Navigating the effects of industry decline
Houston, Texas-based NOV, formerly National Oilwell Varco, experienced explosive growth over a 20-year period starting in the 1980s, completing hundreds of acquisitions and positioning itself as the world’s leading independent equipment and technology provider to the energy industry.
In 2015, oil and gas markets crashed and the company began what CISO John McLeod calls an “explosive lean” exercise. “The oil and gas industry, which we are part of, saw employee counts drop significantly,” he says, “and it happened pretty quickly.”
The company has broadened its mission to include renewable energy as well as traditional oil and gas, but the repercussions of industry contraction have been swift and severe. For IT, it sparked a complete rethinking of NOV’s approach to technology.
“Prior to 2015, we were like any other enterprise. Everything was on-prem: Microsoft Exchange, our internet filtering devices, and so forth,” says McLeod. “Then suddenly, we realized we couldn’t afford all that hardware.”
The team started by moving to Office 365 and went on to investigate SaaS options across their infrastructure, moving workloads and applications to the cloud where it made sense. A “cloud smart” strategy is what guides NOV. Today, IT manages a multi-cloud platform that includes Microsoft 365, Microsoft Azure, Oracle, Google, and Amazon Web Services (AWS).
A smaller IT security team, tasked with modernization
Moving to the cloud was one thing. Securing those diverse platforms, along with legacy on-prem infrastructure, and getting them all to talk to each other—that was the next challenge. For the security team, reduced in number and having grown up building and managing an on-prem network, it required a major shift in thinking.
“We couldn’t hire, but we had to make our security program leaner and more efficient as we adopted new technologies and got rid of legacy ones,” says McLeod.
Over years of M&A activity, the team had built a labyrinth of identity and access management (IAM) processes to satisfy the requirements of its numerous business units. They automated some of those processes with Microsoft Forefront Identity Manager (FIM), an on-prem tool implemented in 2008. For identity governance and administration (IGA), they used another “monolithic,” homegrown tool.
“Due to age and complexity, we had intermittent IAM outages with our legacy stack,” says Justin Moore, IAM manager. “Some months we’d have two or three.” The outages caused global productivity problems, plus major stress and high turnover for the IT staff members responsible for applications that were frequently going down.
The right identity solution for Zero Trust
In 2018, NOV leaders adopted a Zero Trust security strategy and reorganized IT to make security more identity driven. “The days of castle-and-moat networking and perimeters are gone,” says McLeod. “Identity is the new perimeter.”
With identity front and center, the team set out to modernize and consolidate their tech stack, replacing temperamental, on-prem identity solutions with a single, cloud-based IAM solution and implementing conditional access requirements that would help secure the enterprise from the outside in.
They evaluated Ping, Azure AD, and Okta. In the end, Okta stood out from the competition with its UX, ease of use, reliability and resiliency. NOV’s Okta customer success manager then introduced Okta Workflows.
“That’s when the lightbulb went on for us,” says Moore. The team realized they could replace all their outage-prone FIM and IGA scripts with Workflows—and that they could do it without a dedicated team of developers.
With the Okta Identity Cloud, they could also reduce and ultimately eliminate their identity-related server farm and its associated costs, maintenance, and outages. “We could get out of the infrastructure game and put all our disparate identity solutions under one roof,” says Moore.
Employee IAM that everyone can agree on
The NOV team started by securing employee access to applications, deploying Okta Single Sign-On, Okta Universal Directory, Okta Adaptive Multi-Factor Authentication, and Okta Lifecycle Management. They also took advantage of Okta’s integrations with Zscaler and Splunk, using those solutions along with Okta to help deepen security insights, secure cloud-based application access, and build a strong foundation for their Zero Trust strategy.
Today, application managers at NOV line up to get their apps tied to the Okta platform, says Moore, whereas in the past, getting them to set their apps up with the legacy IAM was “like pulling teeth.”
“As with anything, people have preferences—take the Android vs. iOS conversation, or AWS vs. Microsoft,” he says. “Okta rises above all the drama and plays well with everyone. People appreciate that.”
Complex business processes meet simple, no-code automation
The NOV team dove into Okta Workflows early on to automate processes for people joining or leaving NOV, while working to address staff moving from one internal role to another.
To date, the team has replaced FIM scripts with about 60 Okta workflows, which allowed them to end an expensive third-party FIM service contract. “It’s easier to find Okta Professional Services folks than FIM professional services,” says McLeod.
Okta Workflows has helped NOV build resilience into IAM processes. Recently, the company’s human resources system went offline for maintenance for 24 hours—downtime that would have been a big problem for NOV’s legacy IAM systems. This time, however, the team could relax. “We built in requisite retries with Workflows, so that systems can lose contact with each other and then be okay once everything wakes back up,” says Moore.
The wonderful thing about Workflows, he says, is its no-code simplicity. As the team works to modernize IT security and move forward with Zero Trust, Workflows is a vital tool for helping them automate processes and multiply their efforts.
More secure applications + happier developers
With employee IAM handled, the team turned to customer identity and access management (CIAM), configuring an NOV tenant that includes Okta Authentication, Okta User Management, Okta API Access Management, and Okta B2B Integration. After a short period of time for implementation, NOV’s CIAM tenant was fully configured and ready for its first app, a major business driver for NOV that serves several thousand users.
Next, the team started migrating the dozens of customer apps previously administered by Microsoft Active Directory Federation Services (ADFS). NOV works with developers to write custom apps, and Moore says the move to Okta helps make those relationships more collaborative.
“Our developers can now get an Okta developer account, do all their testing against it and then bring it to us when they’re ready,” says Moore. “That was not an option with ADFS.” That shift to developer ownership of the testing process helps clarify and improve communication.
Okta’s adherence to standard industry security protocols and its straightforward documentation around them also ensure more secure results. “In the past, developers have had to rewrite code because it wasn’t secure,” he says. “Now, they’re able to do it right the first time, and it’s better for everyone. Their job satisfaction is improved since they can provide value faster and don’t have to spend cycles fixing compliance issues.”
Steady progress toward Zero Trust
Moore’s team completed Okta CIAM deployment ahead of schedule, with help from Okta Professional Services. “I have nothing but positive feedback for our Okta Customer First team,” he says. “We don’t use the word ‘partner’ lightly when it comes to IT vendors, but Okta fits that bill.”
The team still has a way to go in its transition to Okta, so they still have some legacy IAM-related downtime. “If a month goes by where I don’t have an outage, I’m surprised,” says Moore, “but we’ve been creating users with Okta for six months now and we’ve had no major Okta-related outages.”
Already, NOV is seeing reduced server and maintenance costs, which helps relieve overburdened team members. Microsoft FIM is history—a major KPI for the team—and they’re close to eliminating four legacy multi-factor authentication (MFA) servers. ADFS is next on the decommissioning list.
As the team progresses with their Okta migration, they also take positive steps along their Zero Trust continuum. “We’re becoming an identity-driven security team, which is a real shift in culture, because we’re talking about a team that was built for a flat, on-prem network,” says McLeod.
NOV is proof that, with the proper approach to identity, a large, complex organization experiencing significant industry contraction can make steady progress toward Zero Trust.
“Continuous improvement is key, especially when you’re going through industry upheaval,” says McLeod. “It’s easy to get stagnant and stay in survival mode, but you have to challenge that mindset.
“It’s always possible to improve your processes and technologies,” he says. “My advice is to look forward. And move forward.”
About NOV Inc.
NOV delivers technology-driven solutions to empower the global energy industry. For more than 150 years, NOV has pioneered innovations that enable its customers to safely produce abundant energy while minimizing environmental impact. The energy industry depends on NOV’s deep expertise and technology to continually improve oilfield operations and assist in efforts to advance the energy transition towards a more sustainable future. NOV powers the industry that powers the world.