacy app integrations early on. SAS and Archibus, for example, didn’t support cloud-based identity models at all. “Before Okta, we would have had to either replace the application or wait for the vendor to come up with a solution for us,” says McDonnell. “We would have had to pay them for that, and it would have taken time to get on their roadmap. Instead, we used a cloud infrastructure along with Okta solutions to bring those legacy applications right into the fold.”
CDO is replacing other legacy and in-house-developed apps with commercial, off-the-shelf applications, such as Tableau, Salesforce, and ServiceNow. Many of those apps have held long-standing positions in the Okta Integration Network, so integrating them into the A1 Okta solution is simple. “It’s very helpful that the work has been done for us,” says McDonnell.
The results of centralization
“Okta’s ability to separate the applications from the system offers great value because now we don’t have to manage application administration anymore,” says McDonnell. While the scope of the A1 project is huge, the team required to manage Okta is not. “Each application has its assigned owner—we just hand over administration through the Okta portal,” he says.
Centralizing identity with Okta strengthens security at the Air Force by giving security teams a single place to analyze user behavior across the whole application portfolio and to spot anomalies as they occur, rather than reconstructing that picture from logs scattered across 200 applications.
The solution offers streamlined auditing and reporting tools, so that the Air Force can easily comply with the many security mandates of the U.S. government. It also sets the stage for continued security advancements. “As we apply machine learning and artificial intelligence to these auditing and reporting systems, it becomes easier to discover anomalies,” says McDonnell. “This centralized data is the key to a smarter, more agile cyber security defense.”
Adaptive MFA—for everyone
Decoupling IAM from the applications and the environment allows the Air Force to secure services that haven’t traditionally been under its umbrella. As a result, everyone who steps on base can be confident that their personal information is secure. Okta Adaptive Multi-Factor Authentication helps ensure that protection. When McDonnell finishes the A1 project in a few months, everyone using Air Force HR services will use MFA.
The military uses a smart card, the Common Access Card (CAC), as standard identification for active service members, civilians, and contractors. CAC holders complete a thorough vetting process and carry the card everywhere they go for access to buildings and controlled spaces, as well as to computer networks and systems. Now, they use it to authenticate into Okta-managed services, as well.
Ancillary and non-active-duty users who don’t carry a CAC use FIPS 140-2-compliant Okta Verify as their primary authentication factor. Which factor an application requires, CAC or Okta Verify, depends on the sensitivity of the data it holds and on who uses it.
Adaptive MFA also allows Air Force administrators to tailor application access according to user location. “If an airman is outside of the United States in a suspicious location, we’ll limit their information access, even if they have a CAC,” says McDonnell.
On the other side of that coin, he says, “Because Okta sits in the cloud, completely separate from our applications, we can use it all over the world. We’ve had issues in the past where access to our networks has been blocked in certain countries, and it’s been difficult to authenticate users because of that. So, this is another benefit of using a cloud-based service.”
McDonnell’s team is working to make the public key infrastructure (PKI) certificates that the CAC is built on the primary authentication factor across A1’s entire portfolio of applications. The goal, ultimately, is to get rid of passwords completely. The move to the cloud was met with some skepticism within the ranks, so it was important that the new identity solution offer significant user experience improvements while solving security issues.
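The two capabilities described above, centralized auditing that makes anomalies visible and adaptive rules that tie access to factor strength and location, can be illustrated with a small analysis over a centralized sign-in log. The following is an added example written for this page; it is not CDO’s or Okta’s code and does not use Okta’s event schema or APIs. The JSON-lines event format, the assurance ranking of factors, the application tiers, the "home country" list, the thresholds, and the sample events are all constructed for the illustration. The multi-country check is a simplified stand-in for a real impossible-travel calculation, which would use geolocated distance and time rather than a country comparison.

```python
"""Added example (not CDO's or Okta's code): anomaly and policy-gap checks over
a centralized sign-in log. The event shape, factor ranking, app tiers, home
countries, thresholds and sample data below are assumptions for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed JSON-lines shape): UTC timestamp, user,
# outcome, factor used, country of the source address, and application tier.
SAMPLE_LOG = """
{"ts": "2020-03-02T08:00:00Z", "user": "a.smith", "outcome": "success", "factor": "cac", "country": "US", "app_tier": "sensitive"}
{"ts": "2020-03-02T08:40:00Z", "user": "a.smith", "outcome": "success", "factor": "cac", "country": "RU", "app_tier": "sensitive"}
{"ts": "2020-03-02T09:00:00Z", "user": "b.jones", "outcome": "failure", "factor": "okta_verify", "country": "US", "app_tier": "internal"}
{"ts": "2020-03-02T09:01:00Z", "user": "b.jones", "outcome": "failure", "factor": "okta_verify", "country": "US", "app_tier": "internal"}
{"ts": "2020-03-02T09:02:00Z", "user": "b.jones", "outcome": "failure", "factor": "okta_verify", "country": "US", "app_tier": "internal"}
{"ts": "2020-03-02T09:03:00Z", "user": "b.jones", "outcome": "failure", "factor": "okta_verify", "country": "US", "app_tier": "internal"}
{"ts": "2020-03-02T09:04:00Z", "user": "b.jones", "outcome": "failure", "factor": "okta_verify", "country": "US", "app_tier": "internal"}
{"ts": "2020-03-02T10:00:00Z", "user": "c.lee", "outcome": "success", "factor": "password", "country": "US", "app_tier": "sensitive"}
{"ts": "2020-03-02T11:00:00Z", "user": "d.kim", "outcome": "success", "factor": "okta_verify", "country": "US", "app_tier": "internal"}
{"ts": "2020-03-02T15:00:00Z", "user": "d.kim", "outcome": "success", "factor": "okta_verify", "country": "DE", "app_tier": "internal"}
"""

# Assumed policy inputs: a PKI smart card outranks a push/OTP app, which
# outranks a password; each app tier demands a minimum assurance level.
FACTOR_ASSURANCE = {"password": 1, "okta_verify": 2, "cac": 3}
APP_MIN_ASSURANCE = {"public": 1, "internal": 2, "sensitive": 3}
HOME_COUNTRIES = {"US"}

TRAVEL_WINDOW = timedelta(hours=2)   # two countries inside this window is suspicious
FAIL_WINDOW = timedelta(minutes=10)  # window for counting failed challenges
FAIL_THRESHOLD = 5                   # failures in FAIL_WINDOW that trigger a finding


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(events):
    """Return (user, finding_kind, detail) tuples for the checks below."""
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    for user, evs in by_user.items():
        successes = [e for e in evs if e["outcome"] == "success"]

        # 1. Successful sign-ins from two different countries closer together
        #    than TRAVEL_WINDOW (simplified impossible-travel check).
        for prev, cur in zip(successes, successes[1:]):
            if prev["country"] != cur["country"] and cur["ts"] - prev["ts"] <= TRAVEL_WINDOW:
                findings.append((user, "rapid_multi_country", f'{prev["country"]}->{cur["country"]}'))

        # 2. A burst of failed challenges: FAIL_THRESHOLD failures inside
        #    FAIL_WINDOW (push fatigue or guessing against a known account).
        failures = [e["ts"] for e in evs if e["outcome"] == "failure"]
        for i in range(len(failures) - FAIL_THRESHOLD + 1):
            if failures[i + FAIL_THRESHOLD - 1] - failures[i] <= FAIL_WINDOW:
                findings.append((user, "failure_burst", f"{FAIL_THRESHOLD} in {FAIL_WINDOW}"))
                break

        # 3. Policy-gap audit: a success whose factor is weaker than the app
        #    tier requires, or a sensitive app reached from outside the home
        #    countries (the location rule quoted above, applied even to CAC).
        for e in successes:
            if FACTOR_ASSURANCE.get(e["factor"], 0) < APP_MIN_ASSURANCE[e["app_tier"]]:
                findings.append((user, "weak_factor_for_tier", f'{e["factor"]} on {e["app_tier"]}'))
            if e["app_tier"] == "sensitive" and e["country"] not in HOME_COUNTRIES:
                findings.append((user, "sensitive_from_abroad", e["country"]))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_events(SAMPLE_LOG)):
        print(*finding)
```

On the constructed sample, the checks flag a.smith for two countries within 40 minutes and for reaching a sensitive app from abroad, b.jones for five failed challenges in four minutes, and c.lee for reaching a sensitive app with only a password; d.kim, whose two sign-ins are four hours apart and meet the internal tier's requirement, produces nothing. None of these checks is possible when each of 200 applications keeps its own authentication log, which is the practical point of the centralization the page describes.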
A more streamlined user life cycle experience
One major user experience hurdle pertains to the life cycle of an airman: the identity a person holds at one stage is disconnected from the identity they hold at the next. That disconnection is immediately evident in the way the Air Force interacts with recruits, and it exacts a toll on recruitment numbers. In an age when the job market is tight, first impressions are critical, says McDonnell.
“If you make recruits deal with an insecure, poor quality experience immediately coming in, they may come away with the impression that the Air Force doesn’t do the best job in other areas as well. Our goal is that Okta’s streamlined approach to user authentication will help us get better traction with recruits,” he says.
Airmen currently lose their profile again upon retirement. “The day after they retire,” says McDonnell, “they lose access to years of medical and personnel records. They have to start completely over with a new identity and go through the entire vetting process of this new identity to be given access to their old records.”
McDonnell looks forward to working with Okta to solve that problem once and for all. “I see the Air Force wholeheartedly centralizing all of their identities to follow the complete life cycle of an airman or associated member. And I definitely see the potential of Okta helping to accomplish that,” he says.
100% cloud. 100% possible.
Despite the enormous scale of the A1 project, McDonnell remains confident that Air Force HR will be operating 100% in the cloud by mid 2020. The team is working on accreditations and authorizations for all five million users who use A1 applications, so that they can authenticate through Okta. Already, 500,000 Air Force users and counting rely on Okta for access to applications for work and play.
The team measures user experience results by sending out questionnaires to stakeholders in the organization. “We’re getting a lot of anecdotal responses,” says McDonnell. “For instance, the Archibus team was originally told that they would never be able to move that application to the cloud because there was no way they could authenticate their users into it.
“Of course, we brought in Okta, we set up a solution for them, and now all their users will be using Okta.”
Stories like that one secure the success of CDO Technologies with its federal clients. “We needed every possible win we could get when we brought these applications over,” says McDonnell. “Okta provided that. It’s pivotal to our cloud solution.”
About CDO Technologies
Since 1995, CDO Technologies has used technology and processes to build innovative and sustainable solutions for the commercial and federal sectors. Based in Dayton, Ohio, the company delivers data collection, advanced technology communications, and managed services solutions, supporting clients in achieving efficient and affordable solutions.